Permission Denied Error in Apps Service

Hi Anshika,

Thank you for your response. I appreciate the guidance regarding App Service sandbox restrictions. However, I’d like to clarify that the issue I’m facing is not related to file system access.

The error I’m encountering is:

(PermissionDenied) The principal 5cb7739c-4125-4f7a-9e61-533995efb416 lacks the required data action Microsoft.CognitiveServices/accounts/AIServices/agents/read to perform POST /api/projects/{projectName}/threads.

This appears to be related to Azure AI Foundry RBAC permissions, specifically the lack of access to perform operations on agents within a project.

The support team has now provided a user-assigned managed identity, and I’ve configured DefaultAzureCredential with the provided Client ID.

But now I am getting similar Permission Denied error with another principal ID as:

(PermissionDenied) The principal 6ed63fe6-5767-4d9c-ae8a-828391f9144e lacks the required data action Microsoft.CognitiveServices/accounts/AIServices/agents/read to perform POST /api/projects/{projectName}/threads operation. For instructions on granting the necessary permissions, see https://aka.ms/FoundryPermissions.

2025-10-13T13:08:28.8955662Z Code: PermissionDenied

2025-10-13T13:08:28.8955697Z Message: The principal 6ed63fe6-5767-4d9c-ae8a-828391f9144e lacks the required data action Microsoft.CognitiveServices/accounts/AIServices/agents/read to perform POST /api/projects/{projectName}/threads operation. For instructions on granting the necessary permissions, see https://aka.ms/FoundryPermissions.

Hello Singh, Jabeez,

Thanks for sharing the details! Yes, the error you’re seeing is related to rbac permissions in azure ai foundry. this usually happens when the identity (either a managed identity or a user) doesn’t have the correct permissions to access agents or threads.

what’s happening here is that the identity is missing the microsoft.cognitiveservices/accounts/aiservices/agents/read permission. this specific permission is required for operations such as post /api/projects/{projectname}/threads.

to fix this, assign the azure ai developer or azure ai contributor role to the identity at the resource or resource group level. if you’re using a user-assigned managed identity, make sure it’s added to the project and has the same rbac role assigned. you can refer to the official documentation for details: foundry permissions.

after updating the roles, wait a few minutes for the permissions to propagate, and then restart your app or service to refresh the tokens.

hope this helps! please click accept answer if this resolves your issue.

Hello Singh, Jabeez,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Thankyou!

Hello Singh, Jabeez,

I hope this has been helpful! We appreciate hearing from you and would love to help others who may have the same question. Accepting answers helps increase visibility of this question for other members of the Microsoft Q&A community.

Thank you for helping to improve Microsoft Q&A!

Hi Anshika,

Your suggestion was really helpful, thank you! It clarified the permission requirements and helped us narrow down the issue.

Actually, the issue was that we were trying to assign the role in a different resource group than where the Azure AI Foundry resources are located. Once we corrected the scope and assigned the role in the correct resource group, the permissions started working as expected. Appreciate your help in pointing us in the right direction!