Get answers to common questions about the Microsoft Discovery service.
Get started
Is Microsoft Discovery primarily an offline optimization and prediction platform, or are there capabilities for direct, real-time, closed-loop process control of physical scientific or manufacturing equipment?
Discovery is an online platform with human oversight. Researchers can change, edit, and kick off runs as needed. We're thinking about extending Microsoft Discovery to digital twins and lab automation using natural language, giving researchers more access to lab processes.
Network security
Do I need to configure network hardening manually?
No. Network hardening is fully automated by the Discovery control plane. All NSP associations, private endpoints, and virtual network injection settings are provisioned automatically when you create a workspace, bookshelf, or supercomputer with the 2026-02-01-preview API version (or later). You only need to:
- Assign the Discovery NSP Perimeter Joiner custom role before creating the workspace. For the role definition, see Discovery NSP Perimeter Joiner (custom role); for the setup steps, see Assign the NSP Perimeter Joiner role.
- Provide dedicated subnets in your virtual network for Discovery resources (agent workloads, private endpoints, and workspace services).
What is the difference between network hardening and private endpoints?
These are two complementary layers:
- Network hardening (NSP) protects the managed resources (databases, storage, AI services) that Discovery creates on your behalf in its managed resource group (MRG). It uses Network Security Perimeters and private endpoints on those MRG resources to restrict access to authorized Discovery components only.
- Private endpoints for the data-plane protect your API traffic to the workspace and bookshelf services. You create these in your own virtual network to route API calls through Azure Private Link instead of the public internet.
Which Discovery resources support private endpoints?
Private endpoints are supported for:
| Resource type | Group ID | Private DNS zone |
|---|---|---|
| Microsoft.Discovery/workspaces | workspace | privatelink.workspace.discovery.azure.com |
| Microsoft.Discovery/bookshelves | bookshelf | privatelink.bookshelf.discovery.azure.com |
Other Discovery resource types (supercomputers, storage, tools, agents) don't support customer-created private endpoints.
Can I disable public network access entirely?
Yes. After creating private endpoints, you can disable public network access on your workspace or bookshelf by setting publicNetworkAccess to Disabled through a PATCH request on the resource. For detailed steps, see Disable public network access.
When disabled, only requests through approved private endpoints are accepted.
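Putting the private endpoint table and the public-access switch together, here is an added Azure CLI example (not code from the Discovery documentation) that creates a data-plane private endpoint for a workspace or bookshelf, creates and links the matching private DNS zone, adds a DNS zone group so the A record is written for you, and then disables public network access and reads the setting back. The resource names, subscription ID and workspace resource ID are placeholders. The PATCH body nests publicNetworkAccess under properties (the usual ARM shape) and reuses the 2026-02-01-preview API version; both are assumptions rather than something this page states.

```shell
# Added example; not from the Microsoft Discovery documentation. Creates a
# data-plane private endpoint, wires up private DNS, then disables public
# network access on the resource and reads the setting back.
# Assumptions: placeholder names/IDs below; PATCH body shape and API version.
set -eu

RG="${RG:-rg-discovery}"
VNET="${VNET:-vnet-discovery}"
SUBNET="${SUBNET:-snet-private-endpoints}"   # dedicated subnet for private endpoints
WORKSPACE_ID="${WORKSPACE_ID:-/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-discovery/providers/Microsoft.Discovery/workspaces/ws-demo}"
API_VERSION="2026-02-01-preview"   # assumed to apply to PATCH as well as create

# Map a Discovery private-link group ID to its private DNS zone (table above).
# Other Discovery resource types don't take customer-created private endpoints.
zone_for_group_id() {
  case "$1" in
    workspace) echo "privatelink.workspace.discovery.azure.com" ;;
    bookshelf) echo "privatelink.bookshelf.discovery.azure.com" ;;
    *) echo "unsupported group ID '$1': only workspace and bookshelf are supported" >&2; return 1 ;;
  esac
}

# Create the private endpoint, the DNS zone, the VNet link and the zone group.
# Zone and link creation are PUTs, so re-running is harmless; the zone group
# is what makes Azure write the A record into the zone.
create_private_endpoint() {
  local group_id="$1" resource_id="$2" pe_name="$3" zone
  zone=$(zone_for_group_id "$group_id")
  az network private-endpoint create -g "$RG" -n "$pe_name" \
    --vnet-name "$VNET" --subnet "$SUBNET" \
    --private-connection-resource-id "$resource_id" \
    --group-id "$group_id" --connection-name "${pe_name}-conn" -o none
  az network private-dns zone create -g "$RG" -n "$zone" -o none
  az network private-dns link vnet create -g "$RG" -z "$zone" -n "${VNET}-link" \
    --virtual-network "$VNET" --registration-enabled false -o none
  az network private-endpoint dns-zone-group create -g "$RG" --endpoint-name "$pe_name" \
    -n default --private-dns-zone "$zone" --zone-name "$group_id" -o none
}

# Body of the PATCH that turns off the public data-plane endpoint (assumed shape).
disable_body() {
  printf '{"properties":{"publicNetworkAccess":"Disabled"}}'
}

# PATCH the resource, then GET it back and print the effective setting.
disable_public_access() {
  local resource_id="$1" url
  url="https://management.azure.com${resource_id}?api-version=${API_VERSION}"
  az rest --method patch --url "$url" --headers "Content-Type=application/json" \
    --body "$(disable_body)" -o none
  az rest --method get --url "$url" --query properties.publicNetworkAccess -o tsv
}

# Run with --apply to make the changes; only private-endpoint traffic is
# accepted once the GET prints Disabled.
if [ "${1:-}" = "--apply" ]; then
  create_private_endpoint workspace "$WORKSPACE_ID" pe-ws-demo
  disable_public_access "$WORKSPACE_ID"
fi
```

Run it as `sh pe.sh --apply` from a shell logged in with az. Disable public access only after the private endpoint shows Approved and the DNS zone is linked, otherwise the workspace becomes unreachable from your own network as well.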
Troubleshooting
I get 'doesn't have permission to perform action joinPerimeterRule/action' when creating a workspace. How do I fix it?
The custom role assignment for the Discovery service principal is missing or hasn't propagated yet.
- Verify the Discovery NSP Perimeter Joiner role exists at your subscription scope.
- Ensure it's assigned to the Discovery control-plane service App service principal (92c174ac-8e41-4815-a1b7-d81b19ab03ce).
- Wait up to 5 minutes for Azure RBAC propagation.
- Retry workspace creation; the operation is idempotent and safe to retry.
For the role definition (permissions, scope, capabilities, and limitations), see Discovery NSP Perimeter Joiner (custom role). For the step-by-step setup instructions, see Configure network security.
I get 'Service principal not found' when assigning the RBAC role. What should I do?
The Discovery control-plane service App service principal (92c174ac-8e41-4815-a1b7-d81b19ab03ce) doesn't exist in your tenant yet. Create the service principal in your tenant by following the steps in Configure network security, then retry the role assignment.
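The role-assignment step in the network security section and the two RBAC errors above come down to the same three checks. As an added example (not code from the Microsoft Discovery documentation), this Azure CLI script makes sure the Discovery control-plane service principal exists in the tenant, confirms the custom role definition is visible at subscription scope, and assigns it if it isn't already. It assumes the custom role was already created under the name Discovery NSP Perimeter Joiner, that SUBSCRIPTION_ID is exported, and that the account running it may create service principals and role assignments; the app ID is the one quoted above.

```shell
# Added example; not from the Microsoft Discovery documentation. Ensures the
# Discovery control-plane service principal exists in this tenant and holds
# the "Discovery NSP Perimeter Joiner" custom role at subscription scope.
# Assumptions: the custom role definition already exists under that name;
# SUBSCRIPTION_ID is set; the caller can create SPs and role assignments.
set -eu

DISCOVERY_APP_ID="92c174ac-8e41-4815-a1b7-d81b19ab03ce"   # app ID quoted on this page
ROLE_NAME="Discovery NSP Perimeter Joiner"                # custom role name from this page
SCOPE="/subscriptions/${SUBSCRIPTION_ID:-00000000-0000-0000-0000-000000000000}"

# Print the object ID of the Discovery service principal. If the app has never
# been instantiated in this tenant ("Service principal not found"), create it;
# that step needs directory rights to create service principals.
ensure_sp_object_id() {
  local oid
  if oid=$(az ad sp show --id "$DISCOVERY_APP_ID" --query id -o tsv 2>/dev/null) && [ -n "$oid" ]; then
    echo "$oid"
    return 0
  fi
  az ad sp create --id "$DISCOVERY_APP_ID" --query id -o tsv
}

# Succeed only if the custom role definition is visible at the subscription scope.
role_definition_exists() {
  local count
  count=$(az role definition list --name "$ROLE_NAME" --scope "$SCOPE" --query 'length(@)' -o tsv)
  [ "${count:-0}" -gt 0 ]
}

# Assign the role by object ID plus principal type (skips the Graph lookup that
# can fail for a just-created SP) and report whether anything changed.
ensure_role_assignment() {
  local oid="$1" existing
  existing=$(az role assignment list --assignee "$oid" --role "$ROLE_NAME" --scope "$SCOPE" --query 'length(@)' -o tsv)
  if [ "${existing:-0}" -gt 0 ]; then
    echo "present"
    return 0
  fi
  az role assignment create --assignee-object-id "$oid" --assignee-principal-type ServicePrincipal \
    --role "$ROLE_NAME" --scope "$SCOPE" -o none
  echo "created"
}

# Run with --apply, then allow up to 5 minutes for RBAC propagation before
# (re)trying workspace creation, which is safe to retry.
if [ "${1:-}" = "--apply" ]; then
  role_definition_exists || { echo "role definition '$ROLE_NAME' not found at $SCOPE" >&2; exit 1; }
  oid=$(ensure_sp_object_id)
  echo "service principal object ID: $oid"
  echo "role assignment: $(ensure_role_assignment "$oid")"
fi
```

If `role_definition_exists` fails, create the custom role first (see Discovery NSP Perimeter Joiner (custom role)); assigning a role that doesn't exist is the other common way to end up with the joinPerimeterRule error.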
My private endpoint shows 'Approved' but API calls still fail. What's wrong?
Common causes:
| Error | Likely cause | Resolution |
|---|---|---|
| 504 Gateway Timeout | Backend temporarily unavailable | Check if the public path also fails. If both fail, the service may be temporarily unavailable. |
| 401 Unauthorized | Token audience mismatch or missing role | Verify the token is for https://discovery.azure.com/ and you have the required role on the resource. |
| DNS resolves to public IP | Private DNS zone not linked to virtual network | Create the DNS zone and virtual network link. See Configure private DNS. |
DNS resolves to a public IP even though I created a private endpoint. How do I fix it?
- Verify the private DNS zone exists (for example, privatelink.workspace.discovery.azure.com).
- Verify the DNS zone is linked to your virtual network.
- Verify a DNS zone group is configured on the private endpoint (this autocreates A records).
- If you use custom DNS servers, ensure they forward to Azure DNS (168.63.129.16).
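As an added diagnostic example (not from the Discovery documentation), the script below walks the checks behind the two troubleshooting questions above: it decodes the bearer token's audience (the 401 row), resolves the workspace FQDN through the host resolver and directly through Azure DNS, classifies the answer as private or public (the DNS row), and when the answer is public lists the private DNS zone, VNet link and zone group so the missing piece stands out. The FQDN, resource group and private endpoint name are placeholders and the JWT-decoding helper is mine; the expected audience and the 168.63.129.16 resolver are the values quoted on this page. Nothing here validates the token signature.

```shell
# Added example; not from the Microsoft Discovery documentation. Diagnoses the
# "private endpoint Approved but API calls fail" case: token audience, DNS
# answer, and the private DNS objects the A record depends on.
# Assumptions: placeholder FQDN/resource names; dig and az are installed.
set -eu

EXPECTED_AUD="https://discovery.azure.com/"   # audience quoted on this page
AZURE_DNS="168.63.129.16"                     # Azure-provided resolver, VNet-only

# Base64url-decode the JWT payload and print its "aud" claim. Inspection only:
# there is no signature check, so never use this to accept a token.
jwt_aud() {
  local payload pad
  payload=$(printf '%s' "$1" | cut -d. -f2 | sed 's/-/+/g; s/_/\//g')
  pad=$(( (4 - ${#payload} % 4) % 4 ))
  payload="$payload$(printf '%*s' "$pad" '' | tr ' ' '=')"
  printf '%s' "$payload" | base64 -d 2>/dev/null | sed -n 's/.*"aud":"\([^"]*\)".*/\1/p'
}

# Get a token for the data plane and confirm its audience is the expected one.
check_token_audience() {
  local token aud
  token=$(az account get-access-token --resource "$EXPECTED_AUD" --query accessToken -o tsv)
  aud=$(jwt_aud "$token")
  [ "$aud" = "$EXPECTED_AUD" ] || { echo "token audience is '$aud', expected '$EXPECTED_AUD'" >&2; return 1; }
}

# RFC 1918 test: a private endpoint answer comes from your subnet, never a public IP.
is_private_ipv4() {
  local second
  case "$1" in
    10.*|192.168.*) return 0 ;;
    172.*)
      second=$(printf '%s' "$1" | cut -d. -f2)
      if [ "$second" -ge 16 ] && [ "$second" -le 31 ]; then return 0; fi ;;
  esac
  return 1
}

# Resolve via the host resolver and directly via Azure DNS. A private answer
# from Azure DNS but a public one from the host means the custom DNS server
# isn't forwarding to 168.63.129.16.
check_dns() {
  local fqdn="$1" host_ip azure_ip
  host_ip=$(dig +short "$fqdn" | tail -n1)
  azure_ip=$(dig +short "@$AZURE_DNS" "$fqdn" 2>/dev/null | tail -n1 || true)
  if is_private_ipv4 "${host_ip:-0.0.0.0}"; then
    echo "ok: $fqdn -> $host_ip (private)"
    return 0
  fi
  echo "problem: $fqdn -> ${host_ip:-<none>} (public or unresolved)" >&2
  if [ -n "$azure_ip" ] && is_private_ipv4 "$azure_ip"; then
    echo "Azure DNS answers $azure_ip: your custom DNS server isn't forwarding to $AZURE_DNS" >&2
  fi
  return 1
}

# Show the three objects the A record depends on: zone, VNet link, zone group.
show_private_dns_wiring() {
  local rg="$1" zone="$2" pe_name="$3"
  az network private-dns zone show -g "$rg" -n "$zone" --query name -o tsv
  az network private-dns link vnet list -g "$rg" -z "$zone" \
    --query '[].{vnet:virtualNetwork.id,state:virtualNetworkLinkState}' -o table
  az network private-endpoint dns-zone-group list -g "$rg" --endpoint-name "$pe_name" \
    --query '[].privateDnsZoneConfigs[].recordSets[].{fqdn:fqdn,ips:ipAddresses}' -o json
}

# usage: sh diag.sh <workspace-fqdn> <resource-group> <private-endpoint-name>
if [ "$#" -ge 3 ]; then
  check_token_audience
  check_dns "$1" || show_private_dns_wiring "$2" "privatelink.workspace.discovery.azure.com" "$3"
fi
```

Run it from a VM inside the virtual network, since 168.63.129.16 doesn't answer from outside Azure. An empty link list or a zone group with no record sets points at the second and third checklist items above; a public answer with a healthy zone group points at the resolver forwarding rule.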