Share via

401 Authentication Error When Deploying Managed Compute Endpoint

Freddy Mei 20 Reputation points
2025-10-21T22:40:59.9266667+00:00

I’m deploying an endpoint using Managed Compute mode for the gpt-5-mini model, and the deployment fails with a 401 “Server failed to authenticate the request” error. From the logs, it appears that the container is attempting to download the model from an Azure Blob Storage location, but authentication to that storage account is failing.

The blob storage seems to be an internal Azure-managed resource, so I don’t have direct access or visibility to modify permissions or regenerate credentials.

Has anyone encountered this issue before? Are there any guidelines or configuration steps to ensure the managed endpoint can successfully authenticate when retrieving the model? Any guidance would be greatly appreciated.

Please let me know if additional details about the error message or deployment are needed.

User's image

User's image

Foundry Tools
Foundry Tools

Formerly known as Azure AI Services or Azure Cognitive Services is a unified collection of prebuilt AI capabilities within the Microsoft Foundry platform

2 answers

Sort by: Most helpful
Most helpful Newest Oldest
  1. SRILAKSHMI C 18,390 Reputation points Microsoft External Staff Moderator
    2025-10-22T04:03:06.0766667+00:00

    Hello Freddy Mei,

    Welcome to Microsoft Q&A and thank you for reaching out.

    I understand you’re running into a 401 “Server failed to authenticate the request” error while deploying a Managed Compute endpoint for the gpt-5-mini model. This error typically means that the container responsible for loading the model is unable to authenticate to the Azure-managed Blob Storage where the model artifacts are hosted.

    Here are several steps to help you resolve this issue:

    1. Verify Managed Identity Configuration

    Ensure that your Azure AI Foundry project or Azure ML workspace has either a System-Assigned or User-Assigned Managed Identity enabled. You can check this under: Azure Portal → AI Services resource / Managed Compute endpoint → Identity tab

    • Confirm that the identity status is On and that the identity is properly listed.

    2. Check and Assign Role Permissions

    The managed identity associated with your deployment must have appropriate permissions to access Azure Storage. Depending on the mode:

    User-assigned identity: Needs Storage Blob Data Reader access on the workspace storage account.

    Managed Compute (MDC) mode: Requires Storage Blob Data Contributor permissions to pull the model artifacts.

    You can assign roles using Azure CLI:

    az role assignment create \
  --assignee <MANAGED_IDENTITY_CLIENT_ID> \
  --role "Storage Blob Data Contributor" \
  --scope <STORAGE_ACCOUNT_RESOURCE_ID>

    If the Blob Storage is Azure-managed (not visible in your resource group), ensure the endpoint deployment is happening within the same subscription and region as the model. Cross-subscription deployments are not supported for Managed Compute.

    3. Verify Token Configuration

    In some cases, a 401 error can be caused by an invalid or expired authentication token. Make sure your authorization token follows this format: aad#<resourceId>#<aadToken.token>

    Check that the token is valid, active, and associated with the correct identity.

    4. Review Deployment Logs for More Details

    Logs often contain more context about where authentication failed. You can fetch deployment logs using either the Azure CLI or Python SDK:

    Using Azure CLI:

    az ml online-deployment get-logs -e <endpoint-name> -n <deployment-name> -l 100

    Using Python SDK:

    ml_client.online_deployments.get_logs(
    name="<deployment-name>",
    endpoint_name="<endpoint-name>",
    lines=100
)

    Look for entries related to authentication, storage access, or token validation failures.

    5. Network Configuration

    If your environment uses Private Endpoints or Virtual Networks, confirm that:

    The Azure Storage endpoints are accessible.

    The AzureAI and Azure Storage service tags are allowed in your network security rules. Any blocked outbound connection can prevent the model container from reaching the storage resource.

    6. Confirm Authentication Mode in Deployment YAML (if applicable)

    If you’re deploying via YAML or script, confirm that your authentication section is configured correctly:

    auth_mode: managed_identity
identity:
  type: system_assigned

    This ensures the deployment uses the correct managed identity for token generation.

    7. Redeploy After Configuration Updates

    Once you’ve verified or updated your managed identity, permissions, and network setup:

    1. Stop any deployment that’s stuck in “Starting” or “Failed”.
    2. Redeploy the endpoint to refresh the authentication token and reattempt the model download.

    please refer this

    I Hope this helps. Do let me know if you have any further queries.

    Thank you!

    Was this answer helpful?

    0 comments
  2. Jerald Felix 11,555 Reputation points Volunteer Moderator
    2025-10-22T02:50:25.4266667+00:00

    Hey Freddy,

    That's a frustrating one! I've seen this authentication issue pop up a few times with managed compute deployments, especially with the newer GPT-5 models. The 401 error you're seeing is usually related to the managed identity not having the right permissions to access Azure's internal blob storage.

    Here's what's likely happening: When you deploy a model on managed compute, Azure creates a system-assigned managed identity for your endpoint that needs to download the model files from Microsoft's internal storage. Sometimes this identity doesn't get the right permissions automatically.

    Quick things to try:

    1. Check your workspace permissions - Make sure your user account has "Contributor" or "Owner" role on the AI Foundry workspace (not just the resource group)
    2. Try a different region - I know it's annoying, but sometimes certain regions have temporary issues with the automatic permission assignment. If you're not tied to a specific region, try deploying in East US or West Europe
    3. Wait and retry - Sometimes it's just a temporary glitch. Give it 15-20 minutes and try deploying again

    If those don't work:

    Open a support ticket and mention the specific error from your screenshot. The Azure AI team can manually fix the managed identity permissions on the backend - they've had to do this for several people I know.

    When you open the ticket, include:

    • Your workspace name and region
    • The exact model you're trying to deploy (gpt-5-mini)
    • The timestamp of when you tried the deployment
    • That screenshot you already have

    One more thing to check: Make sure you're not hitting any quota limits for GPT-5 models in your subscription. Sometimes quota issues can show up as weird authentication errors.

    Let me know if any of those work for you! This is definitely a known issue with the service, not something you did wrong.

    Best Regards,

    Jerald Felix

    Was this answer helpful?

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.