
Azure AI Foundry Agent Service "agents/write" denied despite Azure AI User role — Managed Application deny assignment blocking dataActions?

Viktor Már Guðmundsson 20 Reputation points
2025-12-30T14:41:45.7133333+00:00

Background

We publish an Azure Managed Application to the marketplace with "Restrict access with deny assignments" enabled. The managed resource group contains:

  • Container App (Python application using Azure AI Foundry Agent Service)
  • Function App
  • SQL Database
  • Service Bus Queues
  • Azure AI Foundry resource with a Foundry project

This is a follow-up to my previous question about GitHub Actions deployment permissions where subscription-scope roles resolved control plane action denials:

How do I deploy GitHub code to Azure Function App through a user-assigned Managed Identity (MI) without giving the MI Reader & Website Contributor subscription scope roles? The rg scope roles did not work and the rg is deployed in another tenant.


The Problem

Our Container App's System-Assigned Managed Identity cannot call the Azure AI Foundry Agent Service:

(PermissionDenied) The principal lacks the required data action 
`Microsoft.CognitiveServices/accounts/AIServices/agents/write` to perform 
`POST /api/projects/{projectName}/assistants` operation.

According to Microsoft's RBAC documentation for AI Foundry, the Azure AI User role includes:

"dataActions": ["Microsoft.CognitiveServices/*"]

This wildcard should cover Microsoft.CognitiveServices/accounts/AIServices/agents/write. Additionally, the documentation explicitly states under "Permissions to build Agents":

DataActions:

  • Microsoft.CognitiveServices/accounts/AIServices/agents/read
  • Microsoft.CognitiveServices/accounts/AIServices/agents/write
  • Microsoft.CognitiveServices/accounts/AIServices/agents/delete

Yet despite having Azure AI User assigned, the error persists.


Roles Assigned to Container App Managed Identity

We have extensively tested various role combinations. Current assignments:

Subscription scope (Pay-As-You-Go):

  • Azure AI User
  • Azure AI Developer

Resource Group scope (managed RG):

  • Azure AI User
  • Azure AI Developer
  • Owner

Foundry Resource scope:

  • Azure AI User
  • Azure AI Developer
  • Azure AI Owner
  • Azure AI Administrator
  • Cognitive Services Contributor
  • Cognitive Services OpenAI User

Foundry Project scope:

  • Azure AI Owner
  • Azure AI Project Manager
  • Cognitive Services Contributor

Other working roles on other resources:

  • Azure Service Bus Data Sender (Service Bus Namespace scope)
  • Azure Service Bus Data Receiver (Service Bus Namespace scope)
  • Key Vault Secrets User (Key Vault scope)

Additional verification:

  • Waited 16+ hours for RBAC propagation
  • Restarted Container App multiple times to clear token cache
  • Stopped Container App for 10 minutes and restarted

None of these changes affected the error.


Cross-Tenant Foundry Portal Limitation

We also attempted to assign roles via the Foundry portal's Users tab directly on the project. However, we discovered a cross-tenant limitation:

  • The Foundry resource is deployed in the client's tenant (via Managed Application)
  • We (the publisher) are in a separate tenant
  • When searching for principals to add in the Foundry portal, only users from the publisher tenant appear
  • The Container App's Managed Identity (which exists in the client tenant) does not appear in the search results
  • Client tenant users also do not appear

This means we cannot use the Foundry portal's native user management to grant access to resources in the client tenant, even though we have Owner access to the managed resource group.


What Works vs. What Doesn't

| Resource | Scope of Role | DataActions Required | Status |
| --- | --- | --- | --- |
| Service Bus Queues | Service Bus Namespace (RG-level resource) | Microsoft.ServiceBus/namespaces/messages/send | ✅ Works |
| SQL Database | App Registration + SQL-level permissions | db_datareader, db_datawriter via CREATE USER FROM EXTERNAL PROVIDER | ✅ Works |
| Azure AI Foundry Agents | Subscription, RG, Resource, Project — all tried | Microsoft.CognitiveServices/accounts/AIServices/agents/write | ❌ Fails |

The Service Bus roles work at resource scope within the managed RG. We attempted the same pattern with AI Foundry (assigning roles directly on the Foundry resource and project) but it does not work.


SQL Database details:

The SQL Database uses an App Registration from our (publisher) tenant, authenticated via ClientSecretCredential. Permissions are granted through SQL-level commands, not Azure RBAC:

CREATE USER [InvoiceAgent_CompanyName_Database] FROM EXTERNAL PROVIDER;
GO
ALTER ROLE db_datareader ADD MEMBER [InvoiceAgent_CompanyName_Database];
GO
ALTER ROLE db_datawriter ADD MEMBER [InvoiceAgent_CompanyName_Database];
GO

This works because SQL-level permissions bypass Azure RBAC entirely — the deny assignment only affects Azure control/data plane actions, not database-internal security.

Service Bus uses Azure RBAC at resource scope and works.

Azure AI Foundry uses Azure RBAC and fails at every scope we've tried.

Our Hypothesis

Based on the previous Q&A response explaining deny assignments:

  1. The Managed Application creates a deny assignment with DataActions: * (deny all)
  2. Specific dataActions are excepted via NotDataActions
  3. Service Bus dataActions appear to be in NotDataActions (hence they work)
  4. Cognitive Services dataActions are NOT in NotDataActions (hence they fail)
  5. Unlike control plane actions, subscription-scope roles do NOT bypass deny assignments for dataActions

We cannot verify this because:

  • Azure Portal doesn't show full deny assignment details
  • We cannot run Get-AzDenyAssignment due to cross-tenant limitations (we're the publisher in a different tenant)

Questions

  1. Do dataActions behave differently than control plane actions regarding deny assignment inheritance?
     • For control plane actions (e.g., Microsoft.Web/sites/config/list/action), subscription-scope roles bypassed the managed RG deny assignment
     • For dataActions, this does not appear to work — is this expected?
  2. Why do Service Bus dataActions work at resource scope but Cognitive Services dataActions don't?
     • Are certain dataActions automatically added to `NotDataActions` for Managed Applications?
     • Is there a default allowlist for common Azure services?
  3. What is the correct solution for enabling Azure AI Foundry Agent Service in a Managed Application?
     • Should we add `Microsoft.CognitiveServices/*` or specifically `Microsoft.CognitiveServices/accounts/AIServices/agents/*` to the allowedDataActions in our Managed Application definition via Partner Center?
     • Is there documentation on configuring Cognitive Services dataActions for Managed Applications?
  4. How can customers or publishers verify what's in the NotDataActions exception list?
     • Is there a way to view this in Portal or must we use PowerShell/CLI?
  5. Is there a workaround for the cross-tenant Foundry portal limitation?
     • How can publishers assign Foundry roles to Managed Identities that exist in the client tenant?

Environment Details

  • Managed Application: Published via Azure Marketplace with deny assignments enabled
  • Container App: System-Assigned Managed Identity
  • AI Foundry endpoint: *.services.ai.azure.com/api/projects/*
  • SDK: azure-ai-projects using DefaultAzureCredential
  • Cross-tenant: Publisher in separate tenant from client deployment

1 answer

  1. Anshika Varshney 10,655 Reputation points Microsoft External Staff Moderator
    2025-12-30T17:03:22.1233333+00:00

    Hi Viktor Már Guðmundsson,

    Thank you for connecting this thread to Microsoft Q&A
    You're absolutely right to suspect that the deny assignment behavior for dataActions in Managed Applications is different from control plane actions. Based on what you've described and similar issues we've encountered, here are a few thoughts:

    • Deny assignments with dataActions: can block even subscription-scope roles unless the specific dataActions are explicitly added to notDataActions. This is unlike control plane actions, where subscription-level roles often bypass the deny assignment.
    • The fact that Service Bus works while Cognitive Services (AI Foundry) doesn’t suggest that Service Bus dataActions are likely included in the default notDataActions, but Cognitive Services ones are not.
    • Unfortunately, there’s currently no way to view the full deny assignment or notDataActions list in the Azure Portal, especially across tenants. You’d need to use Get-AzDenyAssignment, but as you mentioned, cross-tenant access makes that tricky.

    Please follow the step below to resolve the issue:
    In your Managed Application definition, try explicitly adding the following to allowedDataActions:

    "Microsoft.CognitiveServices/accounts/AIServices/agents/*"

    or even broader:

    "Microsoft.CognitiveServices/*"

    This should help override the deny assignment for the Agent Service.

    Let us know if updating the allowedDataActions in Partner Center resolves the issue, or if there are any remaining questions or additional details I can help with; I’ll be glad to provide further clarification or guidance.

    Thank you!


    1 person found this answer helpful.
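To make the question's hypothesis (deny all dataActions, except via NotDataActions) and the answer's allowedDataActions fix concrete, here is an added Python model of how a role's DataActions, a deny assignment's NotDataActions and Azure's `*` wildcard matching combine for one action. It is example code, not the azure-ai-projects SDK or anything from the thread; the deny assignment contents, the simplified Service Bus role pattern and the assumption that an allowedDataActions entry surfaces as a NotDataActions exception in the deny assignment are all constructed.

```python
import re
from dataclasses import dataclass, field
from typing import List


def matches(pattern: str, action: str) -> bool:
    """Azure RBAC wildcard match: '*' stands for any run of characters, '/' included."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


@dataclass
class DataPermission:
    """DataActions minus NotDataActions: the shape of both role definitions and deny assignments."""
    data_actions: List[str] = field(default_factory=list)
    not_data_actions: List[str] = field(default_factory=list)

    def covers(self, action: str) -> bool:
        granted = any(matches(p, action) for p in self.data_actions)
        excepted = any(matches(p, action) for p in self.not_data_actions)
        return granted and not excepted


def effective_access(action: str, roles: List[DataPermission],
                     denies: List[DataPermission]) -> str:
    """A matching deny assignment wins, no matter how many role assignments grant the action."""
    if any(d.covers(action) for d in denies):
        return "denied"
    return "allowed" if any(r.covers(action) for r in roles) else "not granted"


def with_allowed_data_actions(deny: DataPermission, allowed: List[str]) -> DataPermission:
    """Assumed effect of an allowedDataActions entry: it becomes a NotDataActions exception."""
    return DataPermission(deny.data_actions, deny.not_data_actions + list(allowed))


# Constructed sample data, not read from Azure.
AGENTS_WRITE = "Microsoft.CognitiveServices/accounts/AIServices/agents/write"
SB_SEND = "Microsoft.ServiceBus/namespaces/messages/send"
AZURE_AI_USER = DataPermission(data_actions=["Microsoft.CognitiveServices/*"])
SB_SENDER = DataPermission(data_actions=["Microsoft.ServiceBus/*"])  # simplified pattern
# Hypothetical managed-app deny assignment: deny every dataAction, except Service Bus ones.
MANAGED_APP_DENY = DataPermission(data_actions=["*"], not_data_actions=["Microsoft.ServiceBus/*"])
FIXED_DENY = with_allowed_data_actions(
    MANAGED_APP_DENY, ["Microsoft.CognitiveServices/accounts/AIServices/agents/*"])

if __name__ == "__main__":
    for label, deny in (("before", MANAGED_APP_DENY), ("after", FIXED_DENY)):
        print(label, "agents/write:", effective_access(AGENTS_WRITE, [AZURE_AI_USER], [deny]))
        print(label, "messages/send:", effective_access(SB_SEND, [SB_SENDER], [deny]))
```

The narrower `agents/*` exception leaves every other Cognitive Services dataAction denied, which is the least-privilege reason to prefer it over `Microsoft.CognitiveServices/*`.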
