Error (code ManagedIdentityIsNotEnabled) after deploy a web app from AI Studio

Question

Error (code ManagedIdentityIsNotEnabled) after deploy a web app from AI Studio

Evgenii Kazmiruk 5

Originally the question is asked here https://github.com/microsoft/sample-app-aoai-chatGPT/issues/1024

I'm experiencing a repeatable issue when deploying a web app using the button in AI Studio. Since yesterday, every time I deploy the web app and send any text, I receive the same error message:

Error code: 400 - {'error': {'requestid': '010babac-56b0-4756-9807-7f3703fc88bb', 'code': 400, 'message': 'Failed to get managed identity token. Response: {"error":{"code":"ManagedIdentityIsNotEnabled","message":"Managed Identity (MI) is not set for this account while the encryption key source is \'Microsoft.KeyVault\', customer managed storage or Network Security Perimeter is used."}}'}}

I've tested in several tenants. Deployed resources both with Bicep scripts and manually. The issue reproduces every time.

To Reproduce Steps to reproduce the behavior:

Go to Chat section in the AI Project (assume that gpt-4 model was deployed in advance).
Click on 'Add your data'.
Add an index.
Click on Deploy to a web app.
Complete the form (either Create a new web app or Update an existing web app) and enable chat history.
Click Deploy.
Wait till the web app will be deployed (or updated).
Open the created (updated) web app.
Send "hi".
See error

Expected behavior The web app should reply something like "Hi" without any errors.

Screenshots

Configuration: Please provide the following

Azure OpenAI model name and version: `gpt-4, version 0613'
Is chat history enabled: 'yes' (but with disable chat history the error reproduced as well)
Are you using data? If so, what data source? The index was created in Azure AI Search using Azure Blob Storage as data source
Verify the startup command and runtime configuration by showing the output of the following az CLI command:

az webapp show --name <app name> --resource-group <resource group name> --query "{startupCommand: siteConfig.appCommandLine, runtime: siteConfig.linuxFxVersion}"

Output:

{
  "runtime": "PYTHON|3.11",
  "startupCommand": "python3 -m gunicorn app:app"
}

Logs

If the application deployment is failing, please share the deployment logs using the following az CLI command:

az webapp log deployment show --name <app name> --resource-group <rg name>

N/A

If the application is crashing after deployment, please share the application logs using the following az CLI command:

az webapp log tail --name <app name> --resource-group <resource group name>

Output:

2024-07-26T06:19:11  Welcome, you are now connected to log-streaming service. Starting Log Tail -n 10 of existing logs ---- /appsvctmp/volatile/logs/runtime/container.log 2024-07-26T06:04:40.4897229Z            ^^^^^^^^^^^^^^^^^ 2024-07-26T06:04:40.4897262Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1536, in post 2024-07-26T06:04:40.4897293Z     return await self.request(cast_to, opts, stream=stream, stream_cls=stream_cls) 2024-07-26T06:04:40.4897348Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 2024-07-26T06:04:40.4897380Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1315, in request 2024-07-26T06:04:40.4897407Z     return await self._request( 2024-07-26T06:04:40.4897434Z            ^^^^^^^^^^^^^^^^^^^^ 2024-07-26T06:04:40.4897468Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1392, in _request 2024-07-26T06:04:40.4897781Z     raise self._make_status_error_from_response(err.response) from None 2024-07-26T06:04:40.4897863Z openai.BadRequestError: Error code: 400 - {'error': {'requestid': '010babac-56b0-4756-9807-7f3703fc88bb', 'code': 400, 'message': 'Failed to get managed identity token. Response: {"error":{"code":"ManagedIdentityIsNotEnabled","message":"Managed Identity (MI) is not set for this account while the encryption key source is \'Microsoft.KeyVault\', customer managed storage or Network Security Perimeter is used."}}'}} Ending Log Tail of existing logs --- Starting Live Log Stream --- 2024-07-26T06:19:27.7903526Z ERROR:root:Exception in send_chat_request 2024-07-26T06:19:27.7924534Z Traceback (most recent call last): 2024-07-26T06:19:27.7924630Z   File "/tmp/8dcad37dd7c728a/app.py", line 318, in send_chat_request 2024-07-26T06:19:27.7924663Z     raw_response = await azure_openai_client.chat.completions.with_raw_response.create(**model_args)    2024-07-26T06:19:27.7924696Z                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^    2024-07-26T06:19:27.7924726Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_response.py", line 262, in wrapped 2024-07-26T06:19:27.7924754Z     return cast(APIResponse[R], await func(*args, **kwargs)) 2024-07-26T06:19:27.7924782Z                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^ 2024-07-26T06:19:27.7924850Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/resources/chat/completions.py", line 1295, in create 2024-07-26T06:19:27.7924881Z     return await self._post( 2024-07-26T06:19:27.7924908Z            ^^^^^^^^^^^^^^^^^ 2024-07-26T06:19:27.7924937Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1536, in post 2024-07-26T06:19:27.7924968Z     return await self.request(cast_to, opts, stream=stream, stream_cls=stream_cls) 2024-07-26T06:19:27.7924996Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 2024-07-26T06:19:27.7925026Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1315, in request 2024-07-26T06:19:27.7925052Z     return await self._request( 2024-07-26T06:19:27.7925092Z            ^^^^^^^^^^^^^^^^^^^^ 2024-07-26T06:19:27.7925123Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1392, in _request 2024-07-26T06:19:27.7925153Z     raise self._make_status_error_from_response(err.response) from None 2024-07-26T06:19:27.7925206Z openai.BadRequestError: Error code: 400 - {'error': {'requestid': '61184aca-fc0b-4f56-99c0-ab7dd94d3a54', 'code': 400, 'message': 'Failed to get managed identity token. Response: {"error":{"code":"ManagedIdentityIsNotEnabled","message":"Managed Identity (MI) is not set for this account while the encryption key source is \'Microsoft.KeyVault\', customer managed storage or Network Security Perimeter is used."}}'}} 2024-07-26T06:19:27.7925779Z ERROR:root:Error code: 400 - {'error': {'requestid': '61184aca-fc0b-4f56-99c0-ab7dd94d3a54', 'code': 400, 'message': 'Failed to get managed identity token. Response: {"error":{"code":"ManagedIdentityIsNotEnabled","message":"Managed Identity (MI) is not set for this account while the encryption key source is \'Microsoft.KeyVault\', customer managed storage or Network Security Perimeter is used."}}'}} 2024-07-26T06:19:27.7925832Z Traceback (most recent call last): 2024-07-26T06:19:27.7925863Z   File "/tmp/8dcad37dd7c728a/app.py", line 358, in conversation_internal 2024-07-26T06:19:27.7925892Z     result = await stream_chat_request(request_body, request_headers) 2024-07-26T06:19:27.7925922Z              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 2024-07-26T06:19:27.7925950Z   File "/tmp/8dcad37dd7c728a/app.py", line 345, in stream_chat_request 2024-07-26T06:19:27.7925978Z     response, apim_request_id = await send_chat_request(request_body, request_headers) 2024-07-26T06:19:27.7926007Z                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 2024-07-26T06:19:27.7926033Z   File "/tmp/8dcad37dd7c728a/app.py", line 323, in send_chat_request 2024-07-26T06:19:27.7926075Z     raise e 2024-07-26T06:19:27.7926105Z   File "/tmp/8dcad37dd7c728a/app.py", line 318, in send_chat_request 2024-07-26T06:19:27.7926136Z     raw_response = await azure_openai_client.chat.completions.with_raw_response.create(**model_args)    2024-07-26T06:19:27.7926167Z                    ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^    2024-07-26T06:19:27.7926199Z   File "/tmp/8dcad37dd7c728a/antenv/lib/pyth on3.11/site-packages/openai/_response.py", line 262, in wrapped 2024-07-26T06:19:27.7926232Z     return cast(APIResponse[R], await func(*args, **kwargs)) 2024-07-26T06:19:27.7926264Z                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^ 2024-07-26T06:19:27.7926315Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/resources/chat/completions.py", line 1295, in create 2024-07-26T06:19:27.7926344Z     return await self._post( 2024-07-26T06:19:27.7926371Z            ^^^^^^^^^^^^^^^^^ 2024-07-26T06:19:27.7926402Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1536, in post 2024-07-26T06:19:27.7926433Z     return await self.request(cast_to, opts, stream=stream, stream_cls=stream_cls) 2024-07-26T06:19:27.7926464Z            ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ 2024-07-26T06:19:27.7926499Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1315, in request 2024-07-26T06:19:27.7926530Z     return await self._request( 2024-07-26T06:19:27.7926574Z            ^^^^^^^^^^^^^^^^^^^^ 2024-07-26T06:19:27.7926611Z   File "/tmp/8dcad37dd7c728a/antenv/lib/python3.11/site-packages/openai/_base_client.py", line 1392, in _request 2024-07-26T06:19:27.7926643Z     raise self._make_status_error_from_response(err.response) from None 2024-07-26T06:19:27.7926692Z openai.BadRequestError: Error code: 400 - {'error': {'requestid': '61184aca-fc0b-4f56-99c0-ab7dd94d3a54', 'code': 400, 'message': 'Failed to get managed identity token. Response: {"error":{"code":"ManagedIdentityIsNotEnabled","message":"Managed Identity (MI) is not set for this account while the encryption key source is \'Microsoft.KeyVault\', customer managed storage or Network Security Perimeter is used."}}'}}

navba-MSFT 27,550 Reputation points Microsoft Employee Moderator

2024-08-05T05:33:22.2233333+00:00
@Evgenii Kazmiruk Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

.

Could you please check and confirm if you have CMK (Customer Managed Key) encryption with KeyVault for your Azure OpenAI resource?

Action Plan:
Also ensure that you have enabled the System Managed Identity for your Azure OpenAI and your Azure Webapp as shown below:

Then navigate to your Azure key Vault resource --> Access Control IAM -->Add Role assignment and grant the Contributor RBAC permissions for this system managed identity.

.

Also the managed identity for the services secured by a customer-managed key must have the following permissions in key vault:

wrap key

unwrap key

get

.

.

More information:
Customer-managed keys are stored in Key Vault. The key vault needs to be provisioned with access policies that grant key permissions to the managed identity that's associated with the Azure AI services resource. The managed identity is available only after the resource is created by using the pricing tier that's required for customer-managed keys.

Enabling customer-managed keys also enables a system-assigned managed identity, a feature of Microsoft Entra ID. After the system-assigned managed identity is enabled, this resource is registered with Microsoft Entra ID. After being registered, the managed identity is given access to the key vault that's selected during customer-managed key setup.

.

.

Awaiting your reply.
navba-MSFT 27,550 Reputation points Microsoft Employee Moderator

2024-08-07T04:09:16.6833333+00:00

@Evgenii Kazmiruk Just following up to check if my suggestion helped. Please let me know if you have any further queries. I would be happy to help.
Anonymous

2024-08-15T17:42:49.14+00:00
Hello I'm having a similar issue but not quite the same.
https://learn.microsoft.com/en-us/answers/questions/1864308/failed-to-get-managed-identity-token-managedidenti

There are two things happening here and correct me if I'm wrong:

Its failed to get the managed identity token

And it thinks its customer managed but it isn't.

I am not using Customer-Managed Keys

System Managed Identity turned on for blob storage

I have no custom code, settings, or permissions. Currently my instance runs fine in the chat playground. I set everything up like I have in the past which is and still is working fine.

I'm just trying to figure out what has changed.

3 answers

Your answer

navba-MSFT 27,550 Reputation points Microsoft Employee Moderator

2024-08-05T05:33:22.2233333+00:00

@Evgenii Kazmiruk Welcome to Microsoft Q&A Forum, Thank you for posting your query here!

.

Could you please check and confirm if you have CMK (Customer Managed Key) encryption with KeyVault for your Azure OpenAI resource?

Action Plan:
Also ensure that you have enabled the System Managed Identity for your Azure OpenAI and your Azure Webapp as shown below:

Then navigate to your Azure key Vault resource --> Access Control IAM -->Add Role assignment and grant the Contributor RBAC permissions for this system managed identity.

.

Also the managed identity for the services secured by a customer-managed key must have the following permissions in key vault:

wrap key

unwrap key

get

.

.

More information:
Customer-managed keys are stored in Key Vault. The key vault needs to be provisioned with access policies that grant key permissions to the managed identity that's associated with the Azure AI services resource. The managed identity is available only after the resource is created by using the pricing tier that's required for customer-managed keys.

Enabling customer-managed keys also enables a system-assigned managed identity, a feature of Microsoft Entra ID. After the system-assigned managed identity is enabled, this resource is registered with Microsoft Entra ID. After being registered, the managed identity is given access to the key vault that's selected during customer-managed key setup.

.

.

Awaiting your reply.
navba-MSFT 27,550 Reputation points Microsoft Employee Moderator

2024-08-07T04:09:16.6833333+00:00

@Evgenii Kazmiruk Just following up to check if my suggestion helped. Please let me know if you have any further queries. I would be happy to help.
Anonymous

2024-08-15T17:42:49.14+00:00

Hello I'm having a similar issue but not quite the same.
https://learn.microsoft.com/en-us/answers/questions/1864308/failed-to-get-managed-identity-token-managedidenti

There are two things happening here and correct me if I'm wrong:

Its failed to get the managed identity token

And it thinks its customer managed but it isn't.

I am not using Customer-Managed Keys

System Managed Identity turned on for blob storage

I have no custom code, settings, or permissions. Currently my instance runs fine in the chat playground. I set everything up like I have in the past which is and still is working fine.

I'm just trying to figure out what has changed.

Answer 1

Will 31

I had the same problem @Evgenii Kazmiruk @Teshima, Joe posted above.

I followed the instructions from navba-MSFT and ended up with same error @François Baronnet

I have finally got it to work without removing the conetent from AzureOpenAiEmbeddingName, this key should be set to "text-embedding-ada-002"

Go to azure portal and find your web app
Under Environment Variables, look for these 2 variables: Azure OPENAIEmbeddingEndpoint and AzureOpenAiEmbeddingKey.
Set these 2 values to the endpoint and key associated with your embedding model. This information can be found on the deployments tab of AI studio. Make sure that the AZURE_SEARCH_KEY variable is populated.
Save the updated Environment variables
Open the web app from the azure portal itself (rather than from the studio)

Mhi 5 Reputation points

2024-10-17T13:35:26.3666667+00:00

Does it still work on your side? Newly deployed Webapps are not working again...
Rafal Kaluzny 5 Reputation points

2024-10-28T11:44:54.0866667+00:00

My app had the exact same error after the web app deployment.

This below has been the case for me:

https://github.com/microsoft/sample-app-aoai-chatGPT/issues/1022

So the only thing I updated was AZURE_SEARCH_KEY environment variable to make it work.
Jaro 0 Reputation points

2024-11-05T20:27:30.2733333+00:00

Thank you, @Will! We had also this problem and could fix it with your instructions.
Andrew R. Adams 0 Reputation points

2024-11-07T19:48:09.19+00:00

Thank you Will!

Answer 2

navba-MSFT 27,550 Microsoft Employee Moderator

@Evgenii Kazmiruk @Teshima, Joe The Product Owners have identified the cause of the issue.

.

The fix has been pushed, but the deployment needs to complete before we can validate in production. The updated eta for the web app fix is September 6th.

For the time being, until the fix, follow the below workaround:

.

Workaround:

The below workaround has been provided to update and deploy the webapp manually from the azure portal.

Go to azure portal and find your web app
Under Environment Variables, look for these 2 variables: Azure OPENAIEmbeddingEndpoint and AzureOpenAiEmbeddingKey.
Set these 2 values to the endpoint and key associated with your embedding model. This information can be found on the deployments tab of AI studio. Make sure that the AZURE_SEARCH_KEY variable is populated.
Clear any value for AzureOpenAiEmbeddingName
Save the updated Environment variables
Open the web app from the azure portal itself (rather than from the studio)

.

Hope this helps. If you have any follow-up questions, please let me know. I would be happy to help.

**

Please do not forget to "Accept the answer” and “up-vote” wherever the information provided helps you, this can be beneficial to other community members.

François Baronnet 76 Reputation points

2024-08-19T15:48:55.7866667+00:00

Same situation here. I've followed the instructions and now I have:

Error code: 400 - {'error': {'requestid': 'eab0dd9a-6916-42fb-bd9c-097f1287d9a7', 'code': 400, 'message': "'embeddingEndpoint' is a required parameter for the AzureCognitiveSearch data source type. This parameter is required for queryType vectorSimpleHybrid."}}
Anonymous

2024-08-20T17:03:51.72+00:00

@François Baronnet

This part is very interesting in your error:

This parameter is required for queryType vectorSimpleHybrid.

I pointed out this issue earlier my post is in the link below. It should have been corrected but now seems to be back. I'm not sure if its the same issue or not but check it out.

When I check the payload below in the request I noticed this: Its passing index_name: null and query_type: "vectorSimpleHybrid" which is inline with the errors i'm seeing above. The chatbot is not passing the index_name and the query_type is being passed as camelCase when it is expecting snake_case

https://learn.microsoft.com/en-us/answers/questions/1849860/chat-playground-error-query-type-input-should-be-s
Trent Swords 0 Reputation points

2024-08-26T00:25:07.36+00:00

Can you provide any information on when this fix will be completed? I just tried again and am continuing to get the same error message.
navba-MSFT 27,550 Reputation points Microsoft Employee Moderator

2024-08-26T02:16:13.3733333+00:00

@Trent Swords Unfortunately the eta is pushed out by 1 week. The fix has been pushed, but the deployment needs to complete before we can validate in production.

Please test after September 6th. I have updated the above answer to avoid confusion.
Mhi 5 Reputation points

2024-10-17T09:15:54.4+00:00

Hi @navba-MSFT
I came across this topic as I am still facing this issue on 17. of October. Please comment on that. Is this still not solved or did it come back again the issue? Your suggestions above did not help unfortunately.

Error Message:
Error code: 400 - {'error': {'requestid': ***', 'code': 400, 'message': 'Failed to get managed identity token. Response: {"error":{"code":"ManagedIdentityIsNotEnabled","message":"Managed Identity (MI) is not set for this account while the encryption key source is 'Microsoft.KeyVault', customer managed storage or Network Security Perimeter is used."}}'}}
Anonymous

2024-10-23T18:21:04.3766667+00:00

@navba-MSFT

As around the 17th of October I am getting the same error as I was before, the fix that was pushed out corrected this issue back a couple of months but it seems to have come back.

Error code: 400 - {'error': {'requestid': '***'', 'code': 400, 'message': 'Failed to get managed identity token. Response: {"error":{"code":"ManagedIdentityIsNotEnabled","message":"Managed Identity (MI) is not set for this account while the encryption key source is 'Microsoft.KeyVault', customer managed storage or Network Security Perimeter is used."}}'}}
navba-MSFT 27,550 Reputation points Microsoft Employee Moderator

2024-10-24T05:06:31.74+00:00

@Teshima, Joe Thanks for getting back. Could you please follow the below steps shared by Will and check if that helps ?
Samuel Lawrence 0 Reputation points

2025-01-28T04:11:11.5933333+00:00

@navba-MSFT Hi, it’s January 2025, and I am still encountering this error. I cannot follow the above steps as the UI has changed and I cannot find AZURE_SEARCH_KEY. Could you please update the solution for the new UI Also, will there be a fix for this issue?

Answer 3

Farhad Soltani 0

Hi every one,

Thank you very much. I tried to enter "Manage query keys" from "Keys" in my "AI Service" to Web app "Environment Variables" in "AZURE_SEARCH_KEY" then save. And the web app can works normally.
azure0102

azure0101

Share via

Error (code ManagedIdentityIsNotEnabled) after deploy a web app from AI Studio

3 answers

Your answer