I get this error message when trying to create an agent in . How to resolve this? - Message: Identity(object id: c9e91242-b841-4102-891e-e423a03ea18a) does not have permissions for Microsoft.MachineLearningServices/workspaces/agents/action actions.

Srinivasan, Vignesh 45 Reputation points
2025-02-28T08:20:49.73+00:00

Hey i am trying to create an agent using project_client.agents.create_agent function but I get the following error message . How do i resolve this?

**
Creating agent...**

ERROR:main:An error occurred initializing the agent: (UserError) Identity(object id: c9e91242-b841-4102-891e-e423a03ea18a) does not have permissions for Microsoft.MachineLearningServices/workspaces/agents/action actions. Please refer to https://aka.ms/azureml-auth-troubleshooting to fix the permissions issue.

Code: UserError

Message: Identity(object id: c9e91242-b841-4102-891e-e423a03ea18a) does not have permissions for Microsoft.MachineLearningServices/workspaces/agents/action actions. Please refer to https://aka.ms/azureml-auth-troubleshooting to fix the permissions issue.

Azure Machine Learning
Azure Machine Learning
An Azure machine learning service for building and deploying models.
3,340 questions
0 comments No comments
{count} vote

Accepted answer
  1. JAYA SHANKAR G S 3,960 Reputation points Microsoft External Staff Moderator
    2025-03-03T03:25:06.4166667+00:00

    Hi Srinivasan, Vignesh,

    as Amira Bedhiafi mentioned you need to add role assignment, but the role you need to add is Azure AI Developer, after you assigning the role wait for few minutes and try.

    Check the prerequisites here.

    Please do let me know if any query.

    Thank you

    1 person found this answer helpful.

Accepted answer
  1. Amira Bedhiafi 33,866 Reputation points Volunteer Moderator
    2025-03-02T21:54:54.9933333+00:00

    Can you confirm what is the identity used based on the error message ?

    This could be a service principal, managed identity, or user account.

    The identity needs to have the appropriate role assigned in the Azure Machine Learning workspace. The most common role for managing agents is Contributor or Owner.

    If you need more granular permissions, you can create a custom role with the specific action Microsoft.MachineLearningServices/workspaces/agents/action.

    Steps to Assign a Role:

    • Go to the Azure Portal.
    • Navigate to your Azure Machine Learning workspace.
    • In the left-hand menu, select Access control (IAM).
    • Click Add role assignment.
    • Choose the appropriate role (Contributor or Owner) and assign it to the identity (using the object ID c9e91242-b841-4102-891e-e423a03ea18a)
    1 person found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. BobbyO 5 Reputation points
    2025-03-28T07:16:11.7366667+00:00

    The accepted answer seems inadequate, because it does not address how to know what **object id: c9e91242-b841-4102-891e-e423a03ea18a)** actually is, or rather how to assign permissions to it when it is not a regular user.
    e.g. I've seen this error, and tried a number of az commands to find the object id without success. In my case, at least, it is not the current az login logged-in user; az account show gives lots of data about that user, but no match to the object id GUID in the error. (e.g. az account show | grep 'c9e91242-b841-4102-891e-e423a03ea18a' would return nothing). Problem with that is, without being able to tell what that object id is, what is the command or azure portal way to assign permissions to it ....

    UPDATE

    If you get that error, the azure ai client might not be using the identity you expected it to use.
    azure.identity has a resolution order and it might be picking up your vm Entra id etc.
    You'll want to be secure in your AI calls, so pay attention to what ID the AI calls are using, e.g.

    
    from azure.identity import AzureCliCredential # DefaultAzureCredential
    
    project_client = AIProjectClient.from_connection_string(
            credential=AzureCliCredential()  # if you intend to use the cli user identity
            #  credential=DefaultAzureCredential(),   # Will pick up vm id first if it exists
    		conn_str=project_connection_string
        )
    
    1 person found this answer helpful.
    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.