Hey i am trying to create an agent using project_client.agents.create_agent function but I get the following error message . How do i resolve this?

**
Creating agent...**

ERROR:main:An error occurred initializing the agent: (UserError) Identity(object id: c9e91242-b841-4102-891e-e423a03ea18a) does not have permissions for Microsoft.MachineLearningServices/workspaces/agents/action actions. Please refer to https://aka.ms/azureml-auth-troubleshooting to fix the permissions issue.

Code: UserError

Message: Identity(object id: c9e91242-b841-4102-891e-e423a03ea18a) does not have permissions for Microsoft.MachineLearningServices/workspaces/agents/action actions. Please refer to https://aka.ms/azureml-auth-troubleshooting to fix the permissions issue.

Hi Srinivasan, Vignesh,

as Amira Bedhiafi mentioned you need to add role assignment, but the role you need to add is Azure AI Developer, after you assigning the role wait for few minutes and try.

Check the prerequisites here.

Please do let me know if any query.

Thank you

Hi Srinivasan, Vignesh,

Did above solution worked for you?

If it is working, please do accept the solution and click on Yes to give feedback.

Let me know if you have any query or facing issue.

Thank you

Can you confirm what is the identity used based on the error message ?

This could be a service principal, managed identity, or user account.

The identity needs to have the appropriate role assigned in the Azure Machine Learning workspace. The most common role for managing agents is Contributor or Owner.

If you need more granular permissions, you can create a custom role with the specific action Microsoft.MachineLearningServices/workspaces/agents/action.

Steps to Assign a Role:

• Go to the Azure Portal.
• Navigate to your Azure Machine Learning workspace.
• In the left-hand menu, select Access control (IAM).
• Click Add role assignment.
• Choose the appropriate role (Contributor or Owner) and assign it to the identity (using the object ID c9e91242-b841-4102-891e-e423a03ea18a)

The accepted answer seems inadequate, because it does not address how to know what **object id: c9e91242-b841-4102-891e-e423a03ea18a)** actually is, or rather how to assign permissions to it when it is not a regular user.
e.g. I've seen this error, and tried a number of az commands to find the object id without success. In my case, at least, it is not the current az login logged-in user; az account show gives lots of data about that user, but no match to the object id GUID in the error. (e.g. az account show | grep 'c9e91242-b841-4102-891e-e423a03ea18a' would return nothing). Problem with that is, without being able to tell what that object id is, what is the command or azure portal way to assign permissions to it ....

UPDATE

If you get that error, the azure ai client might not be using the identity you expected it to use.
azure.identity has a resolution order and it might be picking up your vm Entra id etc.
You'll want to be secure in your AI calls, so pay attention to what ID the AI calls are using, e.g.

from azure.identity import AzureCliCredential # DefaultAzureCredential

project_client = AIProjectClient.from_connection_string(
        credential=AzureCliCredential()  # if you intend to use the cli user identity
        #  credential=DefaultAzureCredential(),   # Will pick up vm id first if it exists
		conn_str=project_connection_string
    )