Document Intelligence Studio Label Data Key based authentication error

Menno Laan 0 Reputation points


i have set up a storage account with a container. i have disabled key access and added my Entra id to the roles with storage data contributor and added the system assigned identity of document intelligence identity with storage reader role to storage account.

I can set up a new project in document intelligence studio, and upload a pdf through the portal of document intelligence studio. I even see this file appear in the storage account, so i assume this part is actually working

However when I go to label data and click Run Layout on my pdf I receive this issue:


Key based authentication is disabled for this resource. apim-request-id: e766eeb2-1793-46b0-9cb4-e9630afe977d


I have set disableLocalAuth to true for my document intelligence instance in azure as well.

What am i missing here?

Azure Storage Accounts
Azure Storage Accounts
Globally unique resources that provide access to data management services and serve as the parent namespace for the services.
2,733 questions
Azure AI Document Intelligence
Azure AI Document Intelligence
An Azure service that turns documents into usable data. Previously known as Azure Form Recognizer.
1,430 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
19,771 questions
{count} votes

1 answer

Sort by: Most helpful
  1. santoshkc 4,925 Reputation points Microsoft Vendor

    Hi @Menno Laan,

    Thank you for reaching out to Microsoft Q&A forum!

    This error message indicates that you have correctly set up the necessary permissions for your Document Intelligence Studio instance to access your storage account. However, the error message you received indicates that key-based authentication is disabled for the resource.
    Ensure that the Azure blob storage account in the same region as your Document Intelligence resource. You also need to create containers to store and organize your blob data within your storage account.

    • If your storage account is behind a firewall, you must enable the following configuration:

    On your storage account page, select Security + networkingNetworking from the left menu. Screenshot of security + networking tab.

    In the main window, select Allow access from selected networks. Screenshot of Selected networks radio button selected.

    On the selected networks page, navigate to the Exceptions category and make certain that the Allow Azure services on the trusted services list to access this storage account checkbox is enabled.

    Screenshot of allow trusted services checkbox, portal view

    Please refer to this documentation: Managed identities for Document Intelligence.

    I hope this helps. Thank you.

    0 comments No comments