Forbidden - Exception occured in search_function_construction.

Julio Aguilar 20 Reputation points Microsoft Employee
2025-04-12T02:10:03.67+00:00

Hello, I am currently working on Azure AI Foundry and working on deploying a prompt flow using an index with Azure AI Search.

Currently I am only using Entra ID for everything through managed identities.

I have been able to run the chat through the prompt flow itself but as soon as I deploy and test it from the Foundry test tab, I get this error.

I have tested the suggestion given by this link when it comes to giving access to endpoints when using Entra: Deploy a flow in prompt flow as a managed online endpoint for real-time inference - Azure Machine Learning | Microsoft Learn

As well as https://learn.microsoft.com/en-us/azure/ai-services/openai/how-to/on-your-data-configuration#role-assignments

And many others around the web. I feel like I have given every possible access to all related resources in the RG. Every time I ask the deployment chat in the test tab I get this response:

 File "/azureml-envs/prompt-flow/runtime/lib/python3.10/site-packages/promptflow_vectordb/tool/common_index_lookup.py", line 53, in _get_search_func\n    with measure_execution_time(LoggingEvents.SearchFunctionConstruction):\n  File "/azureml-envs/prompt-flow/runtime/lib/python3.10/contextlib.py", line 153, in __exit__\n    self.gen.throw(typ, value, traceback)\n  File "/azureml-envs/prompt-flow/runtime/lib/python3.10/site-packages/promptflow_vectordb/tool/utils/profiling.py", line 21, in measure_execution_time\n    raise Exception(error_msg) from e\n', 'innerException': {'type': 'HttpResponseError', 'message': "Operation returned an invalid status 'Forbidden'",


Any help on this would be extremely appreciated.

Azure Machine Learning

Answer accepted by question author

Obinna Ejidike 2,870 Reputation points Volunteer Moderator
2025-04-12T07:20:25.5266667+00:00

Hi Julio Aguilar

Thanks for using the Q&A platform.

This issue seems to be tied to Azure AI Foundry's Prompt Flow integration with Azure AI Search when deployed using Managed Identity (Entra ID). The prompt flow runtime cannot access the Azure AI Search index during initialization.

This is likely a role assignment issue, or network restrictions are blocking the managed identity from calling the search resource.

Usually, you have control plane and data plane kinds of access; check that data plane access is provided as well.

Find https://learn.microsoft.com/en-us/azure/search/search-security-rbac?tabs=roles-portal-admin%2Croles-portal%2Croles-portal-query%2Ctest-portal%2Ccustom-role-portal#built-in-roles-used-in-search

Also, if your Azure Search resource is using a private endpoint or restricted networks, ensure the managed identity has access. If using Private Endpoint, the endpoint calling the search must be in the same VNet or configured with a Private DNS zone integration.

You can mark it 'Accept Answer' and 'Upvote' if this helped you.

Regards,

Obinna
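
Added example, not part of the original answer: one way to run the control plane versus data plane check described above against exported role assignments. It assumes the JSON shape printed by `az role assignment list --all -o json`, considers direct assignments only (not group membership), and uses constructed subscription, resource and principal IDs.

```python
# Built-in role names; the Search ones are listed in the RBAC doc linked above.
DATA_PLANE_QUERY = {"Search Index Data Reader", "Search Index Data Contributor"}
CONTROL_PLANE = {"Owner", "Contributor", "Reader", "Search Service Contributor"}

# Constructed sample data (all IDs and resource names are placeholders).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
RG = SUB + "/resourceGroups/rg-demo"
SEARCH_ID = RG + "/providers/Microsoft.Search/searchServices/srch-demo"
OTHER_SEARCH = RG + "/providers/Microsoft.Search/searchServices/srch-other"
ENDPOINT_MI = "11111111-1111-1111-1111-111111111111"  # deployed endpoint identity
OTHER_MI = "22222222-2222-2222-2222-222222222222"     # second identity, for comparison
SAMPLE = [
    {"principalId": ENDPOINT_MI, "roleDefinitionName": "Contributor", "scope": RG},
    {"principalId": ENDPOINT_MI, "roleDefinitionName": "Search Service Contributor",
     "scope": SEARCH_ID},
    # Data-plane role, but granted on a different search service.
    {"principalId": ENDPOINT_MI, "roleDefinitionName": "Search Index Data Reader",
     "scope": OTHER_SEARCH},
    {"principalId": OTHER_MI, "roleDefinitionName": "Search Index Data Reader",
     "scope": RG},
]


def scope_covers(scope: str, resource_id: str) -> bool:
    """True if the assignment scope is the resource itself or an ancestor of it."""
    s, r = scope.rstrip("/").lower(), resource_id.rstrip("/").lower()
    return r == s or r.startswith(s + "/")


def diagnose(assignments, principal_id, search_id):
    """Classify the roles a principal holds that apply to the search service."""
    roles = {a["roleDefinitionName"] for a in assignments
             if a["principalId"].lower() == principal_id.lower()
             and scope_covers(a["scope"], search_id)}
    data = sorted(roles & DATA_PLANE_QUERY)
    control = sorted(roles & CONTROL_PLANE)
    if data:
        verdict = "data-plane-granted"   # network rules are a separate check
    elif control:
        verdict = "control-plane-only"   # can manage the service, cannot query index content
    else:
        verdict = "no-roles"
    return {"verdict": verdict, "data_plane": data, "control_plane": control}


if __name__ == "__main__":
    for name, pid in (("endpoint", ENDPOINT_MI), ("other", OTHER_MI)):
        print(name, diagnose(SAMPLE, pid, SEARCH_ID))
```

A `control-plane-only` result for the endpoint's identity matches the situation the answer describes: broad access on the resource group, yet no role that permits querying the index.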
