Azure Machine Learning
An Azure machine learning service for building and deploying models.
3,333 questions
Problem deploying AI Foundry Hub via Bicep to Managed Application Resource Group
Don van Meel | Twyzer
40
Reputation points
We have a Managed application for the Azure Marketplace. We create a serviceconnection to have acces to the managed application resource group with owner rights added via the principal id
on the management access settings of the plan . We can deploy all kind of resources like app services log analytics storage accounts etc. But we cant create an Azure AI Foundry Hub. We get the following error:
{
"status": "Failed",
"error": {
"code": "ServiceError",
"target": "POST http://authorization.vienna-francecentral.svc/authorization/v1.0/checkaccess/subscriptions/12345/resourceGroups/mrg",
"message": "Received 401 from a service request",
"details": [
{
"code": "Unauthorized",
"message": "{\n \"error\": {\n \"code\": \"UserError\",\n \"severity\": null,\n \"message\": \"Tenant move is not supported for workspace. We are unable to serve the request with old tenant id. Please create new workspace\",\n \"messageFormat\": null,\n \"messageParameters\": null,\n \"referenceCode\": null,\n \"detailsUri\": null,\n \"target\": null,\n \"details\": [],\n \"innerError\": {\n \"code\": \"AuthorizationError\",\n \"innerError\": {\n \"code\": \"ActionUnsupportedByTenantMoveError\",\n \"innerError\": null\n }\n },\n \"debugInfo\": null,\n \"additionalInfo\": null\n },\n \"correlation\": {\n \"operation\": \"4fea6d06ac7b9272a547d33f52b2fe04\",\n \"request\": \"ea3bc897a26f2062\"\n },\n \"environment\": \"francecentral\",\n \"location\": \"francecentral\",\n \"time\": \"2025-05-25T16:45:49.8995266+00:00\",\n \"componentName\": \"authorization\",\n \"statusCode\": 401\n}",
"details": []
}
]
}
}
The bicep looks like this:
resource aiHub 'Microsoft.MachineLearningServices/workspaces@2025-01-01-preview' = {
name: name
location: location
tags: tags
kind: 'hub'
identity: {
type: 'SystemAssigned'
}
properties: {
applicationInsights: applicationInsightsId
keyVault: keyVaultId
storageAccount: storageAccountId
}
}
Ive tried allkind of settings but still getting this error.
Azure Machine Learning
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 88%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESA%3C/text%3E%3C/svg%3E)
Saideep Anchuri 9,425 Reputation points Microsoft External Staff Moderator2025-05-26T07:09:36.0766667+00:00 The error you are encountering when trying to create an Azure AI Foundry Hub indicates that there is an issue with tenant movement. The specific message states, "Tenant move is not supported for workspace. We are unable to serve the request with old tenant id. Please create new workspace." This suggests that the workspace you are trying to use is associated with an old tenant ID, which is not compatible with the current operation.
you may need to create a new Azure AI Foundry workspace that is associated with the correct tenant. Additionally, ensure that your service connection has the necessary permissions and that you are using the correct principal ID with owner rights. The error
authorization.vienna-francecentral.svc, which suggests an issue with authorization checks. Try running a manual Azure CLI command to validate access:az role assignment list --assignee <service-principal-id> --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>Kindly refer below link: Role bac roles
Thank You.
-
Don van Meel | Twyzer 40 Reputation points
2025-05-26T09:09:11.58+00:00 Hi @Saideep Anchuri , thank you for your answer but we are creating this hub for the first time (new) in a managed resource group. This is the result of your request.
-
Manas Mohanty 5,620 Reputation points Microsoft External Staff Moderator2025-05-26T17:04:47.7466667+00:00 Please correct me if I am wrong.
You are trying to create resources with permission inherited from Resource group and You have owner role on resource group.
Sometimes owner does not suffice to create resources. You might need to use a managed identity with all relevant roles for Azure AI foundry hub.
Could you add
Azure AI Project Manager
or
Azure AI User
or
Azure AI Account Owner
in managed identity and test with below bicep commands and let us know.
resource workspace 'Microsoft.MachineLearningServices/workspaces@2024-10-01' = { name: hubName location: location identity: { type: 'SystemAssigned' } properties: { description: 'AI Foundry Hub' storageAccount: storage.id keyVault: keyVault.id applicationInsights: appInsights.id containerRegistry: acr.id } }az deployment group create --resource-group MayRG --template-file main.bicepYou can also follow the bicep template from here https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.machinelearningservices/aifoundry-basics/main.bicep for sake of simplicity.
Thank you.
-
Saideep Anchuri 9,425 Reputation points Microsoft External Staff Moderator
2025-05-27T06:10:26.1233333+00:00 -
Don van Meel | Twyzer 40 Reputation points
2025-05-27T08:17:47.47+00:00 No, will be later this week.
-
Saideep Anchuri 9,425 Reputation points Microsoft External Staff Moderator
2025-05-27T08:26:39.8233333+00:00 Also make sure dependent resources are created with same tenant id.
Thank You.
-
Saideep Anchuri 9,425 Reputation points Microsoft External Staff Moderator
2025-05-28T00:33:39.84+00:00 We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet.
Thank You.
-
Don van Meel | Twyzer 40 Reputation points
2025-05-29T08:37:21.26+00:00 Hi, i've added the roles as specified but the error still exists.
I've also tried to create a normal workspace and that worked.
After that I created a workspace kind=project with hub-id from the normal workspace and the project hub was created. So the problem only exists with kind=hub.Before the above error accoured (Tenant move error) the error below appeared.
{ "status": "Failed", "error": { "code": "ServiceError", "target": "POST http://authorization.vienna-francecentral.svc/authorization/v1.0/checkaccess/subscriptions/b53exxxx-xxxx-xxxxxxxxx-xxxxxxx180e5/resourceGroups/mrg-ama-vme", "message": "Received 401 from a service request", "details": [ { "code": "Unauthorized", "message": "{\n \"error\": {\n \"code\": \"UserError\",\n \"severity\": null,\n \"message\": \"MiseResultFailure: Microsoft.Identity.ServiceEssentials.Exceptions.MiseModuleException:\\nComponent: AzureAuthorizationModule:1.31.0.0\\nCorrelationId:c59a5e32-b3b3-4c66-afbc-c6a5de0395bd\\nMicrosoft.Identity.ServiceEssentials.Exceptions.MiseModuleException: MISE12042: Module Name:AzureAuthorizationModule, Version:1.31.0.0 failed. \\n ---> Microsoft.Identity.ServiceEssentials.Exceptions.MiseModuleException:\\nComponent: AzureAuthorizationModule:1.31.0.0\\nCorrelationId:c59a5e32-b3b3-4c66-afbc-c6a5de0395bd\\nMicrosoft.Identity.ServiceEssentials.Exceptions.MiseModuleException: MISE12042: Module Name:AzureAuthorizationModule, Version:1.31.0.0 failed. \\n ---> Microsoft.Identity.ServiceEssentials.DataContracts.AzureAuthorization.Errors.AzureAuthorizationHttpException: CheckAccess API call with non successful response. StatusCode: Forbidden Body: (Scrubbed, EUPI) uri: (Scrubbed, OII) Correlation Id: c59a5e32-b3b3-4c66-afbc-c6a5de0395bd and Request Id: bc30d8f1-95b8-4add-9e39-a9ebf46c722c\\n at Microsoft.Identity.ServiceEssentials.DataProviders.AzureAuthorization.AzureAuthorizationDataRequestRefresher.Fetch(MiseContext context, AzureAuthorizationDataRequest request, CancellationToken cancellationToken)\\n at Microsoft.Identity.ServiceEssentials.MiseCacheExtensions.GetRefreshedItemAsync[TData,TRequest](MiseContext context, TRequest request, IDataRequestRefresh`2 fetchRefreshValue, CancellationToken cancellationToken)\\n at Microsoft.Identity.ServiceEssentials.MiseCacheExtensions.GetWithRefreshActionInternalAsync[TData,TRequest](MiseContext context, IMiseCache cache, String cacheKey, TRequest request, IDataRequestRefresh`2 fetchRefreshValue, CancellationToken cancellationToken)\\n at Microsoft.Identity.ServiceEssentials.DataProviders.AzureAuthorization.AzureAuthorizationDataProvider.HandleAsync(IEnumerable`1 dataItems, MiseContext context, CancellationToken cancellationToken)\\n --- End of inner exception stack trace ---\\n at Microsoft.Identity.ServiceEssentials.MiseHost`1.ExecuteModuleAsync(TMiseContext context, IMiseModule`1 module, MiseHostMetrics miseHostMetrics, CancellationToken cancellationToken)\\n --- End of inner exception stack trace ---\\n at Microsoft.Identity.ServiceEssentials.MiseHost`1.ExecuteModuleAsync(TMiseContext context, IMiseModule`1 module, MiseHostMetrics miseHostMetrics, CancellationToken cancellationToken)\\n at Microsoft.Identity.ServiceEssentials.MiseHost`1.ExecuteModulesAsync(TMiseContext context, List`1 modules, MiseHostMetrics miseHostMetrics, CancellationToken cancellationToken)\\n at Microsoft.Identity.ServiceEssentials.MiseHost`1.HandleAsync(TMiseContext context, IReadOnlyCollection`1 modules, CancellationToken cancellationToken); MiseResultFailure Message: MISE12042: Module Name:AzureAuthorizationModule, Version:1.31.0.0 failed. ; MiseResultFailure Inner Exception: Microsoft.Identity.ServiceEssentials.Exceptions.MiseModuleException:\\nComponent: AzureAuthorizationModule:1.31.0.0\\nCorrelationId:c59a5e32-b3b3-4c66-afbc-c6a5de0395bd\\nMicrosoft.Identity.ServiceEssentials.Exceptions.MiseModuleException: MISE12042: Module Name:AzureAuthorizationModule, Version:1.31.0.0 failed. \\n ---> Microsoft.Identity.ServiceEssentials.DataContracts.AzureAuthorization.Errors.AzureAuthorizationHttpException: CheckAccess API call with non successful response. StatusCode: Forbidden Body: (Scrubbed, EUPI) uri: (Scrubbed, OII) Correlation Id: c59a5e32-b3b3-4c66-afbc-c6a5de0395bd and Request Id: bc30d8f1-95b8-4add-9e39-a9ebf46c722c\\n at Microsoft.Identity.ServiceEssentials.DataProviders.AzureAuthorization.AzureAuthorizationDataRequestRefresher.Fetch(MiseContext context, AzureAuthorizationDataRequest request, CancellationToken cancellationToken)\\n at Microsoft.Identity.ServiceEssentials.MiseCacheExtensions.GetRefreshedItemAsync[TData,TRequest](MiseContext context, TRequest request, IDataRequestRefresh`2 fetchRefreshValue, CancellationToken cancellationToken)\\n at Microsoft.Identity.ServiceEssentials.MiseCacheExtensions.GetWithRefreshActionInternalAsync[TData,TRequest](MiseContext context, IMiseCache cache, String cacheKey, TRequest request, IDataRequestRefresh`2 fetchRefreshValue, CancellationToken cancellationToken)\\n at Microsoft.Identity.ServiceEssentials.DataProviders.AzureAuthorization.AzureAuthorizationDataProvider.HandleAsync(IEnumerable`1 dataItems, MiseContext context, CancellationToken cancellationToken)\\n --- End of inner exception stack trace ---\\n at Microsoft.Identity.ServiceEssentials.MiseHost`1.ExecuteModuleAsync(TMiseContext context, IMiseModule`1 module, MiseHostMetrics miseHostMetrics, CancellationToken cancellationToken); MiseResultFailure Inner Exception Message: MISE12042: Module Name:AzureAuthorizationModule, Version:1.31.0.0 failed. ; ModuleCreatedFailureResponsePresent: True\",\n \"messageFormat\": null,\n \"messageParameters\": null,\n \"referenceCode\": null,\n \"detailsUri\": null,\n \"target\": null,\n \"details\": [],\n \"innerError\": {\n \"code\": \"AuthorizationError\",\n \"innerError\": null\n },\n \"debugInfo\": null,\n \"additionalInfo\": null\n },\n \"correlation\": {\n \"operation\": \"957c52c43c4331ee5013ebbfda6b60e5\",\n \"request\": \"2844eb47f191a524\"\n },\n \"environment\": \"francecentral\",\n \"location\": \"francecentral\",\n \"time\": \"2025-05-29T08:01:44.4226473+00:00\",\n \"componentName\": \"authorization\",\n \"statusCode\": 401\n}", "details": [] } ] } } -
Manas Mohanty 5,620 Reputation points Microsoft External Staff Moderator
2025-05-29T08:53:24.25+00:00 Thank you for sharing your observation on using kind: 'hub'
Does that mean you were able to create AI foundry hub resources without using kind:hub.
Did you get a chance to test below Bicep template too.
https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.machinelearningservices/aifoundry-basics/main.bicepLooking forward to hearing from you.
Thank you.
-
Don van Meel | Twyzer 40 Reputation points
2025-05-29T08:56:51.2366667+00:00 Hi,
Does that mean you were able to create AI foundry hub resources without using kind:hub. => No I'm still not able to create a foundry hub.
I'll check the bicep as soon as I can.
-
Don van Meel | Twyzer 40 Reputation points
2025-05-29T09:13:38.89+00:00 Same error after running the bicep as mentioned.
-
Manas Mohanty 5,620 Reputation points Microsoft External Staff Moderator
2025-06-25T19:34:46.7666667+00:00 Product group ticket owner has pointed towards a successful workspace creation with below resource id.
./subscriptions/e87be501-3ed0-4e71-b915-a244da387c2e/resourcegroups/rg-twzn-datagenyus-prd/providers/Microsoft.MachineLearningServices/workspaces/hub-twzn-dgs-ai-frc-prd
Please let us know if the issue was mitigated at your side.
If the issue still persists, requesting to share a document or recording link in private chat.
Looking forward to hearing from you.
Thank you.
-
Don van Meel | Twyzer 40 Reputation points
2025-06-28T07:16:07.73+00:00 ./subscriptions/e87be501-3ed0-4e71-b915-a244da387c2e/resourcegroups/rg-twzn-datagenyus-prd/providers/Microsoft.MachineLearningServices/workspaces/hub-twzn-dgs-ai-frc-prd
This is not the rg of my managed application
Sign in to comment
Sign in to answer