Issue: Azure ML Online Endpoint Authorization Not Restricted by Entra ID Group

Sudhanshu Rewari 20 Reputation points
2026-02-09T14:02:08.6466667+00:00

I am working with Azure Machine Learning where I trained a model using a Job, registered the model, created an online endpoint, and deployed the model successfully.

My requirement is to restrict access to the endpoint so that only users belonging to a specific Microsoft Entra ID group can invoke it. Users outside this group should receive an access denied response.

I created an Entra ID security group and assigned the Azure ML Data Scientist role to that group. Azure AD authentication is enabled on the endpoint. However, users who are not members of the group are still able to access the endpoint and receive predictions.

Expected behavior: Only users in the specified Entra ID group should be able to access the endpoint.

Actual behavior: Users outside the group can still invoke the endpoint successfully.

I need guidance on the correct configuration to enforce group-based authorization for Azure ML online endpoints.

Azure Machine Learning

Answer accepted by question author
  1. Sridhar M 5,335 Reputation points Microsoft External Staff Moderator
    2026-02-09T14:24:48.3766667+00:00

    Hi Sudhanshu Rewari

    When you enable Microsoft Entra ID authentication (auth_mode: aad_token) on an Azure Machine Learning managed online endpoint, Azure ML validates only that the caller presents a valid Entra ID access token. This step is purely authentication. It confirms who the caller is, but it does not evaluate Entra ID group membership at request time.

    Authorization for invoking an Azure ML online endpoint is enforced only through Azure RBAC. Azure ML checks whether the caller’s identity (user, service principal, or managed identity) has an allow permission for the action Microsoft.MachineLearningServices/workspaces/onlineEndpoints/*/actions at the applicable scope (endpoint, workspace, resource group, or subscription). There is no deny-based or group-claim-based evaluation during inference.

    Azure RBAC is additive. If a user has any role assignment that allows endpoint invocation—such as Owner, Contributor, AzureML Data Scientist, or a custom role—at the subscription, resource group, or workspace scope, they can successfully invoke the endpoint. Even if you assign the AzureML Data Scientist role to a specific Entra ID group, users outside that group will still have access if they inherit permissions from any broader scope or another group.

    In most cases, this happens because the user invoking the endpoint already has permissions at a higher scope. Typical examples include being a Contributor or Owner at the subscription or resource group level, being part of another Entra ID group with workspace-level permissions, or having been directly assigned a role earlier. Azure ML does not override or negate those permissions when you add a more restrictive group assignment.

    As of now, Azure ML managed online endpoints do not support enforcing “only members of Entra ID group X can invoke this endpoint.” Group membership is not evaluated during scoring, and Azure ML does not support conditional access, deny rules, or JWT group-claim inspection at the endpoint layer.

    What you can do with pure Azure ML RBAC:

    The strictest control you can achieve natively is to remove all broader RBAC assignments and assign the required role only at the endpoint scope to your Entra ID group. This works only if users do not have permissions inherited from workspace, resource group, or subscription scopes. If any such inheritance exists, group restriction cannot be enforced.

    Recommended architecture for true group-based authorization:

    If you must enforce Entra ID group membership, Microsoft’s recommended approach is to place an authorization layer in front of the Azure ML endpoint. Common patterns include Azure API Management (APIM) validating the Entra ID token and checking group or role claims before forwarding the request, an Azure Function or App Service with App Service Authentication enforcing group access and then calling the endpoint using a managed identity, or custom logic in the scoring container that decodes the JWT and returns HTTP 403 for unauthorized groups.

    Note: Azure ML online endpoints support Entra ID authentication and Azure RBAC–based authorization, but they do not support group-based authorization at inference time. To strictly restrict access to a specific Entra ID group, you must either fully eliminate broader RBAC inheritance or introduce an external authorization layer such as APIM or a proxy service.

    Reference Documentation:

    I hope this is helpful! Do not hesitate to let me know if you have any other questions.

    Thank you!

    1 person found this answer helpful.
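The third pattern from the accepted answer (group check inside the scoring container), as an added example that is not code from the answer or from Azure ML. It assumes the endpoint runs with auth_mode aad_token, so Azure ML has already validated the token's signature and audience before the request reaches the container, and that the caller's bearer token is forwarded to score.py as the Authorization header; both are assumptions to confirm for your deployment, and the group IDs are constructed placeholders.

```python
# Added example: group-based authorization inside an Azure ML scoring script.
# Assumptions (confirm for your deployment): auth_mode is aad_token, so the
# platform validated the token upstream, and the Authorization header is
# forwarded to the container. Group object IDs below are constructed placeholders.
import base64
import json
from typing import Optional, Tuple

# Constructed placeholder object ID of the Entra ID group allowed to invoke.
ALLOWED_GROUP_IDS = {"11111111-1111-1111-1111-111111111111"}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check here:
    that is only acceptable because the platform validated the token upstream."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def authorize(auth_header: Optional[str], allowed=ALLOWED_GROUP_IDS) -> Tuple[int, str]:
    """Map the Authorization header to (HTTP status, reason), failing closed."""
    if not auth_header or not auth_header.lower().startswith("bearer "):
        return 401, "missing bearer token"
    try:
        claims = decode_claims(auth_header.split(" ", 1)[1].strip())
    except ValueError:  # covers bad base64, bad JSON and bad UTF-8
        return 401, "malformed token"
    # Entra ID omits 'groups' unless the app registration emits it, and replaces
    # it with an overage hint (_claim_names) when the user is in too many groups;
    # both mean membership cannot be proven from the token alone, so deny.
    if "groups" not in claims:
        if "groups" in claims.get("_claim_names", {}):
            return 403, "group overage: resolve membership via Microsoft Graph"
        return 403, "token carries no groups claim"
    if allowed.isdisjoint(claims["groups"]):
        return 403, "caller not in an allowed group"
    return 200, "authorized"


def make_unsigned_test_token(claims: dict) -> str:
    # Constructed sample token for local testing only; the signature is a dummy.
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.c2ln"
```

Call authorize() with the incoming Authorization header at the top of run() and return the status and reason as the HTTP response when it is not 200; the deny-on-overage branch is where a Microsoft Graph lookup would go if users can belong to more groups than the token lists.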

1 additional answer

  1. Sudhanshu Rewari 20 Reputation points
    2026-02-12T15:48:44.4266667+00:00

    Hey Sridhar,

    Thanks for the information! Based on your response, I am working on implementing the authorization layer (APIM).
