Foundry Tools
Formerly known as Azure AI Services or Azure Cognitive Services is a unified collection of prebuilt AI capabilities within the Microsoft Foundry platform
Unable to create agents in Azure AI Foundry portal - 403 Forbidden on Microsoft.MachineLearningServices/workspaces/agents/actionSubject: Unable to create agents in Azure AI Foundry portal - 403 Forbidden on Microsoft.MachineLearningServices/workspaces/age
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(188.79999999999998, 89%, 28%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EMD%3C/text%3E%3C/svg%3E)
Max den Hoed
0
Reputation points
Hi
I am unable to create agents via the Azure AI Foundry portal (ai.azure.com)
or via the Foundry Agents API. I receive a 403 Forbidden error.
ERROR MESSAGE:
"Identity(object id: : [OBJECT ID REMOVED]) does not have
permissions for Microsoft.MachineLearningServices/workspaces/agents/action
actions."
ENVIRONMENT:
- Foundry Resource: entra-foundry-eur (Microsoft.CognitiveServices/accounts)
- Foundry Project: entra-foundry-eur-project
- Resource Group: entra-llm-resource
- Location: germanywestcentral
- User: [EMAIL REMOVED]
- Object ID: : [OBJECT ID REMOVED]
INVESTIGATION FINDINGS:
- There is NO Microsoft.MachineLearningServices/workspaces resource in the subscription. The Foundry resource is type Microsoft.CognitiveServices/accounts.
- The Agents API internally routes to a virtual ML workspace path: Microsoft.MachineLearningServices/workspaces/entra-foundry-eur@entra-foundry-eur-project@AML This virtual workspace does not exist as a real ARM resource.
- Creating assistants via the OpenAI-compatible API (entra-foundry-eur.openai.azure.com/openai/assistants) SUCCEEDS, confirming RBAC on Cognitive Services is correct.
- Creating agents via the Foundry API (entra-foundry-eur.services.ai.azure.com/api/projects/.../agents) with api-version=2025-05-15-preview FAILS with 403.
ROLES ASSIGNED TO USER (all confirmed):
- Owner (subscription level)
- Contributor (subscription + resource group)
- Azure AI Developer (hub + project + resource group)
- Azure AI User (resource group)
- AzureML Data Scientist (resource group)
- Cognitive Services OpenAI Contributor (hub + project)
- Cognitive Services Contributor (hub + project)
- Cognitive Services OpenAI User (hub + project)
- Cognitive Services User (hub)
- Storage Blob Data Contributor (storage account)
- Search Index Data Contributor (search service)
- Search Service Contributor (search service)
CORRELATION IDs:
- Trace ID: [TRACE ID REMOVED]
- APIM request ID: [REQUEST ID REMOVED]
- Operation: [OPERATION ID REMOVED]
REQUEST:
Please advise which specific role or configuration is needed to grant
Microsoft.MachineLearningServices/workspaces/agents/action permission
on a CognitiveServices-based Foundry resource with no ML workspace.
Microsoft.MachineLearningServices provider is registered.
Foundry Tools
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 15%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EAV%3C/text%3E%3C/svg%3E)
Anshika Varshney 9,655 Reputation points Microsoft External Staff Moderator2026-03-25T16:18:16.9966667+00:00 Hi Max den Hoed,
Thank you for bringing this to our attention. We are currently checking the details and working on resolving the issue. We’ll update you as soon as we have more information.
Thankyou!
Sign in to comment
Sign in to answer