Azure AI playground: "ERR_BAD_REQUESTPrincipal does not have access to API/Operation"

Question

Hello, I'm trying to get a claude model working on Azure AI playground, but I keep getting the following error: "The principal lacks the required data action Microsoft.CognitiveServices/accounts/AIServices/providers/action to perform POST /anthropic/v1/* operation".

I did check some other posts people have made and added the Azure AI User role and Cognitive Services Contributor roles. After doing so, the error changed to "ERR_BAD_REQUESTPrincipal does not have access to API/Operation.". After trying different roles, no luck.

I would also like to mention that GPT-5.4 works perfect but "gpt-chat-latest" gives a completely different error.

Any help would be appreciated, thanks!

Answer 1

Hello @Tristyn

Thank you for reaching out.

Based on the behavior you described, this appears to be related to RBAC/data-plane permission validation for partner models (Anthropic Claude) within Azure AI Foundry / Azure AI Playground.

The initial error:

“The principal lacks the required data action Microsoft.CognitiveServices/accounts/AIServices/providers/action to perform POST /anthropic/v1/* operation”

typically indicates that the signed-in identity does not yet have the required data-plane permissions needed to invoke inference operations against Anthropic endpoints.

The fact that the error changed afterward to:

“ERR_BAD_REQUESTPrincipal does not have access to API/Operation”

suggests that authentication is now succeeding, but authorization to the Anthropic provider operation is still being blocked.

A few important points to verify:

Ensure the required data-plane role is assigned at the exact Azure AI resource scope (Azure AI Foundry / Cognitive Services resource level), not only at the subscription or resource group level.

The recommended roles are: Azure AI User, Cognitive Services User, Cognitive Services OpenAI User.

Contributor/Owner roles mainly provide management-plane permissions (create/manage resources), They do not automatically grant the dataActions required for inference calls such as: POST /anthropic/v1/*

Verify the role assignment is applied to the correct identity:

• your signed-in user account,

service principal,

or managed identity (depending on how you access the playground/API).

After assigning roles, allow several minutes for RBAC propagation. Then:

sign out/sign back into Azure AI Foundry,

or clear browser cache/session, since stale tokens may continue using old permissions.

Confirm that the Claude model deployment itself is healthy and available in your region/resource. Some Anthropic models are region-restricted, gated, or require marketplace/provider enablement before inference access is allowed.

This is important because GPT models may work successfully while Anthropic calls fail, since Anthropic models use a separate provider backend path (/anthropic/v1/*) with independent entitlement validation.

Regarding the separate “gpt-chat-latest” error: that may be unrelated to RBAC and could instead indicate: preview model limitations, unsupported API version, deployment-type mismatch, regional availability restrictions, or temporary backend issues.

Please also verify: the model is deployed successfully, the deployment status shows “Healthy,” and the deployment type supports chat/inference operations.

Please refer this

Azure AI roles (includes Cognitive Services User & OpenAI User) https://learn.microsoft.com/azure/ai-studio/concepts/rbac-ai-studio

Troubleshoot model availability & permissions in Azure OpenAI https://learn.microsoft.com/azure/ai-services/openai/how-to/role-based-access-control

Manage, collaborate, and organize with hubs (Azure AI Foundry setup) https://learn.microsoft.com/azure/ai-studio/concepts/ai-resources

I Hope this helps. Do let me know if you have any further queries.

---

If this answers your query, please do click Accept Answer and Yes for was this answer helpful.

Thank you!

Answer 2

After messing around with permissions, I eventually got it working.

Answer 3

The error is caused by missing data actions on the principal for Anthropic (Claude) calls in Azure AI Foundry. Assigning only management-plane roles like Azure AI User, Cognitive Services Contributor, or even Azure AI Owner is not sufficient if the principal does not have the required data action Microsoft.CognitiveServices/accounts/AIServices/providers/action on the specific resource.

For Claude models in Azure AI Foundry, the documented prerequisite is that the principal must have Contributor or Owner role on the resource group that contains the Foundry project and model deployment. This ensures both management and required data-plane permissions for invoking the Anthropic endpoint.

To resolve the issue:

1. Identify the resource group used by the Microsoft Foundry project where the Claude deployment resides.
2. In Azure portal, go to that resource group → Access control (IAM).
3. Ensure the calling principal (user or managed identity used by Azure AI playground) has Contributor or Owner assigned at the resource group scope (not just at the project or account scope).
4. Remove overlapping or conflicting custom assignments if they are not needed, then re-test the call from Azure AI playground.

If the principal is a managed identity (for example, from App Service or another Azure resource) that is calling the Anthropic endpoint, the same requirement applies: assign Contributor or Owner on the resource group hosting the Foundry project.

If, after assigning Contributor/Owner on the resource group, the error persists, verify that:

• The Claude deployment is in a supported region (East US2 or Sweden Central).
• The subscription and Foundry project meet the prerequisites for Claude models.

These steps align with the documented requirement that Claude models in Microsoft Foundry need Contributor or Owner on the resource group to deploy and use models.

---

References:

• Deploy and use Claude models in Microsoft Foundry (preview)
• Azure built-in roles for AI + machine learning