LUIS role-based access control
LUIS will be retired on October 1st 2025 and starting April 1st 2023 you will not be able to create new LUIS resources. We recommend migrating your LUIS applications to conversational language understanding to benefit from continued product support and multilingual capabilities.
LUIS supports Azure role-based access control (Azure RBAC), an authorization system for managing individual access to Azure resources. Using Azure RBAC, you assign different team members different levels of permissions for your LUIS authoring resources. See the Azure RBAC documentation for more information.
Enable Azure Active Directory authentication
To use Azure RBAC, you must enable Azure Active Directory authentication. You can create a new resource with a custom subdomain or create a custom subdomain for your existing resource.
Add role assignment to Language Understanding Authoring resource
Azure RBAC can be assigned to a Language Understanding Authoring resource. To grant access to an Azure resource, you add a role assignment.
In the Azure portal, select All services.
Select Cognitive Services, and navigate to your specific Language Understanding Authoring resource.
You can also set up Azure RBAC for whole resource groups, subscriptions, or management groups. Do this by selecting the desired scope level and then navigating to the desired item. For example, selecting Resource groups and then navigating to a specific resource group.
Select Access control (IAM) on the left navigation pane.
Select Add, then select Add role assignment.
On the Role tab on the next screen, select a role you want to add.
On the Members tab, select a user, group, service principal, or managed identity.
On the Review + assign tab, select Review + assign to assign the role.
Within a few minutes, the target will be assigned the selected role at the selected scope. For help with these steps, see Assign Azure roles using the Azure portal.
LUIS role types
Use the following table to determine access needs for your LUIS application.
These custom roles only apply to authoring (Language Understanding Authoring) and not prediction resources (Language Understanding).
- Owner and Contributor roles take priority over the custom LUIS roles.
- Azure Active Directory (Azure AAD) is only used with custom LUIS roles.
- If you are assigned as a Contributor on Azure, your role will be shown as Owner in LUIS portal.
Cognitive Services LUIS reader
A user that should only be validating and reviewing LUIS applications, typically a tester to ensure the application is performing well before deploying the project. They may want to review the application’s assets (utterances, intents, entities) to notify the app developers of any changes that need to be made, but do not have direct access to make them.
- Read Utterances
- Test Application
All GET APIs under:
All the APIs under:
All the Batch Testing Web APIs
Cognitive Services LUIS writer
A user that is responsible for building and modifying LUIS application, as a collaborator in a larger team. The collaborator can modify the LUIS application in any way, train those changes, and validate/test those changes in the portal. However, this user wouldn't have access to deploying this application to the runtime, as they may accidentally reflect their changes in a production environment. They also wouldn't be able to delete the application or alter its prediction resources and endpoint settings (assigning or unassigning prediction resources, making the endpoint public). This restricts this role from altering an application currently being used in a production environment. They may also create new applications under this resource, but with the restrictions mentioned.
- All functionalities under Cognitive Services LUIS Reader.
The ability to add:
- All APIs under LUIS reader
All POST, PUT and DELETE APIs under:
Cognitive Services LUIS owner
- If you are assigned as an Owner and LUIS Owner you will be be shown as LUIS Owner in LUIS portal.
These users are the gatekeepers for LUIS applications in a production environment. They should have full access to any of the underlying functions and thus can view everything in the application and have direct access to edit any changes for both authoring and runtime environments.
- All functionalities under Cognitive Services LUIS Writer
- Deploy a model
- Delete an application
- All APIs available for LUIS
Submit and view feedback for