Permission Issues Despite Being Assigned Owner/Admin Role in Azure AI Studio

[schroedinger73]

Hi everyone,

I'm currently working with Azure AI Studio as part of my job, and I'm accessing deployed models through permissions granted by my supervisor. However, I'm frequently encountering permission-related errors, even when I'm assigned roles like Owner or Administrator on the relevant resources.

These errors often prevent me from performing basic actions like viewing model details, deploying new versions, or accessing logs. We've double-checked the role assignments in the Azure portal, and everything seems correct on paper.

Has anyone experienced similar issues with role-based access control (RBAC) in Azure AI Studio or related services? Are there any hidden permissions or additional configurations (e.g., at the resource group or subscription level) that we might be missing?

Any help or guidance would be greatly appreciated!

Thanks in advance.

[leestott]

Hi @schroedinger73 firstly I presume you mean Azure AI Foundry https://ai.azure.com AI Studio was a previous product which is no longer available.

Tips for Azure AI Foundry RBAC Role Based Access Control Troubleshooting

Built-in Roles ≠ Standard Azure Roles
Foundry uses unique roles:

• Azure AI User
• Azure AI Project Manager
• Azure AI Account Owner

These roles are not equivalent to classic Azure roles like Owner or Contributor
Explore role definitions

Conditional Role Assignment

• Project Manager and Account Owner can only delegate the Azure AI User role
• Assigning broader roles (e.g. Contributor) requires a subscription-level Owner
  RBAC delegation limitations

Role Scope Separation: Hub vs Project

• Roles don't cascade from the AI Hub to Projects
• You must assign RBAC explicitly at:
  • Hub level → for shared settings and connections
  • Project level → for model deployment, agents, data access

Data Actions Are Role-Specific

• Only Azure AI Project Manager and User include Microsoft.CognitiveServices/* data actions for:
  • Viewing models
  • Running agents
  • Reading threads and logs

NOTE: Even Account Owner may lack project-level data permissions
Understand data actions

BYO Resources & Capability Hosts
If you're using custom endpoints (e.g. storage, OpenAI, vector search):

• You must configure Capability Hosts at both:
  • 🔹 Account level
  • 🔹 Project level

Missing this can silently block access to agents, threads, or search.

Recommended Fixes & Checklist
Role Type Use Foundry-native roles, not just Owner/Contributor
Scope Assignment Assign roles at both hub and project levels
Data Access Confirm project roles include data actions
Agent Errors Set up capability hosts for BYO endpoints
Network Blocks Review private endpoint + NSG configs
Logs + SDK Ensure correct endpoints in SDK usage

[amynic]

@schroedinger73 if @leestott answer answers your question please 'Mark as answer'