Problem deploying AI Foundry Hub via Bicep to Managed Application Resource Group

Question

Problem deploying AI Foundry Hub via Bicep to Managed Application Resource Group

Don van Meel | Twyzer 40

We have a Managed application for the Azure Marketplace. We create a serviceconnection to have acces to the managed application resource group with owner rights added via the principal id User's image

on the management access settings of the plan . We can deploy all kind of resources like app services log analytics storage accounts etc. But we cant create an Azure AI Foundry Hub. We get the following error:

{
    "status": "Failed",
    "error": {
        "code": "ServiceError",
        "target": "POST http://authorization.vienna-francecentral.svc/authorization/v1.0/checkaccess/subscriptions/12345/resourceGroups/mrg",
        "message": "Received 401 from a service request",
        "details": [
            {
                "code": "Unauthorized",
                "message": "{\n  \"error\": {\n    \"code\": \"UserError\",\n    \"severity\": null,\n    \"message\": \"Tenant move is not supported for workspace. We are unable to serve the request with old tenant id. Please create new workspace\",\n    \"messageFormat\": null,\n    \"messageParameters\": null,\n    \"referenceCode\": null,\n    \"detailsUri\": null,\n    \"target\": null,\n    \"details\": [],\n    \"innerError\": {\n      \"code\": \"AuthorizationError\",\n      \"innerError\": {\n        \"code\": \"ActionUnsupportedByTenantMoveError\",\n        \"innerError\": null\n      }\n    },\n    \"debugInfo\": null,\n    \"additionalInfo\": null\n  },\n  \"correlation\": {\n    \"operation\": \"4fea6d06ac7b9272a547d33f52b2fe04\",\n    \"request\": \"ea3bc897a26f2062\"\n  },\n  \"environment\": \"francecentral\",\n  \"location\": \"francecentral\",\n  \"time\": \"2025-05-25T16:45:49.8995266+00:00\",\n  \"componentName\": \"authorization\",\n  \"statusCode\": 401\n}",
                "details": []
            }
        ]
    }
}

The bicep looks like this:

resource aiHub 'Microsoft.MachineLearningServices/workspaces@2025-01-01-preview' = {
  name: name
  location: location
  tags: tags
  kind: 'hub'
  identity: {
    type: 'SystemAssigned'
  }
  properties: {
    applicationInsights: applicationInsightsId
    keyVault: keyVaultId
    storageAccount: storageAccountId
  }
}

Ive tried allkind of settings but still getting this error.

Saideep Anchuri 9,525 Reputation points Moderator

2025-05-26T07:09:36.0766667+00:00
Hi Don van Meel | Twyzer

The error you are encountering when trying to create an Azure AI Foundry Hub indicates that there is an issue with tenant movement. The specific message states, "Tenant move is not supported for workspace. We are unable to serve the request with old tenant id. Please create new workspace." This suggests that the workspace you are trying to use is associated with an old tenant ID, which is not compatible with the current operation.

you may need to create a new Azure AI Foundry workspace that is associated with the correct tenant. Additionally, ensure that your service connection has the necessary permissions and that you are using the correct principal ID with owner rights. The error authorization.vienna-francecentral.svc, which suggests an issue with authorization checks. Try running a manual Azure CLI command to validate access:

az role assignment list --assignee <service-principal-id> --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>

Kindly refer below link: Role bac roles

Thank You.
Don van Meel | Twyzer 40 Reputation points

2025-05-26T09:09:11.58+00:00

Hi @Saideep Anchuri , thank you for your answer but we are creating this hub for the first time (new) in a managed resource group. This is the result of your request.
Manas Mohanty 11,855 Reputation points Microsoft External Staff Moderator

2025-05-26T17:04:47.7466667+00:00
Hi Don van Meel | Twyzer

Please correct me if I am wrong.

You are trying to create resources with permission inherited from Resource group and You have owner role on resource group.

Sometimes owner does not suffice to create resources. You might need to use a managed identity with all relevant roles for Azure AI foundry hub.

Could you add

Azure AI Project Manager

or

Azure AI User

or

Azure AI Account Owner

in managed identity and test with below bicep commands and let us know.

resource workspace 'Microsoft.MachineLearningServices/workspaces@2024-10-01' = { name: hubName location: location identity: { type: 'SystemAssigned' } properties: { description: 'AI Foundry Hub' storageAccount: storage.id keyVault: keyVault.id applicationInsights: appInsights.id containerRegistry: acr.id } }

az deployment group create --resource-group MayRG --template-file main.bicep

You can also follow the bicep template from here https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.machinelearningservices/aifoundry-basics/main.bicep for sake of simplicity.

Thank you.
Saideep Anchuri 9,525 Reputation points Moderator

2025-05-27T06:10:26.1233333+00:00

Hi Don van Meel | Twyzer

Did you get any chance to check above response.

Thank You.
Don van Meel | Twyzer 40 Reputation points

2025-05-27T08:17:47.47+00:00

No, will be later this week.
Saideep Anchuri 9,525 Reputation points Moderator

2025-05-27T08:26:39.8233333+00:00

Hi Don van Meel | Twyzer

Also make sure dependent resources are created with same tenant id.

Thank You.
Saideep Anchuri 9,525 Reputation points Moderator

2025-05-28T00:33:39.84+00:00

Hi Don van Meel | Twyzer

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet.

Thank You.

Don van Meel | Twyzer 40

Hi, i've added the roles as specified but the error still exists.

I've also tried to create a normal workspace and that worked.
After that I created a workspace kind=project with hub-id from the normal workspace and the project hub was created. So the problem only exists with kind=hub.

Before the above error accoured (Tenant move error) the error below appeared.

{

"status": "Failed",

"error": {

    "code": "ServiceError",

    "target": "POST http://authorization.vienna-francecentral.svc/authorization/v1.0/checkaccess/subscriptions/b53exxxx-xxxx-xxxxxxxxx-xxxxxxx180e5/resourceGroups/mrg-ama-vme",

    "message": "Received 401 from a service request",

    "details": [

        {

            "code": "Unauthorized",

            "message": "{\n  \"error\": {\n    \"code\": \"UserError\",\n    \"severity\": null,\n    \"message\": \"MiseResultFailure: Microsoft.Identity.ServiceEssentials.Exceptions.MiseModuleException:\\nComponent: AzureAuthorizationModule:1.31.0.0\\nCorrelationId:c59a5e32-b3b3-4c66-afbc-c6a5de0395bd\\nMicrosoft.Identity.ServiceEssentials.Exceptions.MiseModuleException: MISE12042: Module Name:AzureAuthorizationModule, Version:1.31.0.0 failed. \\n ---> Microsoft.Identity.ServiceEssentials.Exceptions.MiseModuleException:\\nComponent: AzureAuthorizationModule:1.31.0.0\\nCorrelationId:c59a5e32-b3b3-4c66-afbc-c6a5de0395bd\\nMicrosoft.Identity.ServiceEssentials.Exceptions.MiseModuleException: MISE12042: Module Name:AzureAuthorizationModule, Version:1.31.0.0 failed. \\n ---> Microsoft.Identity.ServiceEssentials.DataContracts.AzureAuthorization.Errors.AzureAuthorizationHttpException: CheckAccess API call with non successful response. StatusCode: Forbidden Body: (Scrubbed, EUPI) uri: (Scrubbed, OII) Correlation Id: c59a5e32-b3b3-4c66-afbc-c6a5de0395bd and Request Id: bc30d8f1-95b8-4add-9e39-a9ebf46c722c\\n   at Microsoft.Identity.ServiceEssentials.DataProviders.AzureAuthorization.AzureAuthorizationDataRequestRefresher.Fetch(MiseContext context, AzureAuthorizationDataRequest request, CancellationToken cancellationToken)\\n   at Microsoft.Identity.ServiceEssentials.MiseCacheExtensions.GetRefreshedItemAsync[TData,TRequest](MiseContext context, TRequest request, IDataRequestRefresh`2 fetchRefreshValue, CancellationToken cancellationToken)\\n   at Microsoft.Identity.ServiceEssentials.MiseCacheExtensions.GetWithRefreshActionInternalAsync[TData,TRequest](MiseContext context, IMiseCache cache, String cacheKey, TRequest request, IDataRequestRefresh`2 fetchRefreshValue, CancellationToken cancellationToken)\\n   at Microsoft.Identity.ServiceEssentials.DataProviders.AzureAuthorization.AzureAuthorizationDataProvider.HandleAsync(IEnumerable`1 dataItems, MiseContext context, CancellationToken cancellationToken)\\n   --- End of inner exception stack trace ---\\n   at Microsoft.Identity.ServiceEssentials.MiseHost`1.ExecuteModuleAsync(TMiseContext context, IMiseModule`1 module, MiseHostMetrics miseHostMetrics, CancellationToken cancellationToken)\\n   --- End of inner exception stack trace ---\\n   at Microsoft.Identity.ServiceEssentials.MiseHost`1.ExecuteModuleAsync(TMiseContext context, IMiseModule`1 module, MiseHostMetrics miseHostMetrics, CancellationToken cancellationToken)\\n   at Microsoft.Identity.ServiceEssentials.MiseHost`1.ExecuteModulesAsync(TMiseContext context, List`1 modules, MiseHostMetrics miseHostMetrics, CancellationToken cancellationToken)\\n   at Microsoft.Identity.ServiceEssentials.MiseHost`1.HandleAsync(TMiseContext context, IReadOnlyCollection`1 modules, CancellationToken cancellationToken); MiseResultFailure Message: MISE12042: Module Name:AzureAuthorizationModule, Version:1.31.0.0 failed. ; MiseResultFailure Inner Exception: Microsoft.Identity.ServiceEssentials.Exceptions.MiseModuleException:\\nComponent: AzureAuthorizationModule:1.31.0.0\\nCorrelationId:c59a5e32-b3b3-4c66-afbc-c6a5de0395bd\\nMicrosoft.Identity.ServiceEssentials.Exceptions.MiseModuleException: MISE12042: Module Name:AzureAuthorizationModule, Version:1.31.0.0 failed. \\n ---> Microsoft.Identity.ServiceEssentials.DataContracts.AzureAuthorization.Errors.AzureAuthorizationHttpException: CheckAccess API call with non successful response. StatusCode: Forbidden Body: (Scrubbed, EUPI) uri: (Scrubbed, OII) Correlation Id: c59a5e32-b3b3-4c66-afbc-c6a5de0395bd and Request Id: bc30d8f1-95b8-4add-9e39-a9ebf46c722c\\n   at Microsoft.Identity.ServiceEssentials.DataProviders.AzureAuthorization.AzureAuthorizationDataRequestRefresher.Fetch(MiseContext context, AzureAuthorizationDataRequest request, CancellationToken cancellationToken)\\n   at Microsoft.Identity.ServiceEssentials.MiseCacheExtensions.GetRefreshedItemAsync[TData,TRequest](MiseContext context, TRequest request, IDataRequestRefresh`2 fetchRefreshValue, CancellationToken cancellationToken)\\n   at Microsoft.Identity.ServiceEssentials.MiseCacheExtensions.GetWithRefreshActionInternalAsync[TData,TRequest](MiseContext context, IMiseCache cache, String cacheKey, TRequest request, IDataRequestRefresh`2 fetchRefreshValue, CancellationToken cancellationToken)\\n   at Microsoft.Identity.ServiceEssentials.DataProviders.AzureAuthorization.AzureAuthorizationDataProvider.HandleAsync(IEnumerable`1 dataItems, MiseContext context, CancellationToken cancellationToken)\\n   --- End of inner exception stack trace ---\\n   at Microsoft.Identity.ServiceEssentials.MiseHost`1.ExecuteModuleAsync(TMiseContext context, IMiseModule`1 module, MiseHostMetrics miseHostMetrics, CancellationToken cancellationToken); MiseResultFailure Inner Exception Message: MISE12042: Module Name:AzureAuthorizationModule, Version:1.31.0.0 failed. ; ModuleCreatedFailureResponsePresent: True\",\n    \"messageFormat\": null,\n    \"messageParameters\": null,\n    \"referenceCode\": null,\n    \"detailsUri\": null,\n    \"target\": null,\n    \"details\": [],\n    \"innerError\": {\n      \"code\": \"AuthorizationError\",\n      \"innerError\": null\n    },\n    \"debugInfo\": null,\n    \"additionalInfo\": null\n  },\n  \"correlation\": {\n    \"operation\": \"957c52c43c4331ee5013ebbfda6b60e5\",\n    \"request\": \"2844eb47f191a524\"\n  },\n  \"environment\": \"francecentral\",\n  \"location\": \"francecentral\",\n  \"time\": \"2025-05-29T08:01:44.4226473+00:00\",\n  \"componentName\": \"authorization\",\n  \"statusCode\": 401\n}",

            "details": []

        }

    ]

}
}

Manas Mohanty 11,855 Reputation points Microsoft External Staff Moderator

2025-05-29T08:53:24.25+00:00

Hi Don van Meel | Twyzer

Thank you for sharing your observation on using kind: 'hub'

Does that mean you were able to create AI foundry hub resources without using kind:hub.

Did you get a chance to test below Bicep template too.

https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.machinelearningservices/aifoundry-basics/main.bicepLooking forward to hearing from you.

Thank you.
Don van Meel | Twyzer 40 Reputation points

2025-05-29T08:56:51.2366667+00:00

Hi,

Does that mean you were able to create AI foundry hub resources without using kind:hub. => No I'm still not able to create a foundry hub.

I'll check the bicep as soon as I can.
Don van Meel | Twyzer 40 Reputation points

2025-05-29T09:13:38.89+00:00

Same error after running the bicep as mentioned.
Manas Mohanty 11,855 Reputation points Microsoft External Staff Moderator

2025-06-25T19:34:46.7666667+00:00

Hi Don van Meel | Twyzer

Product group ticket owner has pointed towards a successful workspace creation with below resource id.

./subscriptions/e87be501-3ed0-4e71-b915-a244da387c2e/resourcegroups/rg-twzn-datagenyus-prd/providers/Microsoft.MachineLearningServices/workspaces/hub-twzn-dgs-ai-frc-prd

Please let us know if the issue was mitigated at your side.

If the issue still persists, requesting to share a document or recording link in private chat.

Looking forward to hearing from you.

Thank you.
Don van Meel | Twyzer 40 Reputation points

2025-06-28T07:16:07.73+00:00

./subscriptions/e87be501-3ed0-4e71-b915-a244da387c2e/resourcegroups/rg-twzn-datagenyus-prd/providers/Microsoft.MachineLearningServices/workspaces/hub-twzn-dgs-ai-frc-prd

This is not the rg of my managed application
Manas Mohanty 11,855 Reputation points Microsoft External Staff Moderator

2025-06-30T11:36:12.43+00:00

Hi Don van Meel | Twyzer

Please share latest error trace containing co-relation and request id once you are available to post.

Thank you.
Manas Mohanty 11,855 Reputation points Microsoft External Staff Moderator

2025-07-02T06:34:07.1433333+00:00

Hi Don van Meel | Twyzer

Thank you for sharing relevant thread on light house not supporting AML deployment.

https://free.blessedness.top/en-us/answers/questions/2276417/deployment-of-resource-type-machinelearning-fails

Seems to be limitation on using Managed application as per my past encounters and above thread. Trying to confirm the same with Management and migration team and shall update you post that.

Thank you.

Your answer

Saideep Anchuri 9,525 Reputation points Moderator

2025-05-26T07:09:36.0766667+00:00

Hi Don van Meel | Twyzer

The error you are encountering when trying to create an Azure AI Foundry Hub indicates that there is an issue with tenant movement. The specific message states, "Tenant move is not supported for workspace. We are unable to serve the request with old tenant id. Please create new workspace." This suggests that the workspace you are trying to use is associated with an old tenant ID, which is not compatible with the current operation.

you may need to create a new Azure AI Foundry workspace that is associated with the correct tenant. Additionally, ensure that your service connection has the necessary permissions and that you are using the correct principal ID with owner rights. The error authorization.vienna-francecentral.svc, which suggests an issue with authorization checks. Try running a manual Azure CLI command to validate access:

az role assignment list --assignee <service-principal-id> --scope /subscriptions/<subscription-id>/resourceGroups/<resource-group-name>

Kindly refer below link: Role bac roles

Thank You.
Don van Meel | Twyzer 40 Reputation points

2025-05-26T09:09:11.58+00:00

Hi @Saideep Anchuri , thank you for your answer but we are creating this hub for the first time (new) in a managed resource group. This is the result of your request.
Manas Mohanty 11,855 Reputation points Microsoft External Staff Moderator

2025-05-26T17:04:47.7466667+00:00

Hi Don van Meel | Twyzer

Please correct me if I am wrong.

You are trying to create resources with permission inherited from Resource group and You have owner role on resource group.

Sometimes owner does not suffice to create resources. You might need to use a managed identity with all relevant roles for Azure AI foundry hub.

Could you add

Azure AI Project Manager

or

Azure AI User

or

Azure AI Account Owner

in managed identity and test with below bicep commands and let us know.

resource workspace 'Microsoft.MachineLearningServices/workspaces@2024-10-01' = { name: hubName location: location identity: { type: 'SystemAssigned' } properties: { description: 'AI Foundry Hub' storageAccount: storage.id keyVault: keyVault.id applicationInsights: appInsights.id containerRegistry: acr.id } }

az deployment group create --resource-group MayRG --template-file main.bicep

You can also follow the bicep template from here https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.machinelearningservices/aifoundry-basics/main.bicep for sake of simplicity.

Thank you.
Saideep Anchuri 9,525 Reputation points Moderator

2025-05-27T06:10:26.1233333+00:00

Hi Don van Meel | Twyzer

Did you get any chance to check above response.

Thank You.
Don van Meel | Twyzer 40 Reputation points

2025-05-27T08:17:47.47+00:00

No, will be later this week.
Saideep Anchuri 9,525 Reputation points Moderator

2025-05-27T08:26:39.8233333+00:00

Hi Don van Meel | Twyzer

Also make sure dependent resources are created with same tenant id.

Thank You.
Saideep Anchuri 9,525 Reputation points Moderator

2025-05-28T00:33:39.84+00:00

Hi Don van Meel | Twyzer

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet.

Thank You.
Manas Mohanty 11,855 Reputation points Microsoft External Staff Moderator

2025-05-29T08:53:24.25+00:00

Hi Don van Meel | Twyzer

Thank you for sharing your observation on using kind: 'hub'

Does that mean you were able to create AI foundry hub resources without using kind:hub.

Did you get a chance to test below Bicep template too.

https://github.com/Azure/azure-quickstart-templates/blob/master/quickstarts/microsoft.machinelearningservices/aifoundry-basics/main.bicepLooking forward to hearing from you.

Thank you.
Don van Meel | Twyzer 40 Reputation points

2025-05-29T08:56:51.2366667+00:00

Hi,

Does that mean you were able to create AI foundry hub resources without using kind:hub. => No I'm still not able to create a foundry hub.

I'll check the bicep as soon as I can.
Don van Meel | Twyzer 40 Reputation points

2025-05-29T09:13:38.89+00:00

Same error after running the bicep as mentioned.
Manas Mohanty 11,855 Reputation points Microsoft External Staff Moderator

2025-06-25T19:34:46.7666667+00:00

Hi Don van Meel | Twyzer

Product group ticket owner has pointed towards a successful workspace creation with below resource id.

./subscriptions/e87be501-3ed0-4e71-b915-a244da387c2e/resourcegroups/rg-twzn-datagenyus-prd/providers/Microsoft.MachineLearningServices/workspaces/hub-twzn-dgs-ai-frc-prd

Please let us know if the issue was mitigated at your side.

If the issue still persists, requesting to share a document or recording link in private chat.

Looking forward to hearing from you.

Thank you.
Don van Meel | Twyzer 40 Reputation points

2025-06-28T07:16:07.73+00:00

./subscriptions/e87be501-3ed0-4e71-b915-a244da387c2e/resourcegroups/rg-twzn-datagenyus-prd/providers/Microsoft.MachineLearningServices/workspaces/hub-twzn-dgs-ai-frc-prd

This is not the rg of my managed application
Manas Mohanty 11,855 Reputation points Microsoft External Staff Moderator

2025-06-30T11:36:12.43+00:00

Hi Don van Meel | Twyzer

Please share latest error trace containing co-relation and request id once you are available to post.

Thank you.
Manas Mohanty 11,855 Reputation points Microsoft External Staff Moderator

2025-07-02T06:34:07.1433333+00:00

Hi Don van Meel | Twyzer

Thank you for sharing relevant thread on light house not supporting AML deployment.

https://free.blessedness.top/en-us/answers/questions/2276417/deployment-of-resource-type-machinelearning-fails

Seems to be limitation on using Managed application as per my past encounters and above thread. Trying to confirm the same with Management and migration team and shall update you post that.

Thank you.

Share via

Problem deploying AI Foundry Hub via Bicep to Managed Application Resource Group

Your answer