Unable to update auth for Azure ML default datastores

Kamini Singh 0 Reputation points Microsoft Employee
2025-10-31T22:19:34.3366667+00:00

During a security scan, the following issue was reported:

Found [2] data stores which use credential-based access for authentication: [Name: workspaceblobstore, Type: AzureBlob, AuthenticationType: AccountKey] [Name: workspaceartifactstore, Type: AzureBlob, AuthenticationType: AccountKey]

These two datastores are created by default when an Azure Machine Learning workspace is deployed. By default, they use account key–based authentication. To address this, I’m trying to update these datastores to use the managed identity assigned to the ML workspace (which already has the Storage Blob Data Contributor role on the associated storage account).

However, I’m facing issues when attempting this change via Bicep.

resource workspaceArtifactstoreUpdate 'Microsoft.MachineLearningServices/workspaces/datastores@2025-06-01' = {
  name: 'workspaceartifactstore'
  parent: <mlworkspace>
  properties: {
    datastoreType: 'AzureBlob'
    credentials: {
      credentialsType: 'None'
    }
    serviceDataAccessAuthIdentity: 'WorkspaceUserAssignedIdentity'
  }
}


and I am seeing errors like this:

{"status":"Failed","error":{"code":"DeploymentFailed","target":"/subscriptions/<subid>/resourceGroups/<rg-name>/providers/Microsoft.Resources/deployments/mlworkspace","message":"At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/arm-deployment-operations for usage details.","details":[{"code":"Immutable","message":"Update to datastore is not allowed. Only credentials of a datastore can be updated.","details":[],"additionalInfo":[{"type":"ComponentName","info":{"value":"managementfrontend"}},{"type":"Correlation","info":{"value":{"operation":"1aad5e986f7bc0b1aad537d6a1330a2b","request":"e06f49d3a1635e12"}}},{"type":"Environment","info":{"value":"uksouth"}},{"type":"Location","info":{"value":"uksouth"}},{"type":"Time","info":{"value":"2025-10-31T22:06:42.5494646+00:00"}}]}]

Question: What is the recommended way to update the default datastores (workspaceblobstore and workspaceartifactstore) to use managed identity authentication instead of account keys especially when managing the workspace via Bicep or ARM templates?

Azure Machine Learning

1 answer

  1. Natheem Yousuf 240 Reputation points
    2025-11-01T03:31:12.32+00:00

    Hi Kamini,

    You cannot change the datastore type or arbitrary top-level properties via ARM/Bicep once the default datastores exist — the service treats the datastore resource as immutable except for the credentials object. Your Bicep attempt failed because it tried to update immutable parts of the datastore.

    Recommended approach:

    Ensure the workspace has the user-assigned managed identity (or system identity) and that identity has Storage Blob Data Contributor on the storage account.

    Update only the datastore credentials to use Managed Identity by calling the Azure ML REST API, Azure CLI, or the Azure ML SDK. Do not try to replace datastoreType or other immutable fields in the same operation.

    Minimal options

    A. Use az rest (PATCH) — run after deployment

    # Identity-based access is expressed as credentialsType "None" plus a
    # serviceDataAccessAuthIdentity enum value (the same shape as the Bicep in
    # the question); the user-assigned identity itself is configured on the
    # workspace, not in the datastore body.
    az rest --method PATCH \
      --uri "https://management.azure.com/subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.MachineLearningServices/workspaces/<ws>/datastores/<datastoreName>?api-version=2025-06-01" \
      --body '{
        "properties": {
          "datastoreType": "AzureBlob",
          "credentials": {
            "credentialsType": "None"
          },
          "serviceDataAccessAuthIdentity": "WorkspaceUserAssignedIdentity"
        }
      }'
    
    

    This PATCH modifies only credential-related properties. Adjust the identity resourceId to your UAI. Check the response and properties.credentials on the returned resource.

    B. Use Azure ML SDK / Python (preferred for repeatable automation)

    from azure.identity import DefaultAzureCredential
    from azure.ai.ml import MLClient
    from azure.ai.ml.entities import AzureBlobDatastore

    subscription_id = "<sub>"
    resource_group = "<rg>"
    workspace_name = "<ws>"

    ml_client = MLClient(DefaultAzureCredential(), subscription_id, resource_group, workspace_name)
    existing = ml_client.datastores.get("workspaceblobstore")

    # Rebuild the datastore with the same name, account and container but no
    # credentials: azure-ai-ml then sends credentialsType "None" (identity-based
    # access). The immutable fields stay identical, so only the credentials change.
    updated = AzureBlobDatastore(
        name=existing.name,
        account_name=existing.account_name,
        container_name=existing.container_name,
        credentials=None,
    )

    # create_or_update takes the datastore object (no separate name argument)
    result = ml_client.datastores.create_or_update(updated)
    print(type(result.credentials).__name__)
    
    

    (Use the exact method names for the azure-ai-ml version you have; the key point: update the credentials object only.)

    C. If you must keep everything as IaC (Bicep) — add a deployment step

    Deploy workspace with Bicep, then run a CLI/REST update as a post-deploy step. In Bicep you can add a Microsoft.Resources/deploymentScripts resource that executes the az rest or az ml command above as part of the deployment pipeline.

    To Verify

    After update, confirm properties.credentials.credentialsType is ManagedIdentity.

    Confirm the workspace identity can access the storage account and that ML operations succeed.

    Summary

    • ARM/Bicep cannot change immutable datastore properties except credentials.

    • Use the Azure ML REST API, CLI, or SDK to PATCH only the credentials (and set the appropriate serviceDataAccessAuthIdentity) to a managed identity.

    • If you need this inside a Bicep deployment, run a post-deploy script (deploymentScript) that invokes the CLI/REST update.
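The scan finding in the question, the credentials-only update in the answer, and the post-update check, worked through as an added example (this is not code from the original post or from Azure ML). It assumes that a datastore GET returns the shape shown in the constructed SAMPLE_LIST below (storage account and container names are made up), that the immutable properties must be echoed back unchanged for the service to treat a PUT as a credentials-only update, and that `az rest --method PUT` against the datastore URI is the createOrUpdate call. The functions are pure, so the detection and body-building logic runs offline; the returned argv is what you would pass to subprocess.run against a real workspace.

```python
"""Flag credential-based Azure ML datastores and build the credentials-only
update that switches them to workspace-identity access.

Added example, not from the original post. Names and IDs in SAMPLE_LIST are
constructed; the URL and api-version are the ones used in the answer.
"""
import json
from typing import Any

ARM_BASE = "https://management.azure.com"
API_VERSION = "2025-06-01"
# credentialsType values that embed a secret in the datastore record
CREDENTIAL_BASED = {"AccountKey", "Sas", "ServicePrincipal", "Certificate"}
# read-only property returned by GET that must not be echoed back in a PUT
READ_ONLY = {"isDefault"}
AUTH_IDENTITIES = {"WorkspaceSystemAssignedIdentity", "WorkspaceUserAssignedIdentity"}


def _blob_store(name: str, container: str, ctype: str, auth: str, default: bool) -> dict[str, Any]:
    """Constructed GET representation of one AzureBlob datastore (no secrets)."""
    return {
        "name": name,
        "properties": {
            "datastoreType": "AzureBlob",
            "accountName": "stexample001",   # constructed
            "containerName": container,      # constructed
            "endpoint": "core.windows.net",
            "protocol": "https",
            "isDefault": default,
            "credentials": {"credentialsType": ctype},
            "serviceDataAccessAuthIdentity": auth,
        },
    }


# Constructed sample of GET .../workspaces/<ws>/datastores for a fresh workspace
SAMPLE_LIST = {
    "value": [
        _blob_store("workspaceblobstore", "azureml-blobstore-00000000", "AccountKey", "None", True),
        _blob_store("workspaceartifactstore", "azureml", "AccountKey", "None", False),
        _blob_store("identitystore", "data", "None", "WorkspaceSystemAssignedIdentity", False),
    ]
}


def find_credential_based(datastores: list[dict[str, Any]]) -> list[tuple[str, str, str]]:
    """(name, datastoreType, credentialsType) for each secret-based datastore;
    this reproduces the scanner finding quoted in the question."""
    findings = []
    for ds in datastores:
        props = ds["properties"]
        ctype = props.get("credentials", {}).get("credentialsType", "None")
        if ctype in CREDENTIAL_BASED:
            findings.append((ds["name"], props["datastoreType"], ctype))
    return findings


def identity_based_body(existing: dict[str, Any],
                        auth_identity: str = "WorkspaceUserAssignedIdentity") -> dict[str, Any]:
    """Full PUT body from a datastore's GET representation.

    Immutable properties (datastoreType, accountName, containerName, endpoint,
    protocol) are copied unchanged so the service sees a credentials-only
    change; leaving them out, as the Bicep in the question did, is what
    produces the "Immutable" error.
    """
    if auth_identity not in AUTH_IDENTITIES:
        raise ValueError(f"unsupported serviceDataAccessAuthIdentity: {auth_identity}")
    props = {k: v for k, v in existing["properties"].items() if k not in READ_ONLY}
    props["credentials"] = {"credentialsType": "None"}
    props["serviceDataAccessAuthIdentity"] = auth_identity
    return {"properties": props}


def datastore_uri(sub: str, rg: str, ws: str, name: str) -> str:
    return (f"{ARM_BASE}/subscriptions/{sub}/resourceGroups/{rg}/providers/"
            f"Microsoft.MachineLearningServices/workspaces/{ws}/datastores/{name}"
            f"?api-version={API_VERSION}")


def az_rest_put(sub: str, rg: str, ws: str, name: str, body: dict[str, Any]) -> list[str]:
    """argv for the az CLI call that applies the body (PUT = createOrUpdate, assumed)."""
    return ["az", "rest", "--method", "PUT", "--uri", datastore_uri(sub, rg, ws, name),
            "--body", json.dumps(body)]


def uses_identity(ds: dict[str, Any]) -> bool:
    """Post-update check: no stored secret and a workspace identity selected."""
    props = ds["properties"]
    return (props["credentials"]["credentialsType"] == "None"
            and props.get("serviceDataAccessAuthIdentity", "None") != "None")


if __name__ == "__main__":
    by_name = {d["name"]: d for d in SAMPLE_LIST["value"]}
    for name, dtype, ctype in find_credential_based(SAMPLE_LIST["value"]):
        print(f"credential-based: {name} ({dtype}, {ctype})")
        body = identity_based_body(by_name[name])
        # against a real workspace: subprocess.run(argv, check=True)
        print(" ".join(az_rest_put("<sub>", "<rg>", "<ws>", name, body)))
```

After the real PUT, re-run `find_credential_based` on a fresh GET of the list: an empty result for the two default stores, together with `uses_identity` returning True for each, is the condition the scanner is checking for. Any datastore that still reports AccountKey or Sas has not been converted.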
