Azure AI Language
An Azure service that provides natural language capabilities including sentiment analysis, entity extraction, and automated question answering.
432 questions
What is the meaning of the following error - Principal does not have access to API/Operation
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(131.20000000000002, 74%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EDG%3C/text%3E%3C/svg%3E)
Dushyant Godse
16
Reputation points
- I registered an Azure Application (my-cog-app") and created a service principal. Within my cognitive service resource (my-cog-svc), I granted access role as "Cognitive Services user" to the registered azure app.
- Within the "my-cog-app" registered app, I added Microsoft Cognitive services "user_impersonation" permission.
- I got the bearer access token by authorizing request using my my-cog-app client id, secret and scope as https://www.cognitiveservices.azure.com/.default
- Using the access token, I called the text analytics service within cognitive service and I get the following response
{
"error": {
"code": "PermissionDenied",
"message": "Principal does not have access to API/Operation."
}
} - I noticed when the azure account I signed in is added to the cognitive services API permissions as "Cognitive Services user", I get the cognitive service to return a valid response. However when I remove the signed-in user from the API permissions, I get the Principal does not have access to API/Operation.
I am confused because I am thinking the the registered app "my-cog-app" that is also added as a "cognitive services user" in the API permissions of the cognitive service is supposed to allow access to the service on behalf of signed-in users. Am I wrong to assume that?
{count} votes
-
Dushyant Godse 16 Reputation points
2021-10-13T21:52:25.68+00:00 Here is the signed in user is removed from the Access control as "Cognitive services user". Only the registered application (my-cogsvc-app) is added
This causes the Principal does not have access to API/Operation
However if I added the "DG" signed-in user with cognitive services user, I get a text analytics service to return a response using the bearer access token
-
romungi-MSFT 48,221 Reputation points Microsoft Employee2021-10-14T14:01:35.487+00:00 @Dushyant Godse I think the authentication method with the app without the user is failing because the application user calling the API to get bearer token is unable to use the role. I am not too familiar about how the authentication with app services work with managed identity.
The documentation mentions to use the certificate or the app service key from the client application but I am not sure how you can call this while requesting a bearer token.
Hoping, other experts from identity and app service following this thread could provide more insights on this. -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(291.2, 3%, 38%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJP%3C/text%3E%3C/svg%3E)
Joji Parayidathil Cherian 0 Reputation points2024-12-04T12:27:01.7766667+00:00 @Dushyant Godse I too facing similar issue . It would be really helpful if can help me the resolution.
Thanks in advance! -
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(284.8, 51%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EML%3C/text%3E%3C/svg%3E)
Max Lacy 340 Reputation points2024-12-04T16:47:52.7166667+00:00 Help me understand why user impersonation was added, given that the service principal already had the necessary permissions through the Cognitive Services User access role? Additionally, could you please clarify what actions are being taken when you mention calling the text analytics service?
Sign in to comment
Sign in to answer