Error in web app deployed from AI Foundry; all queries result in error

Question

Error in web app deployed from AI Foundry; all queries result in error

Barry Briggs 110

Redeploy (working) web app from Azure AI Foundry. Tried with and without chat history enabled.

Get Error code: 400 - {'error': {'requestid': '7a5c4617-80ed-40bd-b2d3-11771466a883', 'code': 400, 'message': 'Failed to get managed identity token. Response: {"error":{"code":"ManagedIdentityIsNotEnabled","message":"Managed Identity (MI) is not set for this account while the encryption key source is 'Microsoft.KeyVault', customer managed storage or Network Security Perimeter is used."}}'}}Tried editing AZURE_OPENAI_KEYs per older posts to no avail.

Prabhavathi Manchala 1,050 Reputation points Microsoft External Staff

2025-04-10T19:41:58.59+00:00
Hi Barry Briggs,

The error you're seeing usually happens when your Azure AI Foundry web app is set to use Azure Key Vault for encryption, but Managed Identity (MI) isn't enabled. Azure needs MI to securely access the Key Vault and retrieve keys or secrets. Without MI, the app can't authenticate, which leads to the error message you're seeing.

To fix this, turn on the system-assigned managed identity for the AI Foundry workspace (or relevant resource) and grant it access to the Key Vault.

Enable Managed Identity on your Azure AI Foundry web app by going to Azure Portal → your AI Foundry Web App → Identity → System Assigned → Set Status to On → Save.

Assign a Key Vault Access Policy by going to Azure Key Vault → Access Configuration → choose RBAC or access policies → add a policy or role granting your web app's managed identity.

Minimum permission: Secret Management → Get.

Redeploy your web app once these settings are saved.
Barry Briggs 110 Reputation points

2025-04-10T19:52:10.81+00:00

Thanks for quick response...
Prabhavathi Manchala 1,050 Reputation points Microsoft External Staff

2025-04-10T20:11:14.63+00:00
Hi Barry Briggs,

Thank you for the details, to better understand the issue, could you kindly help with a few things?

Did the app recently start using Key Vault for encryption, or has it always been configured this way?

Can you confirm whether the app has the necessary permissions to access secrets in Key Vault?

Were there any recent updates to the app or its settings, such as moving to a new subscription or adding new security features?

After verifying the Managed Identity and permissions, did you redeploy the app, and did the issue persist?
Barry Briggs 110 Reputation points

2025-04-10T20:18:49.3566667+00:00

OK, some answers. Until today I wasn't even aware there was an associated KV resource but I went ahead and edited the KV permissions as suggested.

The app was deployed from Foundry back in December and there were no encryption settings explicitly set. Today I changed the AI Search index that the app was pointing to (same AI Search service, different index), other than that no changes. Same subscription, no security changes.

After making the KV changes I redeployed the app.

The issue persists.

Really appreciate your attention!
Barry Briggs 110 Reputation points

2025-04-10T20:21:01.31+00:00

I should point out no entries for the app existed in KV before; I added them today. Only entries for the AI Foundry project.
Prabhavathi Manchala 1,050 Reputation points Microsoft External Staff

2025-04-10T20:44:55.6866667+00:00

Hi Barry Briggs,

Thank you for your response. Based on the details you've provided, it seems you've made updates to the Key Vault permissions. To fully resolve the issue, could you please confirm whether you followed the steps I mentioned in my earlier response?
Barry Briggs 110 Reputation points

2025-04-10T20:50:19.1+00:00

Yes I followed the steps precisely. Can you tell me where "encryption" is enabled for app as you mention in your first response? What exactly is encrypted and (as this is a prototype) is it something that can be turned off?
Prabhavathi Manchala 1,050 Reputation points Microsoft External Staff

2025-04-10T22:19:57.6333333+00:00

Hi Barry Briggs,

In Azure, encryption protects sensitive data like API keys, credentials, secrets, and search index data. This ensures data stays secure, whether stored or transmitted. If you're using Azure Key Vault with customer-managed keys, those keys are used to encrypt and decrypt this data.

Yes, since this is a prototype, you can disable customer-managed encryption if not needed.

Go to Azure AI Search in the Azure Portal → find the Encryption section → if customer-managed keys are used, see the Key Vault details → switch to Microsoft-managed keys, which don’t need access to your Key Vault.

Switching to Microsoft-managed keys will disable Key Vault-based encryption for this service.
Prabhavathi Manchala 1,050 Reputation points Microsoft External Staff

2025-04-11T22:01:38.6366667+00:00

Hi Barry Briggs,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Barry Briggs 110 Reputation points

2025-04-14T15:38:17.7366667+00:00

No resolution yet. Here is what I suspect is going on.

I don't think it has anything to do with encryption or KV. In deploying my application I take all the defaults and do not customize anything, so hard to believe any KV misconfig is causing it.

What I think is happening is this. The search index created in Azure AI Search is created with API Key authentication. Connecting the newly created vector index in Azure AI Foundry's chat playground to GPT-4o works just fine and chats work as expected.

My suspicion is that the default Web App code is somehow configured or hardcoded to look for managed identities (both in the search index and in the Cosmos chat history). This would be a change as -- I'd like to emphasize -- this used to work and all I did was change which index the chat used.

Is this something you can investigate? And/or if you think appropriate I can change the search instance to use managed identities.

1 answer

Your answer

Prabhavathi Manchala 1,050 Reputation points Microsoft External Staff

2025-04-10T19:41:58.59+00:00

Hi Barry Briggs,

The error you're seeing usually happens when your Azure AI Foundry web app is set to use Azure Key Vault for encryption, but Managed Identity (MI) isn't enabled. Azure needs MI to securely access the Key Vault and retrieve keys or secrets. Without MI, the app can't authenticate, which leads to the error message you're seeing.

To fix this, turn on the system-assigned managed identity for the AI Foundry workspace (or relevant resource) and grant it access to the Key Vault.

Enable Managed Identity on your Azure AI Foundry web app by going to Azure Portal → your AI Foundry Web App → Identity → System Assigned → Set Status to On → Save.

Assign a Key Vault Access Policy by going to Azure Key Vault → Access Configuration → choose RBAC or access policies → add a policy or role granting your web app's managed identity.

Minimum permission: Secret Management → Get.

Redeploy your web app once these settings are saved.
Barry Briggs 110 Reputation points

2025-04-10T19:52:10.81+00:00

Thanks for quick response...
Prabhavathi Manchala 1,050 Reputation points Microsoft External Staff

2025-04-10T20:11:14.63+00:00

Hi Barry Briggs,

Thank you for the details, to better understand the issue, could you kindly help with a few things?

Did the app recently start using Key Vault for encryption, or has it always been configured this way?

Can you confirm whether the app has the necessary permissions to access secrets in Key Vault?

Were there any recent updates to the app or its settings, such as moving to a new subscription or adding new security features?

After verifying the Managed Identity and permissions, did you redeploy the app, and did the issue persist?
Barry Briggs 110 Reputation points

2025-04-10T20:18:49.3566667+00:00

OK, some answers. Until today I wasn't even aware there was an associated KV resource but I went ahead and edited the KV permissions as suggested.

The app was deployed from Foundry back in December and there were no encryption settings explicitly set. Today I changed the AI Search index that the app was pointing to (same AI Search service, different index), other than that no changes. Same subscription, no security changes.

After making the KV changes I redeployed the app.

The issue persists.

Really appreciate your attention!
Barry Briggs 110 Reputation points

2025-04-10T20:21:01.31+00:00

I should point out no entries for the app existed in KV before; I added them today. Only entries for the AI Foundry project.
Prabhavathi Manchala 1,050 Reputation points Microsoft External Staff

2025-04-10T20:44:55.6866667+00:00

Hi Barry Briggs,

Thank you for your response. Based on the details you've provided, it seems you've made updates to the Key Vault permissions. To fully resolve the issue, could you please confirm whether you followed the steps I mentioned in my earlier response?
Barry Briggs 110 Reputation points

2025-04-10T20:50:19.1+00:00

Yes I followed the steps precisely. Can you tell me where "encryption" is enabled for app as you mention in your first response? What exactly is encrypted and (as this is a prototype) is it something that can be turned off?
Prabhavathi Manchala 1,050 Reputation points Microsoft External Staff

2025-04-10T22:19:57.6333333+00:00

Hi Barry Briggs,

In Azure, encryption protects sensitive data like API keys, credentials, secrets, and search index data. This ensures data stays secure, whether stored or transmitted. If you're using Azure Key Vault with customer-managed keys, those keys are used to encrypt and decrypt this data.

Yes, since this is a prototype, you can disable customer-managed encryption if not needed.

Go to Azure AI Search in the Azure Portal → find the Encryption section → if customer-managed keys are used, see the Key Vault details → switch to Microsoft-managed keys, which don’t need access to your Key Vault.

Switching to Microsoft-managed keys will disable Key Vault-based encryption for this service.
Prabhavathi Manchala 1,050 Reputation points Microsoft External Staff

2025-04-11T22:01:38.6366667+00:00

Hi Barry Briggs,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. In case if you have any resolution, please do share that same with the community as it can be helpful to others. Otherwise, will respond with more details and we will try to help.
Barry Briggs 110 Reputation points

2025-04-14T15:38:17.7366667+00:00

No resolution yet. Here is what I suspect is going on.

I don't think it has anything to do with encryption or KV. In deploying my application I take all the defaults and do not customize anything, so hard to believe any KV misconfig is causing it.

What I think is happening is this. The search index created in Azure AI Search is created with API Key authentication. Connecting the newly created vector index in Azure AI Foundry's chat playground to GPT-4o works just fine and chats work as expected.

My suspicion is that the default Web App code is somehow configured or hardcoded to look for managed identities (both in the search index and in the Cosmos chat history). This would be a change as -- I'd like to emphasize -- this used to work and all I did was change which index the chat used.

Is this something you can investigate? And/or if you think appropriate I can change the search instance to use managed identities.

Answer 1

Suresh Chikkam 1,330 Microsoft External Staff

Hi Barry Briggs,

Thanks for all the details. Based on what you have shared, the issue is not with encryption or Key Vault, it’s most likely that the AI Foundry Web App is trying to access Azure Cognitive Search using Managed Identity, which hasn’t been enabled or granted the right permissions.

Even if you didn’t set this up manually, the default app is often wired to use Managed Identity for security. So, when you switched to a new index, the app likely tried to use MI for authentication and failed which explains the ManagedIdentityIsNotEnabled error.

You have two ways to fix this:

Option 1: Enable Managed Identity for your Web App and grant it access to the Cognitive Search index.

Here’s how:

In the Azure Portal, go to your Web App → Identity → enable System-assigned identity.

Then go to your Azure Cognitive Search resource → Access Control (IAM) → assign the Search Index Data Reader role to the Web App’s identity.

Docs for reference: Enable Managed Identity, Assign Search roles

Option 2: If you’d rather not use Managed Identity, you can modify the Web App code to authenticate with the Azure Search API key instead. This matches how it works in the Foundry Playground.

var searchClient = new SearchClient(
    new Uri("https://<your-search-service>.search.windows.net"),
    "<index-name>",
    new AzureKeyCredential("<your-api-key>"));

Either approach will work it just depends on whether you want to stick with the default (Managed Identity) or go with API keys for now.

Hope it helps!

Please do not forget to click "Accept the answer” and Yes wherever the information provided helps you, this can be beneficial to other community members.

User's image

If you have any other questions or still running into more issues, let me know in the "comments" and I would be happy to help you.

Suresh Chikkam 1,330 Reputation points Microsoft External Staff

2025-04-17T06:34:08.5733333+00:00

Hi Barry Briggs,

Following up to see if the above answer was helpful. If this answers your query, do click Accept Answer and Yes, if you have any further query do let us know.
Suresh Chikkam 1,330 Reputation points Microsoft External Staff

2025-04-21T10:24:23.7833333+00:00

Hi Barry Briggs,

We haven’t heard from you on the last response and was just checking back to see if you have a resolution yet. If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know
Barry Briggs 110 Reputation points

2025-04-21T17:35:56.38+00:00

I redeployed the app this morning making sure everything is set to Managed Identity. Gave the AI project Contributor access to the AI Search, in addition to the AI Hub. Still getting this error.

EDIT (and a question): so it appears that there are multiple instances of Azure OpenAI used in this app. I created an instance for AI Search to do the vector embeddings; mistakenly I thought that AI Foundry would use the same instance. It appears that AI Foundry creates its own instances of OpenAI and AI Services: true? I've created a visualization of all the services used in this very simple app: wow!

Finally: it would still seem that the autogenerated app created at "Deploy" requires managed identity. Can you confirm?
Suresh Chikkam 1,330 Reputation points Microsoft External Staff

2025-04-22T06:16:06.9133333+00:00

Hi Barry Briggs,

Thanks so much for the update and the great insight you have shared. AI Foundry provisions a range of Azure resources during deployment, including its own instances of Azure OpenAI and Azure AI Search, which can make the architecture more complex than expected especially for a prototype.

To your question: yes, the autogenerated app created through AI Foundry does require Managed Identity to be enabled for runtime operations. While the Playground uses API keys for convenience, the deployed web app defaults to using identity-based authentication for services like Azure AI Search and Cosmos DB. That’s why enabling the system-assigned Managed Identity for the web app and assigning it the correct roles is essential for successful operation.

One clarification I’d like to offer based on your earlier step: assigning Contributor access is helpful, but for Azure Cognitive Search specifically, the web app’s identity should be granted the Search Index Data Reader role. This role gives just the right level of access to perform query operations without over-permissioning the identity.

Once again check everything wired correctly, I recommend double-checking that:

The Web App’s system-assigned identity is enabled and active

It’s assigned the Search Index Data Reader role on your Azure Cognitive Search resource

Any other dependencies like Cosmos DB (if chat history is enabled) also have appropriate role assignments

I can completely understand how this can be a bit opaque given how much is handled automatically.
Barry Briggs 110 Reputation points

2025-04-22T14:40:40.3433333+00:00

Thanks Suresh. These suggestions were very helpful and it's now working (hooray!).

Looking back I think you should report some bugs in the AI Foundry code that creates and deploys the web app:

·         Cosmos DB is not automatically assigned a managed identity

·         Search resource is not automatically assigned Search Index Data Reader role

·         Not all environment variables in web app are set, including (I believe) OpenAI key

·         AI Services resource is not automatically assigned a managed identity

Also one other usability point for the Azure Portal team, please note that the UI for setting system managed identity is in many different places depending on the service: for example, it's under Settings for Cosmos DB, and under Resource Management for Azure AI. This is not obviously a functionality issue but is a real pain having to look around for it in different places in each service.

Again -- thanks for your help!
Suresh Chikkam 1,330 Reputation points Microsoft External Staff

2025-04-22T16:36:11.3+00:00

Hi Barry Briggs,

Glad to hear everything’s working now!

Really appreciate you taking the time to share this feedback. You're absolutely right, those are valid gaps in the current AI Foundry deployment flow, and I’ll make sure to raise them with the product team. Automating identity assignments and environment variable setups would definitely make things smoother, especially when deploying quickly for prototyping.

Thanks again for the thoughtful insights and for sticking with it. If your question has been solved, you can click Accept Answer and Yes, which may help members with similar questions. Thank you very much!
Barry Briggs 110 Reputation points

2025-04-23T21:39:06.62+00:00

Thanks very much. The web app is indeed working now BUT the AI Foundry playground no longer does. Now after I connect to the search index (which appears to work) and ask a question in the chat playground, I get:

401: Access denied due to invalid subscription key or wrong API endpoint. Make sure to provide a valid key for an active subscription and use a correct regional API endpoint for your resource.

EDIT: In AI Foundry I removed the index from "Add your data" and started clean (system prompt: "You are an AI assistant that helps people find information." user prompt: "hello"). Same error. Reloaded ai.azure.com; same error. Changed LLM (from gpt-4o to phi3): Same error.
Suresh Chikkam 1,330 Reputation points Microsoft External Staff

2025-04-24T03:00:33.6533333+00:00

Hi Barry Briggs,

Really glad to hear the web app is working now.

As for the 401 error in the playground that usually points to an issue with the API key or endpoint. As we discussed earlier, the deployed app uses Managed Identity, but the Foundry playground still relies on API keys to connect to services like Azure OpenAI and Cognitive Search.

I'd recommend going into the project settings in Foundry (click the gear icon) and double-checking the OpenAI and Search configurations make sure there's a valid key set and that the endpoint matches the correct region for your resource. You can get both the key and endpoint from the Azure Portal under your OpenAI resource.

Once those values are set correctly, the playground should work as expected.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Barry Briggs 110 Reputation points

2025-04-24T19:59:34.8866667+00:00

Not sure if previous reply lost or is in review but reposting:

I reverified the keys. For reference, the only resource added to the project was an AI Search instance. Others (OpenAI, AI Services) were autogenerated by AI Foundry; didn’t touch. Also have Azure blobs but did not touch storage keys.

Therefore, in an attempt to isolate the problem, I used Management Center to delete the AI Search resource.

Then I reloaded ai.azure.com and immediately got an error message saying it could not find a resource. I navigated to the chat playground, typed “hello” (not changing anything else) and again got the 401 error – so was not the AI Search.

Then I went to “Add my data” and to my surprise the indexes from the deleted AI Search resource still showed (why?). Clicking on one caused the entire UI to hang.

I see a number of bugs and no real solution. In order:

·         The Management Center and the chat UI are out of sync. Deleting a resource is not reflected elsewhere in AI Foundry.

·         Selecting an invalid search index in “Add my data” causes the AI Foundry to hang.

·         The “401” error should report which resource/endpoint/API key it thinks is invalid.

·         The Management Center should also report the connection status of resources.

The only real solution to my issue as far as I can tell is to delete the project and start over from scratch.

Agreed?
Suresh Chikkam 1,330 Reputation points Microsoft External Staff

2025-04-28T01:48:45.7833333+00:00

Hi Barry Briggs,

Thanks a lot for laying everything out so clearly. I completely understand and I agree with you, the Management Center and Playground definitely seem out of sync when a resource is deleted, and the way the Playground hangs on an invalid index isn’t ideal either. The 401 errors not clearly pointing to the resource or key issue also makes troubleshooting harder than it should be.

Given all of this, yes, I think you're absolutely right. Starting fresh with a new project is the best move at this point to avoid getting stuck in these UI issues.

I’ll make sure to pass all your feedback along to the AI Foundry product team. It’s really valuable and will help make the experience better for others too.

And if you run into anything else while setting up the new project, just let me know.

Share via

Error in web app deployed from AI Foundry; all queries result in error

1 answer

Your answer