High severity HTTP 403 intermediate · Fix: 2-5 min

PermissionDenied

azure.core.exceptions.ClientAuthenticationError: PermissionDenied

What this error means
Azure OpenAI returns PermissionDenied when the calling identity lacks the RBAC roles required to access the resource.

Stack trace

traceback
azure.core.exceptions.ClientAuthenticationError: (403) PermissionDenied: The client does not have permission to perform this action.
    at azure.ai.openai._client._client._send_request(...)

QUICK FIX
Assign the 'Cognitive Services OpenAI User' RBAC role to your identity on the Azure OpenAI resource immediately.

Why it happens

Azure OpenAI enforces Role-Based Access Control (RBAC) on resources. If the user or service principal calling the API lacks the necessary RBAC role assignments (like 'Cognitive Services OpenAI User'), the service denies access with a PermissionDenied error.

Detection

Monitor API call failures for 403 PermissionDenied errors and verify the identity used for authentication has the required RBAC roles assigned in the Azure portal or via CLI.

Causes & fixes

1

The Azure AD user or service principal lacks the 'Cognitive Services OpenAI User' RBAC role on the Azure OpenAI resource.

✓ Fix

Assign the 'Cognitive Services OpenAI User' role to the calling identity on the Azure OpenAI resource via Azure Portal, CLI, or ARM templates.

2

The authentication token is obtained for a different tenant or subscription without access to the Azure OpenAI resource.

✓ Fix

Ensure the token is acquired for the correct Azure tenant and subscription where the OpenAI resource exists and that the identity has RBAC permissions there.

3

The API key or token is incorrect or expired and does not authenticate properly.

✓ Fix

Refresh the authentication credentials and confirm the API key or token is valid and scoped for the Azure OpenAI resource.
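
The checks behind causes 2 and 3, as an added example that is not part of the original page or of any Azure SDK: it decodes an Azure AD access token's claims (signature not verified, diagnostics only) and reports a tenant mismatch, a wrong audience, or an expired token. The audience value, the helper names, and the sample token are assumptions constructed for illustration.

```python
import base64
import json
import time

# Assumption: tokens requested with scope https://cognitiveservices.azure.com/.default carry this audience.
EXPECTED_AUDIENCE = "https://cognitiveservices.azure.com"


def decode_claims(token: str) -> dict:
    """Decode the JWT payload for diagnostics only; the signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT: expected three dot-separated segments")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose_token(token: str, expected_tenant: str, now=None) -> list:
    """Return findings that can explain the 403; an empty list means the token looks right."""
    claims = decode_claims(token)
    now = time.time() if now is None else now
    findings = []
    if claims.get("tid") != expected_tenant:
        findings.append(f"tenant mismatch: token tid={claims.get('tid')}")
    if str(claims.get("aud", "")).rstrip("/") != EXPECTED_AUDIENCE:
        findings.append(f"wrong audience: aud={claims.get('aud')}")
    if claims.get("exp", 0) <= now:
        findings.append("token expired")
    return findings


def caller_identity(token: str) -> dict:
    """Identity to look up in the resource's role assignments (oid = object ID)."""
    claims = decode_claims(token)
    return {"object_id": claims.get("oid"), "app_id": claims.get("appid") or claims.get("azp")}


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed JWT so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    sample = make_sample_token({"tid": "11111111-1111-1111-1111-111111111111",  # constructed IDs
                                "oid": "22222222-2222-2222-2222-222222222222",
                                "aud": EXPECTED_AUDIENCE, "exp": 1_700_000_000})
    print(diagnose_token(sample, "33333333-3333-3333-3333-333333333333", now=1_700_000_100))
    print(caller_identity(sample))
```

To inspect a real token, pass `DefaultAzureCredential().get_token("https://cognitiveservices.azure.com/.default").token` to `diagnose_token`; the `object_id` returned by `caller_identity` is the principal that needs the 'Cognitive Services OpenAI User' role.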

Code: broken vs fixed

Broken - triggers the error
python
from azure.ai.openai import OpenAIClient
import os

client = OpenAIClient(os.environ['AZURE_OPENAI_ENDPOINT'], credential=None)  # Missing credential causes PermissionDenied
response = client.get_models()  # This line triggers PermissionDenied error

Fixed - works correctly
python
from azure.identity import DefaultAzureCredential
from azure.ai.openai import OpenAIClient
import os

credential = DefaultAzureCredential()  # Use proper Azure AD credential
client = OpenAIClient(os.environ['AZURE_OPENAI_ENDPOINT'], credential=credential)  # Fixed: added credential
response = client.get_models()
print(response)  # Should succeed if RBAC roles are assigned

Added DefaultAzureCredential to authenticate with Azure AD and ensure the calling identity has RBAC permissions, fixing the PermissionDenied error.

Workaround

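If immediate RBAC role assignment is not possible, use an API key with sufficient permissions from the Azure portal as a temporary credential to authenticate the client. The key is a shared secret for the whole resource rather than a per-identity RBAC grant, so keep it out of source code and return to Azure AD authentication once the role is assigned.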

Prevention

Implement automated RBAC role assignment during deployment pipelines and validate identity permissions before making API calls to avoid PermissionDenied errors.

Python 3.9+ · azure-ai-openai >=1.0.0 · tested on 1.1.0
Verified 2026-04