Custom Vision Publish Error: AuthorizationFailed on Storage Encryption Scopes
Hi everyone,
I'm having a very frustrating issue trying to publish a Custom Vision model, and I keep getting the same AuthorizationFailed error every time.
Here is the exact error message:
"error":{"code":"AuthorizationFailed","message":"The client '*****' with object id '' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/encryptionScopes/read' over scope '/subscription//resourceGroups/iris-UKSouth-prod-data/providers/Microsoft.Storage/storageAccounts/irisprodukspredictions/encryptionScopes/****' or the scope is invalid."
What I'm doing:
- I built a Custom Vision Object Detection Model.
- When I click Publish and choose my prediction resource (PlatformationLogoDetection-Prediction), the publish operation fails instantly with the error above.
What’s confusing:
- I cannot see the storage account mentioned in the error (irisprodukspredictions) anywhere in my subscription.
- I have Developer Support and Contributor access on my subscription.
- My Storage Accounts page shows zero storage accounts.
- It looks like Custom Vision is pointing to a storage account in a completely different subscription (iris-UKSouth-prod-data), which I don’t have permission to view.
- Because of this, the service cannot read encryption scopes and the publish fails.
What I’ve tried:
- Checked region alignment (all UK South).
- Checked IAM access on my resources.
- Recreated the Custom Vision resources.
- Tried multiple publish attempts.
- Tried creating a support request in Azure Portal, but I keep getting sent into troubleshooters and cannot reach the real support ticket wizard.
My question:
Why is Custom Vision trying to read encryption scopes from a storage account I cannot access, and how can I give myself (or the Custom Vision service) the correct RBAC permissions?
Any help would be really appreciated - this is blocking me from deploying my model.
Best regards,
Noah
Note: All PII information redacted from support side.
-
Aryan Parashar 3,695 Reputation points • Microsoft External Staff • Moderator
Hi Platformation AI,
I completely understand the situation you are facing, and I appreciate your patience.
You are absolutely correct: the Custom Vision service is indeed capable of accessing a blob storage account hosted in a different subscription. However, the specific resource you are currently using does not yet have the necessary authorization to access the target storage account.
I realize that navigating permission errors across different subscriptions can be frustrating, but you can resolve this in one of two ways:
- Request Access: You can request the necessary RBAC permissions (specifically "Storage Blob Data Contributor" roles) for the storage account located in the iris-UKSouth-prod-data subscription.
- Or you need to create a new storage account or have a storage account of which you have RBAC permission to store and upload files which you can check while creating the project as shown below: [image]
Let me know if you are still facing issues. Thank you for reaching out to The Microsoft Q&A Portal.
-
Aryan Parashar 3,695 Reputation points • Microsoft External Staff • Moderator
Hi Platformation AI,
Please let me know if you’ve had a chance to try the suggested workaround. I’m here if you need further help.
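A triage helper for the error quoted in the question, added here as an example and not part of the original thread or of any Microsoft tooling: it splits the message into the denied action and the scope, lists the scopes at which an inherited role assignment would cover the request, and checks whether a role definition's actions grant the denied action. The `ROLES` entries are constructed for illustration (they are not real built-in roles, and their shape is simplified), and all function names are this example's own.

```python
import re

# Error text from the question, redactions kept exactly as posted.
ERROR = ("The client '*****' with object id '' does not have authorization to perform "
         "action 'Microsoft.Storage/storageAccounts/encryptionScopes/read' over scope "
         "'/subscription//resourceGroups/iris-UKSouth-prod-data/providers/Microsoft.Storage"
         "/storageAccounts/irisprodukspredictions/encryptionScopes/****' or the scope is invalid.")
SCOPE_RE = re.compile(r"^/subscriptions?/(?P<sub>[^/]*)/resourceGroups/(?P<rg>[^/]+)"
                      r"/providers/(?P<provider>[^/]+)/(?P<rest>.+)$", re.IGNORECASE)

def parse_denial(message):
    """Extract the denied action and the scope components from the error text."""
    m = re.search(r"perform action '([^']+)' over scope '([^']+)'", message)
    if not m:
        raise ValueError("no action/scope pair found")
    action, scope = m.groups()
    s = SCOPE_RE.match(scope)
    if not s:
        raise ValueError("scope is not a resource ID inside a resource group")
    rest = s["rest"].split("/")
    return {"action": action, "subscription": s["sub"] or "<redacted>",
            "resource_group": s["rg"], "provider": s["provider"],
            "resources": list(zip(rest[0::2], rest[1::2]))}  # (type, name) pairs

def assignment_scopes(d):
    """Scopes where an assignment covers the request, narrowest first (RBAC is inherited)."""
    rg = f"/subscriptions/{d['subscription']}/resourceGroups/{d['resource_group']}"
    out, path = [f"/subscriptions/{d['subscription']}", rg], f"{rg}/providers/{d['provider']}"
    for rtype, name in d["resources"]:
        path += f"/{rtype}/{name}"
        out.append(path)
    return out[::-1]

def _matches(pattern, action):
    rx = ".*".join(re.escape(p) for p in pattern.split("*"))  # '*' is the only wildcard
    return re.fullmatch(rx, action, re.IGNORECASE) is not None

def role_allows(role, action):
    """True if an 'actions' entry matches the action and no 'notActions' entry does."""
    return (any(_matches(p, action) for p in role.get("actions", []))
            and not any(_matches(p, action) for p in role.get("notActions", [])))

# Constructed role definitions for illustration only; not real built-in roles.
ROLES = {
    "containers-only": {"actions": ["Microsoft.Storage/storageAccounts/blobServices/containers/*"]},
    "storage-minus-scopes": {"actions": ["Microsoft.Storage/storageAccounts/*"],
                             "notActions": ["Microsoft.Storage/storageAccounts/encryptionScopes/*"]},
    "all-read": {"actions": ["*/read"]},
}
```

To check a real role, load its `actions` and `notActions` lists from your own export of the role definition and pass them to `role_allows` with the action parsed from the error.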
