How to connect to Translator using Managed Identity

Rishikesh S 0 Reputation points Microsoft External Staff

I have a Function App that needs to connect to Azure Translator using Managed Identity. However, since there are no appropriate roles available specifically for Translator, I am receiving a 401 PermissionDenied error even after assigning the Cognitive Services Contributor role.

  1. Karnam Venkata Rajeswari 3,830 Reputation points Microsoft External Staff Moderator

    Hello @Rishikesh S ,

    Following up to see if the response was helpful.

    Thank you



2 answers

  1. Karnam Venkata Rajeswari 3,830 Reputation points Microsoft External Staff Moderator

    Hello @Rishikesh S ,

    Welcome to Microsoft Q&A. Thank you for reaching out to us.

    Based on the details provided, Azure Translator supports authentication using Managed Identity (Microsoft Entra ID), and an Azure Function App can securely access the service without using keys. The observed 401 PermissionDenied response typically indicates a configuration mismatch.

    The issue usually arises due to misalignment in one or more of the following:

    • RBAC role assignment
    • Token scope (audience)
    • Endpoint configuration
    • Network restrictions

    Please check if the following steps help:

    1. Validating RBAC Role Assignment
      1. Confirm that the Function App managed identity is assigned:
        • Cognitive Services User
      2. Please note that
        1. This role enables data-plane (API) access
        2. Cognitive Services Contributor only provides management permissions and is not sufficient for API authorization
    2. Validating token scope
      Ensure the access token is requested with the following scope: https://cognitiveservices.azure.com/.default
      An incorrect scope or audience will result in a 401 PermissionDenied response.
    3. Validating endpoint configuration
      Use one of the supported endpoint patterns:
      • Custom Subdomain Endpoint: https://<resource-name>.cognitiveservices.azure.com/translator/text/v3.0/translate
        Requires only:
        • Authorization: Bearer <token>
      • Alternative (Global Endpoint): https://api.cognitive.microsofttranslator.com
        Requires additional header: Ocp-Apim-ResourceId: <Translator Resource ID>
    4. Validating network configuration
      If the Translator resource has any of the following enabled:
      • Selected Networks
      • Private Endpoint
      • Virtual Network (VNet)
      Then:
      • Public Translator endpoint access is restricted
      • Requests must go through the private/VNet endpoint
      • Token-based (Managed Identity) authentication may not be supported in this mode
      Supported approaches in this configuration:
      • Use key-based authentication through the private endpoint
      • Or adjust network configuration if Managed Identity authentication is required

    Thus, to resolve the issue, ensure the following are correctly configured:

    • Managed Identity is enabled on the Function App
    • Cognitive Services User role is assigned at Translator resource scope
    • Token scope is: https://cognitiveservices.azure.com/.default
    • Correct endpoint is used:
      • Custom endpoint (recommended), or
      • Global endpoint with required headers
    • Network configuration allows access (or corresponding auth method is used)

    Once these are aligned, Managed Identity authentication for Azure Translator should function successfully.

    The following references might be helpful; please check them out.

    Thank you

    Please "Accept" the answer with an "Upvote" by clicking on "Accept Answer" and the thumbs-up button if the response was helpful. This will benefit other community members who face the same issue.

  2. Sina Salam 30,166 Reputation points Volunteer Moderator

    Hello Rishikesh S,

    Welcome to the Microsoft Q&A and thank you for posting your questions here.

    I understand that you're asking how you can connect Azure Translator text translation from an Azure Function using Managed Identity.

    The 401 PermissionDenied error was caused by using the wrong authorization path for Azure Translator. Also, assigning Cognitive Services Contributor is not sufficient for Microsoft Entra ID / Managed Identity calls to Translator, because the supported role for Translator API access is Cognitive Services User. The request must also use the correct Microsoft Entra token audience and the correct Translator endpoint.

    • https://learn.microsoft.com/en-us/azure/ai-services/translator/how-to/microsoft-entra-id-auth
    • https://learn.microsoft.com/en-us/azure/ai-services/translator/text-translation/reference/authentication
    • https://learn.microsoft.com/en-us/dotnet/api/azure.provisioning.cognitiveservices.cognitiveservicesbuiltinrole.cognitiveservicescontributor?view=azure-dotnet

    The best practice is to:

    • Enable a system-assigned or user-assigned managed identity on the Azure Function App.
    • Assign the Function App managed identity the Cognitive Services User role on the Azure Translator resource scope.
    • Request the Microsoft Entra access token using this scope: https://cognitiveservices.azure.com/.default.
    • Call Translator using the custom subdomain endpoint, for example: https://<translator-resource-name>.cognitiveservices.azure.com/translator/text/v3.0/translate?api-version=3.0&to=fr.
    • Do not use Microsoft Entra / Managed Identity authentication if the Translator resource is configured with Selected Networks, Private Endpoints, or VNet endpoint mode; in that network-restricted mode, the supported path is key-based authentication against the Translator virtual network/custom endpoint, or the network restriction must be removed if Managed Identity is required.

    After assigning Cognitive Services User, using the correct token scope, and calling the Translator custom subdomain endpoint, the Function App can authenticate to Azure Translator with Managed Identity successfully. If the resource is in private/network-restricted mode, switch to key-based authentication or redesign the network/authentication approach.

    • https://learn.microsoft.com/en-us/azure/ai-services/translator/how-to/use-firewalls

    Use the below resource links for more reading and steps:

    I hope this is helpful! Do not hesitate to let me know if you have any other questions, steps or clarifications.


    Please don't forget to close up the thread here by upvoting and accepting it as an answer if it is helpful.
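As an added example (not code from either answer above), the Python sketch below puts the steps both answers describe into one place: the token is requested from the Function App's managed identity with the https://cognitiveservices.azure.com/.default scope, its aud claim is inspected locally before the call (an unverified diagnostic decode, which is where a management-plane token from the wrong scope shows up ahead of the 401), and the request is built for either the custom subdomain or the global endpoint with the header each one needs. Assumptions: the azure-identity package is installed, the resource name is a placeholder, and the constructed unsigned sample token exists only for the offline aud check.

```python
import base64
import json
import urllib.request

SCOPE = "https://cognitiveservices.azure.com/.default"  # scope both answers require
EXPECTED_AUD = "https://cognitiveservices.azure.com"     # aud claim = scope without /.default

def acquire_token():
    """Data-plane token from the Function App's managed identity (azure-identity is an assumed dependency)."""
    from azure.identity import ManagedIdentityCredential
    return ManagedIdentityCredential().get_token(SCOPE).token

def token_audience(token):
    """Read the aud claim out of a JWT payload. No signature check: a local diagnostic only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("aud")

def audience_matches(token):
    """True when the token was minted for Cognitive Services; any other aud is rejected with a 401."""
    return token_audience(token) in (EXPECTED_AUD, EXPECTED_AUD + "/")

def build_translate_request(token, resource_name=None, resource_id=None, to="fr"):
    """Return (url, headers) for the custom-subdomain or the global endpoint pattern."""
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    if resource_name:  # custom subdomain: the Authorization header alone is enough
        url = f"https://{resource_name}.cognitiveservices.azure.com/translator/text/v3.0/translate"
    elif resource_id:  # global endpoint: the Translator resource ID must be sent as well
        url = "https://api.cognitive.microsofttranslator.com/translate"
        headers["Ocp-Apim-ResourceId"] = resource_id
    else:
        raise ValueError("give resource_name (custom subdomain) or resource_id (global endpoint)")
    return f"{url}?api-version=3.0&to={to}", headers

def translate(url, headers, text):
    """POST one string to Translator and return the parsed JSON response."""
    req = urllib.request.Request(url, data=json.dumps([{"Text": text}]).encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read())

def constructed_token(aud):
    """Constructed, unsigned sample JWT for offline testing of the aud check; not a real token."""
    seg = lambda claims: base64.urlsafe_b64encode(json.dumps(claims).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg({'aud': aud})}.signature"

if __name__ == "__main__":
    tok = acquire_token()
    assert audience_matches(tok), f"token aud is {token_audience(tok)!r}, expected {EXPECTED_AUD}"
    url, hdrs = build_translate_request(tok, resource_name="<translator-resource-name>")  # placeholder
    print(translate(url, hdrs, "Hello"))
```

If the aud check fails inside the Function App, the fix is the scope passed to get_token, not the role assignment; if it passes and the call still returns 401, look at the role (Cognitive Services User at the Translator resource scope) and the network restrictions described above.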
