Receiving the following error translating documents. "InvalidDocumentAccessLevel"

Matthew 0 Reputation points

Hello,

I am receiving InvalidDocumentAccessLevel errors on my submissions to the Foundry Translator I setup. I have given the Translator both Storage Blob Data Contributor and Storage Blob Data Reader permissions to my containers. I've tried with just contributor and just reader and both. I have no firewalls setup, all public access as well. I can translate text just fine, its just documents that require access to the containers seem to be an issue.

I have tried copying to the root folder without subfolders and I have even tried ensuring the filenames were basic like, test.pdf. All the files I'm submitting are text based readable files, no images.

storage and translator are in EastUS, so no location issues.

I am not submitting SAS with my translator job submissions as I did configure IAM.

I've spent quite a bit of time trying to figure out what I've missed but it all seems to be configured correctly.

Any ideas?

  1. Karnam Venkata Rajeswari 3,835 Reputation points Microsoft External Staff Moderator

    Hello @Matthew ,

    Following up to see if the below answer was helpful. If this answers your query, could you please take a moment to mark it as Accepted with an upvote? This helps others in the community with the same question find the solution more easily.

    Thank you

  2. TMcFarland 0 Reputation points

    I have the same issue as Matthew. Trying to figure out the secret sauce for getting this to work has taken an excessive amount of my time. Documentation and help tips are all over the place and inconsistent. I've tried just about every type of combination of tips and tricks recommended. I'm starting to wonder if Managed Identity does not work with the Document Translator. Due to corporate restrictions, I have to use Managed Identity and I cannot use SAS to access my blob storage files. All the permissions seem to have been granted and everything looks correct, but this same error persists. I can't figure out what is being missed or if there is a bug in the service. Any feedback would be appreciated.

Sign in to comment

2 answers

  1. Karnam Venkata Rajeswari 3,835 Reputation points Microsoft External Staff Moderator

    Hello @Matthew ,

    Welcome to Microsoft Q&A .Thank you for reaching out to us.

     Thank you for sharing the detailed scenario The observed behavior-text translation working while document translation fails with InvalidDocumentAccessLevel indicates that the issue is specific to how document translation interacts with storage, rather than a general service availability, region alignment, or document format problem.

    The document translation differs from text translation in an important way that while text translation processes content directly, document translation requires the service to read from and write to Azure Blob Storage. Because of this dependency, failures can occur even when permissions appear to be correctly configured.

    The error InvalidDocumentAccessLevel not be interpreted as a permissions issue alone. In addition to identity and access configuration, this error may also occur due to:

    • Request structure inconsistencies
    • Incorrect or mismatched storage paths
    • File versus container interpretation differences
    • URL formatting or encoding issues

    Please check if the following steps help -

    1. Validating Request Format and Endpoint Pleaes ensure the batch request follows the correct format: Endpoint: https://<resource-name>.cognitiveservices.azure.com/translator/text/batch/v1.1/batches Required headers:
      • Ocp-Apim-Subscription-Key
      • Content-Type: application/json
      Request body must include a valid inputs structure with correct sourceUrl and targetUrl Please note that when using managed identity, SAS tokens should not be included in the URLs.
    2. Validating File v/s Container Scenario Confirm whether the request is intended for:
      • Full container translation (container URL), or
      • Specific file translation (file-level URL)
      If a file path is provided without correctly aligning the request structure, the service may interpret it as a container request, which can result in access validation failure.
    3. Verifying Managed Identity and RBAC Configuration
      1. Ensure system-assigned managed identity is enabled on the Translator resource
      2. Assign appropriate roles:
        • Source: Storage Blob Data Reader
        • Target: Storage Blob Data Contributor
      3. Ensure roles are assigned to the correct identity and scope
      4. Allow sufficient time for RBAC propagation after updates
    4. .Validating Storage URLs and Paths Ensure that storage URLs are accurate and correctly formatted:
      • Container: https://<storage-account>.blob.core.windows.net/<container>
      • File: https://<storage-account>.blob.core.windows.net/<container>/<file>
      Additional checks include:
      • No typographical or encoding issues
      • Correct source and target containers
      • Unique target paths for each language
      • No conflicting output files in the destination container

    The following references might be helpful , please check them out

    Authorize Blob Access with Microsoft Entra ID - Azure Storage | Microsoft Learn

    Assign Azure roles using the Azure portal - Azure RBAC | Microsoft Learn

    Create and use managed identities - Foundry Tools | Microsoft Learn

    Please let us know if the response was helpful

    Thank you

    Please 'Upvote'(Thumbs-up) and 'Accept' as answer if the response was helpful. This will be benefitting other community members who face the same issue.

    0 comments No comments
    Sign in to comment

  2. AI answer

    InvalidDocumentAccessLevel for document translation with Azure Translator in Foundry Tools almost always indicates a storage access or request-format issue for batch document translation, even if text translation works.

    For a managed identity / RBAC-based setup, verify the following points end to end:

    1. Confirm the HTTP request format
    • For batch document translation, the request must be sent to:
      • https://<NAME-OF-YOUR-RESOURCE>.cognitiveservices.azure.com/translator/text/batch/v1.1/batches
    • Required headers:
      • Ocp-Apim-Subscription-Key: key for the Translator or Foundry resource
      • Content-Type: application/json or charset=UTF-8
    • Request body must be a JSON object named inputs with sourceUrl and targetUrl container addresses, for example: 
       {
 "inputs": [
 {
 "source": {
 "sourceUrl": "https://<storage_account>.blob.core.windows.net/<source-container>"
 },
 "targets": [
 {
 "targetUrl": "https://<storage_account>.blob.core.windows.net/<target-container>",
 "language": "fr"
 }
 ]
 }
 ]
 }
    • With managed identity, do not include SAS tokens in sourceUrl or targetUrl. Including a SAS token causes requests to fail.
    1. Validate managed identity and RBAC on the storage account
    • Ensure the Translator resource’s managed identity is enabled and has access to the storage account.
    • On the storage account, assign appropriate roles (for example, Storage Blob Data Contributor) to the Translator resource’s managed identity at the account or container level.
    • After assigning or changing role assignments, allow up to 30 minutes for Azure RBAC changes to propagate, then retry and refresh.
    1. Check for destination file name conflicts
    • If a file with the same name already exists in the destination container, the job fails.
    • Ensure the target container does not already contain blobs with the same names as the translated outputs.
    1. Confirm container URLs and filters
    • sourceUrl and targetUrl must be valid container URLs in the form:
      • https://<storage_account_name>.blob.core.windows.net/<container_name>
    • If using prefix or suffix filters, verify they correctly match the blobs intended for translation.
    • Ensure the targetUrl for each target language is unique.
    1. Check job and document status for more detail
    • If translated files do not appear in the target container, query:
      • Job status: Get status for a specific translation job
      • Document status: Get status for a specific document
    • These status calls can provide more specific error details per document.
    1. Validate document formats
    • If some documents are unsupported, the job can fail. Confirm the file types using “Get supported document formats” and ensure only supported formats (such as .docx, .pptx, .pdf, .md, etc.) are in the source container.

    If all of the above are correct—especially the plain container URLs without SAS, correct inputs JSON shape, and RBAC fully propagated—the InvalidDocumentAccessLevel error should be resolved and documents should appear in the target container after a successful 202 Accepted batch request.

    References:

    AI-generated content may be incorrect. Read our transparency notes for more information.
Sign in to answer

Your answer