Content Understanding Analyzer Copy Fails with ModelNotFound After Successful grantCopyAuthorization (API 2025-11-01)

Hasindu Rathnayake 65 Reputation points
2026-06-01T09:25:48.31+00:00

I'm trying to copy a Content Understanding analyzer between two Azure AI Foundry resources.

Environment:

  • Source region: East US
  • Target region: Australia East
  • API version: 2025-11-01 (GA)
  • Both resources have managed identities enabled
  • Cognitive Services User role assigned in both directions
  • Analyzer status is Ready

The grantCopyAuthorization operation succeeds with HTTP 200.

However, the subsequent copy operation returns:

{
  "error": {
    "code": "NotFound",
    "innererror": {
      "code": "ModelNotFound",
      "message": "The source resource has not granted the necessary permissions..."
    }
  }
}

I also noticed that the grantCopyAuthorization response does not contain the source property described in the REST API documentation.

Questions:

  1. Is the missing source property expected in API version 2025-11-01?
  2. Is cross-region analyzer copy supported between East US and Australia East?
  3. Are there known requirements beyond managed identities and Cognitive Services User role assignments?
Azure Content Understanding in Foundry Tools

1 answer

Sort by: Most helpful
  1. Jerald Felix 16,015 Reputation points Volunteer Moderator
    2026-06-01T16:43:35.3566667+00:00

    Hello Hasindu Rathnayake,

    Greetings! Thanks for raising this question in Q&A forum.

    This is a great and detailed question. The root cause here is most likely a combination of two things — the grantCopyAuthorization response missing the source property means the target resource never properly received the authorization token tied to the correct source identity, so when the copy operation runs, the target cannot verify that the source has granted permission, resulting in the ModelNotFound / source resource has not granted necessary permissions error. Simply put, the authorization handshake is incomplete before the copy is triggered.

    Let me address your three questions and walk you through the steps to resolve this:

    On your Question 1 — Missing source property in the response:

    This is likely not expected behaviour. The source field in the grantCopyAuthorization response is what the copy operation uses to validate the permission chain. Its absence suggests either a bug in the API version 2025-11-01 for the Content Understanding resource type, or the authorization is being issued against the wrong resource endpoint. Double-check that you are calling grantCopyAuthorization on the target resource (not the source) and passing the source resource's details in the request body — this is a common mix-up that causes the source field to be absent in the response.

    On your Question 2 — Cross-region support (East US to Australia East):

    Cross-region analyzer copy is supported in principle for Azure AI Foundry Content Understanding, but Australia East has historically had delayed feature parity compared to East US. It is worth verifying that the 2025-11-01 GA API and the copy feature are fully available in Australia East by checking the Azure AI Foundry regional availability page.

    On your Question 3 — Requirements beyond managed identity and role assignments:

    Yes, there are a few additional requirements that are easy to miss. Here are the steps to check and fix everything end to end:

    Confirm the correct direction of grantCopyAuthorization — This call must be made to the target resource's endpoint, not the source. The request body should contain the source resource's ID. Many developers accidentally call it on the source resource, which causes the source property to be missing from the response.

    The correct call pattern is: POST https://<TARGET-endpoint>/contentunderstanding/analyzers/<analyzerName>:grantCopyAuthorization?api-version=2025-11-01

    Use the full authorization object in the copy call — Take the entire response body from grantCopyAuthorization and pass it as-is into the copy request body on the source resource. Do not reconstruct or modify any fields. If the source field is missing from the response, the copy will always fail.

    Verify managed identity role assignments are on the right scope — The managed identity of the source resource needs Cognitive Services User role on the target resource, and vice versa. Make sure these are assigned at the resource level, not just at the subscription or resource group level, as scope mismatches can cause silent permission failures.

    Check that both resources use System-assigned managed identity — If either resource uses a User-assigned managed identity instead, the identity principal used during the copy handshake may differ from what was authorized. Confirm both are System-assigned or that the correct User-assigned identity is explicitly referenced.

    Ensure no network restrictions are blocking cross-region calls — If either resource has a firewall, private endpoint, or network access restrictions configured, the cross-region copy call may be silently blocked. Temporarily set both resources to "Allow all networks" for testing purposes to rule this out.

    Retry the full flow from scratch — The grantCopyAuthorization token has a limited validity window (typically 24 hours). If there was any delay between getting the authorization and initiating the copy, the token may have expired. Run grantCopyAuthorization again and immediately follow it with the copy call.

    If the source property is still missing after a fresh attempt — This points to a potential bug in the GA API for this resource type. Raise a support ticket with Microsoft under "Azure AI Services / Content Understanding" and include the full request and response payloads (with keys redacted). The missing source field is worth escalating as it may be a known issue being tracked internally.

    If this answer helps you kindly accept the answer which will help others who have similar questions.

    Best Regards,

    Jerald Felix.

    Was this answer helpful?


Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.