An AI tool in Foundry for analyzing documents and media to classify content, extract entities, and generate structured understanding
Hello Hasindu Rathnayake,
Greetings! Thanks for raising this question in Q&A forum.
This is a great and detailed question. The root cause here is most likely a combination of two things — the grantCopyAuthorization response missing the source property means the target resource never properly received the authorization token tied to the correct source identity, so when the copy operation runs, the target cannot verify that the source has granted permission, resulting in the ModelNotFound / source resource has not granted necessary permissions error. Simply put, the authorization handshake is incomplete before the copy is triggered.
Let me address your three questions and walk you through the steps to resolve this:
On your Question 1 — Missing source property in the response:
This is likely not expected behaviour. The source field in the grantCopyAuthorization response is what the copy operation uses to validate the permission chain. Its absence suggests either a bug in the API version 2025-11-01 for the Content Understanding resource type, or the authorization is being issued against the wrong resource endpoint. Double-check that you are calling grantCopyAuthorization on the target resource (not the source) and passing the source resource's details in the request body — this is a common mix-up that causes the source field to be absent in the response.
On your Question 2 — Cross-region support (East US to Australia East):
Cross-region analyzer copy is supported in principle for Azure AI Foundry Content Understanding, but Australia East has historically had delayed feature parity compared to East US. It is worth verifying that the 2025-11-01 GA API and the copy feature are fully available in Australia East by checking the Azure AI Foundry regional availability page.
On your Question 3 — Requirements beyond managed identity and role assignments:
Yes, there are a few additional requirements that are easy to miss. Here are the steps to check and fix everything end to end:
Confirm the correct direction of grantCopyAuthorization — This call must be made to the target resource's endpoint, not the source. The request body should contain the source resource's ID. Many developers accidentally call it on the source resource, which causes the source property to be missing from the response.
The correct call pattern is: POST https://<TARGET-endpoint>/contentunderstanding/analyzers/<analyzerName>:grantCopyAuthorization?api-version=2025-11-01
Use the full authorization object in the copy call — Take the entire response body from grantCopyAuthorization and pass it as-is into the copy request body on the source resource. Do not reconstruct or modify any fields. If the source field is missing from the response, the copy will always fail.
Verify managed identity role assignments are on the right scope — The managed identity of the source resource needs Cognitive Services User role on the target resource, and vice versa. Make sure these are assigned at the resource level, not just at the subscription or resource group level, as scope mismatches can cause silent permission failures.
Check that both resources use System-assigned managed identity — If either resource uses a User-assigned managed identity instead, the identity principal used during the copy handshake may differ from what was authorized. Confirm both are System-assigned or that the correct User-assigned identity is explicitly referenced.
Ensure no network restrictions are blocking cross-region calls — If either resource has a firewall, private endpoint, or network access restrictions configured, the cross-region copy call may be silently blocked. Temporarily set both resources to "Allow all networks" for testing purposes to rule this out.
Retry the full flow from scratch — The grantCopyAuthorization token has a limited validity window (typically 24 hours). If there was any delay between getting the authorization and initiating the copy, the token may have expired. Run grantCopyAuthorization again and immediately follow it with the copy call.
If the source property is still missing after a fresh attempt — This points to a potential bug in the GA API for this resource type. Raise a support ticket with Microsoft under "Azure AI Services / Content Understanding" and include the full request and response payloads (with keys redacted). The missing source field is worth escalating as it may be a known issue being tracked internally.
If this answer helps you kindly accept the answer which will help others who have similar questions.
Best Regards,
Jerald Felix.