Prompt flow deployment of endpoint failed Registering flow as model for deployment

Question

Prompt flow deployment of endpoint failed Registering flow as model for deployment

Jason McReynolds 25

I've created a Prompt Flow in Azure AI Studio, and when I go to deploy it, the Machine Learning online endpoint successfully deploys, but then I get an error that "Registering flow as model for deployment" failed. Nothing else gets deployed besides the ML online endpoint.

pfdfail

I've followed the instructions to make sure that the ML online endpoint identity has "Storage Blob Data Contributor" access to the storage account associated with the project (even deleted, re-added, and tried granting Owner access to the storage account as well), but none of that seems to work, it always fails. I've checked the activity logs and nothing shows up in those indicating a failure. I'm not sure where else to look for logs for this or what to do/check at this point. Any help would me much appreciated. Thanks!

romungi-MSFT 48,911 Reputation points Microsoft Employee Moderator

2024-09-20T07:51:22.1+00:00
@Jason McReynolds Does your prompt flow have a connection to any other resources that need access to storage account? Ex: You can have a connection to Azure OpenAI or Azure AI search. You might want to check if those resources need the access to storage account.

Also, there are couple of more scenarios that you could check before retrying.

You should have an Azure ML workspace created with the project name since AI studio uses Hub and spoke model. This same ML workspace can be accessed from ML studio where additional logs can be available under the deployment or model tabs of ML studio. This can give a better idea on what authorization is missing during deployment.

Since you are using AI studio the AI Hub and Project also have IAM roles assigned, this can be seen from the portal by looking up the hub and project name, where you can access the IAM settings to confirm if the roles related to storage are granted.

The connected resources of Azure blob storage corresponding to your workspace or project use SAS based authentication from AI studio, you can flip this method to Entra ID based if you want to avoid SAS credential authentication while accessing the storage accounts. Go to project settings->Access Details -> Edit Access Details

Finally, there is currently an ongoing issue with endpoint deployments as mentioned in this thread. I think your issue is not related to this scenario since you have already tried using contributor access, but you can refer the same and check if this helps!!
Jason McReynolds 25 Reputation points

2024-09-20T22:35:50.5+00:00
@romungi-MSFT , thanks for the suggestions!

I dug around the ML Studio, but I'm not finding anything in there that shows any logs for this failed prompt flow deployment. It looks like I might have more info once the deployment actually succeeds, but I haven't been able to get that to work.

I assigned Storage Blob Contributor access to the AI Hub and Project, and the Azure Open AI resource it is using, but deployments still fail. If one of the resources needs higher access, or I'm missing one, I don't know (hence trying to find logs/useful error message). :(

When I check the Settings page of the project, I don't see anything about Connection details and/or Access details like you have in the screenshot you posted (poked around and didn't see that anywhere). Could that indicate a problem somewhere else?

Thanks for the link to the other issue, but I agree, I think this is different.
romungi-MSFT 48,911 Reputation points Microsoft Employee Moderator

2024-09-23T08:19:31.1833333+00:00

@Jason McReynolds On the settings page there is a tile for Connected resources, see below.

If you click on the workspace storage connections, it should show the earlier screen I mentioned and you can try to change the access method from there.
romungi-MSFT 48,911 Reputation points Microsoft Employee Moderator

2024-09-26T15:23:57.99+00:00

@Jason McReynolds I am curious to check if your prompt flow deployments are working with any of the suggestions mentioned above. Thanks!!
Jason McReynolds 25 Reputation points

2024-10-02T16:23:30.4733333+00:00

@romungi-MSFT I have a case open with Microsoft and I'm working through this issue. One thing that did help was making sure all of the storage accounts were set to use the same access method (Credential based, Account key), but now I've run into issues with an expired auth token.
Dinesh Goyal 0 Reputation points Microsoft Employee

2025-06-05T05:42:08.9866667+00:00

@Jason McReynolds
I am also facing same issue while deploying prompt flow endpoint. If you are able to solve it, please share the steps
Jason McReynolds 25 Reputation points

2025-06-05T15:33:54.6866667+00:00
@Dinesh Goyal

The error you shared is different from the one that I got, so I'm not sure how to assist with that. As an update though, here's what initially ended up resolving the issue for me:

Assign the role "Storage Blob Data Contributor Role" to the Project (AML workspace) managed identity and the managed online endpoint managed identity on the storage account.

There was a bug on the endpoint (that is hopefully fixed by now) - when combined weight on endpoint is 0, UI currently fails to do the CORS OPTIONS request successfully leading to unauthorized error. While they do not yet an ETA for a fix, they provided a mitigation step for this error: manually set traffic on the deployment to 100%.

I had some other issues as well, with some "phantom" resources (resources that still showed up in the project, but had been deleted from Azure - mostly blob storage accounts), so ultimately I ended up creating a new hub and project and manually migrating everything over, which resolved all of the issues we were having.

1 answer

Your answer

romungi-MSFT 48,911 Reputation points Microsoft Employee Moderator

2024-09-20T07:51:22.1+00:00

@Jason McReynolds Does your prompt flow have a connection to any other resources that need access to storage account? Ex: You can have a connection to Azure OpenAI or Azure AI search. You might want to check if those resources need the access to storage account.

Also, there are couple of more scenarios that you could check before retrying.

You should have an Azure ML workspace created with the project name since AI studio uses Hub and spoke model. This same ML workspace can be accessed from ML studio where additional logs can be available under the deployment or model tabs of ML studio. This can give a better idea on what authorization is missing during deployment.

Since you are using AI studio the AI Hub and Project also have IAM roles assigned, this can be seen from the portal by looking up the hub and project name, where you can access the IAM settings to confirm if the roles related to storage are granted.

The connected resources of Azure blob storage corresponding to your workspace or project use SAS based authentication from AI studio, you can flip this method to Entra ID based if you want to avoid SAS credential authentication while accessing the storage accounts. Go to project settings->Access Details -> Edit Access Details

Finally, there is currently an ongoing issue with endpoint deployments as mentioned in this thread. I think your issue is not related to this scenario since you have already tried using contributor access, but you can refer the same and check if this helps!!
Jason McReynolds 25 Reputation points

2024-09-20T22:35:50.5+00:00

@romungi-MSFT , thanks for the suggestions!

I dug around the ML Studio, but I'm not finding anything in there that shows any logs for this failed prompt flow deployment. It looks like I might have more info once the deployment actually succeeds, but I haven't been able to get that to work.

I assigned Storage Blob Contributor access to the AI Hub and Project, and the Azure Open AI resource it is using, but deployments still fail. If one of the resources needs higher access, or I'm missing one, I don't know (hence trying to find logs/useful error message). :(

When I check the Settings page of the project, I don't see anything about Connection details and/or Access details like you have in the screenshot you posted (poked around and didn't see that anywhere). Could that indicate a problem somewhere else?

Thanks for the link to the other issue, but I agree, I think this is different.
romungi-MSFT 48,911 Reputation points Microsoft Employee Moderator

2024-09-23T08:19:31.1833333+00:00

@Jason McReynolds On the settings page there is a tile for Connected resources, see below.

If you click on the workspace storage connections, it should show the earlier screen I mentioned and you can try to change the access method from there.
romungi-MSFT 48,911 Reputation points Microsoft Employee Moderator

2024-09-26T15:23:57.99+00:00

@Jason McReynolds I am curious to check if your prompt flow deployments are working with any of the suggestions mentioned above. Thanks!!
Jason McReynolds 25 Reputation points

2024-10-02T16:23:30.4733333+00:00

@romungi-MSFT I have a case open with Microsoft and I'm working through this issue. One thing that did help was making sure all of the storage accounts were set to use the same access method (Credential based, Account key), but now I've run into issues with an expired auth token.
Dinesh Goyal 0 Reputation points Microsoft Employee

2025-06-05T05:42:08.9866667+00:00

@Jason McReynolds
I am also facing same issue while deploying prompt flow endpoint. If you are able to solve it, please share the steps
Jason McReynolds 25 Reputation points

2025-06-05T15:33:54.6866667+00:00

@Dinesh Goyal

The error you shared is different from the one that I got, so I'm not sure how to assist with that. As an update though, here's what initially ended up resolving the issue for me:

Assign the role "Storage Blob Data Contributor Role" to the Project (AML workspace) managed identity and the managed online endpoint managed identity on the storage account.

There was a bug on the endpoint (that is hopefully fixed by now) - when combined weight on endpoint is 0, UI currently fails to do the CORS OPTIONS request successfully leading to unauthorized error. While they do not yet an ETA for a fix, they provided a mitigation step for this error: manually set traffic on the deployment to 100%.

I had some other issues as well, with some "phantom" resources (resources that still showed up in the project, but had been deleted from Azure - mostly blob storage accounts), so ultimately I ended up creating a new hub and project and manually migrating everything over, which resolved all of the issues we were having.

Answer 1

As an update, here's what initially ended up resolving the issue for me:

Assign the role "Storage Blob Data Contributor Role" to the Project (AML workspace) managed identity and the managed online endpoint managed identity on the storage account.
There was a bug on the endpoint (that is hopefully fixed by now) - when combined weight on endpoint is 0, UI currently fails to do the CORS OPTIONS request successfully leading to unauthorized error. While they do not yet an ETA for a fix, they provided a mitigation step for this error: manually set traffic on the deployment to 100%.

I had some other issues as well, with some "phantom" resources (resources that still showed up in the project, but had been deleted from Azure - mostly blob storage accounts), so ultimately I ended up creating a new hub and project and manually migrating everything over, which resolved all of the issues we were having

Dinesh Goyal 0 Reputation points Microsoft Employee

2025-06-05T17:31:06.63+00:00

Thanks for the response.
However, this isn't working in my case.

Share via

Prompt flow deployment of endpoint failed Registering flow as model for deployment

1 answer

Your answer