Skip to main content
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Get certified in Microsoft Fabric—for free! For a limited time, get a free DP-600 exam voucher to use by the end of 2024. Register now

Reply
redherring101
Microsoft Employee
Microsoft Employee

Unable to call AML pipeline from Fabric data pipeline

‎11-22-2024 10:53 AM

I am trying to trigger an AML pipeline from my Fabric data pipeline, but I am getting the following error:

 

 

Request sent to Azure ML Service for operation 'validateWorkspace' failed with http status code 'Unauthorized'. Error message from Azure ML Service: '{"error":{"code":"InvalidAuthenticationTokenAudience","message":"The access token has been obtained for wrong audience or resource 'https://ml.azure.com'. It should exactly match with one of the allowed audiences 'https://management.core.windows.net/','https://management.core.windows.net','https://management.azure.com/','https://management.azure.com'."}}'.

 

I am using my organizational account to connect to the AML workspace from Fabric. This account has Contributor and AzureML Data Scientist access on the AML workspace. 

 

fabric error.png

Labels:
Message 1 of 5
375 Views
0
4 REPLIES 4
v-yilong-msft
Community Support
Community Support

‎11-25-2024 06:23 PM

Hi @redherring101 ,

It looks like the error you're encountering is due to the access token being issued for the wrong audience or resource. The token should be obtained for one of the allowed audiences such as https://management.core.windows.net/ or https://management.azure.com/ instead of https://ml.azure.com./

 

I think you can do these steps below:

1. Ensure that the token you are using is requested for the correct audience. You might need to modify the resource URL in your authentication request to match one of the allowed audiences.

 

2. Navigate to Azure Active Directory > App Registrations > Your App > API Permissions. Add the necessary permissions for Azure Service Management and grant admin consent.

You can read this topic as a reference: 

Problem when i call a GET REQUEST with an AZURE Token, InvalidAuthenticationTokenAudience - Microsof...

 

3. Make sure you are using the correct authentication flow to obtain the token. For example, if you are using MSAL (Microsoft Authentication Library), ensure that the scope includes the correct resource URL.

 

 

Best Regards

Yilong Zhou

If this post helps, then please consider Accept it as the solution to help the other members find it more quickly.

Message 3 of 5
254 Views
0
redherring101
Microsoft Employee
Microsoft Employee
In response to v-yilong-msft

‎11-26-2024 09:42 AM

Hi @v-yilong-msft, thank you for your reply.

 

The thing is that I am not manually requesting a token here, in response to your suggestions 1 and 3. I am using the Azure Machine Learning Activity on the Fabric data pipeline UI to try and trigger an AML pipeline. I don't see an option to set the audience for the authentication request anywhere. The same thing works seamlessly in Synapse, so I think that this is a bug in Fabric whereby the Azure Machine Learning Activity is using the wrong audience when trying to authenticate with Azure Machine Learning.

 

In the Microsoft Entra admin center, I am unable to find this Fabric workspace under App Registrations, in response to your suggestion 2. I don't think that Fabric resources are really exposed to us like regular Azure resources.

Message 4 of 5
233 Views
0
redherring101
Microsoft Employee
Microsoft Employee
In response to redherring101

‎11-22-2024 09:58 AM

I am trying to trigger an AML pipeline from my Fabric data pipeline, but I am getting the following error:

Request sent to Azure ML Service for operation 'validateWorkspace' failed with http status code 'Unauthorized'. Error message from Azure ML Service: '{"error":{"code":"InvalidAuthenticationTokenAudience","message":"The access token has been obtained for wrong audience or resource 'https://ml.azure.com'. It should exactly match with one of the allowed audiences 'https://management.core.windows.net/','https://management.core.windows.net','https://management.azure.com/','https://management.azure.com'."}}'.


I am using my Organizational account to set up the connection and that account does have access to AML. Here is a screenshot of the error:

redherring101_0-1732298206958.png

 

Message 5 of 5
320 Views
0
v-huijiey-msft
Community Support
Community Support

‎11-24-2024 11:00 PM

Hi @redherring101 ,

 

Your question belongs to the Data Factory forum, and I have moved the post to the appropriate forum for you, where a professional will be able to help you.

 

Best Regards,
Yang
Community Support Team

Message 2 of 5
288 Views
0

Helpful resources

Announcements
November Carousel

Fabric Community Update - November 2024

Find out what's new and trending in the Fabric Community.

Live Sessions with Fabric DB

Be one of the first to start using Fabric Databases

Starting December 3, join live sessions with database experts and the Fabric product team to learn just how easy it is to get started.

November Update

Fabric Monthly Update - November 2024

Check out the November 2024 Fabric update to learn about new features.

Las Vegas 2025

Join us at the Microsoft Fabric Community Conference

March 31 - April 2, 2025, in Las Vegas, Nevada. Use code MSCUST for a $150 discount! Early Bird pricing ends December 9th.

View All