Sudden permission issue in Sweden Central between Translator and Storage Account (worked before)

Benjamin Eha 15 Reputation points
2026-04-26T08:59:03.6966667+00:00

Hello everyone,

We are seeing a sudden issue with Azure AI Translator / Document Translation in Sweden Central.

A setup that worked reliably before now fails during validation with:

{
  "status": "ValidationFailed",
  "error": {
    "code": "InvalidRequest",
    "message": "Cannot access source document location with the current permissions.",
    "innerError": {
      "code": "InvalidDocumentAccessLevel",
      "message": "Cannot access source document location with the current permissions."
    }
  }
}

Setup:

• Service: Azure AI Translator / Document Translation
• Region: Sweden Central
• Authentication: system-assigned managed identity
• Storage: Azure Blob Storage
• RBAC: managed identity has Storage Blob Data Contributor
• Failure point: validation phase, before document processing starts

The same flow worked previously and no application-side changes were made. Source files are uploaded successfully and are visible in Blob Storage before the translation job starts.

Could this indicate a current issue with Document Translation + Managed Identity + Blob Storage in Sweden Central, or a change in validation behavior?

Thanks in advance.

Best

Ben

Azure Translator in Foundry Tools

2 answers

  1. SAI JAGADEESH KUDIPUDI 3,215 Reputation points Microsoft External Staff Moderator
    2026-04-30T12:05:58.56+00:00

    Hi Benjamin Eha,

    Thank you for the detailed description — this helps narrow things down significantly.

    From the error message:

    "Cannot access source document location with the current permissions (InvalidDocumentAccessLevel)"

    this indicates that Azure AI Translator – Document Translation is unable to access your source container during the validation phase, even though the setup worked previously.

    Based on your configuration (system-assigned managed identity + Blob Storage + RBAC), this behavior is most commonly related to either RBAC scope, network restrictions, or access validation changes, rather than a region-specific issue in Sweden Central.

    1. Verify RBAC scope (very important)

    Even if Storage Blob Data Contributor is assigned, the scope must include the correct container or storage account.

    • If the role is mis-scoped or recently modified, validation can fail even if uploads still work.

    Reconfirm the role assignment and allow time for propagation.

    2. Check Storage firewall / networking configuration

    If your storage account has:

    • Firewall rules
    • Virtual Network restrictions
    • Private Endpoints

    then the Translator service must be explicitly allowed.

    Even small changes (policies, security updates, networking changes) can cause this to suddenly fail.

    3. Revalidate Managed Identity configuration

    As a quick remediation:

    • Disable and re-enable the system-assigned managed identity
    • Reassign the RBAC role
    • Wait a few minutes for propagation

    This helps in cases where identity tokens or permissions are stale.

    4. Ensure correct request pattern

    When using managed identity:

    • Use storage URLs (not SAS tokens)
    • Ensure correct Translator endpoint is used

    Even if your application didn’t change, this issue can appear due to:

    • RBAC re-evaluation or delayed propagation
    • Storage firewall or network policy updates
    • Backend validation becoming stricter for access checks

    At this time, there are no known public issues specific to Sweden Central affecting this scenario.

    In most cases like this, the root cause is:

    • RBAC scope mismatch, or
    • Storage firewall / networking restriction

    Once those are validated and corrected, the Document Translation validation step should start working again.

    Hope this helps. If you have any follow-up questions, please let me know. I would be happy to help.
    Please do not forget to "Accept Answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.



  2. AI answer

    2026-04-26T08:59:20.9033333+00:00

    The behavior is consistent with a storage authorization/managed identity issue rather than a region‑wide outage, and recent changes in network or identity configuration can surface as “sudden” validation failures.

    For Document Translation with managed identity, validation will fail if the Translator resource can no longer read from or write to the Blob containers. The following conditions must all be true:

    1. System-assigned managed identity is enabled on the Translator resource
      • In the Translator resource, under Resource Management → Identity → System assigned, Status must be On, and changes can take up to ~5 minutes to propagate.
    2. Translator’s managed identity has the correct RBAC on the storage account
      • The Translator resource’s identity must have Storage Blob Data Contributor on the storage account (or at least on the relevant containers):
        • Scope: Storage
        • Role: Storage Blob Data Contributor
      • This role grants read, write, and delete access to blobs and is required when using managed identity instead of SAS.
    3. Storage account network and “trusted services” configuration still allow access
      • If storage networking or firewall settings were recently changed, ensure that:
        • The Translator resource is allowed through the storage firewall, and
        • “Allow trusted Microsoft services to access this storage account” remains enabled if previously used.
      • After network changes, it can take up to 5 minutes for them to propagate.
    4. If SAS was previously used and you switched to managed identity
      • When using managed identity and Allow Storage Account Key Access is disabled, container URLs can be used directly without SAS. If this setting or the identity/RBAC changed, validation will fail until corrected.
    5. Confirm job-level behavior
      • If translated files do not appear in the target container, check the job and document status using the Document Translation status APIs as recommended in troubleshooting. Failures that mention authorization or access to storage almost always point back to RBAC, identity, or networking.

    Given that the same flow worked before and no app changes were made, the most likely causes are:

    • RBAC assignment on the storage account was modified or removed.
    • Storage networking/firewall or “trusted services” setting changed.
    • Identity on the Translator resource was disabled/recreated, breaking the existing role assignment.

    Recommended actions:

    1. Re-verify that the Translator resource has System assigned identity enabled.
    2. Re-assign Storage Blob Data Contributor to the Translator’s managed identity at the storage account scope and wait a few minutes.
    3. Confirm storage network/firewall configuration still permits access from the Translator resource.
    4. Re-run the translation job and, if it fails, inspect job/document status for explicit authorization errors.

    If all of the above are correct and the issue persists only in Sweden Central while the same configuration works in another region, open a support ticket with Azure Support including job IDs and timestamps so the backend team can check for region-specific incidents.


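The RBAC-scope and storage-firewall checks that both answers describe can be run offline against exported configuration. The following is an added example, not part of the thread or of any Microsoft tooling: it assumes the JSON shapes returned by `az role assignment list` and `az storage account show`, and every ID and name in the sample data is constructed. Assignments made at management-group scope are not resolved by the prefix check and would need to be verified separately.

```python
from fnmatch import fnmatchcase

ROLE = "Storage Blob Data Contributor"  # role named in the thread

def covers(scope, resource_id):
    """RBAC inherits downward: a scope covers itself and everything beneath it."""
    s, r = scope.rstrip("/").lower(), resource_id.lower()
    return r == s or r.startswith(s + "/")

def diagnose(principal_id, translator_id, account, container, assignments):
    """Return finding codes; an empty list means these exports show no problem."""
    findings = []
    target = f"{account['id']}/blobServices/default/containers/{container}"
    held = [a for a in assignments
            if a["principalId"].lower() == principal_id.lower()
            and a["roleDefinitionName"] == ROLE]
    if not held:
        findings.append("no-role")         # missing, or left on a previous identity
    elif not any(covers(a["scope"], target) for a in held):
        findings.append("scope-mismatch")  # role exists but not over this container
    net = account.get("networkRuleSet") or {}
    if account.get("publicNetworkAccess") == "Disabled":
        findings.append("public-access-disabled")  # only private endpoints can reach it
    elif net.get("defaultAction") == "Deny":
        trusted = "AzureServices" in (net.get("bypass") or "")
        listed = any(fnmatchcase(translator_id.lower(), r["resourceId"].lower())
                     for r in net.get("resourceAccessRules") or [])
        if not (trusted or listed):
            findings.append("firewall-deny")
    return findings

# Constructed sample data (placeholder subscription, names and principal IDs).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-demo"
ACCOUNT = {"id": SUB + "/providers/Microsoft.Storage/storageAccounts/stdemo",
           "publicNetworkAccess": "Enabled",
           "networkRuleSet": {"defaultAction": "Deny", "bypass": "Logging, Metrics",
                              "resourceAccessRules": []}}
TRANSLATOR = SUB + "/providers/Microsoft.CognitiveServices/accounts/tr-demo"
OLD_ID = "11111111-1111-1111-1111-111111111111"  # identity before disable/re-enable
NEW_ID = "22222222-2222-2222-2222-222222222222"  # identity after re-enable
ASSIGNMENTS = [
    {"principalId": OLD_ID, "roleDefinitionName": ROLE, "scope": ACCOUNT["id"]},
    {"principalId": NEW_ID, "roleDefinitionName": ROLE,
     "scope": ACCOUNT["id"] + "/blobServices/default/containers/target"},
]

if __name__ == "__main__":
    for container in ("source", "target"):
        print(container, diagnose(NEW_ID, TRANSLATOR, ACCOUNT, container, ASSIGNMENTS))
```

In the sample, the current identity holds the role only on the `target` container, so the `source` container reports a scope mismatch, and the account-scope assignment still attached to the old principal ID does not count toward the current identity.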
