Azure AI Face Service: Fix Setup & API Errors
Why This Is Happening
You've spun up a new Azure resource, grabbed your API key, fired off your first call to the Azure AI Face service , and hit a wall. Maybe it's a 403 Forbidden. Maybe the SDK refuses to authenticate. Maybe you submitted the Face Recognition intake form three days ago and you're still staring at a blank approval screen. I've seen all of these. They're frustrating, especially when your project timeline is already tight.
Here's the thing: the Azure AI Face service is not like most Azure Cognitive Services resources. It operates under limited access controls tied to Microsoft's Responsible AI commitments. That means there's an extra approval layer most developers don't expect the first time they encounter it. You apply. Microsoft reviews your use case. Only then does your Azure subscription get the green light to actually call face recognition and liveness endpoints. If you skipped that step , or if your approval hasn't landed yet, you'll keep hitting errors no matter how perfect your code is.
Beyond the access approval issue, I regularly see teams run into three other categories of problems:
- Authentication misconfiguration, using the wrong endpoint format, mixing up region-specific endpoints with global ones, or passing keys in the wrong header.
- Model version mismatch, calling a detection or recognition model version that doesn't match the one your PersonGroup was built on, which quietly returns wrong results rather than a clean error.
- SDK version drift, especially with the Face liveness SDK, which is gated separately and updates frequently. An older SDK version may not even support the liveness session API at all.
Microsoft's error messages in this space are notoriously unhelpful. A generic Access Denied response doesn't tell you whether the problem is a bad key, an unapproved subscription, or a network-level block. That ambiguity is what sends developers chasing the wrong fix for hours.
This guide walks you through all of it, from verifying your access approval status to fixing SDK authentication, to troubleshooting the Azure AI Face service liveness detection feature specifically. Every fix here is grounded in what the official Azure documentation actually says, not forum speculation.
The Quick Fix, Try This First
Before you go deep on troubleshooting, run through this checklist. In my experience, the vast majority of Azure AI Face service errors, probably 70%, trace back to one of these five things:
- Your subscription hasn't been approved for Face service access. Go to the Face Recognition intake form and confirm you've submitted. Check your email (including spam) for an approval confirmation from Microsoft. No approval = no access, full stop.
- Your endpoint URL is wrong. The Face API endpoint format is region-specific:
https://<your-resource-name>.cognitiveservices.azure.com/. Using the oldhttps://<region>.api.cognitive.microsoft.com/face/v1.0format causes silent failures in newer SDK versions. - You're using the wrong API key. In the Azure portal, go to Resource Management > Keys and Endpoint. There are two keys, either works, but copy carefully. Trailing spaces or line breaks in environment variables kill authentication instantly.
- Your Face resource hasn't been created yet in the correct region. The Face service is not available in every Azure region. Double-check that your resource region supports Face. If you're hitting
ResourceNotFound, this is why. - You haven't agreed to the Responsible AI terms in the Azure portal. When creating a new Face resource, Azure now requires you to actively check a box acknowledging the Responsible AI documentation and the policy on police department usage restrictions. Miss this checkbox and the resource creation silently fails or gets stuck in a provisioning state.
If your subscription is approved and your keys are correct but you're still getting errors, keep reading, the step-by-step section has you covered.
curl before blaming the SDK. If the raw call works, the problem is in your SDK configuration. If the raw call fails, the problem is upstream, permissions, network, or resource state. This single habit saves hours of debugging.
This is the step most developers skip because they don't expect it. The Azure AI Face service, specifically the face recognition, face identification, face verification, and liveness detection capabilities, is a limited access service. Microsoft restricts it to approved customers and partners as part of its Responsible AI framework. You cannot call these APIs on an unapproved subscription, no matter how correctly your code is written.
Here's how to check your status and fix it:
First, navigate to the Face Recognition intake form on the Azure website. This form asks for your organization name, use case description, and Azure subscription ID. Fill it out completely, vague use case descriptions get rejected or delayed. Be specific: "touchless check-in for hospital reception kiosks" is better than "access control."
Once you submit, Microsoft reviews the request. The review typically completes within a few business days, though enterprise customers with existing Microsoft relationships often get faster turnaround. You'll receive an email confirmation when your subscription is approved.
After approval, verify it's active by going to the Azure portal, opening your Face resource, and checking the Overview blade. You should see the resource status as Running with no policy blocks listed. If you see a yellow warning banner mentioning "limited access" or "policy restriction," your subscription either hasn't been approved yet or the approval hasn't fully propagated.
One important note from the official documentation: if you're working with biometric data, and face images absolutely qualify, you're responsible for providing appropriate notice to data subjects, obtaining consent, and deleting biometric data when required. This isn't just a legal footnote; Azure's terms enforcement around this has teeth. Make sure your application design accounts for it before you go live.
When this step is complete, a simple test call to the Detect endpoint should return a 200 response rather than a 403.
Authentication errors with the Azure AI Face service are almost always an endpoint or header formatting issue. Let me walk you through the exact setup.
In the Azure portal, open your Face resource. Under Resource Management, click Keys and Endpoint. You'll see:
- KEY 1 and KEY 2, both are valid subscription keys
- Endpoint, this is your resource-specific base URL
Your endpoint will look like this:
https://your-resource-name.cognitiveservices.azure.com/When making REST API calls directly, pass your key in the Ocp-Apim-Subscription-Key header. Here's a working curl command to detect faces in an image URL:
curl -X POST \
"https://your-resource-name.cognitiveservices.azure.com/face/v1.0/detect" \
-H "Ocp-Apim-Subscription-Key: YOUR_KEY_HERE" \
-H "Content-Type: application/json" \
-d '{"url":"https://upload.wikimedia.org/wikipedia/commons/c/c3/RH_Louise_Lillian_Gish.jpg"}'If this returns a 200 OK with a JSON array, your keys and endpoint are fine. If you get a 401, your key is wrong. If you get a 403, your subscription isn't approved for Face access. If you get a 404, your endpoint URL is wrong or the resource doesn't exist in the region you specified.
For SDK users in C#, the initialization looks like this:
var client = new FaceClient(
new ApiKeyServiceClientCredentials("YOUR_FACE_API_KEY"))
{
Endpoint = "https://your-resource-name.cognitiveservices.azure.com/"
};Note the trailing slash on the endpoint. Missing it causes a malformed request URL in some SDK versions. When this step succeeds, your SDK calls stop throwing HttpRequestException or UnauthorizedAccessException at initialization time.
Here's one that trips up even experienced Azure developers. The Azure AI Face service has multiple detection model versions, detection_01, detection_02, and detection_03, and they're not interchangeable with recognition models. When you call the Detect API without specifying a model, you get the default, which may not be what you need and can cause downstream failures when you try to use the resulting face IDs with recognition operations.
The official documentation is clear on this: you must specify both a detection model and a recognition model version when adding faces to a PersonGroup, and you must use the same detection model when you call Detect to identify faces against that PersonGroup later. Mixing them produces errors or, worse, silently incorrect match results.
Here's how to explicitly set the detection model in a REST call:
POST https://your-resource-name.cognitiveservices.azure.com/face/v1.0/detect
?detectionModel=detection_03
&returnFaceId=true
&returnFaceLandmarks=falseAnd when creating a PersonGroup:
PUT https://your-resource-name.cognitiveservices.azure.com/face/v1.0/persongroups/{personGroupId}
Content-Type: application/json
{
"name": "MyGroup",
"userData": "optional info",
"recognitionModel": "recognition_04"
}Use recognition_04 for new projects, it's the most accurate model available as of the current documentation. If you're migrating a PersonGroup built on recognition_03, you need to rebuild it with the newer model. There's no in-place upgrade path; the face data structures are incompatible between recognition model versions.
When this is correct, you stop seeing errors like FaceNotFound during identify operations even when you know the face was enrolled. That error almost always means a model version mismatch rather than an actual missing face.
Liveness detection is the anti-spoofing feature that determines whether a face in a video stream belongs to a real, physically present person, not a photo, a recorded video, or a 3D mask. If you're building an identity verification flow or touchless access control system, you almost certainly need this. And it has its own separate access gate.
Even if your subscription is already approved for the general Face service, liveness is handled separately. You need to submit the Face Recognition intake form again and specifically request liveness access. Once approved, you can download the Face liveness SDK, it's not available on public NuGet, npm, or PyPI. You download it directly after your subscription is approved.
For the server-side session management, liveness detection works through a session model. Your backend creates a liveness session and receives a session authorization token. Your frontend client (mobile app or web app using the SDK) uses that token to run the liveness check with the user's camera. Your backend then queries the session result. The face never travels to your server; only the verification result does.
Here's the session creation REST call pattern:
POST https://your-resource-name.cognitiveservices.azure.com/face/v1.0-preview.1/detectLiveness/singleModal/sessions
Ocp-Apim-Subscription-Key: YOUR_KEY
Content-Type: application/json
{
"livenessOperationMode": "Passive",
"deviceCorrelationId": "device-unique-id-here",
"sendResultsToClient": false
}The response includes a session ID and an authToken. Pass the authToken to your frontend SDK, never the subscription key. This design ensures your main API credentials stay server-side only.
If the liveness SDK throws LivenessSessionNotFound or InvalidAuthToken, check that the token hasn't expired (default lifetime is 10 minutes) and that you're passing the token, not the subscription key, to the client SDK. This is the most common liveness setup error I see.
This one catches teams mid-project. If your application previously called the Face Detect API and requested emotion or gender attributes, those requests now return errors or empty results. Microsoft officially retired the emotion detection and gender estimation capabilities in 2023, citing the risk of misuse and stereotyping. They're gone. There's no flag to re-enable them, no workaround, no legacy endpoint that still serves them.
The limited capabilities, age estimation, smile detection, facial hair detection, hair color, and makeup detection, are still available but only to approved use cases. If your application needs any of these, email the Azure Face team directly (the address is in the official Azure Face documentation) with a description of your responsible use case.
To check which attributes you're currently requesting in your detect calls, look at your returnFaceAttributes parameter:
GET https://your-resource-name.cognitiveservices.azure.com/face/v1.0/detect
?returnFaceAttributes=age,smile,headPose,glasses,occlusion,accessories,blur,exposure,noiseIn the list above, age and smile are limited, they require approval. The others (headPose, glasses, occlusion, accessories, blur, exposure, noise) are generally available without special approval and are safe to use in production. If your detect calls are returning a 400 Bad Request with a message about unsupported attributes, remove emotion and gender from your attribute list immediately. That will unblock the call.
Going forward, architect your application around the supported attributes and design your user flows so that face data quality (blur level, head pose, occlusion) guides your enrollment process rather than inferring personal characteristics. This is both better practice and more reliable technically, the quality metrics are objective measurements, while the retired attributes were probabilistic guesses that introduced real risks.
Once you've cleaned up your attribute requests, your detect calls should return a clean 200 with a well-structured JSON face object containing the face rectangle, face ID, and the approved attributes you requested.
Advanced Troubleshooting
If the standard steps didn't fully resolve your Azure AI Face service problem, here's where to dig deeper. I'm covering the scenarios that require a bit more technical access, SDK diagnostics, enterprise network configuration, and subscription policy analysis.
Reading Face API Error Codes Correctly
The Face REST API returns structured error responses. When something fails, the response body includes a JSON object with a code and a message. Don't just look at the HTTP status code, read the error body. Common ones you'll encounter:
PersonGroupNotFound, your PersonGroup ID doesn't exist in the region you're querying. Check that your endpoint region matches where you created the group.FaceNotFound, the face ID you're referencing has expired. Face IDs from the Detect endpoint expire after 24 hours unless persisted to a PersonGroup.InvalidImage, the image doesn't meet requirements: minimum 50×50 pixels, maximum 6MB, JPEG/PNG/GIF/BMP format only.QuotaExceeded, you've hit your tier's transactions-per-second limit. The Free (F0) tier allows 20 calls per minute. Consider upgrading to Standard (S0) for production workloads.ServiceUnavailable, transient Azure service issue. Implement exponential backoff and retry logic. Three retries with 1s, 2s, 4s delays handle the vast majority of these.
Enterprise and Network-Level Issues
If you're in a corporate environment with a proxy or firewall, the Azure AI Face service endpoint needs outbound HTTPS access on port 443. Specifically, allow outbound connections to *.cognitiveservices.azure.com. Some enterprise proxy configurations strip the Ocp-Apim-Subscription-Key header, which produces a clean 401 with no obvious cause. Test from outside the corporate network to confirm whether the proxy is the issue.
For Azure Virtual Network scenarios, the Face resource supports private endpoints. If you've configured a private endpoint but your application is calling the public endpoint URL, you'll get connection timeouts rather than authentication errors. Check the Azure portal under your Face resource's Networking blade to confirm whether public access is enabled or restricted to selected networks.
SDK Diagnostics with HTTP Logging
Enable HTTP request/response logging in the Azure SDK to see exactly what's being sent and received. In Python:
import logging
logging.basicConfig(level=logging.DEBUG)
# Azure SDK will now log all HTTP traffic to the consoleIn C# with the Azure.AI.Vision.Face NuGet package:
var options = new FaceClientOptions();
options.Diagnostics.IsLoggingEnabled = true;
options.Diagnostics.LoggedRequestUriSchemePrefixes.Add("https");
var client = new FaceClient(new Uri(endpoint), new AzureKeyCredential(key), options);This raw log will show you the exact request URL, headers (with keys redacted), and the full response body. Nine times out of ten, the actual error message in the response body is far more informative than anything the SDK surfaces in its exception message.
403 Access Denied after 48 hours, open a support ticket. This usually means the approval hasn't propagated to your specific subscription ID in the backend systems, it requires manual intervention on Microsoft's side. Similarly, if you're seeing ServiceUnavailable responses consistently across multiple regions for more than 30 minutes, check the Azure Service Health dashboard first, then open a ticket if no incident is listed. For billing-related access restrictions on the Face service, you'll need to go through Microsoft Support directly, those can't be self-resolved in the portal.
Prevention & Best Practices
Getting the Azure AI Face service working is one thing. Keeping it working, especially as your application scales and Microsoft continues evolving the service, requires a bit of architectural discipline upfront.
The biggest thing I'd recommend: don't hardcode model versions. Store your detection model and recognition model version strings in application configuration. When Microsoft releases a new model version (which happens, typically with a months-long overlap period), you want to be able to update the model version across your entire application with a config change, not a code deployment. Missing a model transition is how you end up with degraded accuracy or broken PersonGroup operations six months from now.
Second: implement face ID lifecycle management. Detected face IDs from the Detect endpoint are only valid for 24 hours. If your workflow involves detecting a face and then performing identification or verification more than 24 hours later, you need to re-detect. Build this expiry logic into your data model so your application handles it gracefully rather than throwing FaceNotFound errors at runtime.
Third: monitor your quota consumption. In the Azure portal, go to your Face resource's Metrics blade and pin a chart for TotalCalls and TotalErrors to your dashboard. Set an alert at 80% of your tier's monthly limit. Hitting quota doesn't just slow down your application, on some tiers it stops it entirely until the quota resets.
Fourth: keep documentation of your approved use case. Microsoft can periodically re-verify that your usage aligns with your approved use case. Keep a record of what you submitted in the intake form and make sure your actual deployment matches it. If your use case changes significantly, submit an updated intake form proactively rather than waiting to be flagged.
- Store model version strings in app config, not hardcoded, makes model migrations a one-minute change
- Set Azure Monitor alerts at 80% quota consumption before you hit limits in production
- Cache PersonGroup training results and only retrain when new faces are added, not on every API call
- Use image quality attributes (blur, exposure, occlusion) to reject low-quality enrollment photos before they pollute your PersonGroup
Frequently Asked Questions
What exactly is the Azure AI Face service and what can it actually do?
The Azure AI Face service is a cloud API that detects, analyzes, and recognizes human faces in images and video streams. At a basic level, it finds faces in an image and returns the bounding box coordinates for each face along with a unique face ID. From there, with the appropriate approvals, you can do face verification (is this person who they claim to be?), face identification (who is this person from my enrolled group?), liveness detection (is this a real live person in front of the camera?), and touchless access control. It's available through client library SDKs in C#, Python, Node.js, and Java, or you can call the REST API directly. The key thing to understand upfront is that the recognition and liveness features require a separate access approval, it's not a standard Azure resource you can just provision and start calling.
How do I apply for Azure Face service access and how long does approval take?
You apply through the Face Recognition intake form, which is linked from the official Azure Face documentation and the Azure portal when you try to create a Face resource. The form asks for your organization name, contact information, your Azure subscription ID, and a detailed description of your use case. Be specific, generic answers like "identity verification" without context get delayed. Microsoft typically reviews applications within two to five business days for standard commercial customers, though enterprise customers with existing Microsoft agreements often see faster turnaround. You'll receive an email when your subscription is approved. For liveness detection specifically, that's a separate gated feature even after general Face access is approved, and you need to request it explicitly in the same form.
Why am I getting a 403 error even though my API key is correct?
A 403 on the Azure AI Face service almost always means your subscription hasn't been approved for Face service access, or the approval hasn't propagated yet. Check your email for an approval confirmation from Microsoft after submitting the intake form. If you received the approval but are still hitting 403 more than 48 hours later, open an Azure support ticket, this is a known backend propagation issue that requires manual intervention. A second common cause: you created the Face resource but didn't complete the Responsible AI acknowledgment checkbox in the Azure portal during resource creation. In that case, delete the resource, recreate it, and make sure you check that acknowledgment box before clicking Create.
Can the Azure Face API still detect emotions and gender?
No. Microsoft officially retired emotion detection and gender estimation from the Azure Face service. These capabilities are gone permanently, there's no flag, legacy endpoint, or workaround to re-enable them. Microsoft made this decision because these features, when misused, risk subjecting people to stereotyping or unfair treatment. If your existing code passes emotion or gender in the returnFaceAttributes parameter, remove them, otherwise your detect calls will return a 400 error. Some other attribute capabilities like age estimation and smile detection are still available but only to approved use cases; contact the Azure Face team directly with your use case if you need them.
What programming languages and SDKs does Azure Face service support?
The Azure AI Face service officially supports client library SDKs for C#/.NET, Python, Node.js/JavaScript, and Java. All four SDKs wrap the underlying REST API and handle authentication, retry logic, and response deserialization for you. For the standard Face detection and recognition features, these SDKs are available through their respective package managers (NuGet, PyPI, npm, Maven). The Face liveness SDK is the exception, it's a gated download available only after your subscription is approved for liveness access, and you get it directly from Microsoft rather than a public package registry. If you're working in a language not covered by the official SDKs, the REST API is fully documented and works with any HTTP client.
Is it true Microsoft won't sell Azure Face technology to police departments?
Yes, that's correct and it's reflected directly in the service terms. On June 11, 2020, Microsoft announced it would not sell facial recognition technology to police departments in the United States until strong human-rights-based regulation is in place. This is a binding condition of the service, when you create a Face resource in the Azure portal, you must actively acknowledge and agree that you will not use the service by or for a US police department. If your organization provides services to law enforcement and you're evaluating Azure Face, consult your legal team before proceeding. Violating this term puts your entire Azure subscription at risk, not just your Face resource access.