Microsoft Azure Cloud service management API fails with 401: Unauthorized error?
We are integrating the Role Assignments - List API from Microsoft Azure Cloud Management APIs, Link to documentation: https://learn.microsoft.com/en-us/rest/api/authorization/roleassignments/list#errordetail
We have done all of the configs mentioned:
- Registered a multi-tenant web app with Azure Active Directory for OAuth using
App Registrationsoption, - Also enabled the
https://management.azure.com/user_impersonationscope under Azure Service Management - Same scope is requested by the web app
So far OAuth succeeds but the access token received when used to call an API GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01 it fails with 401 Unauthorized error. I have replaced the subscriptionId with the appropriate value while making actual call.
I looked at the details of access token using https://jwt.io/ and the scp element only seems to have "scp": "User.Read" scope, Missing the user_impersonation. Though the AUTH dialog from Microsoft login service shows clearly the requested user_impersonation grant. The user account I am using for the OAuth has access to the given azure subscription.
What might be the problem?
It's important to add scope with https://management.azure.com/user_impersonation when requesting for an access token.
Test using implicit grant flow in browser:
https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?
client_id=<your-app-id>
&response_type=token
&redirect_uri=<your-redirect_uri>
&scope=https://management.azure.com/user_impersonation
&response_mode=fragment
&state=12345
&nonce=678910
Note: If you use client credentials flow, change scope to https://management.azure.com/.default.
- Unsupported version of Azure.Core in Cloud Services Extended Support?
- Authentication failure when access storage blob from Azure Service
- Terraform tasks to deploy on azure cloud
- Create KeyVault backed SecretScope for Databricks
- Microsoft Graph API fails to update user birthday and hireDate in GCC high environment
- Can't invoke server's method from client - Error: An unexpected error occurred invoking 'SignIn' on the server
- Issue Accessing Azure Cloud Services via Rest API
- Dynamic SQL query in ADF pipeline
- Create an Api connection to log analytics workspace via bicep
- KQL Query to filter duplicate entries and select top 1 from the log data
- Azure Web Role with Transient Fault Handling Block exception: The path is too long after being fully qualified
- Azure Split/Merge Service, is it still relevant?
- Using single sas token for every pipeline agent to upload on blob storage
- How do I update .csdef for Azure Cloud Service (Extended Support) when deploying via PowerShell
- I am able to ssh vm created by terraform but unable to ssh vm with same configuration FYI there is no nsg attached to both
- How to remove duplicate log entries in dynamic column through KQL Query
- Difference between update and create&delete deployment option for Azure Cloud Service
- Not able to connect to smtp from Azure Cloud Service
- What vm size that still works with cloud service definition (on Azure SDK 2.2) and at the Azure deployment?
- Minimize cost for Azure Cloud Service
- How to Ingest data in to Azure Cluster using Python
- Change 'Ingress traffic' setting for Azure Container Application through Bicep deployment
- Not able to execute jmeter script for 8 hours on azure cloud platform, as test getting completed automatically in 3 hours only
- Azure Cloud Services Classic - "Deployment could not be created"
- How to create alerts through bicep for KQL commands
- Azure "No deployments were found" error message
- "PackageUriForbidden" error when trying to deploy an Azure Cloud Service ES
- System.Net.Sockets.SocketException: 'An existing connection was forcibly closed by the remote host' with SharePoint Online low trust authentication
- Restrict/deny the allowed locations for resources
- Azure web role build error: "Unable to import module Diagnostics. No manifest was found"