Not able to connect to azure from postman application - 403 forbidden error
I'm trying to GET https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups?api-version=2020-09-01 using postman application from my desktop. For Authorization I passed the bearer token acquired from the response.
However getting the below error.
{ "error": { "code": "AuthorizationFailed", "message": "The client '02d899d6-c2d5-47d3-' with object id '02d899d6-c2d5-47d3-87b' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/{{subscriptionId}}' or the scope is invalid. If access was recently granted, please refresh your credentials." } }
I'm not able to find this client id in my subscription to assign the role. Where can I find this client id in the portal? Also tried to register the postman app in my subscription but the create operation is greyed out. Could anyone help on this?
I tried to reproduce the same in my environment and got below results
I registered one Azure AD application and granted API permission like below:
I generated access token via Postman using below parameters:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
grant_type:client_credentials
client_id:<appID>
client_secret:<secret>
scope: https://management.azure.com/.default
Response:
When I used that token to list resource groups, I got same error as you like below:
GET https://management.azure.com/subscriptions/<subID>/resourcegroups?api-version=2020-09-01
Response:
The client ID in the error is the ObjectID of service principal associated with your Azure AD application having same name that can be found here:
Go to Azure Portal -> Azure Active Directory -> Enterprise Applications -> All applications -> Select Application
To resolve the error, assign Reader role to your service principal under your subscription as below:
Go to Azure Portal -> Subscriptions -> Your Subscription -> Access control (IAM) -> Add role assignment
Note that, you need to have either
OwnerorUser Access Administratorrole on your subscription to assign RBAC roles.
After assigning the role, I generated the token again and got the list of resource groups successfully like below:
GET https://management.azure.com/subscriptions/<subID>/resourcegroups?api-version=2020-09-01
Response
- Granting Azure Application User access to PowerApps API
- Access Sharepoint Online Files from .NET Worker Service via Microsoft Graph/OAuth - Unauthorized or Access Denied error (401)
- Create Azure Key Vault backed secret scope in Databricks with AAD Token
- C# Graph api SDK V5 - Add User to multiple Groups
- Microsoft Azure doesn't return email via Oauth2 flow
- Sign in to Azure Account from VS Code
- Any luck in using AddMicrosoftIdentityWebApp in combination with IdentityServer4?
- Dotnet-Isolated Azure Functions - how to access HttpContext
- vscode-remote-ssh does not work with SSH using Azure AD authentication
- Implementing SSO for Azure AD B2C
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- "error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."
- Azure AD client credentials generated token does not have claims (EDITED)
- Calling an ASP.NET Core Web API integrated to EntraId app from another .NET Core console app integrated to EntraId app fails
- Correlation failed in net.core / asp.net identity / openid connect
- Generating token for Fabric Rest api using client secret
- Permission based access control using Entra ID with ASP.NET core
- How do I display Job Title in my Next Auth app
- EntraId Authentication / Authorization via .NET & React
- Azure Function app down due to wrong routing template in http trigger binding of a functions
- How can I force trigger MFA, when logging into Azure?
- Azured AD JWT authentication doesn't work for Web API hosted in docker using TestContainer
- azp Claim Missing from Azure AD JWT
- Retrieve all Users from all Groups?
- Cannot get AAD auth token in Logic Apps
- Attempting to set DisableCustomAppAuthentication to false for Azure not working from Powershell
- Using Azure Entra Id I cant see `Office 365 Exchange Online` under `APIs my organization uses`
- New tenant b2clogin URL returns error with "removed or changed"
- Azure Entra ID tokens endpoint issues an expired token
- Azure AD B2C password expiration