Error: The client does not have authorization to perform action 'Microsoft.Web/sites/config/list/action'
How does one go about translating an Azure permissions error message into the actual permissions needed to solve the problem?
I'm getting an error message when trying to run a WebJob:
The client does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope '/subscriptions/[redacted]/resourceGroups/[redacted]/providers/Microsoft.Web/sites/[redacted]/config/publishingcredentials'
Based on this information, how do I determine which role to add, and where?
Note: I do NOT want to grant Contributor access to my registered application. I see that such advice is provided in this answer, but I consider that to be a sloppy approach to security; I prefer the 'least privilege' rule in these matters.
My question is about how to translate the information from the error message (e.g. "Microsoft.Web/sites/config/list/action") into the actual IAM permissions I must grant to my application.
Basically I'm looking for something like this, but for Azure instead of AWS.
You can copy
Microsoft.Web/sites/config/list/actionfrom error message and search if any built-in RBAC role exists with that permission.There is one built-in RBAC role named Website Contributor having
Microsoft.Web/sites/*permission that manages websites.
As you prefer least privileges, you can assign Website Contributor role to the registered application under your App service or Resource group based on scope from error like below:
Alternatively, you can also create one custom RBAC role with Microsoft.Web/sites/config/list/action permission under your subscription like below:
You can leverage existing built-in role by cloning it like this:
In Permissions tab, you can either add or remove permissions based on your requirement like below:
In Assignable scopes tab, select scope that can be either resource group or subscription in which your App Service exists like this:
After creating the above custom role, you can assign it to the registered application under your App service or Resource group like below:
Reference: Azure custom roles - Azure RBAC | Microsoft
- Configuring spring-boot-starter-oauth2-client to authenticate with Azure AD
- Getting a token from Microsoft Intra ID with PostMan using MFA
- MSAL for non-SPA? Server side authentication?
- Error 403 User not authorized when trying to access Azure Databricks API through Active Directory
- Add Azure Active Directory User to Azure SQL Database
- How to use stored procedure parameters as dynamic content in copy activity using ADF
- Azure AD B2C error AADB2C90057 when I am NOT trying to use the implicit flow
- “That Microsoft account doesn’t exist” for Microsoft logins on Auth0
- You don’t have authorization to perform action 'Microsoft.Resources/deployments/validate/action'
- .Net Core - Use AzureAD/EntraID Authentication to Access Azure DevOps REST APIs
- Issue with Azure Automation Account and Key Vault Certificate Retrieval
- OpenAI remove key access while using AAD authentication
- Azure Tenant setup for .NET Blazor WASM calling Web API + Microsoft Graph
- Add tenant specific roles in Azure AD multitenant app
- Allow App Service to be called by just a test user and another App Service using a system assigned managed identity
- How to automatically refresh access token
- Access Token Issuer from Azure AD is sts.windows.net Instead Of login.microsoftonline.com
- How to get user's attributes from Identity in Blazor Server with organization authentication
- Correlation failed in net.core / asp.net identity / openid connect
- I'm unable to Login to VM with Azure AD user credentials
- I need to add co-organizer in teams meeting through graph api
- Entra ID - Adding actor claim to the token via client credential flow
- Roles for a SPA and API setup in Microsoft Intra ID
- Unable to patch businessPhones of Entra External ID user, Insufficient privileges to complete the operation
- How to create dynamic groups in AzureAD/EntraID from a csv import?
- Creating a user in Azure AD B2C through Microsoft SSO
- Azured AD JWT authentication doesn't work for Web API hosted in docker using TestContainer
- How do I connect locally to Azure SQL database with Microsoft Entra ID registered app in C#?
- How to fix 'Unable to Obtain Authentication Token' in Active Directory Authentication to Azure Analysis Server
- Error OrganizationFromTenantGuidNotFound and 401 Unauthorized when Sending Email via Microsoft Graph API in React App