How can I set the scope parameter in the Azure REST API

김 우준 26 Reputation points
2021-10-19T23:52:24.26+00:00

I'm trying to get a list of databases in an elastic pool.

This is my scenario.
Get a token to call the REST API that gets a list by elastic pool.
Call the REST API and get a list by elastic pool.
Count the number of databases in each pool, and pick a target elastic pool in which to create a new database for customers' operational data.

These are the documents I followed.
Set Azure AD tenant, Register app or web API, Expose scopes in web API registration, Grant scoped permission to web API
Azure REST API references
Databases - List By Elastic Pool

Then I found the parameters and how to call this REST API, but I am still having trouble with the authorization token, and I have a few questions about scope, which is a parameter in the Azure REST API.

First, I tried to get a token by following this doc:
OAuth 2.0 client credentials grant
I followed this document and succeeded in getting a bearer token to call the Azure REST API.
But this token still has a problem: an AuthorizationFailed error. The error message is below.

{
"error": {
"code": "AuthorizationFailed",
"message": "The client '3xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxx' with object id '3xxxxxxxx-xxxx-xxxx-xxxxxxxxxxxxxxx' does not have authorization to perform action 'Microsoft.Sql/servers/elasticPools/databases/read' over scope '/subscriptions/{subcriptionId}/resourceGroups/{resourceGroupsName}/providers/Microsoft.Sql/servers/{ServerName}/elasticPools/{PoolName}' or the scope is invalid. If access was recently granted, please refresh your credentials."
}
}

This is the parameter information entered in Postman.
141912-postman-get-a-token.jpg

This is the result of calling the example below with the token obtained above set as the OAuth 2.0 Bearer token value.
https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Sql/servers/{serverName}/elasticPools/{elasticPoolName}/databases?api-version=2021-02-01-preview
141895-postman-get-a-list-elastic-pool.jpg

In this result, the error says 'over scope' or that the scope is invalid. So I tried to find out how to set a scope, or what the scope is. Then I found this document:
Set Azure AD tenant, Register app or web API, Expose scopes in web API registration, Grant scoped permission to web API
But there is no exact example or guide document for setting the scope.
So, in this scenario, how can I set a scope, or what should I write in the scope parameter?

Microsoft Entra ID

Accepted answer
  1. Siva-kumar-selvaraj 15,556 Reputation points
    2021-10-20T12:46:35.263+00:00

    Hello @김 우준 ,

    Thanks for reaching out.

    It seems that the service principal you are using doesn't have appropriate rights at your subscription level to perform the action.

    To fix the issue, assign any of the built-in RBAC roles below that have access to perform the action Microsoft.Sql/servers/elasticPools/databases/read, using either the Portal or PowerShell as explained here, and then try getting a new Azure AD token, which should work.

    These built-in roles contain the read action for SQL elastic pools: SQL Server Contributor OR Contributor OR Owner

    Example:
    You can also verify this by going to the subscription blade and selecting each built-in RBAC role to validate, as shown below:
    142077-image.png

    Therefore, you don't have to set any additional scope value other than https://management.azure.com/.default in the parameter, which you are already passing while getting the access_token. All you need is to assign an RBAC (Role Based Access Control) role to the given principal to perform the action 'Microsoft.Sql/servers/elasticPools/databases/read' over your subscription, as explained above.

    Hope this helps.

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
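
An added example, not part of the question or the answer above: a Python check that separates the two meanings of "scope" in this thread, the OAuth `scope` used to request the token (visible as the token's `aud` claim) and the RBAC scope named in the `AuthorizationFailed` message. The token, GUIDs and resource names are constructed placeholders, the expected `aud` value is an assumption, and building the role assignment at the scope quoted in the error rather than at the whole subscription is a choice made here to keep the grant narrow.

```python
import base64, json, re, shlex

# Assumption: aud claim of tokens requested with scope https://management.azure.com/.default
ARM_AUDIENCE = "https://management.azure.com"

def token_claims(jwt):
    """Decode the JWT payload for inspection only; the signature is NOT verified."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

DENIED = re.compile(
    r"client '(?P<client>[^']+)' with object id '(?P<oid>[^']+)' does not have "
    r"authorization to perform action '(?P<action>[^']+)' over scope '(?P<scope>[^']+)'")

def diagnose(jwt, error_body, role="SQL Server Contributor"):
    """Separate a wrong OAuth scope (token audience) from a missing RBAC assignment."""
    claims = token_claims(jwt)
    err = json.loads(error_body)["error"]
    m = DENIED.search(err.get("message", ""))
    if err.get("code") != "AuthorizationFailed" or m is None:
        raise ValueError("not an ARM AuthorizationFailed response")
    aud_ok = str(claims.get("aud", "")).rstrip("/") == ARM_AUDIENCE
    fix = " ".join(["az role assignment create",
                    "--assignee-object-id", shlex.quote(m["oid"]),
                    "--assignee-principal-type ServicePrincipal",
                    "--role", shlex.quote(role), "--scope", shlex.quote(m["scope"])])
    return {"audience_ok": aud_ok,                    # False: token was not issued for ARM
            "same_principal": claims.get("oid") == m["oid"],
            "action": m["action"], "rbac_scope": m["scope"],
            "fix": fix if aud_ok else None}           # set when the gap is RBAC, not the token

# --- constructed sample data (placeholder GUIDs and names, unsigned token) ---
def b64seg(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

SAMPLE_OID = "00000000-0000-0000-0000-000000000001"
SAMPLE_SCOPE = ("/subscriptions/00000000-0000-0000-0000-0000000000aa/resourceGroups/rg-demo"
                "/providers/Microsoft.Sql/servers/sql-demo/elasticPools/pool-demo")
SAMPLE_JWT = ".".join([b64seg({"alg": "none"}),
                       b64seg({"aud": ARM_AUDIENCE, "oid": SAMPLE_OID}), "sig"])
SAMPLE_ERROR = json.dumps({"error": {"code": "AuthorizationFailed", "message": (
    f"The client '{SAMPLE_OID}' with object id '{SAMPLE_OID}' does not have authorization "
    f"to perform action 'Microsoft.Sql/servers/elasticPools/databases/read' over scope "
    f"'{SAMPLE_SCOPE}' or the scope is invalid.")}})

if __name__ == "__main__":
    print(json.dumps(diagnose(SAMPLE_JWT, SAMPLE_ERROR), indent=2))
```

The role name defaults to one of the built-in roles listed in the answer; pass a different `role` to generate the command for another one.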

