Asked by PrashantJagadale-6219

Microsoft Azure Cloud service management API fails with 401: Unauthorized error?

We are integrating the Role Assignments - List API from the Microsoft Azure Cloud Management APIs. Link to documentation: https://docs.microsoft.com/en-us/rest/api/authorization/roleassignments/list#errordetail

We have done all of the configs mentioned:

  • Registered a multi-tenant web app with Azure Active Directory for OAuth using the App Registrations option,

  • Also enabled the https://management.azure.com/user_impersonation scope under Azure Service Management,

  • The same scope is requested by the web app.

So far OAuth succeeds, but when the received access token is used to call the API GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01 it fails with a 401 Unauthorized error. I replaced {subscriptionId} with the appropriate value when making the actual call.

I looked at the details of the access token using https://jwt.io/, and the scp element only seems to contain "scp": "User.Read"; user_impersonation is missing. However, the AUTH dialog from the Microsoft login service clearly shows the requested user_impersonation grant. The user account I am using for the OAuth has access to the given Azure subscription.

What might be the problem?

azure-rbac

@PrashantJagadale-6219
Thank you for your post and I apologize for the delayed response! I just wanted to check in and see if you were able to resolve this issue?


1 Answer

Answered by PrashantJagadale-6219

Hey @JamesTran-MSFT, I solved the issue by using the scope https://management.azure.com/user_impersonation on its own. If I use another scope together with this scope it fails with 401. E.g. if I use the scope array [ "User.Read", "https://management.azure.com/user_impersonation" ] it fails with 401, but when I use a scope array with the single scope [ "https://management.azure.com/user_impersonation" ] it works for me.

I guess the user_impersonation scope cannot be used in combination with MS Graph scopes.

Thanks for the reply.

Regards,
_Prashant


@PrashantJagadale-6219
Thank you for the quick follow up on this and again I apologize for the delayed response. However, I'm glad that you were able to resolve your issue!

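The two checks a practitioner wants before calling Azure Resource Manager with a freshly acquired token, as an added example that is not part of the original question or answer: first, that the scope list handed to the token request names scopes of a single resource (the failure mode in the answer above, where mixing the Microsoft Graph scope User.Read with https://management.azure.com/user_impersonation yields a token that is not usable against ARM); second, that the token you received actually carries an ARM audience and the user_impersonation scope, which is the same inspection the asker did on jwt.io. The sample tokens below are constructed test data with an empty signature, not real Azure tokens; the audience strings accepted for ARM and the mapping of bare scope names such as User.Read to Microsoft Graph are assumptions made for this example; and the payload decoder deliberately does not verify signatures, so it is only for looking at a token your own app just obtained, never for trusting a token presented by a client.

```python
import base64
import json

# Scope strings from the thread. The token request must target ONE resource;
# User.Read is a Microsoft Graph scope (assumption for this example), while
# user_impersonation here belongs to Azure Resource Manager.
ARM_SCOPE = "https://management.azure.com/user_impersonation"
GRAPH_SCOPE = "User.Read"

# Audience values treated as Azure Resource Manager (assumption: the exact
# value depends on token version / endpoint, so several forms are accepted).
ARM_AUDIENCES = {
    "https://management.azure.com",
    "https://management.azure.com/",
    "https://management.core.windows.net/",
}
GRAPH_RESOURCE = "https://graph.microsoft.com"  # assumed home of bare scopes


def _b64url_decode(segment: str) -> bytes:
    """Base64url decode with the padding JWTs strip off."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature.

    This mirrors pasting a token into jwt.io: fine for inspecting a token
    your own app just received, unsafe as a basis for trusting anyone else's.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def resource_of(scope: str) -> str:
    """Resource a scope belongs to: the URI prefix, or Graph for bare names."""
    if "/" in scope:
        return scope.rsplit("/", 1)[0].rstrip("/")
    return GRAPH_RESOURCE


def check_scope_list(scopes) -> bool:
    """True only if every requested scope belongs to the same resource."""
    return len({resource_of(s) for s in scopes}) == 1


def token_ok_for_arm(token: str) -> bool:
    """True if the token's aud is ARM and scp grants user_impersonation."""
    claims = decode_jwt_payload(token)
    granted = set(claims.get("scp", "").split())  # scp is space-separated
    return claims.get("aud") in ARM_AUDIENCES and "user_impersonation" in granted


def make_sample_token(aud: str, scp: str) -> str:
    """Build an UNSIGNED sample token (constructed test data, not from Azure)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({
        "aud": aud,
        "scp": scp,
        "iss": "https://login.microsoftonline.com/common/v2.0",  # constructed
    }).encode())
    return f"{header}.{payload}."  # empty signature segment


# Constructed tokens that reproduce the two outcomes described in the thread.
GRAPH_TOKEN = make_sample_token("00000003-0000-0000-c000-000000000000", "User.Read")
ARM_TOKEN = make_sample_token("https://management.azure.com", "user_impersonation")


if __name__ == "__main__":
    for scopes in ([GRAPH_SCOPE, ARM_SCOPE], [ARM_SCOPE]):
        print(scopes, "->", "single resource" if check_scope_list(scopes) else "MIXED resources, split the request")
    for name, tok in (("graph", GRAPH_TOKEN), ("arm", ARM_TOKEN)):
        print(name, decode_jwt_payload(tok)["scp"], "usable for ARM:", token_ok_for_arm(tok))
```

Run `check_scope_list` on the scope array before calling the token endpoint, and `token_ok_for_arm` on the result before spending a request on management.azure.com; if the app also needs Graph, acquire a second token with only the Graph scopes rather than folding them into one request.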