Authorization Failed error for Azure Client

Tariq Salat 101 Reputation points
2021-06-04T07:22:10.753+00:00

Hi,

I have client=d0090999-c1eb-420f-b8ff-d85acdb96204 under subscription=44b014d5-4f39-469c-a532-d88771b32106. While performing any read/write operation for this client, I am getting the error 'com.microsoft.azure.CloudException: Status code 403, {"error":{"code":"AuthorizationFailed","message":"The client '67751700-f35e-4c05-a825-a4b8258d65c0' with object id '67751700-f35e-4c05-a825-a4b8258d65c0' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/read' over scope '/subscriptions/44b014d5-4f39-469c-a532-d88771b32106' or the scope is invalid. If access was recently granted, please refresh your credentials."}}: The client '67751700-f35e-4c05-a825-a4b8258d65c0' with object id '67751700-f35e-4c05-a825-a4b8258d65c0' does not have authorization to perform action 'Microsoft.Storage/storageAccounts/read' over scope '/subscriptions/44b014d5-4f39-469c-a532-d88771b32106' or the scope is invalid. If access was recently granted, please refresh your credentials.'.

For my user, I have the permissions below:

  1. Application administrator
  2. Azure DevOps administrator
  3. Cloud App Security Administrator
  4. Cloud application administrator
  5. Compliance data administrator
  6. Contributor Role

For the client, I have the permissions below:

  1. Application administrator
  2. Cloud application administrator

I have also added API permissions with Admin consent. Still, I am getting the authorization failed error. Could you please help me sort out this issue?


Accepted answer
  1. Siva-kumar-selvaraj 15,551 Reputation points
    2021-06-09T18:49:28.863+00:00

    Hello @Tariq Salat ,

    Yes, you must assign Azure roles to your application to manage Azure resources, as per this article.

    Azure AD roles and Azure roles are two different roles; to learn more, refer to this article.

    Hope this helps.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

    9 people found this answer helpful.
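
A simplified model of the Azure RBAC check behind this error, added here as an example (not code from the thread or from Microsoft): it parses the AuthorizationFailed message and evaluates it against Azure role assignments only, which is why directory roles never satisfy it. The GUIDs are constructed placeholders, the role definitions are abridged, and the function names are hypothetical.

```python
import fnmatch
import re

# Constructed sample in the shape of the 403 body quoted in the question (placeholder GUIDs).
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
APP = "11111111-1111-1111-1111-111111111111"
SAMPLE_ERROR = (
    f"The client '{APP}' with object id '{APP}' does not have authorization to perform "
    f"action 'Microsoft.Storage/storageAccounts/read' over scope '{SUB}' or the scope is invalid."
)
ERROR_RE = re.compile(
    r"object id '(?P<principal>[^']+)' does not have authorization to perform "
    r"action '(?P<action>[^']+)' over scope '(?P<scope>[^']+)'"
)
# Abridged role definitions (assumption: only the fields needed here are modelled).
ROLES = {
    "Reader": {"actions": ["*/read"], "not_actions": []},
    "Contributor": {"actions": ["*"], "not_actions": ["Microsoft.Authorization/*/Write"]},
}

def parse_authorization_failed(message):
    """Return principal, action and scope from an AuthorizationFailed message, or None."""
    m = ERROR_RE.search(message)
    return m.groupdict() if m else None

def scope_covers(assigned, requested):
    """An assignment applies at its own scope and is inherited by child scopes."""
    a, r = assigned.rstrip("/").lower(), requested.rstrip("/").lower()
    return r == a or r.startswith(a + "/")  # "/" boundary stops sibling-prefix matches

def role_allows(role, action):
    """Action must match a wildcard in actions and none in not_actions."""
    hit = lambda pats: any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in pats)
    return hit(role["actions"]) and not hit(role["not_actions"])

def is_authorized(request, azure_assignments):
    """Simplified check: ignores deny assignments, conditions and data actions."""
    return any(
        a["principal"] == request["principal"]
        and scope_covers(a["scope"], request["scope"])
        and role_allows(ROLES[a["role"]], request["action"])
        for a in azure_assignments
    )

# Directory roles (e.g. Application administrator) are not Azure role assignments,
# so a principal holding only those has an empty list here.
request = parse_authorization_failed(SAMPLE_ERROR)
before = is_authorized(request, azure_assignments=[])
after = is_authorized(request, [{"principal": APP, "role": "Reader", "scope": SUB}])
print(request, before, after)
```
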

3 additional answers

  1. Sam Cogan 10,157 Reputation points MVP
    2021-06-04T08:23:36.997+00:00

    The roles you have listed for the application are all Azure AD roles; they will not help you here. You need to grant the application the storage contributor role on the storage account in question.

    7 people found this answer helpful.

  2. Nima 31 Reputation points
    2022-07-21T18:18:30.597+00:00

    Hi
    I have encountered the same issue while adding a subscription to Azure CycleCloud. The previous posts have not helped me a lot to troubleshoot. Where exactly do we need to go in the Azure Portal to define the required role? Any help is highly appreciated.

    Thanks so much

    1 person found this answer helpful.

  3. simon ayi geh 0 Reputation points
    2024-01-02T21:47:04.38+00:00

    I believe you should add the Automation Contributor role and see if you get the same failure. I believe you will be good.
