Reputation: 600
Azure Maps 403 "Permission, capacity, or authentication issues."
I am trying to call Azure Maps with OAuth access tokens but it is throwing me 403 Forbidden with the message "Permission, capacity, or authentication issues.". I have followed procedure mentioned here: https://learn.microsoft.com/en-us/azure/azure-maps/azure-maps-authentication
- Created App Registration in AD, generated secret
- Added API permission to Azure Maps
- In Azure Maps > IAM > added the application as Map Data Reader
- Got the Access token from https://login.microsoftonline.com//oauth2/token with resource=https://atlas.microsoft.com/
- Calling https://atlas.microsoft.com/route/directions/json?api-version=1.0&query=52.50931,13.42936:52.50274,13.43872 with x-ms-client-id and Authorization=Bearer
Same procedure works correctly for my personal free subscription but not in my company's subscription. Don't know how to debug.
Upvotes: 3
Views: 1184
Answers (2)
Reputation: 600
We raised the ticket with Microsoft and they told us it was caused by:
longer synchronization times regarding the RBAC configurations worldwide
Upvotes: 1
Reputation: 216
For reference on how Azure RBAC works.
Ensure you have no deny assignments possibly enforced from management groups on the particular role.
Make sure the role assignment is applied to the correct scope. Meaning on the scope of an Azure Maps Account or a parent of the account such as the resource group or subscription.
If you have security principals assigned to the correct scope but still receiving 403. It usually means you have assigned or authenticating with the wrong security principal.
Example: "App only" token for an App Registration requires the service principal App to be assigned at the scope.
If you as user authenticate as a user to the App Registration that would mean the user security principal should be assigned to the scope; Not the app.
If you are using Azure AD groups it could mean that the security principal may not be part of the group which is assigned access.
I don't think it's common to add service principals to security groups though. But it is a possibility which should be confirmed. There is also a possibility of delay before the permissions are propagated but this usually shouldn't take more than a few minutes.
Just to be thorough but may not apply here. Certain REST APIs require S1 sku to be selected on the account. This will result in the same error response.
Upvotes: 4
Related Questions
- Azure Maps Route Directions Error Returns Bad Request
- Azure.Identity.CredentialUnavailableException problem
- Microsoft Azure Maps / Postman upload error
- Azure Maps Route Directions - Bad Request
- Azure Maps API does not return results for existing geographic entities
- Azure map drive system error 53 has occurred
- Azure Maps Get Map Image Request returns a blank map image
- Microsoft Azure Maps missing atlas.control
- Azure Appservice Bing Maps "Invalid Credendtials"
- Azure maps REST API link not working