Prashant

Reputation: 4644

Microsoft Azure Cloud service management API fails with 401: Unauthorized error?

We are integrating the Role Assignments - List API from the Microsoft Azure Cloud Management APIs. Link to documentation: https://learn.microsoft.com/en-us/rest/api/authorization/roleassignments/list#errordetail

We have done all of the configs mentioned:

So far OAuth succeeds, but when the access token received is used to call the API GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01, it fails with a 401 Unauthorized error. I have replaced the subscriptionId with the appropriate value while making the actual call.

I looked at the details of the access token using https://jwt.io/ and the scp element only seems to have the "scp": "User.Read" scope, missing user_impersonation, though the auth dialog from the Microsoft login service clearly shows the requested user_impersonation grant. The user account I am using for the OAuth has access to the given Azure subscription.

What might be the problem?

Upvotes: 0

Views: 877

Answers (1)

unknown

Reputation: 7483

It's important to add the scope https://management.azure.com/user_impersonation when requesting an access token.

Test using implicit grant flow in browser:

https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/authorize?
client_id=<your-app-id>
&response_type=token
&redirect_uri=<your-redirect_uri>
&scope=https://management.azure.com/user_impersonation
&response_mode=fragment
&state=12345
&nonce=678910


Note: If you use client credentials flow, change scope to https://management.azure.com/.default.

Upvotes: 1
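
Added example (not part of the question or the answer): a local check of a delegated access token's aud and scp claims, so a live token does not need to be pasted into a third-party site to see why management.azure.com rejects it. The accepted audience values, the Microsoft Graph aud on the first sample and both sample tokens are assumptions constructed for illustration; client credentials tokens carry no scp claim and are out of scope here.

```python
import base64
import json

# Assumption: audiences that Azure Resource Manager tokens are commonly issued for.
ARM_AUDIENCES = {"https://management.azure.com", "https://management.core.windows.net"}
REQUIRED_SCOPE = "user_impersonation"


def decode_claims(token):
    """Return the JWT payload as a dict. The signature is NOT verified: diagnostics only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def diagnose(token):
    """List the reasons this delegated token would be rejected by management.azure.com."""
    claims = decode_claims(token)
    problems = []
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud not in ARM_AUDIENCES:
        problems.append(f"aud is {aud!r}, not Azure Resource Manager")
    scopes = claims.get("scp", "").split()  # scp is a space-separated string
    if REQUIRED_SCOPE not in scopes:
        problems.append(f"scp {scopes} lacks {REQUIRED_SCOPE}")
    return problems


def make_token(claims):
    """Build an unsigned, constructed sample token for the demo below."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    header = enc({"alg": "none"})
    return f"{header}.{enc(claims)}.sig"


# Constructed samples: a token like the one in the question, and one requested with the ARM scope.
GRAPH_TOKEN = make_token({"aud": "00000003-0000-0000-c000-000000000000", "scp": "User.Read"})
ARM_TOKEN = make_token({"aud": "https://management.azure.com", "scp": "user_impersonation"})

if __name__ == "__main__":
    for name, tok in (("question", GRAPH_TOKEN), ("fixed", ARM_TOKEN)):
        print(name, diagnose(tok) or "ok for management.azure.com")
```
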
