Not able to connect to azure from postman application - 403 forbidden error
I'm trying to GET https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups?api-version=2020-09-01 using postman application from my desktop. For Authorization I passed the bearer token acquired from the response.
However getting the below error.
{ "error": { "code": "AuthorizationFailed", "message": "The client '02d899d6-c2d5-47d3-' with object id '02d899d6-c2d5-47d3-87b' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/{{subscriptionId}}' or the scope is invalid. If access was recently granted, please refresh your credentials." } }
I'm not able to find this client id in my subscription to assign the role. Where can I find this client id in the portal? Also tried to register the postman app in my subscription but the create operation is greyed out. Could anyone help on this?
I tried to reproduce the same in my environment and got below results
I registered one Azure AD application and granted API permission like below:
I generated access token via Postman using below parameters:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
grant_type:client_credentials
client_id:<appID>
client_secret:<secret>
scope: https://management.azure.com/.default
Response:
When I used that token to list resource groups, I got same error as you like below:
GET https://management.azure.com/subscriptions/<subID>/resourcegroups?api-version=2020-09-01
Response:
The client ID in the error is the ObjectID of service principal associated with your Azure AD application having same name that can be found here:
Go to Azure Portal -> Azure Active Directory -> Enterprise Applications -> All applications -> Select Application
To resolve the error, assign Reader role to your service principal under your subscription as below:
Go to Azure Portal -> Subscriptions -> Your Subscription -> Access control (IAM) -> Add role assignment
Note that, you need to have either
OwnerorUser Access Administratorrole on your subscription to assign RBAC roles.
After assigning the role, I generated the token again and got the list of resource groups successfully like below:
GET https://management.azure.com/subscriptions/<subID>/resourcegroups?api-version=2020-09-01
Response
- REST API service when called from azure APIM returning empty response body with Status code 200
- Need help getting Azure AD B2C SSO with Azure AD
- Unable to get all users from Microsoft Graph using Python SDK
- Azure AD, AuthenticationTicket Claims
- How to resolve 'invalid hostname for this tenancy' error when accessing Microsoft Graph API for multi-tenant app registration?
- How to get a list of users from azure graph API
- Az-GetRoleAssigments Not returning Data for DisplayName, SignInName & Object Type - Azure Powershell Runbook
- Integration of SSO using MSAL in Angular project gets 401 returned error after login
- Azure Active Directory passing empty GUID for tenantId with default template
- Sign in to Azure Account from VS Code
- AKV10032: Invalid issuer error when connecting to Azure Key Vault from App Service
- Get all user properties from Microsoft graph
- ASP.NET Azure AD / Entra Authentication - App roles in token, but not being assigned to principal
- How to do azure single sign on with next.js 14 and App Router
- Azure ClientCertificateCredential - Using SNI
- Entra ID Schema Extension with custom Namespace
- MSAL Node service & The Partner Center API
- KeyCloak Integration with Azure B2C UserName Mapping Issue
- is it posible to access Azure App Configuration via URL or conected some how as enviroment setting of App Service?
- Generate token fails for Azure app which is both client and API (client credentials workflow)
- Pulling "On-premises last sync date time" Azure user property using PowerShell
- Authenticating to Sharepoint Online Site via React SPA in MS Teams personal Tab
- Login failed for user '<token-identified principal>' while authorizing to SQL Server via Service Principal from AAD group assigned
- MSAL library fails to parse token in Chromium based browsers
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Azure B2C IdP-Access Token fails with IDX10511: Signature validation failed
- EntraID: how to pass application roles downstream
- During signIn receiving B2C error code ‘AADB2C99059’
- How can I read local MS Teams status
- How to find the tenant where a multi-tenant AAD application was registered