Error: The client does not have authorization to perform action 'Microsoft.Web/sites/config/list/action'
How does one go about translating an Azure permissions error message into the actual permissions needed to solve the problem?
I'm getting an error message when trying to run a WebJob:
The client does not have authorization to perform action 'Microsoft.Web/sites/config/list/action' over scope '/subscriptions/[redacted]/resourceGroups/[redacted]/providers/Microsoft.Web/sites/[redacted]/config/publishingcredentials'
Based on this information, how do I determine which role to add, and where?
Note: I do NOT want to grant Contributor access to my registered application. I see that such advice is provided in this answer, but I consider that to be a sloppy approach to security; I prefer the 'least privilege' rule in these matters.
My question is about how to translate the information from the error message (e.g. "Microsoft.Web/sites/config/list/action") into the actual IAM permissions I must grant to my application.
Basically I'm looking for something like this, but for Azure instead of AWS.
You can copy
Microsoft.Web/sites/config/list/actionfrom error message and search if any built-in RBAC role exists with that permission.There is one built-in RBAC role named Website Contributor having
Microsoft.Web/sites/*permission that manages websites.
As you prefer least privileges, you can assign Website Contributor role to the registered application under your App service or Resource group based on scope from error like below:
Alternatively, you can also create one custom RBAC role with Microsoft.Web/sites/config/list/action permission under your subscription like below:
You can leverage existing built-in role by cloning it like this:
In Permissions tab, you can either add or remove permissions based on your requirement like below:
In Assignable scopes tab, select scope that can be either resource group or subscription in which your App Service exists like this:
After creating the above custom role, you can assign it to the registered application under your App service or Resource group like below:
Reference: Azure custom roles - Azure RBAC | Microsoft
- Need help getting Azure AD B2C SSO with Azure AD
- Unable to get all users from Microsoft Graph using Python SDK
- Azure AD, AuthenticationTicket Claims
- How to resolve 'invalid hostname for this tenancy' error when accessing Microsoft Graph API for multi-tenant app registration?
- How to get a list of users from azure graph API
- Az-GetRoleAssigments Not returning Data for DisplayName, SignInName & Object Type - Azure Powershell Runbook
- Integration of SSO using MSAL in Angular project gets 401 returned error after login
- Azure Active Directory passing empty GUID for tenantId with default template
- Sign in to Azure Account from VS Code
- AKV10032: Invalid issuer error when connecting to Azure Key Vault from App Service
- Get all user properties from Microsoft graph
- ASP.NET Azure AD / Entra Authentication - App roles in token, but not being assigned to principal
- How to do azure single sign on with next.js 14 and App Router
- Azure ClientCertificateCredential - Using SNI
- Entra ID Schema Extension with custom Namespace
- MSAL Node service & The Partner Center API
- KeyCloak Integration with Azure B2C UserName Mapping Issue
- is it posible to access Azure App Configuration via URL or conected some how as enviroment setting of App Service?
- Generate token fails for Azure app which is both client and API (client credentials workflow)
- Pulling "On-premises last sync date time" Azure user property using PowerShell
- Authenticating to Sharepoint Online Site via React SPA in MS Teams personal Tab
- Login failed for user '<token-identified principal>' while authorizing to SQL Server via Service Principal from AAD group assigned
- MSAL library fails to parse token in Chromium based browsers
- Office 365 Exchange Online permission is not visible for registered application in azure active directory
- Azure B2C IdP-Access Token fails with IDX10511: Signature validation failed
- EntraID: how to pass application roles downstream
- During signIn receiving B2C error code ‘AADB2C99059’
- How can I read local MS Teams status
- How to find the tenant where a multi-tenant AAD application was registered
- Azure AD permissions for MS Forms