Tags: azure, azure-active-directory

Accessing Azure Service Manager API from a function app


I need to access Azure Service Manager API from a function app. How do I authenticate using app registration?

I have created an app registration and given it delegated permission to Azure Service Manager (on API permissions tab in azure portal). However, when I fetch the access token and try to make an api call, I get a 403 response saying:

The client x with object id x does not have authorization to perform action.

Is it because the permission is delegated? Application permission seems unavailable for Azure Service Manager.

EDIT:

Query that I'm trying to send:

https://management.azure.com/subscriptions/<subscription id>/resourceGroups/<resource group>/providers/Microsoft.Web/sites/<service name>/restart?api-version=2022-03-01

I get the authentication token by sending a post request:

URL: https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token
Payload: grant_type=client_credentials&scope=https://management.azure.com/.default&client_id=<client id>&client_secret=<client secret>

Solution

  • To access Azure Service Management, create a Microsoft Entra ID application and grant API permissions like below:


    Generated an access token using the parameters below:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
    
    client_id:ClientID
    client_secret:ClientSecret
    grant_type:client_credentials
    scope:https://management.azure.com/.default
    


    When I tried to access Azure Service Manager, the API call failed with a 403 error:

    POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}/restart?api-version=2023-12-01
    


    To resolve the error, you need to grant the required RBAC roles to the Service Principal at the subscription level.

    In this scenario, assign Contributor role or Website Contributor role to the Service principal:

    Go to Azure Portal -> Subscriptions -> Select your Subscription -> Access control (IAM) -> Add role assignment -> Select role -> Select members -> Select your Service principal -> Review+assign


    After generating the access token again, I am able to restart the web app successfully:

    POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}/restart?api-version=2023-12-01
    


    Make sure that the Service Principal is created for the Microsoft Entra ID application:

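The whole flow from the question and the answer (client-credentials token, ARM restart call, telling a missing-RBAC 403 apart from a bad-token 401) as an added example in Python; this is not code from the original post or from Microsoft. Tenant, client, subscription and site identifiers are placeholders read from the environment, and the sample 403 body is constructed to mirror the message quoted in the question. The only part of the page it relies on is the behaviour the answer shows: with `grant_type=client_credentials` there is no user, so the delegated `user_impersonation` permission on the app registration plays no role and ARM authorizes purely by Azure RBAC at the scope of the request. The `site_scope` helper is there because a role assignment does not have to sit at the subscription level; Website Contributor scoped to the one web app is the least-privilege choice for a function that only restarts it.

```python
"""Client-credentials access to Azure Resource Manager from a function app.
Added illustration, not code from the original post; identifiers are placeholders."""
import base64
import json
import os
import urllib.error
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"
LOGIN = "https://login.microsoftonline.com"

# Constructed sample of the ARM 403 envelope the question quotes (wording abbreviated).
SAMPLE_403 = {"error": {"code": "AuthorizationFailed",
                        "message": "The client 'x' with object id 'x' does not have "
                                   "authorization to perform action "
                                   "'Microsoft.Web/sites/restart/action'."}}


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the v2.0 client-credentials grant.
    App-only: scope is always <resource>/.default; delegated permissions are unused."""
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{ARM}/.default",
    }).encode()
    return url, body


def site_scope(subscription_id, resource_group, site):
    """Narrowest RBAC scope for the role assignment: the web app's own resource ID."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Web/sites/{site}")


def restart_url(subscription_id, resource_group, site, api_version="2023-12-01"):
    return f"{ARM}{site_scope(subscription_id, resource_group, site)}/restart?api-version={api_version}"


def decode_jwt_claims(token):
    """Decode (without verifying) a JWT payload; useful to check 'aud' on a 401."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def make_unsigned_jwt(claims):
    """Constructed, unsigned token for offline demonstration only (never send one)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(claims)}."


def classify_arm_response(status, body):
    """Map an ARM result to its likely cause. body is the parsed error envelope or None."""
    if status in (200, 202, 204):
        return "ok"
    code = (body or {}).get("error", {}).get("code", "")
    if status == 401:
        return "bad-token"        # wrong audience, expired or malformed bearer token
    if status == 403 and code == "AuthorizationFailed":
        return "missing-rbac"     # token accepted; principal has no role at this scope
    return f"unexpected-{status}-{code}"


def fetch_token(tenant_id, client_id, client_secret):
    """Live call to the token endpoint; returns the access token string."""
    url, body = token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body, method="POST")) as resp:
        return json.load(resp)["access_token"]


def restart_web_app(token, subscription_id, resource_group, site):
    """Live POST to the restart action; returns the classification string."""
    req = urllib.request.Request(
        restart_url(subscription_id, resource_group, site), data=b"", method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Length": "0"})
    try:
        with urllib.request.urlopen(req) as resp:
            return classify_arm_response(resp.status, None)
    except urllib.error.HTTPError as e:
        try:
            body = json.loads(e.read() or b"{}")
        except ValueError:
            body = None
        return classify_arm_response(e.code, body)


if __name__ == "__main__":
    env = {k: os.environ[k] for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET",
                                     "SUBSCRIPTION_ID", "RESOURCE_GROUP", "SITE")}
    tok = fetch_token(env["TENANT_ID"], env["CLIENT_ID"], env["CLIENT_SECRET"])
    print("aud:", decode_jwt_claims(tok).get("aud"))
    print(restart_web_app(tok, env["SUBSCRIPTION_ID"], env["RESOURCE_GROUP"], env["SITE"]))
```

If `restart_web_app` returns `missing-rbac`, the token was valid and the fix is a role assignment (Website Contributor at `site_scope(...)` is enough for the restart action); re-adding API permissions in the portal will not change the result. A `bad-token` result usually means the `aud` claim is not `https://management.azure.com`, which `decode_jwt_claims` makes visible without a verifier. A function app can also use a system-assigned managed identity with the same role assignment, which removes the client secret from the picture entirely.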