AuthorizationFailed while using AZ CLI

Question

Today I have tried to perform action on Azur ADF using CLI (Portal for that subscription can be only used as "read") AZ CLI is installed on AZ VM that via Managed identity has received Contributor role on the whole subscription. Running command ended with AuthorizationFailed.

After logging into AZ CLI with AZ login -i and running command az datafactory configure-factory-repo

(AuthorizationFailed) The client 'CLIENT_ID' with object id
'CLIENT_ID' does not have authorization to perform action
'Microsoft.DataFactory/locations/configureFactoryRepo/action' over scope
'/subscriptions/SUBSCRIPTION_ID' or the scope is invalid.
If access was recently granted, please refresh your credentials.
Code: AuthorizationFailed Message: The client 'CLIENT_ID'
with object id 'CLIENT_ID' does not have authorization to
perform action 'Microsoft.DataFactory/locations/configureFactoryRepo/action' over scope
'/subscriptions/SUBSCRIPTION_ID' or the scope is invalid. If access
was recently granted, please refresh your credentials.

I have checked and VM Contributor role has Microsoft.DataFactory/locations/configureFactoryRepo/action

What else I should check?(I have no access to AZ AD)

Edit: CLIENT_ID is equal to principalId of VM from which I'm running commands.

Peter L - MSFT · Accepted Answer · 2022-07-07T14:57:24.350

0

I assume that the CLIENT_ID and SUBSCRIPTION_ID actually are real values and you have replaced them to not disclose the here, correct?

To be sure that you are in the correct context you could first issue 'az account show' after you logged in using 'az login -i'. Is the response to that what you expected?

-- Edit --

The client ID should be the client id of the managed identity, also sometimes referred to as App ID (same thing). So when you log in with -i I believe it should be the same output as when you do the az account show. So that's a good thing.

Then I kind of get the feeling that it is a scope error. It looks a lot like you run in to this and it's by design as of now. But have a look at lmicverm's comment. You might use the the other call (Create or update Factory) as a workaround?

edited Jul 07 '22 at 14:57

answered Jul 07 '22 at 14:24

Peter L - MSFT

167
4

Yes, error shows CLIENT_ID and SUBSCRIPTION_ID with real values. `az account show` provides me with the same output as I see after login in. should my "id" be the same as the client ID? – Niviral Jul 07 '22 at 14:36
I saw, yes I have a similar conclusion that it can be scope level issue. Thanks for the help. – Niviral Jul 07 '22 at 15:00

AuthorizationFailed while using AZ CLI

1 Answers1