
I'm trying to delete one Azure Resource using RestAPI by following this document: https://learn.microsoft.com/en-us/rest/api/resources/resources/delete-by-id

I have the access token with scope as https://management.azure.com/.default where I granted user_impersonation too.

The problem is when I used the token to delete the resource for this query:

DELETE https://management.azure.com/{resourceId}?api-version=2021-04-01

I'm getting error like:

Status Code(403): 'Forbidden', Response from server: '{"error":{"code":"AuthorizationFailed","message":"The client ' ' with object id ' ' does not have authorization to perform action over scope or the scope is invalid. If access was recently granted, please refresh your credentials."}}'

I'm the owner of the subscription and I have Global Administrator role that has high privilege. What more roles are needed to avoid the error?

Arjun

1 Answer


I tried to reproduce the same in my environment via Postman and got the below results:

In my Azure Portal, I have one storage account in Sri resource group as below:


By passing access token generated with same scope as you, I ran below query and got same error:

DELETE https://management.azure.com/{resourceId}?api-version=2021-04-01

Response:


The error usually occurs if your service principal doesn't have the required permissions or roles to perform the action.

To resolve the error, you need to assign a role to your service principal based on the resource type you are deleting.

In my case, I assigned the "Storage Account Contributor" role to the service principal at the resource group level, as I'm deleting a storage account, like below:


After assigning that role, I generated the access token again like below:

POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token


When I ran the same query with the above access token, I got a 200 OK response as below:

DELETE https://management.azure.com/{resourceId}?api-version=2021-04-01

Response:


To confirm this, you can visit the Sri resource group in the Azure Portal, and the storage account is no longer listed, as it has been deleted.


So, assign the role accordingly to the service principal based on your requirement.

Alternatively, you can directly assign the Contributor role to the service principal, which can delete any resource.

If you want to access the Azure resource using your user account roles, you can generate access token via ROPC flow.

References:

Resource owner password credentials grant | Microsoft Docs

Azure built-in roles - Azure RBAC | Microsoft Docs

Sridevi
  • I want to access Azure resource with my account only so I tried with ROPC flow as you mentioned but it's a bit confusing. Can you help me with any working example? Thanks! – Arjun Sep 09 '22 at 11:04
  • You can refer **[this thread](https://stackoverflow.com/questions/73469640/use-my-user-id-to-access-azure-apis-non-interactive/73557774#73557774)** regarding ***ROPC flow*** that I answered previously. – Sridevi Sep 09 '22 at 11:08
  • In the end, I followed your answer as I feel exposing password of my account in ROPC flow is not best security practice. Granting role to the service principal worked! – Arjun Sep 14 '22 at 02:16
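The flow the answer walks through (client-credentials token for the `https://management.azure.com/.default` scope, then `DELETE` against the resource ID) as an added Python example; this is not code from the question or the answer. The tenant, client, secret and resource values are placeholders you must replace, the 403 body used for the diagnosis is constructed to match the shape quoted in the question, and the network calls only run from `__main__`, so the helper functions can be exercised offline.

```python
import json
import urllib.error
import urllib.parse
import urllib.request

# Placeholders (hypothetical): substitute your tenant, app registration and target resource.
TENANT_ID = "<tenantID>"
CLIENT_ID = "<clientId>"
CLIENT_SECRET = "<clientSecret>"
RESOURCE_ID = ("/subscriptions/<subscriptionId>/resourceGroups/<resourceGroup>"
               "/providers/Microsoft.Storage/storageAccounts/<storageAccount>")
API_VERSION = "2021-04-01"
SCOPE = "https://management.azure.com/.default"

# Constructed sample of the 403 body from the question, used to show the diagnosis path.
SAMPLE_403_BODY = json.dumps({"error": {
    "code": "AuthorizationFailed",
    "message": "The client ' ' with object id ' ' does not have authorization to perform "
               "action over scope or the scope is invalid."}})


def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials POST to the v2.0 token endpoint used in the answer."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": SCOPE,
    }).encode()
    return url, body


def build_delete_request(resource_id, access_token, api_version=API_VERSION):
    """DELETE {resourceId}?api-version=... with the bearer token in the Authorization header."""
    url = f"https://management.azure.com{resource_id}?api-version={api_version}"
    headers = {"Authorization": f"Bearer {access_token}"}
    return url, headers


def classify_delete_response(status, body):
    """Turn an ARM delete response into a short diagnosis a caller can act on."""
    if status in (200, 204):
        return "deleted"
    if status == 202:
        return "deletion accepted (async)"
    try:
        error = json.loads(body)["error"]
    except (ValueError, KeyError, TypeError):
        return f"unexpected response {status}"
    if status == 403 and error.get("code") == "AuthorizationFailed":
        # The token is valid but the principal holds no role granting the delete action
        # on this scope; assign the narrowest role that covers it (e.g. Storage Account
        # Contributor at resource group scope) rather than Contributor on the subscription.
        return "AuthorizationFailed: assign a role with the delete action at the resource or resource group scope"
    return f"{error.get('code')}: {error.get('message')}"


def acquire_token(tenant_id, client_id, client_secret):
    url, body = build_token_request(tenant_id, client_id, client_secret)
    with urllib.request.urlopen(urllib.request.Request(url, data=body, method="POST")) as resp:
        return json.load(resp)["access_token"]


def delete_resource(resource_id, access_token):
    url, headers = build_delete_request(resource_id, access_token)
    req = urllib.request.Request(url, headers=headers, method="DELETE")
    try:
        with urllib.request.urlopen(req) as resp:
            return classify_delete_response(resp.status, resp.read().decode())
    except urllib.error.HTTPError as err:
        # ARM returns the JSON error document in the body of the 4xx response.
        return classify_delete_response(err.code, err.read().decode())


if __name__ == "__main__":
    print(classify_delete_response(403, SAMPLE_403_BODY))  # offline demonstration of the diagnosis
    token = acquire_token(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    print(delete_resource(RESOURCE_ID, token))
```

Checking the role assignment before calling the API is cheaper than reading it out of the 403: `az role assignment list --assignee <clientId> --scope <resourceId>` (Azure CLI) shows whether the principal holds any role whose actions include the provider's `delete` action at that scope.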