
I created an Azure AD Application, added the user_impersonation permission and generated an access token using the https://management.azure.com/.default scope:

    https://login.microsoftonline.com/XX/oauth2/v2.0/token
    
    client_id:
    client_secret:
    scope:https://management.azure.com/.default
    grant_type:client_credentials

I am referring to this Microsoft document to delete an Azure resource by specifying its ID:

Resources - Delete By Id - REST API (Azure Resource Management) | Microsoft Learn

But it threw me this error:

Status Code(403): 'Forbidden', Response from server: '{"error":{"code":"AuthorizationFailed","message":"The client ' ' with object id 'XXXX ' does not have authorization to perform action over scope or the scope is invalid. If access was recently granted, please refresh your credentials."}}'

I am a Global Admin and granted the required permissions too. What else am I missing?

Rukmini
  • 6,015
  • 2
  • 4
  • 14

1 Answer

I tried to reproduce the same in my environment and got the same error like below:


The error usually occurs if the Service Principal doesn't have the required roles to perform the action.

To resolve the error, try adding the Contributor role to the Azure AD Application so it can delete any resource:

You can also assign specific roles based on your requirement or resource type.

I generated the access token by using parameters like below:

    https://login.microsoftonline.com/4ffc5c85-c24e-4acb-b4dc-XXXXX/oauth2/v2.0/token

    client_id:0e5df122-c780-4ac6-b6e9-13XXXXX
    client_secret:*******
    scope:https://management.azure.com/.default
    grant_type:client_credentials

I assigned the Virtual Machine Contributor role to the Service Principal.

After assigning the role, I am able to delete the resource by its ID successfully.

Rukmini
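The flow in the question and answer, as an added example that is not part of the original post or of any Microsoft SDK: it builds the same v2.0 client_credentials token request, builds the Delete By Id call, and triages an ARM error body so the operator can tell an RBAC gap (the 403 AuthorizationFailed above, which also names the service principal's object id to assign the role to) from a bad token. The tenant, client id, secret, resource id and `api-version=2021-04-01` are placeholders and assumptions, not values from the page. The point it demonstrates is that `user_impersonation` is a delegated API permission and never applies to an app-only token; the service principal needs an Azure RBAC role assignment at the resource's scope.

```python
"""Client-credentials token request, Delete By Id call, and 403 triage for ARM."""
import json
import re
import urllib.error
import urllib.parse
import urllib.request

# Placeholders (assumed, not from the page); fill in for a real run.
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_SECRET = "<client-secret>"
RESOURCE_ID = ("/subscriptions/<sub-id>/resourceGroups/<rg>/providers/"
               "Microsoft.Compute/virtualMachines/<vm-name>")
ARM = "https://management.azure.com"


def token_request(tenant_id, client_id, client_secret):
    """Return (url, form body) for the v2.0 client_credentials grant.

    The scope is the ARM audience. Delegated permissions such as
    user_impersonation are irrelevant here: this token carries no user, so
    what ARM checks is the service principal's RBAC role assignments.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{ARM}/.default",
        "grant_type": "client_credentials",
    })
    return url, body


def delete_by_id_request(resource_id, token, api_version="2021-04-01"):
    """Return (method, url, headers) for Resources - Delete By Id.

    resource_id must be the full ARM id; api_version is an assumed value.
    """
    if not resource_id.startswith("/subscriptions/"):
        raise ValueError("resource id must be a full ARM id starting with /subscriptions/")
    url = f"{ARM}{resource_id}?api-version={api_version}"
    return "DELETE", url, {"Authorization": f"Bearer {token}"}


def triage_arm_error(status, body):
    """Map an ARM error response to a likely cause and the principal involved."""
    try:
        err = json.loads(body).get("error", {})
    except json.JSONDecodeError:
        return {"cause": "unparseable response", "principal_object_id": None}
    code = err.get("code", "")
    message = err.get("message", "")
    # AuthorizationFailed names the caller's object id; that is the principal
    # which needs a role assignment (e.g. Contributor) at the target scope.
    match = re.search(r"object id '([^']*)'", message)
    object_id = match.group(1).strip() if match else None
    if status == 403 and code == "AuthorizationFailed":
        cause = "service principal lacks an RBAC role assignment at this scope"
    elif status == 401:
        cause = "token missing, expired, or issued for the wrong audience"
    else:
        cause = code or "unknown"
    return {"cause": cause, "principal_object_id": object_id}


def send(method, url, headers=None, body=None):
    """Perform one HTTP call; return (status, response text)."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers or {}, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as exc:
        return exc.code, exc.read().decode()


if __name__ == "__main__":
    tok_url, tok_body = token_request(TENANT_ID, CLIENT_ID, CLIENT_SECRET)
    status, text = send("POST", tok_url,
                        {"Content-Type": "application/x-www-form-urlencoded"}, tok_body)
    if status != 200:
        raise SystemExit(f"token request failed ({status}): {text}")
    token = json.loads(text)["access_token"]
    method, url, headers = delete_by_id_request(RESOURCE_ID, token)
    status, text = send(method, url, headers)
    if status in (200, 202, 204):
        print("delete accepted:", status)
    else:
        print(status, triage_arm_error(status, text))
```

If the triage reports the RBAC cause, the fix is the one in the answer: assign a role to that object id at the resource or resource-group scope (for example `az role assignment create --assignee <app-id> --role "Virtual Machine Contributor" --scope <resource-id>`), preferring the narrowest role that covers the delete action over Contributor on the whole subscription.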