The client with object id does not have authorization to perform action 'Microsoft.Web/serverfarms/read' over scope
I am using the Azure App Service API to view server details like worker process and region etc. for management purposes. After generating a token with the AuthenticationContext.AcquireTokenAsync method, I am requesting the following URL for the server details: https://management.azure.com/subscriptions/<sub ID>/resourceGroups/<resource group name>/providers/Microsoft.Web/serverfarms/?api-version=2018-02-01

In the response I am getting an AuthorizationFailed error code with the detail given below:

The client does not have authorization to perform action 'Microsoft.Web/serverfarms/read' over scope '/subscriptions/xxxxxxxx-xxxxxxx-xxxx/resourceGroups/xxxxxxxxxxx/providers/Microsoft.Web/serverfarms/xxxx' or the scope is invalid. If access was recently granted, please refresh your credentials.

But when I try the same verification using the https://learn.microsoft.com/en-us/rest/api/appservice/appserviceenvironments/get portal, where I can try the APIs for testing, the request returns the expected results.

So, is there any other way to authenticate, or do I have to define some permissions to achieve this functionality?

Trichroism answered 9/10, 2019 at 10:34

Comment: The app you are using for authentication should have the necessary RBAC roles set in the Access Control (IAM) tab of the resource, resource group, or subscription. (Personate)
The service principal you are using doesn't have rights within that tenant.

Tenants have subscriptions and service principals belong to tenants. Azure resource manager also exposes role based authorization for a given principal, which would give it rights on Azure resources. It appears the service principal doesn't have rights to read from that subscription.

Go to the portal and find your subscription, click on Access Control (IAM) and then click on Add role assignment for the corresponding service principal that you use to acquire the token.

After you have granted the permission, refresh and try again.

Benito answered 10/10, 2019 at 9:30

Comments:
There is no "Azure Resource Management" available in Add role assignment. Am I missing something? (Trichroism)
Did you refer to my step? (Benito)
Yes, I am adding access to the subscription and I got only "Azure Resource Topology" in the search. Not the one you mentioned. (Trichroism)
Could you provide the code for AcquireTokenAsync? (Benito)
If you acquire the token using a service principal with a clientId, you need to add that service principal to the subscription. (Benito)
Hi @Joey, thanks for your hint about adding the service principal to the subscription. That helped me resolve the problem! (Trichroism)
Actually, I have created an AD and registered an app in it. That app needs to be registered against the subscription. That part I was missing while configuring. (Trichroism)
Saved my life, this whole time I was inside Service Principal trying to assign it some user or group. (Obliterate)
I had the same error while running,

az aks get-credentials --resource-group myResourceGroup --name myAKSCluster

I did this shortly after az login. The problem was that I hadn't set my subscription properly, so what I had to do was run,

az account set --subscription your-subscription-id

After that, az aks get-credentials worked fine; the error was gone and you will get an output like,

Merged "myAKSCluster" as current context in C:\Users\UserName\.kube\config

Puissance answered 17/2, 2022 at 11:6

Comment: Spent a whole day troubleshooting what I was doing wrong, didn't figure out I hadn't set the sub... sigh. Thanks brother. (Leatrice)
Since Azure can be really complicated, I will try to break it down so anyone can understand.

Everyone is welcome to modify this post for the better, as I am probably not 100% clear either.

Account Directories

When you create an Azure account, it creates a directory (Default Directory). A directory is called a Tenant, and you can have multiple such directories; I think you can even have separate login credentials for each. It is like an entirely separate organization: each directory has its subscriptions, resource groups, resources/apps, etc.

[image: Your account directories]

Azure Active Directory

Each directory has its own Azure Active Directory listing all its Users, Groups, and Applications, which are the clients/objects that are going to access or perform actions on the Resources within this Directory (tenant).

In this case it's your programmed app that's gonna execute tasks on your Azure resources, and in order to do this, the client (your app) needs to have proper permission to perform the specific action (whatever action you wanna do), directly permitted to execute it on the specific resource.


First you need to create a client, which is the process of registering your app. At Azure Active Directory > App Registrations click New Registration; here you register your program app as a client/object that you want to use for accessing your Azure resources. Give it a name, MyApp, and click Register. You will get an Application (client) ID which you are going to use in your code as the client ID. This app is now a User/Service Principal in your Azure AD (active directory); it now remains to give it permission for the actions you wanna perform on some resource.

Go to the Resource/Resource group (App Service/Database/VM), or to the Subscription (which would give it permission to access all resources within the entire subscription), click on Access control (IAM) > Add > Add role assignment.

[image: Access control (IAM)]

  • In the 'Add role assignment' screen, select the role action, in your case Reader.
  • Go to the Members tab and here we're going to select the Service principal (the app that you just registered).
  • Click on "Select members", you'll see the AD users, but by default, you will not see AD apps that you registered, you need to search for them by their name, enter the name you've just given 'MyApp'.
  • Select it from the list below and click Select at the bottom.
  • Finish the Assignment...

Follow the clicks by the numbers in the image below. [image: Add role assignment]

You should now refresh your credentials in your app by re-executing the code that authorizes the client. Make sure you use the correct client ID of the app that you registered in Azure. For some permissions, it may take a few minutes for the permissions to be updated; once they are, you should be good to go.

If you see AuthorizationFailed again, check whether it still fails for the same action, as there might be another action you need to assign to the principal in order to achieve your output.

I hope this is going to help somebody... Good luck!

Links that might be helpful:

Eclat answered 15/5, 2023 at 18:20 Comment(0)
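Benito's answer and the numbered walkthrough above both do the role assignment in the portal. The same grant can be made through the Azure Resource Manager REST API, which is easier to review and repeat. The following is an added example, not code from the question or from any answer here: it builds the PUT request for a role assignment (the Reader built-in role, whose GUID is the well-known tenant-wide one) at the narrowest scope that fits, and sends it with a bearer token. Assumed: TOKEN was obtained for https://management.azure.com/ by an identity allowed to write role assignments (Owner or User Access Administrator), and every ID in the block is a constructed placeholder.

```python
"""
Grant a service principal a built-in role at a chosen scope through the Azure
Resource Manager REST API (PUT .../providers/Microsoft.Authorization/roleAssignments/{name}).
Added example; not code from the question or any answer.
"""
import json
import urllib.request
import uuid

ARM = "https://management.azure.com"
API_VERSION = "2022-04-01"
# Built-in 'Reader' role definition GUID. Reader grants '*/read', which includes
# the Microsoft.Web/serverfarms/read action the question was denied.
READER_ROLE_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"


def build_scope(subscription_id, resource_group=None):
    """Prefer the narrowest scope that works: a resource group if the app only
    needs that group's plans, the whole subscription only if it needs them all."""
    scope = f"/subscriptions/{subscription_id}"
    if resource_group:
        scope += f"/resourceGroups/{resource_group}"
    return scope


def build_role_assignment(scope, principal_object_id, role_definition_guid):
    """Return (url, body) for the PUT that creates the assignment.

    The assignment name must be a GUID. Deriving it from (scope, principal, role)
    makes the call idempotent: re-running it addresses the same assignment
    instead of creating a duplicate."""
    subscription_id = scope.split("/")[2]          # scope starts with /subscriptions/<id>
    name = str(uuid.uuid5(uuid.NAMESPACE_URL, f"{scope}|{principal_object_id}|{role_definition_guid}"))
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments/"
           f"{name}?api-version={API_VERSION}")
    body = {
        "properties": {
            "roleDefinitionId": (f"/subscriptions/{subscription_id}/providers/"
                                 f"Microsoft.Authorization/roleDefinitions/{role_definition_guid}"),
            # Object id of the service principal, NOT the Application (client) ID.
            "principalId": principal_object_id,
            # Stating the type lets ARM skip the directory lookup, which avoids the
            # lookup failure seen right after a brand-new app registration.
            "principalType": "ServicePrincipal",
        }
    }
    return url, body


def assign_role(token, scope, principal_object_id, role_definition_guid=READER_ROLE_ID):
    """Send the PUT and return the created assignment (raises on an HTTP error)."""
    url, body = build_role_assignment(scope, principal_object_id, role_definition_guid)
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed placeholder IDs; substitute real values before calling assign_role.
    scope = build_scope("00000000-0000-0000-0000-000000000000", "my-resource-group")
    url, body = build_role_assignment(scope, "11111111-1111-1111-1111-111111111111", READER_ROLE_ID)
    print(url)
    print(json.dumps(body, indent=2))
    # assign_role(TOKEN, scope, "11111111-1111-1111-1111-111111111111")
```

Two details matter in practice: principalId is the service principal's object id (the value the error message reports), not the Application (client) ID used to acquire the token, and the token used for this PUT must belong to an identity with rights to write role assignments, which the app being granted Reader will not have.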
I had the same problem. Initially, I went ahead and added the "Web Plan Contributor" role to my user, as it is the one that should handle those things. Nothing changed; I still had this error.

What the actual problem turned out to be was a wrong resource group... It turns out I copied some old script where the WebAppPlans were in a separate RG, and I was searching for the app plan there. Completely misleading error. I guess it will bring up the same error message even if the App Plan simply doesn't exist.

Zolnay answered 28/5, 2021 at 14:54 Comment(0)
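The thread shows three different root causes behind the one AuthorizationFailed message: the principal has no role assignment at that scope (the question and Benito's answer), the request targets the wrong subscription (Puissance's answer), and the request names the wrong resource group, which ARM reports the same way as a missing grant (Zolnay's answer). The block below is an added diagnostic, not code from the question or any answer. It parses the error body ARM returns, reads the claims of the access token that was sent (without verifying the signature, since this is only to see what tenant, principal and audience the token carries, never to trust it), and reports which of the three cases applies. The error text, token claims, subscription and resource group names are all constructed inputs; the real error message additionally carries the client and object ids that the page's title elides.

```python
"""
Triage an Azure Resource Manager 'AuthorizationFailed' response.
Added example; not code from the question or any answer.
"""
import base64
import json
import re

ARM_AUDIENCE = "https://management.azure.com"   # compared without trailing slash

SCOPE_RE = re.compile(r"over scope '(?P<scope>[^']+)'")
ACTION_RE = re.compile(r"perform action '(?P<action>[^']+)'")
OID_RE = re.compile(r"with object id '(?P<oid>[^']+)'")


def make_unsigned_jwt(claims):
    """Build a JWT-shaped string with a dummy signature. Constructed test input only."""
    def b64(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}.sig"


def decode_jwt_claims(token):
    """Read a JWT payload WITHOUT verifying the signature. Diagnostic only: it
    shows what the token says about itself, not whether it is genuine."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def parse_scope(scope):
    """Return (subscription_id, resource_group_or_None) from an ARM scope string."""
    m = re.match(r"^/subscriptions/([^/]+)(?:/resourceGroups/([^/]+))?", scope, re.IGNORECASE)
    if not m:
        return None, None
    return m.group(1), m.group(2)


def triage(error_body, token, expected_subscription, expected_resource_group=None):
    """Return a list of (code, detail) findings, most specific cause first."""
    err = error_body.get("error", {})
    if err.get("code") != "AuthorizationFailed":
        return [("OTHER_ERROR", err.get("code"))]
    msg = err.get("message", "")
    action = ACTION_RE.search(msg)
    scope = SCOPE_RE.search(msg)
    oid = OID_RE.search(msg)
    action = action.group("action") if action else "?"
    scope = scope.group("scope") if scope else ""
    oid = oid.group("oid") if oid else "?"

    claims = decode_jwt_claims(token)
    aud = claims.get("aud", "")
    if isinstance(aud, list):
        aud = aud[0] if aud else ""
    findings = []
    if aud.rstrip("/") != ARM_AUDIENCE:
        findings.append(("AUDIENCE_MISMATCH",
                         f"token aud={aud!r}; ARM expects a token for {ARM_AUDIENCE}/"))
    sub, rg = parse_scope(scope)
    if sub and sub.lower() != expected_subscription.lower():
        findings.append(("SUBSCRIPTION_MISMATCH",
                         f"request scope is subscription {sub}, expected {expected_subscription}"))
    if expected_resource_group and rg and rg.lower() != expected_resource_group.lower():
        findings.append(("RESOURCE_GROUP_MISMATCH",
                         f"request scope is resource group {rg}, expected {expected_resource_group}"))
    if not findings:
        findings.append(("MISSING_ROLE_ASSIGNMENT",
                         f"principal oid={oid} (appid={claims.get('appid')}, tenant={claims.get('tid')}) "
                         f"needs a role containing '{action}' (e.g. Reader) at '{scope}' or an enclosing scope"))
    return findings


if __name__ == "__main__":
    # Constructed sample inputs shaped like the exchange the question describes.
    sample_token = make_unsigned_jwt({"aud": "https://management.azure.com/", "tid": "tenant-0000",
                                      "oid": "oid-0000", "appid": "app-0000"})
    sample_error = {"error": {"code": "AuthorizationFailed", "message":
        "The client 'app-0000' with object id 'oid-0000' does not have authorization to perform action "
        "'Microsoft.Web/serverfarms/read' over scope '/subscriptions/sub-1111/resourceGroups/rg-old/"
        "providers/Microsoft.Web/serverfarms/plan' or the scope is invalid. If access was recently "
        "granted, please refresh your credentials."}}
    for code, detail in triage(sample_error, sample_token, "sub-1111", "rg-web"):
        print(code, "-", detail)
```

Run it with the body of the failed response and the same token the client sent; if the only finding is MISSING_ROLE_ASSIGNMENT, the fix is the role assignment the answers describe, and if it reports a subscription or resource group mismatch, no amount of IAM changes will help until the request itself is corrected.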