Azure AD Authorization issue with C#

    Question

  • I want to create Azure Resource Groups through C# code.

    I have followed all the steps of Creating Service Principal from this link and access; still I am getting an error.

    I have already added Contributor access at the subscription level. I even tried with Owner.

    I am following these links

    https://docs.microsoft.com/en-us/azure/virtual-machines/windows/csharp
    https://docs.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal

    Below is the error

    Microsoft.Rest.Azure.CloudException occurred
      HResult=0x80131500
      Message=The client 'XXXXXXXXXXXXXXX' with object id 'XXXXXXXXXXXX' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/XXXXXXXXXX/resourcegroups/NewRG'.
      Source=Microsoft.Azure.Management.ResourceManager
      StackTrace:
       at Microsoft.Azure.Management.ResourceManager.ResourceGroupsOperations.d__7.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Azure.Management.ResourceManager.ResourceGroupsOperationsExtensions.d__5.MoveNext()
       at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
       at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
       at Microsoft.Azure.Management.ResourceManager.ResourceGroupsOperationsExtensions.CreateOrUpdate(IResourceGroupsOperations operations, String resourceGroupName, ResourceGroup parameters)
       at AzureAD.Program.Main(String[] args) in C:\Users\nitin\Downloads\AzureAD\AzureAD\AzureAD\Program.cs:line 48

    Sunday, April 30, 2017 6:01 PM

Answers

  • I found out the issue. In the subscription I had to assign Contributor access to my application, which was missing. So it resolved my issue.
    Wednesday, May 3, 2017 12:22 PM
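
Added example, not part of the original thread: a PowerShell check for the condition this answer describes, written against the same AzureRM module as the commands in the replies. It resolves the service principal behind an application ID and reports whether any of its role assignments covers the scope and grants the action named in the error; the function name, its parameter names and the `<...>` placeholders are assumptions.

```powershell
# Added example; Test-SpnAction and its parameter names are hypothetical.
# Requires the AzureRM module and a session from Login-AzureRmAccount.
function Test-SpnAction {
    param(
        [Parameter(Mandatory)] [string] $ApplicationId,  # client ID used by the C# code
        [Parameter(Mandatory)] [string] $Scope,          # scope string from the error
        [Parameter(Mandatory)] [string] $Action          # action string from the error
    )

    # Role assignments target the service principal object, not the app registration.
    $sp = Get-AzureRmADServicePrincipal -ServicePrincipalName $ApplicationId
    if (-not $sp) { throw "No service principal found for application '$ApplicationId'." }
    Write-Host "Service principal object id: $($sp.Id)"   # compare with the id in the error

    $granting = foreach ($ra in Get-AzureRmRoleAssignment -ObjectId $sp.Id) {
        # An assignment applies at its own scope and below it. Compare on a path
        # boundary so '/resourcegroups/New' does not cover '/resourcegroups/NewRG'.
        $base = $ra.Scope.TrimEnd('/')
        $covers = ($Scope -eq $base) -or
                  $Scope.StartsWith("$base/", [StringComparison]::OrdinalIgnoreCase)
        if (-not $covers) { continue }

        $role = Get-AzureRmRoleDefinition -Name $ra.RoleDefinitionName
        # Allowed when some Actions pattern matches and no NotActions pattern does.
        $allowed = @($role.Actions    | Where-Object { $Action -like $_ }).Count -gt 0
        $denied  = @($role.NotActions | Where-Object { $Action -like $_ }).Count -gt 0
        if ($allowed -and -not $denied) { $ra }
    }

    if ($granting) {
        $granting | Select-Object RoleDefinitionName, Scope
    } else {
        Write-Warning "No assignment grants '$Action' at '$Scope'."
    }
}

# Placeholder values; substitute the ones from your own error message.
$sub = '/subscriptions/<subscription-id>'
Test-SpnAction -ApplicationId '<application-id>' `
               -Scope "$sub/resourcegroups/NewRG" `
               -Action 'Microsoft.Resources/subscriptions/resourcegroups/write'

# The fix from the accepted answer, as a role assignment at subscription scope:
# New-AzureRmRoleAssignment -ServicePrincipalName '<application-id>' `
#     -RoleDefinitionName Contributor -Scope $sub
```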

All replies

  • Run the below command and check the RBAC permission of the user:

    Get-AzureRmRoleDefinition

    Monday, May 1, 2017 9:17 AM
    Moderator
  • I wonder why this was moved under VM, since this is an AD issue. However, I have checked that it has access. I can do anything from the portal and not from the code.
    Monday, May 1, 2017 1:25 PM
  • To figure out where the problem is, I would suggest trying to log in as the service principal through PowerShell or Azure CLI. Have you tried:

    $creds = Get-Credential
    Login-AzureRmAccount -Credential $creds -ServicePrincipal -TenantId {tenant-id}

    And, then run any command (like Get-AzureRmResourceGroup and New-AzureRmResourceGroup) to see if the service principal has access. If the service principal works through PowerShell, then there must be an issue with getting the access token in your C# code. Have you looked at this sample app and compared the log in code?

    https://github.com/Azure-Samples/resource-manager-dotnet-resources-and-groups/blob/master/Program.cs

    Tuesday, May 2, 2017 2:57 AM
  • Yes, I am able to access through PowerShell. I saw the GitHub example which you gave; it is returning the same error. I am able to generate the access token through code, but when I try to read the ResourceGroup I get an error.

    Another strange thing I have noticed is that the client ID and the object ID (in the error) are the same. And the client ID is not the one which I have assigned in the code. So I'm unable to figure out where this client ID is coming from.

    Tuesday, May 2, 2017 7:42 AM
  • I found out the issue. In the subscription I had to assign Contributor access to my application, which was missing. So it resolved my issue.
    Wednesday, May 3, 2017 12:22 PM
  • We are glad to know that your issue has been resolved. 
    Wednesday, May 3, 2017 6:54 PM
    Moderator