Microsoft.Management/managementGroups API call returns 403 forbidden error

  • Question

  • When I try an API call this API returns the error:

    "System.Net.WebException : The remote server returned an error: (403) Forbidden."

    I'm using an Azure AD app for authentication, and other API calls (tenants, subscriptions, resourcegroups, etc.) work perfectly and always return the JSON data. Has anyone else encountered this error when calling the managementgroups API specifically?

    The resource provider is enabled for all of my subscriptions.

    Wednesday, May 1, 2019 10:42 AM

All replies

  • Hello, Martin!

    This looks like an Active Directory issue. I know that you said that this seems to be specific to the managementgroups API, but I haven't been able to find any other instances of this being reported.  Having said that, there are a couple more generic troubleshooting steps I can recommend:

    Service Principal/Object ID


    If you get a 403 forbidden error, make sure that the correct service principal has been added to your publisher account in the Cloud Partner Portal. Follow the steps in the Prerequisites page to add your service principal to the portal.

    If the correct service principal has been added, then verify all the other information. Pay close attention to the Object ID entered on the portal. There are two Object IDs in the Azure Active Directory app registration page, and you must use the local Object ID. You can find the correct value by going to the App registrations page for your app and clicking on the app name under Managed application in local directory. This takes you to the local properties for the app, where you can find the correct Object ID in the Properties page, as shown in the following figure. Also, ensure that you use the correct publisher ID when you add the service principal and make the API call.



    Application permissions - Are used by apps that run without a signed-in user present; for example, apps that run as background services or daemons. Application permissions can only be consented by an administrator because they are typically powerful and allow access to data across user-boundaries, or data that would otherwise be restricted to administrators.

    Wednesday, May 1, 2019 8:49 PM
  • Hi!

    I've done some additional troubleshooting now. It's not an issue with the API itself but indeed related to authorization somehow. When I use the "Try it" feature for the managementgroups API it works fine and I can see the json output of course. When I then use the bearer token generated by my user login to the "Try it" feature my own code works fine and I get the json output into Visual Studio.

    So then the question is what's different for this API and why? It does say "List management groups for the authenticated user" on the managementgroups API's reference documentation page. That seems a bit strange since it doesn't for other APIs such as "Management Locks" for example. Could it be that the "managementgroups" API is working on a level above subscriptions, which then makes it dependent on additional configuration in Azure AD?

    I'm developing a web app which will run without a signed-in user present. So the app requires long-term headless (unattended) access to Azure. I don't have access to the Cloud Partner Portal and it's unlikely that the app's users will as well. I've followed all the steps setting up the Azure AD app registration to create a service principal. So there seems to be something more required here since I can authenticate to both the regular Azure APIs as well as the "Microsoft.Graph/organization" API without a problem.

    One question is also how the "object ID" is used in C# to authenticate or to generate a correct bearer token? I don't use that in any way currently and it might be the issue here. I can't seem to find any information about that which isn't about adding a user in the Cloud Partner Portal as per the link you provided.


    Saturday, May 4, 2019 1:19 PM
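
Added example, not part of any post in this thread: a C# helper that decodes the payload of a bearer token so that the token from the "Try it" user login can be compared with the one the Azure AD app obtains for itself. The `oid` claim carries the object ID of the signed-in user or of the app's service principal. The payloads and GUIDs are constructed, the names `TokenClaims`, `Read`, `Describe` and `Sample` are hypothetical, and `System.Text.Json` (.NET Core 3.0 or later) is assumed.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.Json;

static class TokenClaims
{
    // Decode the payload segment of a JWT WITHOUT verifying the signature.
    // For local diagnostics only; never use this to make a trust decision.
    public static Dictionary<string, string> Read(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("expected header.payload.signature");
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');   // base64url -> base64
        b64 = b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '=');
        string json = Encoding.UTF8.GetString(Convert.FromBase64String(b64));
        var claims = new Dictionary<string, string>();
        using (JsonDocument doc = JsonDocument.Parse(json))
            foreach (JsonProperty p in doc.RootElement.EnumerateObject())
                claims[p.Name] = p.Value.ToString();
        return claims;
    }

    // Summarise who the token represents: delegated tokens carry "scp", app-only tokens do not.
    public static string Describe(string jwt)
    {
        Dictionary<string, string> c = Read(jwt);
        string Get(string k) => c.TryGetValue(k, out var v) ? v : "(absent)";
        string kind = c.ContainsKey("scp") ? "delegated" : "app-only";
        return $"{kind} aud={Get("aud")} tid={Get("tid")} oid={Get("oid")} appid={Get("appid")}";
    }
}

static class Program
{
    // Wrap a constructed JSON payload as an unsigned token ("e30" is base64url for "{}").
    static string Sample(string json) => "e30." + Convert.ToBase64String(Encoding.UTF8.GetBytes(json))
        .TrimEnd('=').Replace('+', '-').Replace('/', '_') + ".sig";

    static void Main()
    {
        // Constructed payloads with placeholder GUIDs; replace with tokens captured in a test tenant.
        string user = Sample("{\"aud\":\"https://management.azure.com/\",\"tid\":\"11111111-1111-1111-1111-111111111111\",\"oid\":\"22222222-2222-2222-2222-222222222222\",\"appid\":\"33333333-3333-3333-3333-333333333333\",\"scp\":\"user_impersonation\"}");
        string app = Sample("{\"aud\":\"https://management.azure.com/\",\"tid\":\"11111111-1111-1111-1111-111111111111\",\"oid\":\"44444444-4444-4444-4444-444444444444\",\"appid\":\"55555555-5555-5555-5555-555555555555\"}");
        Console.WriteLine(TokenClaims.Describe(user));
        Console.WriteLine(TokenClaims.Describe(app));
    }
}
```

Azure role assignments name a principal by object ID, so the `oid` printed for the app-only token is the value to look for among the role assignments at the scope being queried.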