We are integrating the Role Assignments - List API from Microsoft Azure Cloud Management APIs. Link to documentation: https://video2.skills-academy.com/en-us/rest/api/authorization/roleassignments/list#errordetail

We have done all of the configs mentioned:
- Registered a multi-tenant web app with Azure Active Directory for OAuth using the App Registrations option,
- Also enabled the https://management.azure.com/user_impersonation scope under Azure Service Management
- Same scope is requested by the web app

So far OAuth succeeds, but when the access token received is used to call the API GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01 it fails with a 401 Unauthorized error. I have replaced the subscriptionId with the appropriate value while making the actual call.

I looked at the details of the access token using https://jwt.io/ and the scp element only seems to have the "scp": "User.Read" scope, missing the user_impersonation scope, though the AUTH dialog from the Microsoft login service clearly shows the requested user_impersonation grant. The user account I am using for the OAuth has access to the given Azure subscription.

What might be the problem?
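The claim inspection described above can be done locally instead of at jwt.io. The following is an added example, not part of the original post: it decodes the token payload without verifying the signature and reports whether `aud` and `scp` fit the management API call. The accepted audience values in `ARM_AUDIENCES`, the helper names and both sample tokens are assumptions constructed for the demonstration.

```python
import base64
import json

# Assumption: audiences accepted by Azure Resource Manager; adjust for your cloud.
ARM_AUDIENCES = {"https://management.azure.com", "https://management.core.windows.net"}
REQUIRED_SCOPE = "user_impersonation"


def decode_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_arm_token(token: str) -> list:
    """List the reasons this token does not fit the management API call."""
    claims = decode_claims(token)
    problems = []
    aud = str(claims.get("aud", "")).rstrip("/")
    if aud not in ARM_AUDIENCES:
        problems.append(f"aud is {aud!r}, not a management API audience")
    scopes = claims.get("scp", "").split()  # scp is a space-separated string
    if REQUIRED_SCOPE not in scopes:
        problems.append(f"scp is {scopes}, missing {REQUIRED_SCOPE}")
    return problems


def make_sample_token(claims: dict) -> str:
    """Build an unsigned, constructed token for the demo (not a real Azure token)."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc(claims), "sig"])


# Constructed samples: the first mirrors the post (scp holds only User.Read);
# its aud value is an assumption, since the post does not show that claim.
GRAPH_LIKE = make_sample_token({"aud": "https://graph.microsoft.com", "scp": "User.Read"})
ARM_LIKE = make_sample_token({"aud": "https://management.azure.com/", "scp": "user_impersonation"})

if __name__ == "__main__":
    for name, tok in (("graph-like", GRAPH_LIKE), ("arm-like", ARM_LIKE)):
        print(name, check_arm_token(tok) or "ok")
```

Comparing the `aud` claim alongside `scp` shows which resource the token was actually issued for, which the consent dialog alone does not reveal.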