Creating a User Assigned Managed Identity using the Managed Identity REST APIs

David Downing 701 Reputation points
2022-08-29T17:16:13.437+00:00

I'm trying to create a user assigned managed identity using the Azure REST APIs. The App Registration I'm using has User.ManagedIdenties.All granted. It also has a secret generated for acquiring the tokens for the REST API calls.

In Postman, I am able to acquire a token, however when I call the 'User Assigned Identities - Create Or Update' REST API, I'm getting the following response.

(screenshot of the API error response; image not reproduced)

I also checked to see if the Azure Policies for User Assigned Managed Identities were not being denied.

Any idea what I might be missing?

Thank you.


Accepted answer
2022-09-01T00:43:43.413+00:00

Hello @David Downing and thanks for reaching out. User.ManageIdenties.All is a MS Graph permission. Although it sounds related to Managed Identities, it is not. The required Azure AD permission/scope is https://management.core.windows.net/.default. Also, the calling principal (user or application) must belong to an Azure RBAC role that contains the Microsoft.ManagedIdentity/userAssignedIdentities/write permission, such as Managed Identity Contributor.

**Additionally, and as found by @David Downing himself, you will also need to add a Contributor role at the subscription level for the App Registration (Service Principal).** Thanks a lot for this one, @David Downing!

For information on how to assign an Azure RBAC role, please take a look at Steps to assign an Azure role.

Let us know if you need additional assistance. If the answer was helpful, please accept it and complete the quality survey so that others can find a solution.

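As an added example (not code from this thread or from Microsoft), the two points the answer makes in one script: request the token with the management scope rather than a Graph scope, inspect the token's audience before calling Azure Resource Manager so a Graph token is caught locally instead of as a 401/403, and build the Create Or Update PUT that requires the userAssignedIdentities/write RBAC action. Tenant, client, subscription, resource group and identity name are placeholders, `make_unsigned_jwt` only fabricates a sample token for offline demonstration, and the API version is an assumption.

```python
import base64
import json
import urllib.parse
import urllib.request

ARM_SCOPE = "https://management.core.windows.net/.default"  # scope named in the accepted answer
ARM_AUDIENCES = {"https://management.core.windows.net", "https://management.azure.com"}
API_VERSION = "2018-11-30"  # Microsoft.ManagedIdentity REST API version (assumption)


def token_request(tenant_id, client_id, client_secret, scope=ARM_SCOPE):
    """Build the client-credentials POST for the v2.0 token endpoint: (URL, form body)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": scope}
    return url, urllib.parse.urlencode(form).encode()


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_jwt(claims):
    """Constructed sample token for offline demonstration only (no signature, alg=none)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def jwt_claims(token):
    """Read the payload without verifying it; ARM verifies the signature, we only inspect."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_fits_arm(token):
    """True when the audience is Azure Resource Manager; a Graph token fails here before any PUT."""
    aud = jwt_claims(token).get("aud", "")
    return aud.rstrip("/") in ARM_AUDIENCES


def create_identity_request(token, subscription, rg, name, location):
    """PUT for User Assigned Identities - Create Or Update; the caller also needs
    Microsoft.ManagedIdentity/userAssignedIdentities/write via an RBAC role assignment."""
    if not token_fits_arm(token):
        raise ValueError("token audience is not ARM; request the scope " + ARM_SCOPE)
    url = (f"https://management.azure.com/subscriptions/{subscription}/resourceGroups/{rg}"
           f"/providers/Microsoft.ManagedIdentity/userAssignedIdentities/{name}"
           f"?api-version={API_VERSION}")
    req = urllib.request.Request(url, data=json.dumps({"location": location}).encode(), method="PUT")
    req.add_header("Authorization", f"Bearer {token}")
    req.add_header("Content-Type", "application/json")
    return req  # send with urllib.request.urlopen(req) once real IDs and a real token are in place
```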
