Unauthorized error using Purview API: "Not authorized to access account" (403 Forbidden)

Drew Duckworth 61 Reputation points
2022-09-08T04:14:47.563+00:00

Hi. I'm using Postman to query the Purview REST API. Some operations work fine, e.g. beginning with GET https://management.azure.com where the bearer token comes from the https://management.core.windows.net resource. However operations which begin with GET https://xxx.purview.azure.com (i.e. the atlas endpoint) where the bearer token comes from the https://purview.azure.net resource all fail, typically with an 'Unauthorized' (403 Forbidden) error: "Not authorized to access account". Examples of those failing operations are Get All Type Definitions and Get Detailed Glossary.

I've followed the tutorial closely, but can't see where I'm going wrong.
I've also added the required roles to the service principal to the Purview root collection:

  • Collection admin
  • Data source admin
  • Data curator
  • Data reader

The get accounts operation also fails, but with a different error: "The client 'xxx' with object id 'xxx' does not have authorization to perform action 'Microsoft.Purview/accounts/read' over scope '/subscriptions/xxx/resourceGroups/xxx/providers/Microsoft.Purview/accounts/xxx' or the scope is invalid. If access was recently granted, please refresh your credentials."

I'm at a bit of a loss as to how to proceed. Both examples I found are to do with assigning permissions in Purview:

With thanks, Drew

Microsoft Purview

Accepted answer
  1. KranthiPakala-MSFT 46,422 Reputation points Microsoft Employee
    2022-09-09T00:27:23.153+00:00

    Hello @Drew Duckworth ,

    Thanks for the question and using MS Q&A platform.

    Seems like you have already provided the necessary permissions to the Service Principal as mentioned in the public doc: Set up authentication using service principal
    Could you please make sure that you are using the correct secret value for your client_id field? I have seen users confuse the secret value with the secret ID, hence I wanted to highlight that.

    [screenshot]

    Another thing I would suggest you double-check is whether you have provided the Purview API permissions to your registered application. If not, could you please apply those permissions and see if that helps resolve the issue?

    [screenshot]

    Regarding the error message below: as per my analysis, it is a deprecated role (see below), but I will continue to investigate this and will share my findings. In the meantime, could you please verify the above?

    [screenshot]

    [screenshot]

    Keep us posted on how it goes.

    Thank you

    1 person found this answer helpful.

5 additional answers

  1. Drew Duckworth 61 Reputation points
    2022-11-02T04:22:44.667+00:00

    I worked through the support ticket with Microsoft SMEs, and found that the issue was with the permissions. I had granted the Purview Service Principal access to the appropriate roles in Purview, e.g. Collection admin. But I needed to grant those permissions to the app registration instead (i.e. the other Service Principal). This isn't clear in the doco (https://learn.microsoft.com/en-us/azure/purview/tutorial-using-rest-apis) for those of us unfamiliar with the ecosystem.

    Thanks for your assistance with this.
    Regards, Drew

    2 people found this answer helpful.
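As an added example (not code from the original question or any of the answers), the Python script below does the two things this thread turns on: it requests a bearer token for the Purview data-plane audience (https://purview.azure.net) with the OAuth2 client-credentials grant, and it decodes the token's claims so you can see which identity (appid/oid) is actually calling the Atlas endpoint. Drew's fix was that the Purview collection roles must be granted to that identity, the app registration's service principal, rather than to the Purview account's own service principal; comparing the appid/oid in the token with the principal listed under the root collection's role assignments is the quickest way to confirm you have done that. The tenant, client, account name, sample token and response bodies are constructed placeholders, not values from the thread.

```python
"""Added example: call the Purview Atlas API with a service principal and
inspect which identity the bearer token carries.

Assumptions (none are from the original thread): tenant/client/account names,
the sample unsigned token and the sample error bodies are constructed here
purely for illustration."""
import base64
import json
import urllib.parse
import urllib.request

PURVIEW_SCOPE = "https://purview.azure.net/.default"   # data-plane (Atlas) audience
ARM_SCOPE = "https://management.azure.com/.default"    # control-plane (ARM) audience


def acquire_token(tenant_id: str, client_id: str, client_secret: str,
                  scope: str = PURVIEW_SCOPE) -> str:
    """OAuth2 client-credentials grant against the Azure AD v2 token endpoint.
    The audience of the returned token is fixed by `scope`: a token minted for
    ARM is not accepted by https://<account>.purview.azure.com and vice versa."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,   # the secret *value*, not the secret ID
        "scope": scope,
    }).encode()
    req = urllib.request.Request(
        f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
        data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def get_typedefs(account_name: str, token: str) -> dict:
    """GET all Atlas type definitions ("Get All Type Definitions" in the tutorial)."""
    req = urllib.request.Request(
        f"https://{account_name}.purview.azure.com/catalog/api/atlas/v2/types/typedefs",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def decode_jwt_claims(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (inspection only,
    never for trust decisions). The appid/oid here is the identity that the
    Purview collection role must be assigned to; aud must be the Purview resource."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT for offline demonstration of decode_jwt_claims."""
    def b64(obj: dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


def diagnose(status: int, body: str, claims: dict) -> str:
    """Map the two 403 bodies seen in the thread to the permission that is missing."""
    if status == 403 and "Not authorized to access account" in body:
        return (f"data-plane: no Purview collection role for appid={claims.get('appid')} "
                f"oid={claims.get('oid')} (token aud={claims.get('aud')})")
    if status == 403 and "Microsoft.Purview/accounts/read" in body:
        return "control-plane: Azure RBAC read permission missing on the Purview account"
    if status == 401:
        return f"token rejected: check that aud={claims.get('aud')} matches the endpoint"
    return "ok" if status == 200 else f"unexpected status {status}"


if __name__ == "__main__":
    # Offline demonstration with a constructed token and the thread's error text.
    sample = make_unsigned_jwt({"aud": "https://purview.azure.net",
                                "appid": "00000000-0000-0000-0000-000000000001",
                                "oid": "00000000-0000-0000-0000-000000000002"})
    claims = decode_jwt_claims(sample)
    print(diagnose(403, '{"requestId":"x","errorCode":"Unauthorized",'
                        '"errorMessage":"Not authorized to access account"}', claims))
    # Live use would be:
    #   token = acquire_token("<tenant-id>", "<app-registration-client-id>", "<secret-value>")
    #   print(decode_jwt_claims(token)["appid"])   # must match the collection role assignment
    #   print(get_typedefs("<account-name>", token))
```

The live calls (`acquire_token`, `get_typedefs`) need network access and real credentials; the constructed token is only there so the claim inspection and the error mapping can be exercised offline.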

  2. srikrishnan balasubramanian 0 Reputation points
    2023-06-15T23:58:41.48+00:00

    Hi Drew Duckworth, we are facing a similar issue. May I know what exactly you mean by this statement: "But I needed to grant those permissions to the app registration instead (i.e. the other Service Principal)."


  3. Cayir Aydar, Aysegul 0 Reputation points
    2023-07-27T14:22:44.7366667+00:00

    @Drew Duckworth, could you solve this issue? I am facing the same thing.



