What role is needed for an application to read health check API

Gosnell, Brian 21 Reputation points
2022-10-04T19:44:47.93+00:00

I have an application that we registered and assigned "Classic Virtual Machine Contributor" to. I understand this is an Azure AD role. I get a token using client-credentials and then try to call the REST API to get health status by resource group. I am getting "The client 'c0063266-ee6d-4887-9658-fd1c9826196a' with object id 'c0063266-ee6d-4887-9658-fd1c9826196a' does not have authorization to perform action 'Microsoft.ResourceHealth/availabilityStatuses/read' over scope '/subscriptions/5d7387d9-0e9b-45e6-8c2a-2342983168ff/resourceGroups/vitalant-mobile-dev-rg/providers/Microsoft.ResourceHealth' or the scope is invalid. If access was recently granted, please refresh your credentials.". What roles do I need to have added so that this will work? We are using it in a dashboard for the technical support team to use in case there are issues. Any help would be appreciated.


Accepted answer
  1. Shweta Mathur 28,031 Reputation points Microsoft Employee
    2022-10-07T09:34:01.667+00:00

    Hi @Gosnell, Brian ,

    Thanks for reaching out.

    I understand you are trying to retrieve the current availability status for a particular resource group in the subscription and are getting the error.

    Did you decode the access token using jwt.ms to check the audience claim?

    I reproduced the issue in my lab and was able to get the availability status for all the resources in the resource group successfully.

    1. Register the application in Azure AD.
    2. Then assign the Classic Virtual Machine Contributor role to the service principal through the Access Control (IAM) section.
    3. Retrieve the access token using the client credential flow.
    4. Pass the access token in the authorization header as a bearer token to call
    https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.ResourceHealth/availabilityStatuses?api-version=2018-07-01

    Make sure you are passing the correct resource group name and subscription ID.

    Hope this will help.

    Thanks,
    Shweta
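
The audience check and bearer-token call described in the answer above, as an added example that is not part of the original answer or Microsoft's own code. The function names, the set of accepted audience values, and the unsigned sample token are assumptions made for illustration.

```python
import base64
import json
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"
# Assumption: audience values commonly seen on tokens issued for Azure Resource Manager.
ARM_AUDIENCES = {ARM, ARM + "/", "https://management.core.windows.net/"}


def decode_claims(token):
    """Return the JWT payload as a dict WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_problem(token):
    """Return None if the token targets ARM, otherwise a message naming the wrong audience."""
    aud = decode_claims(token).get("aud")
    if aud in ARM_AUDIENCES:
        return None
    return f"token audience is {aud!r}, expected one of {sorted(ARM_AUDIENCES)}"


def health_url(subscription_id, resource_group, api_version="2018-07-01"):
    """Build the availabilityStatuses URL from the answer, URL-encoding the path segments."""
    q = urllib.parse.quote
    return (f"{ARM}/subscriptions/{q(subscription_id, safe='')}/resourceGroups/"
            f"{q(resource_group, safe='')}/providers/Microsoft.ResourceHealth/"
            f"availabilityStatuses?api-version={api_version}")


def get_health(token, subscription_id, resource_group):
    """Call the API with the bearer token; refuse to send a token minted for another resource."""
    problem = audience_problem(token)
    if problem:
        raise PermissionError(problem)
    req = urllib.request.Request(health_url(subscription_id, resource_group),
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def fake_token(claims):
    """Constructed, unsigned sample token for offline checks (not a real credential)."""
    head, body = (base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
                  for o in ({"alg": "none"}, claims))
    return f"{head}.{body}.sig"
```

Running `audience_problem` on the token before calling the API separates a token requested for the wrong resource from a missing role assignment on the resource group.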

