what role is needed for a service principal to access GET https://management.azure.com/providers/Microsoft.Management/managementGroups/{managementGroupId}/providers/Microsoft.Consumption/aggregatedcost?api-version=2021-10-01

Jason Greene 0 Reputation points
2023-03-09T07:25:53.7133333+00:00

I have Owner and Reader roles for an Azure subscription. While using learn.microsoft.com to try out consumption APIs I consistently get a 403 unauthorized error. Calling GET https://management.azure.com/providers/Microsoft.Management/managementGroups/{managementGroupId}/providers/Microsoft.Consumption/aggregatedcost?api-version=2021-10-01 where managementGroupId is the id of my Azure subscription, I get (xxxx being my service principal, nnnnn being the ID of the service principal and yyyy being the management group ID):

The client 'xxxxxxxxxxxxxx' with object id 'nnnnnnnnnnnnnnnnnnnnn' does not have authorization to perform action 'Microsoft.Consumption/aggregatedcost/read' over scope '/providers/Microsoft.Management/managementGroups/yyyyyyyyyyyyyyyyyyyyyyyy/providers/Microsoft.Consumption' or the scope is invalid. If access was recently granted, please refresh your credentials.

So... given that learn.microsoft.com is logged in as me, and I have Owner, Reader, Billing Reader, Cost Management Reader and Management Group Reader roles, what on earth do I actually need to add in order to call the API?  Grateful for advice!
Azure Role-based access control
Azure Role-based access control
An Azure service that provides fine-grained access management for Azure resources, enabling you to grant users only the rights they need to perform their jobs.
662 questions
0 comments No comments
{count} votes

3 answers

Sort by: Most helpful
  1. James Hamil 21,546 Reputation points Microsoft Employee
    2023-03-09T20:11:20.05+00:00

    Hi @Jason Greene , you can try refreshing your credentials and see if that resolves the issue. If not, you can try assigning the User Access Administrator role to your service principal, which should give it the necessary permissions to call the API.

    You can also try checking the RBAC configuration for the tenant's subscription to see if there are any issues there.

    Please let me know if this helps. If not I can help you further!

    If this answer helped you please mark it as "Verified" so other users can reference it.

    Thank you,

    James


  2. Jason Greene 0 Reputation points
    2023-03-10T04:41:54.02+00:00

    See my comment to the original reply.

    0 comments No comments

  3. James Hamil 21,546 Reputation points Microsoft Employee
    2023-03-15T20:04:48.0266667+00:00

    Hi @Jason Greene , thank you so much for clarifying the solution to your problem. I'll reiterate it here for other users to follow.

    The issue is with the initial setup where the subscription for the tenancy was placed under the root management group.

    To resolve this issue, you can restructure the setup by creating a new management group called "All subscriptions" and placing it under the root management group. root

    Then, move the Azure subscription into the new management group. This way, a service principal with Owner or Reader access to the new management group will have RBAC permissions to all subscriptions below.

    Please note that Owner or Reader on the subscription itself does not work, but Owner or Reader on the management group works with the condition that the management group cannot be the root management group as it requires elevated privileges, which is not possible from learn.microsoft.com or via an API call using OAuth2.0 grants.

    If this answer helped you please mark it as "Verified" so other users can reference it.

    Thank you,

    James

    0 comments No comments