how to get bearer token to authorize create azure resource group by rest api and other rest apis

Ahmed Bltagy 0 Reputation points
2023-10-11T08:47:17.92+00:00

I found two ways to get a bearer token, but when I use either of them to authorize the API it returns an error.

create app registration in azure
add Role assignments
https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token

body: x-www-form-urlencoded
grant_type:client_credentials

client_id: {client id of app registration}

scope:https://graph.microsoft.com/.default

client_secret: {client_secret of app registration}

result:
returns success with a bearer token,
but when I use it to create a resource group
it returns AuthenticationFailed


https://login.microsoftonline.com/{tenantid}/oauth2/token
body: x-www-form-urlencoded

grant_type:client_credentials

client_id: {client id of app registration}

resource:https://management.azure.com

client_secret: {client_secret of app registration}
result:

returns success with a bearer token,
but when I use it to create a resource group
it returns AuthorizationFailed

"message": "The client '' with object id '' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions//resourcegroups/resGroupAzTestApinew' or the scope is invalid. If access was recently granted, please refresh your credentials."


Please help me get the right bearer token that I can use to authorize:
create new azure resource group
create new azure app plan
create new azure web app
create new azure database

  1. Shweta Mathur 29,746 Reputation points Microsoft Employee
    2023-10-12T07:17:25.37+00:00

    Hi @Ahmed Bltagy ,

    Thanks for reaching out.

    I understand that you are trying to get an access token to create different resources in Azure and are getting the error that your access token is not authorized to perform the action.

    Access tokens enable clients to securely call APIs (REST APIs in this scenario).

    To create resource group:

    If you are signing in as yourself (i.e. with a signed-in user), then the scope value you want to request is https://management.azure.com/user_impersonation. After signing in (and granting consent, if needed), access to Azure resources will be dependent on the permissions of the signed-in user. When the client requests an access token, the Microsoft identity platform also returns some metadata about the access token for the consumption of the application. This information includes the scopes for which it's valid.


    If you are trying to get the access token on behalf of a user (by signing the user in with their credentials), then the scope value you want to request is https://management.azure.com/user_impersonation. You can decode the access token using jwt.ms to check the audience and scopes claims of the token. Access to Azure resources will be dependent on the permissions of the signed-in user. In this scenario you need to provide delegated permissions, and getting the token requires the authorization grant flow.

    If instead this is a server-to-server call (without user interaction), then you need to assign an application permission to the application registered in the portal, and you can simply use the client credentials flow with the "place-holder" scope parameter value https://management.azure.com/.default (as a way of indicating that you want an access token for https://management.azure.com). (This is required for creating a resource group using REST APIs.)

    Reference: https://learn.microsoft.com/en-us/rest/api/resources/resource-groups/create-or-update?tabs=HTTP

    create new azure app plan:

    https://learn.microsoft.com/en-us/rest/api/appservice/app-service-plans/create-or-update?tabs=HTTP

    create new azure web app:

    https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/create-or-update

    create new azure database:

    https://learn.microsoft.com/en-us/rest/api/sql/rest-api-sql-create-or-update-database

    Hope this will help.

    Thanks,

    Shweta


    Please remember to "Accept Answer" if answer helped you.
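The thread above boils down to two separate checks: the token must be issued for the Azure Resource Manager audience (a Graph token gives AuthenticationFailed), and the service principal must hold a role assignment covering the target scope (otherwise ARM returns AuthorizationFailed even with the right token). The following Python is an added example, not code from the question or the answer: it builds the v2.0 client-credentials request with the `https://management.azure.com/.default` scope, decodes the token payload the way jwt.ms does (no signature verification, so it is only a sanity check, not a trust decision), refuses to send a token whose `aud` is not ARM, and builds the resource-group PUT. The tenant, client, subscription and secret values are placeholders, `make_unsigned_jwt` is a test-only helper, and `2021-04-01` is one published api-version of the resource-groups API.

```python
import base64
import json
import urllib.request
from urllib.parse import urlencode

ARM_RESOURCE = "https://management.azure.com"
ARM_SCOPE = ARM_RESOURCE + "/.default"        # v2.0 scope for a client-credentials token
ARM_API_VERSION = "2021-04-01"                # one published api-version for resource groups


def build_token_request(tenant_id, client_id, client_secret, scope=ARM_SCOPE):
    """Return (url, form_body) for the v2.0 client-credentials grant."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    return url, body


def decode_jwt_claims(token):
    """Decode the payload of a JWT WITHOUT verifying the signature (same as jwt.ms).
    Use it only to inspect a token you just received, never to authenticate anyone."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_audience_ok(token, expected=ARM_RESOURCE):
    """True only if the token was issued for ARM; a Graph token fails here."""
    aud = decode_jwt_claims(token).get("aud")
    # ARM tokens may carry the resource URI with or without a trailing slash.
    return isinstance(aud, str) and aud.rstrip("/") == expected.rstrip("/")


def build_resource_group_put(subscription_id, rg_name, location, token):
    """Return (url, headers, json_body) for the resource-group create-or-update call."""
    if not token_audience_ok(token):
        raise ValueError("token audience is not ARM; request scope " + ARM_SCOPE)
    url = (f"{ARM_RESOURCE}/subscriptions/{subscription_id}"
           f"/resourcegroups/{rg_name}?api-version={ARM_API_VERSION}")
    headers = {"Authorization": f"Bearer {token}",
               "Content-Type": "application/json"}
    return url, headers, json.dumps({"location": location})


def request_token(tenant_id, client_id, client_secret):
    """Live call (needs network): post the form and return the access_token string."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def create_resource_group(subscription_id, rg_name, location, token):
    """Live call (needs network and a role assignment such as Contributor on the
    subscription); a 403 AuthorizationFailed here means RBAC, not the token."""
    url, headers, body = build_resource_group_put(subscription_id, rg_name, location, token)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="PUT")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def make_unsigned_jwt(claims):
    """Constructed test helper: an alg=none JWT so the checks above run offline."""
    def b64(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64(claims) + "."
```

If `token_audience_ok` fails on a real token, the first request in the question (scope `https://graph.microsoft.com/.default`) was used; if it passes but ARM still answers 403 with the message quoted in the question, add a role assignment for the app registration's service principal at the subscription or resource-group scope and request a fresh token.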

