What permissions do I need to check status of a Purview account update operation?

SnurovasAleksandras-3884 40 Reputation points
2023-12-12T15:25:45.6733333+00:00

Hi community!

I am adding a User Assigned Managed Identity to the Purview account resource using this endpoint:

https://learn.microsoft.com/en-us/rest/api/purview/accounts/update?view=rest-purview-2021-07-01&tabs=HTTP

I authenticate using a service principal that has resource group scoped Contributor role. The Purview account is in the same resource group.

When submitting an update request, I receive a status check link in the response header (location).

However, the service principal does not have read permissions to check the status via the link, and the status check request returns a 403:

The client 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' with object id 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' does not have authorization to perform action 'Microsoft.Purview/locations/operationResults/read' over scope '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Purview/locations/southcentralus/operationResults/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' or the scope is invalid. If access was recently granted, please refresh your credentials.

I am guessing here, but maybe it requires resource read permission on the Purview provider itself, or it needs a subscription level permission.

Either way, it is strange that the client who initiated the update cannot check the status of the update operation.

Microsoft Security | Microsoft Purview

Accepted answer
  1. Bhargava-MSFT 31,261 Reputation points Microsoft Employee Moderator
    2023-12-22T20:45:00.46+00:00

    Hello SnurovasAleksandras-3884,

    I'm glad that you were able to resolve your issue and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: When submitting an update request in Purview, receiving a status check link in the response header.

    Error:

    The client 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' with object id 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' does not have authorization to perform action 'Microsoft.Purview/locations/operationResults/read' over scope '/subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/providers/Microsoft.Purview/locations/southcentralus/operationResults/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' or the scope is invalid. If access was recently granted, please refresh your credentials.

    Solution:

    The service principal does not have read permissions to check the status and returned a 403 error.

    This issue was resolved by assigning the service principal to the Reader role at the subscription level.

    If you have any other questions or are still running into more issues, please let me know.
    Thank you again for your time and patience throughout this issue.

    Please remember to "Accept Answer" if any answer/reply helped, so that others in the community facing similar issues can easily find the solution.

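As an added example (not code from this thread or from Microsoft), the Python helper below parses the AuthorizationFailed message quoted above to recover the denied action and scope, then turns them into a custom role definition in the JSON shape `az role definition create` accepts, as a narrower alternative to the subscription-level Reader assignment that resolved the issue. The sample error body, its GUIDs and the role name are constructed, and whether that single action is sufficient on its own is an assumption the thread does not confirm.

```python
import json
import re

# Constructed sample mirroring the 403 body quoted in the question; the GUIDs are placeholders.
SAMPLE_403 = {"error": {"code": "AuthorizationFailed", "message": (
    "The client 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' with object id "
    "'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' does not have authorization to perform "
    "action 'Microsoft.Purview/locations/operationResults/read' over scope "
    "'/subscriptions/00000000-0000-0000-0000-000000000000/providers/Microsoft.Purview"
    "/locations/southcentralus/operationResults/11111111-1111-1111-1111-111111111111' "
    "or the scope is invalid. If access was recently granted, please refresh your credentials."
)}}

_AUTHZ_RE = re.compile(r"perform action '([^']+)' over scope '([^']+)'")

def parse_authorization_failed(body):
    """Return (action, scope) from an ARM AuthorizationFailed error body, else None."""
    err = body.get("error", {})
    if err.get("code") != "AuthorizationFailed":
        return None
    m = _AUTHZ_RE.search(err.get("message", ""))
    return (m.group(1), m.group(2)) if m else None

def subscription_scope(resource_scope):
    """Reduce an ARM scope to its /subscriptions/<id> prefix."""
    # operationResults sits directly under the subscription (no resourceGroups segment),
    # which is why a resource-group-scoped Contributor assignment never covers it.
    m = re.match(r"^/subscriptions/[^/]+", resource_scope)
    if not m:
        raise ValueError("scope is not subscription-rooted: " + resource_scope)
    return m.group(0)

def build_custom_role(action, scope, name="Purview Operation Status Reader"):
    """Custom role definition (az role definition create JSON) granting only `action`."""
    return {
        "Name": name,
        "IsCustom": True,
        "Description": "Read Purview async operation results; narrower than Reader.",
        "Actions": [action],
        "NotActions": [],
        "AssignableScopes": [subscription_scope(scope)],
    }

if __name__ == "__main__":
    action, scope = parse_authorization_failed(SAMPLE_403)
    print(json.dumps(build_custom_role(action, scope), indent=2))
```

The scope in the error is the same operationResults URL the Location header points at, and it lives under the subscription rather than the resource group, which is why the resource-group Contributor assignment did not cover the status check.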

1 additional answer

  1. SnurovasAleksandras-3884 40 Reputation points
    2023-12-22T17:08:04.5233333+00:00

    Assigning service principal to the Reader role on subscription level seems to have fixed the issue.
