How to create/ delete user via API using grant type as client_credentials

Ron Weasley 0 Reputation points

How to create / delete user via API using grant type as client_credentials.
We are able generate token but not able to perform create and delete user.


"error": {

    "code": "AuthorizationFailed",

    "message": "The client 'f04c77f3-530e-416d-a165-42304fb90583' with object id 'f04c77f3-530e-416d-a165-42304fb90583' does not have authorization to perform action 'Microsoft.ApiManagement/service/users/write' over scope '/subscriptions/833affd6-00ea-43b4-903c-8a604086ced2/resourceGroups/TestResource/providers/Microsoft.ApiManagement/service/testResourceTesting' or the scope is invalid. If access was recently granted, please refresh your credentials."



Microsoft Entra
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
20,104 questions
0 comments No comments
{count} votes

1 answer

Sort by: Most helpful
  1. Deepanshu katara 6,245 Reputation points

    Hi Ron ,

    Please check whether the Service principal has access to the subscription and the required Resource groups. Also, check if the Service principal has expired.

    To resolve this issue, follow these steps:

    Step-by-Step Solution:

    Identify the Client and Role Assignment:

    • Confirm the identity of the client (service principal or user) with the object ID f04c77f3-530e-416d-a165-42304fb90583.Determine the necessary role and permissions required to perform the action.
    • Assign the Appropriate Role:- Ensure the client has a role that includes the required permissions. The "API Management Service Contributor" role usually includes permissions to write to the API Management service.
    • Grant the Role Assignment: - Use the Azure Portal, Azure CLI, or an ARM template to assign the necessary role to the client.

    Using Azure Portal:

    1. Go to the Azure Portal:
    2. Navigate to the subscription or resource group containing the API Management service.
    3. Go to "Access control (IAM)".
    4. Click on "Add" and then "Add role assignment".
    5. Select the appropriate role, such as "API Management Service Contributor".
    6. Assign the role to the client with the object ID f04c77f3-530e-416d-a165-42304fb90583.

    Please accept answer , if it helps, Thanks

    0 comments No comments