How to create/delete user via API using grant type as client_credentials

Ron Weasley 0 Reputation points

We are able to create a token but unable to create and delete a user.


"error": {
    "code": "AuthorizationFailed",
    "message": "The client 'f04c77f3-530e-416d-a165-42304fb90583' with object id 'f04c77f3-530e-416d-a165-42304fb90583' does not have authorization to perform action 'Microsoft.ApiManagement/service/users/write' over scope '/subscriptions/2d1e70f3-6530-480e-ab57-5c71915083af/resourceGroups/TestResorceGroupSub2/providers/Microsoft.ApiManagement/service/TestResourceSub2/users/Vivek' or the scope is invalid. If access was recently granted, please refresh your credentials."




1 answer

  1. Shweta Mathur 29,006 Reputation points Microsoft Employee

    Hi @Ron Weasley ,

    Thanks for reaching out.

    The error is not related to the user but to the application. Kindly look for the application/SPN name with client ID: 'f04c77f3-530e-416d-a165-42304fb90583'.

    Make sure to add the proper RBAC role to the above service principal before generating the token.

    Navigate to the subscription > Choose the subscription > Add Role assignment > User Access Administrator (you can assign any role you want) > assign to the application SPN


    and then generate the token using client credential flow


    Then I used this token to call Azure Management REST API.

    Hope this will help.



    Please remember to "Accept Answer" if answer helped you.
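
Added example, not part of the answer above and not Microsoft code: a Python check that parses the `AuthorizationFailed` message from the question and tests whether a set of role assignments would authorize the denied action at that scope, using Azure RBAC's wildcard `actions`/`notActions` matching and downward scope inheritance. The role names, role definitions and assignments are constructed samples; real ones can be exported with `az role definition list` and `az role assignment list`.

```python
import re
from fnmatch import fnmatchcase

# Error message from the question above, shortened after the scope.
ERROR = ("The client 'f04c77f3-530e-416d-a165-42304fb90583' with object id "
         "'f04c77f3-530e-416d-a165-42304fb90583' does not have authorization to perform "
         "action 'Microsoft.ApiManagement/service/users/write' over scope "
         "'/subscriptions/2d1e70f3-6530-480e-ab57-5c71915083af/resourceGroups/"
         "TestResorceGroupSub2/providers/Microsoft.ApiManagement/service/"
         "TestResourceSub2/users/Vivek' or the scope is invalid.")

def parse_authorization_failed(message):
    """Extract who was denied, which action, and at which scope."""
    m = re.search(r"client '([^']+)' with object id '([^']+)' does not have authorization "
                  r"to perform action '([^']+)' over scope '([^']+)'", message)
    if not m:
        raise ValueError("not an AuthorizationFailed message")
    return dict(zip(("client_id", "object_id", "action", "scope"), m.groups()))

def role_allows(role, action):
    """A role permits an action if an actions pattern matches and no notActions pattern does."""
    def hit(patterns):
        return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)
    return hit(role["actions"]) and not hit(role.get("notActions", []))

def scope_covers(assignment_scope, request_scope):
    """Assignments are inherited downward: the request scope must equal or sit below it."""
    a, r = assignment_scope.rstrip("/").lower(), request_scope.rstrip("/").lower()
    return r == a or r.startswith(a + "/")

def covering_assignments(denied, assignments, roles):
    """Return the assignments that would have authorized the denied request."""
    return [a for a in assignments
            if a["principalId"] == denied["object_id"]
            and scope_covers(a["scope"], denied["scope"])
            and role_allows(roles[a["role"]], denied["action"])]

# Constructed role definitions and assignments (hypothetical names, not built-in Azure roles).
ROLES = {"sample-reader": {"actions": ["*/read"]},
         "sample-apim-user-admin": {"actions": ["Microsoft.ApiManagement/service/users/*"]},
         "sample-apim-no-user-write": {"actions": ["Microsoft.ApiManagement/service/*"],
                                       "notActions": ["Microsoft.ApiManagement/service/users/write"]}}
DENIED = parse_authorization_failed(ERROR)
SUBSCRIPTION = DENIED["scope"].split("/resourceGroups/")[0]
APIM_SERVICE = DENIED["scope"].split("/users/")[0]
SPN = DENIED["object_id"]
BEFORE = [{"principalId": SPN, "role": "sample-reader", "scope": SUBSCRIPTION},
          {"principalId": SPN, "role": "sample-apim-no-user-write", "scope": APIM_SERVICE},
          {"principalId": SPN, "role": "sample-apim-user-admin",
           "scope": SUBSCRIPTION + "/resourceGroups/other-rg"}]
AFTER = BEFORE + [{"principalId": SPN, "role": "sample-apim-user-admin", "scope": APIM_SERVICE}]
```

`covering_assignments(DENIED, BEFORE, ROLES)` is empty because each sample assignment fails on either the action or the scope; adding one assignment scoped to the API Management service itself is enough, without granting anything at subscription level.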
