Unable to create elastic job agent : The client 'xxxxxx8a1a67d5483' with object id 'xxx7d5483' does not have authorization to perform action 'Microsoft.Sql/servers/jobAgents/write'

Ayush Shrivastava 120 Reputation points
2024-10-16T12:41:40.74+00:00

com.azure.core.management.exception.ManagementException: Status code 403, "{"error":{"code":"AuthorizationFailed","message":"The client 'xxxxxx8a1a67d5483' with object id 'xxx7d5483' does not have authorization to perform action 'Microsoft.Sql/servers/jobAgents/write' over scope '/subscriptions/ccc-1fce-xxxaaaa5/resourceGroups/{resourceGroup}/providers/Microsoft.Sql/servers/{server}/jobAgents/{agentName}' or the scope is invalid. If access was recently granted, please refresh your credentials."}}"

Azure SQL Database
{count} votes

1 answer

Sort by: Most helpful
  1. Vinodh247 23,506 Reputation points MVP
    2024-10-16T15:25:26.91+00:00

    Hi Ayush Shrivastava,

    Thanks for reaching out to Microsoft Q&A.

    The error you are encountering, AuthorizationFailed with a 403 status code, indicates that the AAD client you're using (xxxxxx8a1a67d5483 with objectID xxx7d5483) does not have the necessary permissions to create an elastic job agent under the specified scope.

    Steps to Resolve:

    1. Check Role Assignment: Ensure that the AAD client (which could be a user, service principal, or managed identity) has the required role to perform the Microsoft.Sql/servers/jobAgents/write action. To create or manage Elastic Job Agents, the client needs one of the following roles:
      • SQL Server Contributor: This role gives sufficient permissions to manage SQL servers, including job agents.
      • Contributor or Owner at the resource group or subscription level would also work if managing various SQL resources.
      1. Refresh Credentials: After assigning the role, ensure that the client refreshes its credentials:
      • If you are using a service principal or managed identity, ensure the token is refreshed.
      • If you are using Azure CLI, execute az account clear followed by az login to re-authenticate.
    2. Verify Scope: Double-check the scope you're trying to create the job agent under. The error might also indicate that the scope (ex: subscription, resource group, or server) is incorrect or that there is a typo in the resource identifiers (like {resourceGroup}, {server}, or {agentName}).
    3. Use Portal for Role Assignment (if Needed): If you're unsure of the current roles or need more detailed access control insights, navigate to azure portal, find the SQL server or resource group, and manually inspect role assignments for more visibility.

    Once the correct permissions are assigned and credentials refreshed, you should be able to create the elastic job agent without the authorization error.Please 'Upvote'(Thumbs-up) and 'Accept' as an answer if the reply was helpful. This will benefit other community members who face the same issue.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.