Getting resources Ids by resource groups and Subscriptions through graph API

Luis Vasquez 0 Reputation points
2025-04-29T15:49:39.8233333+00:00

I am developing an RBAC with Python code using Graph API and Request library (because the MS library doesn't work on my environment), and I am collecting all the information I need:

  1. Users,
  2. Permissions/Roles
  3. Subscriptions
  4. Resource Groups
  5. Resources within resource groups

I am having issues with 4 and 5. For subscriptions, I read that you cannot get them through API, so I don't mind updating them manually, but I can't seem to find the endpoints for those 2. I found this link: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-rest

But when I try getting subscription information I get this error:

{'error': {'code': 'AuthenticationFailed', 'message': 'Authentication failed.'}}

But there is no page for App Registration or permission page. I have an App registration I already use to retrieve user information and other AD info, but not management information. Do I need a different App, or do I need to give an additional type of permission?

Microsoft Security | Microsoft Entra | Microsoft Entra ID

1 answer

  1. Rukmini 3,841 Reputation points Microsoft External Staff Moderator
    2025-05-01T02:01:02.3+00:00

    Hello @Luis Vasquez,

    I understand that you want to access Resource Groups and Resources. This requires calling Azure Resource Management (ARM) APIs, not Microsoft Graph.

    • You don’t need a new app registration; you can reuse your existing one by adding Azure Service management API permission.
    • The application or the user calling this API must have Reader role in the subscription scope.
    • Microsoft Graph cannot list resource groups or resources. Hence make use of Azure Service management like below:

    Grant Azure Service management API permission to the Microsoft Entra ID application:


    Assign Reader role to the Service Principal under subscription scope:


    • To list Resource Groups, make use of GET https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups?api-version=2021-04-01
    • To list resources under each resource group, make use of GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/resources?api-version=2021-04-01

    Use the below Python code which lists resource groups with the resources in each resource group:

    
    import requests

    # Azure AD & App Registration details (placeholders to fill in)
    tenant_id = "TenantID"
    client_id = "ClientID"
    client_secret = "Secret"
    subscription_id = "SubscriptionID"

    # OAuth2 token endpoint and scope for Azure Resource Manager
    token_url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    scope = "https://management.azure.com/.default"

    # Step 1: Get access token (client credentials flow)
    token_data = {
        'grant_type': 'client_credentials',
        'client_id': client_id,
        'client_secret': client_secret,
        'scope': scope
    }
    token_response = requests.post(token_url, data=token_data, timeout=30)
    token_response.raise_for_status()
    access_token = token_response.json().get("access_token")

    # Step 2: Use token to call ARM API
    headers = {
        'Authorization': f'Bearer {access_token}',
        'Content-Type': 'application/json'
    }

    # Step 3: Get all resource groups
    resource_groups_url = f"https://management.azure.com/subscriptions/{subscription_id}/resourcegroups?api-version=2021-04-01"
    response = requests.get(resource_groups_url, headers=headers, timeout=30)
    response.raise_for_status()
    resource_groups = response.json().get("value", [])

    # Step 4: Print resource group names and IDs
    print("Resource Groups:")
    for rg in resource_groups:
        print(f"- Name: {rg['name']}, ID: {rg['id']}")

        # Step 5: Get resources for each resource group
        resources_url = f"https://management.azure.com/subscriptions/{subscription_id}/resourceGroups/{rg['name']}/resources?api-version=2021-04-01"
        res_response = requests.get(resources_url, headers=headers, timeout=30)

        if res_response.status_code == 200:
            resources = res_response.json().get("value", [])
            if resources:
                print("   Resources within this group:")
                for res in resources:
                    print(f"Resource: {res['name']} (Type: {res['type']})")
            else:
                print("No resources found.")
        else:
            print(f"Failed to get resources: {res_response.status_code} {res_response.text}")
    
    


    Also, you can list Azure role assignments using GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments?api-version=2022-04-01&$filter={filter}

    • If you are making use of user interactive flow to call the API then make sure the user is assigned with Reader role.

    References:

    Resource Groups - List - REST API (Azure Resource Management) | Microsoft

    Resources - List By Resource Group - REST API (Azure Resource Management) | Microsoft

    Hope this helps!


    If this answers your query, do click Accept Answer and Yes for was this answer helpful, which may help members with similar questions.


    If you have any other questions or are still experiencing issues, feel free to ask in the "comments" section, and I'd be happy to help.
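Added example, not part of the original thread or the answerer's code: for the RBAC inventory the question describes, this sketch pages through the role assignments endpoint mentioned in the answer (following ARM's `nextLink`) and labels each assignment by scope level. The function names, the `fetch` callable and the sample pages are assumptions constructed for illustration.

```python
import json
import urllib.request
ARM = "https://management.azure.com"
ASSIGNMENTS = (ARM + "/subscriptions/{}/providers/Microsoft.Authorization"
               "/roleAssignments?api-version=2022-04-01")

def arm_get(url, token):
    """One authenticated GET against ARM; raises HTTPError on a non-2xx reply."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def list_all(url, fetch):
    """Follow nextLink paging; never send the token to a non-ARM host."""
    items = []
    while url:
        if not url.startswith(ARM + "/"):
            raise ValueError(f"refusing to follow link outside ARM: {url}")
        page = fetch(url)
        items.extend(page.get("value", []))
        url = page.get("nextLink")
    return items

def scope_level(scope):
    """Classify a role-assignment scope by its depth in the ARM hierarchy."""
    parts = [p.lower() for p in scope.strip("/").split("/")]
    if parts[0] != "subscriptions":
        return "other"  # root "/" or management-group scope
    if len(parts) == 2:
        return "subscription"
    is_rg = len(parts) == 4 and parts[2] == "resourcegroups"
    return "resourceGroup" if is_rg else "resource"

def rbac_inventory(subscription_id, fetch):
    """Flatten role assignments into rows of principal, role id and scope level."""
    return [{"principalId": ra["properties"]["principalId"],
             "role": ra["properties"]["roleDefinitionId"].rsplit("/", 1)[-1],
             "level": scope_level(ra["properties"]["scope"])}
            for ra in list_all(ASSIGNMENTS.format(subscription_id), fetch)]

# Constructed sample pages (not real tenant data), keyed by request URL.
SUB = "00000000-0000-0000-0000-000000000000"
PAGE1 = ASSIGNMENTS.format(SUB)
def _ra(pid, role, scope):
    return {"properties": {"principalId": pid, "scope": scope,
            "roleDefinitionId": "/providers/Microsoft.Authorization/roleDefinitions/" + role}}
SAMPLE = {
    PAGE1: {"value": [_ra("user-1", "role-a", f"/subscriptions/{SUB}")],
            "nextLink": PAGE1 + "&$skiptoken=x"},
    PAGE1 + "&$skiptoken=x": {"value": [
        _ra("app-1", "role-b", f"/subscriptions/{SUB}/resourceGroups/rg-demo")]}}
```

Against a live subscription, pass `lambda u: arm_get(u, access_token)` as `fetch`, with a token requested for the `https://management.azure.com/.default` scope as in the answer; offline, `SAMPLE.__getitem__` serves the constructed pages.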

