How to resolve the "Forbidden" Error issue while creating the Service Connection in Azure DevOps

Sai kiran Bonthu 45 Reputation points
2025-11-17T10:20:05.5533333+00:00

In Azure DevOps, I am trying to create a service connection in the project. We have a dedicated app registration and its client secret.

The steps I have followed are:

Identity type : App registration or managed identity (manual)

Credential : Secret

Environment: Azure Cloud

Scope Level : Subscription

Provided these details: Subscription ID, Subscription name, Application (client ID), Directory (tenant) ID, Client Secret.
While verifying the client secret, I get the following error:

Failed to query service connection API: 'https://management.azure.com/subscriptions/681e5bae-0abhabdjsa-asdjbdjA-ee?api-version=2016-06-01'. Status Code: 'Forbidden', Response from server: '{"error":{"code":"AuthorizationFailed","message":"The client 'c9dc1639-98YT-2E43-b096-bc1a388e731b' with object id '01145240-023v-975y-8871-23849ni2h34' does not have authorization to perform action 'Microsoft.Resources/subscriptions/read' over scope '/subscriptions/681e5bae-0abhabdjsa-asdjbdjA-ee' or the scope is invalid. If access was recently granted, please refresh your credentials."}}'

Need assistance in resolving the issue.

Azure DevOps

Answer accepted by question author
    Siddhesh Desai 655 Reputation points Microsoft External Staff Moderator
    2025-11-17T11:22:17.9733333+00:00

    Hello Sai kiran Bonthu,

    Thank you for reaching out to Microsoft Q&A.

    From the error message you posted in your query, it shows that your service principal does not have at least the Reader role assigned at the subscription level.

    Even I faced the same error when I tried creating a service connection without adding at least the Reader role to the service principal.

    To resolve this error, please add the Reader role to the service principal as below:

    Visit your Subscription > Access Control (IAM) > Add Role Assignment > Select Reader role > In Members > Select your Service principal.

    Assign access to – User, Group, Service Principal > In Members select your service principal > Click Next > Review and Assign > After the role is assigned, try creating the service connection again.

    Note: Make sure you add the Reader role in the subscription which you will select while creating the service connection.

    After the role is added, try creating/verifying the service connection and it will be created successfully, as below:

    Visit your Azure DevOps Project Settings > Service Connections > New Service Connection > Azure Resource Manager > Identity Type: App registration or managed identity (manual) > Credential: Secret > Scope: Subscription > Add the Subscription ID and Subscription Name of the subscription where your service principal has the Reader role assigned > Add your Client ID, Tenant ID and Client Secret > Click Verify > Once it shows "Verification Succeeded" > Click Verify and Save > The service connection will be created.

    1 person found this answer helpful.
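The portal steps above can be checked and applied from the Azure CLI as well. The script below is an added example, not part of the thread; it assumes `az` is installed and logged in as someone who can assign roles on the subscription (Owner or User Access Administrator), and that `APP_ID` and `SUBSCRIPTION_ID` are supplied by the caller. It tests whether any role already assigned to the service principal covers the denied action from the error, and only assigns Reader if none does.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): check whether an app registration's
# service principal can perform the action named in the error on the
# subscription, and grant the built-in Reader role if no assigned role covers it.
set -eu

# The action Azure DevOps was denied, quoted verbatim in the error message.
REQUIRED_ACTION="Microsoft.Resources/subscriptions/read"

# Does an RBAC action pattern (e.g. "*/read" from Reader) cover a concrete
# action? Azure's "*" wildcard also spans "/", which a case glob reproduces.
# NotActions are deliberately not considered (simplification).
action_covered() {  # action_covered <pattern> <action>
  case "$2" in $1) return 0 ;; *) return 1 ;; esac
}

# Print the first assigned role (direct or inherited) whose Actions cover the
# required action; return 1 if none does.
principal_can() {  # principal_can <sp-object-id> <scope> <action>
  roles=$(az role assignment list --assignee "$1" --scope "$2" \
            --include-inherited --query "[].roleDefinitionName" -o tsv)
  while read -r role; do
    [ -n "$role" ] || continue
    patterns=$(az role definition list --name "$role" \
                 --query "[0].permissions[0].actions[]" -o tsv </dev/null)
    for pattern in $patterns; do
      if action_covered "$pattern" "$3"; then echo "$role"; return 0; fi
    done
  done <<EOF
$roles
EOF
  return 1
}

ensure_reader() {  # ensure_reader <application-client-id> <subscription-id>
  scope="/subscriptions/$2"
  # The "object id" quoted in the error is the service principal's id.
  sp=$(az ad sp show --id "$1" --query id -o tsv)
  if role=$(principal_can "$sp" "$scope" "$REQUIRED_ACTION"); then
    echo "OK: '$role' already grants $REQUIRED_ACTION to $sp on $scope"
  else
    az role assignment create --assignee-object-id "$sp" \
      --assignee-principal-type ServicePrincipal --role Reader --scope "$scope"
    echo "Reader assigned; allow a few minutes before clicking Verify again"
  fi
}

# Only touches Azure when run as: APP_ID=... SUBSCRIPTION_ID=... ./check.sh apply
if [ "${1:-}" = "apply" ]; then
  ensure_reader "${APP_ID:?set APP_ID}" "${SUBSCRIPTION_ID:?set SUBSCRIPTION_ID}"
fi
```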
