question

Peter-7553 asked SwathiDhanwada-MSFT commented

Azure Authorization failed error for the 'Microsoft.Capacity/reservationOrders/read' REST API call

Hi there,
When I try to get the reservationOrders list via an OAuth2 API call, I get the authorization failed error, as you can see in the attached screenshot:
("message": "The client '545de9ec-53d5-4169-bf0d-55b6caeed4bc' with object id '545de9ec-53d5-4169-bf0d-55b6caeed4bc' does not have authorization to perform action 'Microsoft.Capacity/reservationOrders/read' over scope '/providers/Microsoft.Capacity' or the scope is invalid. If access was recently granted, please refresh your credentials.")
199253-authorization-failed-reservations-api.jpg


I properly created a custom role which includes the permission for the 'Microsoft.Capacity/reservationOrders/read' resource. After this, in the Tenant Root IAM, I added this custom role assignment for my above-mentioned 545de... Azure app. I can also use the REST API with other resources (for example, to get the VM list).

Could you please help me understand what else could cause this authorization failed error for the reservation orders?

azure-monitor

1 Answer

SwathiDhanwada-MSFT answered

@Peter-7553 Welcome to Microsoft Q & A Community Forum. By default, the following users can view and manage reservations:

  • The person who buys a reservation and the account administrator of the billing subscription used to buy the reservation are added to the reservation order.

  • Enterprise Agreement and Microsoft Customer Agreement billing administrators.

  • Users with elevated access to manage all Azure subscriptions and management groups

  • A Reservation administrator for reservations in their Azure Active Directory (Azure AD) tenant (directory)

  • A Reservation reader has read-only access to reservations in their Azure Active Directory tenant (directory)

Currently, the reservation administrator and reservation reader roles are only available to assign using PowerShell. They can't be viewed or assigned in the Azure portal. Try assigning Reservation Reader role at tenant scope and revert if you have further questions.

To view the reservations, you can use the PowerShell script below to assign the role.

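    # Modules that provide Connect-AzAccount and New-AzRoleAssignment
    Import-Module Az.Accounts
    Import-Module Az.Resources

    # Sign in to the tenant that owns the reservations
    Connect-AzAccount -Tenant <TenantId>

    # Assign the role at the Microsoft.Capacity provider scope to the principal's object id
    New-AzRoleAssignment -Scope "/providers/Microsoft.Capacity" -PrincipalId <ObjectId> -RoleDefinitionName "Reservations Reader"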
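To confirm that the assignment exists at the scope named in the error message and that the role really covers the failing action, the check below can be run after the script above. It is an added example, not part of the original answer; `<TenantId>` and `<ObjectId>` are the same placeholders the answer uses, and the `api-version` value is an assumption to be replaced with the one your client already sends.

```powershell
# Added example: verify the role assignment behind the AuthorizationFailed error.
Import-Module Az.Accounts
Import-Module Az.Resources

$tenantId = '<TenantId>'                      # placeholder, as in the answer
$objectId = '<ObjectId>'                      # object id of the app's service principal
$scope    = '/providers/Microsoft.Capacity'   # scope quoted in the error message
$action   = 'Microsoft.Capacity/reservationOrders/read'

Connect-AzAccount -Tenant $tenantId | Out-Null

# 1. Keep only assignments made exactly at the provider scope for this principal.
$atScope = Get-AzRoleAssignment -ObjectId $objectId -Scope $scope |
    Where-Object { $_.Scope -eq $scope }

if (-not $atScope) {
    Write-Warning "No role assignment for $objectId at $scope"
}

# 2. For each assignment, test whether the role's Actions cover the failing action.
#    Role actions may contain wildcards, so each one is used as a -like pattern.
#    NotActions are not evaluated here.
foreach ($a in $atScope) {
    $def     = Get-AzRoleDefinition -Id $a.RoleDefinitionId
    $matches = @($def.Actions | Where-Object { $action -like $_ })
    [pscustomobject]@{
        Role         = $a.RoleDefinitionName
        Scope        = $a.Scope
        CoversAction = ($matches.Count -gt 0)
        MatchedBy    = ($matches -join ', ')
    }
}

# 3. Repeat the read. Invoke-AzRestMethod runs as the identity that is signed in,
#    so sign in as the service principal to reproduce the application's view.
#    The api-version below is an assumption.
$resp = Invoke-AzRestMethod -Method GET `
    -Path '/providers/Microsoft.Capacity/reservationOrders?api-version=2022-03-01'

if ($resp.StatusCode -eq 200) {
    ($resp.Content | ConvertFrom-Json).value | Select-Object name, id
} else {
    Write-Warning "HTTP $($resp.StatusCode): $($resp.Content)"
}
```

A token issued before the assignment was created will not carry the new access, which is what the error's "please refresh your credentials" hint refers to, so request a fresh token before repeating the call.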
