Azure Authorization failed error for the 'Microsoft.Capacity/reservationOrders/read' REST API call

Peter 1 Reputation point
2022-05-05T12:03:49.727+00:00

Hi there,
When I try to get the reservationOrders list via an OAuth2 API call, I get the authorization failed error, as you can see in the attached screenshot:
("message": "The client '545de9ec-53d5-4169-bf0d-55b6caeed4bc' with object id '545de9ec-53d5-4169-bf0d-55b6caeed4bc' does not have authorization to perform action 'Microsoft.Capacity/reservationOrders/read' over scope '/providers/Microsoft.Capacity' or the scope is invalid. If access was recently granted, please refresh your credentials.")

I properly created a custom role which includes the permission for the 'Microsoft.Capacity/reservationOrders/read' resource. After this, in the Tenant Root IAM, I added this custom role assignment for my above-mentioned 545de... Azure app. I can also use the REST API with other resources (for example, get the VM list).

Could you please help me understand what else could cause this authorization failed error for the reservation orders?


1 answer

  1. SwathiDhanwada-MSFT 18,756 Reputation points
    2022-05-09T11:11:29.95+00:00

    @Peter Welcome to Microsoft Q & A Community Forum. By default, the following users can view and manage reservations:

    • The person who buys a reservation and the account administrator of the billing subscription used to buy the reservation are added to the reservation order.
    • Enterprise Agreement and Microsoft Customer Agreement billing administrators.
    • Users with elevated access to manage all Azure subscriptions and management groups
    • A Reservation administrator for reservations in their Azure Active Directory (Azure AD) tenant (directory)
    • A Reservation reader has read-only access to reservations in their Azure Active Directory tenant (directory)

    Currently, the reservation administrator and reservation reader roles are only available to assign using PowerShell. They can't be viewed or assigned in the Azure portal. Try assigning Reservation Reader role at tenant scope and revert if you have further questions.

    To view the reservations, you can use the PowerShell script below to assign the role.

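    # Load the Az modules that provide Connect-AzAccount and New-AzRoleAssignment
    Import-Module Az.Accounts
    Import-Module Az.Resources

    # Sign in to the tenant that owns the reservations
    Connect-AzAccount -Tenant <TenantId>

    # Assign the role to the principal's object ID at the Microsoft.Capacity provider scope
    New-AzRoleAssignment -Scope "/providers/Microsoft.Capacity" -PrincipalId <ObjectId> -RoleDefinitionName "Reservations Reader"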
    
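To check that the assignment from the answer above landed at the scope named in the error, the following PowerShell is an added example, not part of the original thread or a Microsoft script. The placeholder IDs and the `api-version` value are assumptions to replace with your own.

```powershell
# Added example. Placeholders and the api-version are assumptions; replace before running.
$tenantId   = '<TenantId>'
$objectId   = '<ObjectId>'   # object ID of the app's service principal
$scope      = '/providers/Microsoft.Capacity'
$action     = 'Microsoft.Capacity/reservationOrders/read'
$apiVersion = '2022-03-01'   # assumed Microsoft.Capacity API version

Import-Module Az.Accounts
Import-Module Az.Resources
Connect-AzAccount -Tenant $tenantId | Out-Null

# Keep only assignments for the principal made at the provider scope
# from the error message or at the root scope "/".
$assignments = @(Get-AzRoleAssignment -ObjectId $objectId -Scope $scope |
    Where-Object { $_.Scope -in @($scope, '/') })

if ($assignments.Count -eq 0) {
    Write-Warning "No role assignment for $objectId at $scope or '/'."
}

foreach ($a in $assignments) {
    $role = Get-AzRoleDefinition -Id $a.RoleDefinitionId
    # Role actions may contain wildcards, so match the action against each pattern.
    $allowed = @($role.Actions    | Where-Object { $action -like $_ }).Count -gt 0
    $denied  = @($role.NotActions | Where-Object { $action -like $_ }).Count -gt 0
    [pscustomobject]@{
        Role         = $a.RoleDefinitionName
        Scope        = $a.Scope
        GrantsAction = ($allowed -and -not $denied)
    }
}

# Read test. This runs as the identity in the current Az context, so sign in
# as the service principal itself to test the app's own access.
$resp = Invoke-AzRestMethod -Method GET `
    -Path "/providers/Microsoft.Capacity/reservationOrders?api-version=$apiVersion"
"reservationOrders read returned HTTP $($resp.StatusCode)"
```

If the read still returns 403 right after the assignment, request a new token for the app first, as the error message itself advises refreshing credentials.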
