Azure Active Directory authorization - REST API reference

When you use Azure Active Directory (Azure AD) authentication, authorization is handled by role-based access control (RBAC). RBAC requires users to be assigned to roles in order to grant access to resources. Each role contains a set of actions that users assigned to the role are able to perform.


The following roles are available in Azure subscriptions by default:

  • Azure App Configuration Data Owner: This role provides full access to all operations.
  • Azure App Configuration Data Reader: This role enables read operations.


Roles contain a list of actions that users assigned to that role can perform. Azure App Configuration supports the following actions:

  • Microsoft.AppConfiguration/configurationStores/keyValues/read: This action allows read access to App Configuration key-value resources, such as /kv and /labels.
  • Microsoft.AppConfiguration/configurationStores/keyValues/write: This action allows write access to App Configuration key-value resources.
  • Microsoft.AppConfiguration/configurationStores/keyValues/delete: This action allows App Configuration key-value resources to be deleted. Note that deleting a resource returns the key-value that was deleted.


HTTP/1.1 403 Forbidden

Reason: The principal making the request doesn't have the required permissions to perform the requested operation. Solution: Assign the role required to perform the requested operation to the principal making the request.

Managing role assignments

You can manage role assignments by using Azure RBAC procedures that are standard across all Azure services. You can do this through the Azure CLI, PowerShell, and the Azure portal. For more information, see Assign Azure roles using the Azure portal.