NKC25
Mar 05, 2025 (Brass Contributor)
Gatewayauthenticationfailed/objectid does not have authorization to perform on scope.
Hello, this is about activating the eligible role using the ARM API. Created a custom role (only with the admin login action), no read action, because we do not want the user to see the machines in the portal. W...
Kidd_Ip
Mar 09, 2025 (MVP)
Check the following:
- Check Role Permissions:
  - Ensure that the custom role includes all necessary permissions for the action being performed. Since the error mentions Microsoft.Resources/subscriptions/resourcegroups/write, you may need to add this permission to the custom role, even if it's not intended for regular use.
- Scope Validation:
  - Verify that the scope specified in the API request is correct and matches the level at which the role is assigned. For example, if the role is assigned at the subscription level, ensure the scope reflects this.
- Token Expiry or Refresh:
  - The error message suggests refreshing credentials. Ensure that the token used in the API request is valid and has not expired. If you're using a script, implement a mechanism to refresh the token before making the API call.
- Inheritance Issues:
  - Since the role is assigned at the subscription level and activated at the resource level, confirm that the inheritance is functioning as expected. Check if there are any changes in Azure policies or configurations that might have disrupted inheritance.
- Random User Issues:
  - For users experiencing the issue, verify their access and permissions. Use the Access Control (IAM) section in the Azure portal to check their effective permissions at the resource level.
- API Version:
  - Ensure that the API version (2020-10-01) used in the request is still supported and aligns with the latest Azure updates.
- Azure Logs:
  - Review Azure Activity Logs and Sign-In Logs for more details about the failed requests. These logs can provide insights into why the authorization is failing.
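An added example for the first check in the reply (not code from the thread or from Microsoft): an offline test of whether a set of role definitions, in the shape of ARM roleDefinition properties, grants the operation named in the error. Azure RBAC wildcard and NotActions semantics are reproduced; the custom role's action name and the two extra roles are constructed for illustration.

```python
"""Offline check: do these Azure role definitions grant the operations an
ARM call needs?  Constructed example for the thread above, not Microsoft code."""
import re

# Role definitions in the shape of ARM roleDefinition "properties" (constructed).
VM_LOGIN_ONLY = {  # the custom role from the question (exact action name assumed)
    "roleName": "VM Admin Login Only",
    "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/loginAsAdmin/action"],
                     "notActions": []}],
}
RG_WRITER = {  # constructed role that would satisfy the error in the question
    "roleName": "RG Writer",
    "permissions": [{"actions": ["Microsoft.Resources/subscriptions/resourceGroups/write"],
                     "notActions": []}],
}
BROAD_WITH_EXCLUSION = {  # constructed Contributor-like Actions/NotActions pattern
    "roleName": "Broad minus RBAC writes",
    "permissions": [{"actions": ["*"], "notActions": ["Microsoft.Authorization/*/Write"]}],
}

def matches(pattern: str, operation: str) -> bool:
    """Azure RBAC wildcard match: '*' spans any characters, including '/',
    and the comparison is case-insensitive."""
    regex = ".*".join(re.escape(part) for part in pattern.lower().split("*"))
    return re.fullmatch(regex, operation.lower()) is not None

def role_allows(role: dict, operation: str) -> bool:
    """A role grants an operation when some Actions entry matches and no
    NotActions entry matches (NotActions subtract only within their own role)."""
    actions = [a for p in role["permissions"] for a in p.get("actions", [])]
    not_actions = [a for p in role["permissions"] for a in p.get("notActions", [])]
    return any(matches(a, operation) for a in actions) and not any(
        matches(n, operation) for n in not_actions)

def missing_operations(roles: list, required: list) -> list:
    """Operations that none of the assigned roles grants (assignments are additive)."""
    return [op for op in required if not any(role_allows(r, op) for r in roles)]

# The operation named in the error message quoted in the question.
REQUIRED = ["Microsoft.Resources/subscriptions/resourcegroups/write"]

if __name__ == "__main__":
    for roles in ([VM_LOGIN_ONLY], [VM_LOGIN_ONLY, RG_WRITER]):
        names = ", ".join(r["roleName"] for r in roles)
        print(f"{names}: missing {missing_operations(roles, REQUIRED)}")
```

Run it against the JSON returned for your own custom role to see which required action is absent before adding it; the read action the custom role deliberately omits stays omitted, as the question intends.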