Forum Discussion

NKC25
Brass Contributor
Mar 05, 2025

GatewayAuthenticationFailed / object id does not have authorization to perform on scope.

Hello, this is about activating an eligible role using the ARM API. We created a custom role (only with the admin login action, no read action) because we do not want users to see the machines in the portal.

We have a PS script that is used inside the virtual machine to activate the eligible role using the ARM API.

The role is assigned at the subscription level and activated at the resource level, using inheritance.

It was working great, but for a couple of weeks we have been getting these errors:

  1. "code":"GatewayAuthenticationFailed","message":"Gateway authentication failed for 'Microsoft.Authorization'
  2. AuthorizationFailed Message: The client '******@xxx.com' with object id 'xxxxa' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/xxxa/resourcegroups/ResGrp0213' or the scope is invalid. If access was recently granted, please refresh your credentials

REST API used: PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignmentScheduleRequests/{roleAssignmentScheduleRequestName}?api-version=2020-10-01

It's a random issue on random users.

#Azure #AVD #AzureVirtualMachines.

  • Check the following:


    • Check Role Permissions:
      • Ensure that the custom role includes all necessary permissions for the action being performed. Since the error mentions Microsoft.Resources/subscriptions/resourcegroups/write, you may need to add this permission to the custom role, even if it's not intended for regular use.
    • Scope Validation:
      • Verify that the scope specified in the API request is correct and matches the level at which the role is assigned. For example, if the role is assigned at the subscription level, ensure the scope reflects this.
    • Token Expiry or Refresh:
      • The error message suggests refreshing credentials. Ensure that the token used in the API request is valid and has not expired. If you're using a script, implement a mechanism to refresh the token before making the API call.
    • Inheritance Issues:
      • Since the role is assigned at the subscription level and activated at the resource level, confirm that the inheritance is functioning as expected. Check if there are any changes in Azure policies or configurations that might have disrupted inheritance.
    • Random User Issues:
      • For users experiencing the issue, verify their access and permissions. Use the Access Control (IAM) section in the Azure portal to check their effective permissions at the resource level.
    • API Version:
      • Ensure that the API version (2020-10-01) used in the request is still supported and aligns with the latest Azure updates.
    • Azure Logs:
      • Review Azure Activity Logs and Sign-In Logs for more details about the failed requests. These logs can provide insights into why the authorization is failing.
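The checks above (fresh token, correct activation scope, effective permissions at that scope) can be folded into the activation script itself, so that when a PUT fails the script records which of the three it was instead of leaving a bare error. The PowerShell below is an added example written for this thread, not the poster's script or Microsoft's own sample. It assumes Az.Accounts is installed and the user has already run Connect-AzAccount inside the VM; the subscription id, resource group name, role definition id, principal id and justification text are placeholders to be replaced. The request body follows the documented shape for a SelfActivate roleAssignmentScheduleRequest, and the permissions call uses the Microsoft.Authorization/permissions list API to show the caller's effective actions at the activation scope.

```powershell
# Added example for this thread; not the poster's script. Placeholders below are hypothetical.
$SubscriptionId   = '00000000-0000-0000-0000-000000000000'
$ResourceGroup    = 'ResGrp0213'
$RoleDefinitionId = "/subscriptions/$SubscriptionId/providers/Microsoft.Authorization/roleDefinitions/11111111-1111-1111-1111-111111111111"
$PrincipalId      = '22222222-2222-2222-2222-222222222222'   # object id of the signed-in user
$ApiVersion       = '2020-10-01'

# Scope the eligible role is ACTIVATED at. Eligibility sits at subscription level;
# activating at a narrower scope relies on inheritance, so the scope string must be exact.
$Scope = "/subscriptions/$SubscriptionId/resourceGroups/$ResourceGroup"

function Get-FreshArmToken {
    # Acquire the ARM token immediately before the call and refuse to use one that is
    # already (or nearly) expired; Az refreshes cached tokens close to expiry on its own.
    $tok = Get-AzAccessToken -ResourceUrl 'https://management.azure.com/'
    if ($tok.ExpiresOn -lt (Get-Date).AddMinutes(2)) {
        throw "ARM token expires at $($tok.ExpiresOn); re-run Connect-AzAccount before activating."
    }
    $raw = $tok.Token
    # Newer Az.Accounts versions return the token as a SecureString; older ones as a string.
    if ($raw -is [securestring]) { $raw = [System.Net.NetworkCredential]::new('', $raw).Password }
    return $raw
}

function Get-EffectivePermissions([string]$AtScope, [hashtable]$Headers) {
    # Lists the actions/notActions the caller effectively has at a scope. Compare the
    # 'actions' returned here with the action named in an AuthorizationFailed error.
    $uri = "https://management.azure.com$AtScope/providers/Microsoft.Authorization/permissions?api-version=2022-04-01"
    return (Invoke-RestMethod -Method GET -Uri $uri -Headers $Headers).value
}

function Invoke-RoleActivation {
    $headers = @{
        Authorization  = "Bearer $(Get-FreshArmToken)"
        'Content-Type' = 'application/json'
    }
    # The schedule request name must be a new GUID for every activation request.
    $requestName = [guid]::NewGuid().ToString()
    $body = @{
        properties = @{
            principalId      = $PrincipalId
            roleDefinitionId = $RoleDefinitionId
            requestType      = 'SelfActivate'
            justification    = 'Admin login to VM'            # placeholder justification
            scheduleInfo     = @{
                startDateTime = (Get-Date).ToUniversalTime().ToString('o')
                expiration    = @{ type = 'AfterDuration'; duration = 'PT1H' }
            }
        }
    } | ConvertTo-Json -Depth 6

    $uri = "https://management.azure.com$Scope/providers/Microsoft.Authorization/roleAssignmentScheduleRequests/${requestName}?api-version=$ApiVersion"
    try {
        $resp = Invoke-RestMethod -Method PUT -Uri $uri -Headers $headers -Body $body
        Write-Host "Activation request $($resp.name) status: $($resp.properties.status)"
        return $resp
    }
    catch {
        # The ARM error body is in ErrorDetails.Message; classify it before rethrowing.
        $detail = $_.ErrorDetails.Message
        if ($detail -match 'GatewayAuthenticationFailed') {
            Write-Warning "ARM gateway rejected the token (GatewayAuthenticationFailed). Re-authenticate with Connect-AzAccount and retry; the scope and role are not the cause."
        }
        elseif ($detail -match 'AuthorizationFailed') {
            Write-Warning "AuthorizationFailed at scope '$Scope'. Effective actions for this caller at that scope:"
            foreach ($p in (Get-EffectivePermissions -AtScope $Scope -Headers $headers)) {
                Write-Warning ("  actions: " + ($p.actions -join ', '))
                Write-Warning ("  notActions: " + ($p.notActions -join ', '))
            }
            Write-Warning "If the action named in the error is missing above, the role or the scope string is wrong; if it is present, the assignment has not propagated yet (refresh credentials and retry)."
        }
        else {
            Write-Warning "Unclassified ARM error: $detail"
        }
        throw
    }
}

Invoke-RoleActivation
```

Running the permissions lookup on failure is what separates the two symptoms in the question: a GatewayAuthenticationFailed response is a token problem and is fixed by re-authenticating, while an AuthorizationFailed response is answered by the effective-permission list, which tells you whether the named action is genuinely absent from the custom role at that scope or whether a freshly granted assignment simply has not propagated to the cached token yet. Checking that list before widening the custom role keeps the role at the minimum the admin-login scenario actually needs.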
