Description
Link to sample
Library name and version
@azure/arm-resourcehealth, @azure/identity
Language of the Sample
- C#/.NET
- Java
- JavaScript/TypeScript
- Python
- Golang
- Other - Please specify in Issue details field
Sample Issue Type
- Sample not working
- Sample missing
- Do not understand sample
Issue details
Node app gets a 403 Forbidden error when accessing service health events List by Tenant Id:
https://management.azure.com/providers/Microsoft.ResourceHealth/events
It has the following configured:
- Access uses AzureDefaultCredential, with AZURE_CLIENT_ID, AZURE_TENANT_ID and AZURE_CLIENT_SECRET present in env vars.
- The registered app is assigned the tenant roles "Global Admin" and "Security Admin".
- The registered app is assigned a custom role at management group with all "MicrosoftResourceHealth" permissions.
- The registered app has been granted the "Azure Service Management - user_impersonation" scope.
{
  "error": {
    "code": "AuthorizationFailed",
    "message": "The client '06bc32ab-5ab5-4b8d-9f6c-95d0a420eb95' with object id '06bc32ab-5ab5-4b8d-9f6c-95d0a420eb95' does not have authorization to perform action 'Microsoft.ResourceHealth/events/read' over scope '/providers/Microsoft.ResourceHealth' or the scope is invalid. If access was recently granted, please refresh your credentials."
  }
}

Expected behavior
Expect a successful response with HTTP code 200
Actual behavior
API responded 403 Forbidden:
{
  "error": {
    "code": "AuthorizationFailed",
    "message": "The client '06bc32ab-5ab5-4b8d-9f6c-95d0a420eb95' with object id '06bc32ab-5ab5-4b8d-9f6c-95d0a420eb95' does not have authorization to perform action 'Microsoft.ResourceHealth/events/read' over scope '/providers/Microsoft.ResourceHealth' or the scope is invalid. If access was recently granted, please refresh your credentials."
  }
}
Reproduction Steps
No response
Environment
Node 20.x
Windows 11
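
A triage helper for the AuthorizationFailed body quoted in this issue, added here as an example (it is not code from the issue author or from the Azure SDK). It extracts the denied action and scope and checks which role-assignment scopes sit at or above that scope by ARM path ancestry only. Assumptions: the assignment list and the `example-mg` management group id are hypothetical, and path ancestry is a simplification that does not model management-group inheritance to subscriptions.

```javascript
// Constructed sample: the AuthorizationFailed body quoted in the issue.
const sampleBody = JSON.stringify({
  error: {
    code: "AuthorizationFailed",
    message:
      "The client '06bc32ab-5ab5-4b8d-9f6c-95d0a420eb95' with object id " +
      "'06bc32ab-5ab5-4b8d-9f6c-95d0a420eb95' does not have authorization to " +
      "perform action 'Microsoft.ResourceHealth/events/read' over scope " +
      "'/providers/Microsoft.ResourceHealth' or the scope is invalid.",
  },
});

// Pull the principal, action and scope out of an ARM AuthorizationFailed body.
function parseAuthorizationFailed(body) {
  const err = (JSON.parse(body) || {}).error;
  if (!err || err.code !== "AuthorizationFailed") return null;
  const re = /client '([^']+)' with object id '([^']+)'.*?perform action '([^']+)' over scope '([^']+)'/s;
  const m = re.exec(err.message || "");
  if (!m) return null;
  const [, clientId, objectId, action, scope] = m;
  return { clientId, objectId, action, scope, level: scopeLevel(scope) };
}

// Classify an ARM scope by its leading path segments.
function scopeLevel(scope) {
  const s = scope.toLowerCase();
  if (s.startsWith("/providers/microsoft.management/managementgroups/")) return "managementGroup";
  if (s.startsWith("/subscriptions/")) return "subscriptionOrBelow";
  if (s === "/" || s.startsWith("/providers/")) return "tenant";
  return "unknown";
}

// True when assignmentScope equals deniedScope or is a path ancestor of it.
function coversByPath(assignmentScope, deniedScope) {
  const a = assignmentScope.toLowerCase().replace(/\/+$/, ""); // "/" becomes ""
  const d = deniedScope.toLowerCase().replace(/\/+$/, "");
  return a === "" || d === a || d.startsWith(a + "/");
}

// Report the denied request plus the assignment scopes that cover it by path.
function triage(body, assignmentScopes) {
  const denied = parseAuthorizationFailed(body);
  if (!denied) return null;
  return { ...denied, covering: assignmentScopes.filter((s) => coversByPath(s, denied.scope)) };
}

// Hypothetical assignment: a custom role at a management group (placeholder id).
console.log(triage(sampleBody, ["/providers/Microsoft.Management/managementGroups/example-mg"]));
```

For the body in this issue the helper reports a tenant-level scope and an empty `covering` list for the management-group assignment.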