I'm unable to setup alerts in my Application Insights instance on Azure from portal.
This is the error I receive:
Failed to create alert rule 'XWRANotification'. The client
'sk#org.com' with object id 'xxx-3525-48c6-97ad-xxx' does not have
authorization to perform action
'microsoft.insights/scheduledqueryrules/write' over scope
'/subscriptions/xxx-d404-4748-a3e8-09afe0bbea49/resourceGroups/RG-XWRA-01/providers/microsoft.insights/scheduledqueryrules/XWRANotification' or the scope is invalid. If access was recently granted, please
refresh your credentials..
I've following access configured for my user on this App Insights instance:
Contributor
Application Insights Component Contributor
Monitoring Contributor
Based on our comments, in addition to the 3 roles you listed, you need another Contributor role for the resource group which you will create your action group in.
If you already have this role, you should be able to setup the alerts. As it suggested: If access was recently granted, please refresh your credentials.
Related
I've been added to a RG as owner in a subscription outside på company. Navigating to the Access contol (IAM) of the RG and clicking "View my access". clearly says "Grants full access to manage all resources, including the ability to assign roles in Azure RBAC.":
But I can not create any resources w/o getting:
The client 'mikael.hakansson#xxx.com' with object id 'xxx' does not have authorization to perform action 'Microsoft.Storage/register/action' over scope '/subscriptions/xxx' or the scope is invalid. If access was recently granted, please refresh your credentials. (Code: AuthorizationFailed) (Code: AuthorizationFailed)
Neither can I view Role assignments: "You do not have permissions to read this directory. Contact a Global Administrator and have them assign you the Directory Readers role in Azure Active Directory."
Thank you for any input
As I have mentioned in comments , The Owner Role that you have assigned to is in for the resource Group as its showing This Resource. If it was assigned to Subscription then it would have been seen as Subscription(Inherited) in the resource group level.
Example:
The client 'mikael.hakansson#xxx.com' with object id 'xxx' does not
have authorization to perform action
'Microsoft.Storage/register/action' over scope '/subscriptions/xxx' or
the scope is invalid. If access was recently granted, please refresh
your credentials. (Code: AuthorizationFailed) (Code:
AuthorizationFailed)
Coming to the above error , its because you have permission on only resource group level. You need to have access on Subscription level which may be Owner/Contributor to create resources. As When you are creating resources Azure API registers that resource provider on subscription and gets a token on your user to create a resource for that resource provider in any resource group on the subscription , if you don't have proper permissions on subscription then it fails to register the resource provider and get the token on your name and returns an error.
Every type of resource you should be able to create at the subscription level has to have its resource provider registered. This is done in the subscription level (in the resource providers tab in portal; see https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types)
When the resource provider is registered, Owner or Contributor to a resource group can create that type of resource in the resource group.
However, only the subscription owner can register the resource. It complains about Microsoft.Storage/register/action not being permitted when you try to create a storage account, but the Microsoft.Storage provider is not registered. Once the subscription administrator registers Microsoft.Storage, you should be able to create storage accounts in that resource group with only permissions to that resource group.
My end goal is to register my API to receive notifications of leads generated by LinkedIn for my business's Company Page. The docs here say I need to register at https://api.linkedin.com/v2/leadNotificationUrls using the r_ads_ge_automation permission. I'm trying to acquire this type of access token by using a web browser to hit https://www.linkedin.com/oauth/v2/authorization?response_type=code&client_id=client_id_for_my_application&redirect_uri=https://my.company.net/api/oauth/linkedin&state=Testing12345&scope=r_ads_leadgen_automation, then logging in as a user that is an admin for the respective company page, then acquiring authentication code, and finally requesting an access token.
The problem is that when I try to hit https://www.linkedin.com/oauth/v2/authorization (with the query params above), I get an error response stating "r_ads_leadgen is not authorized for your application". I can't find any kind of application configuration that is supposed to give this permission to my application.
Can anyone help? Thank you
Permissions are offered to select Partners only. Have you applied to a Partner Program https://business.linkedin.com/marketing-solutions/marketing-partners/become-a-partner?
Asking the question here as the linkedin help forum directed to post things related to API on stackoverflow.
I am developing a feature on our org website to show the top 5 company page feeds setup in linkedin. Ive already setup the required access in developer.linkedin and the whole flow works in the developer.linkedin REST console to fetch the feed.
I am currently recieving this error when i try from my machine to fetch the auth token with a valid client id and secret created.
https://www.linkedin.com/oauth/v2/accessToken?grant_type=client_credentials&client_id=OMITTED&client_secret=OMITTED
{
"error": "access_denied",
"error_description": "This application is not allowed to create application tokens" }
The documentation also mentions that this flow isn't available by default and the users will need to contact linkedin.
https://developer.linkedin.com/docs/v2/oauth2-client-credentials-flow
"By default, your application will not have the ability to use LinkedIn's client credentials flow. Contact us to have your application granted permission to use this flow."
What would be the next steps in requesting access to this flow for my org?.
As outlined here:
By default, your application will not have the ability to use LinkedIn's client credentials flow. Contact us to have your application granted permission to use this flow.
The next step would be to contact them directly or Apply to become a Partner
and if accepted you'll be granted access to additional data outside of the scope of the user authentication flow (which basically means you'll be able to make calls directly from your application to access certain information)
I think the answer is well explained by API-University, since the creation of an application in order to get the access_token, will solve the communication issue.
Link to the explanation: https://api-university.com/blog/api-usage/how-to-use-the-linkedin-api-and-oauth/
So I'm trying to create custom roles in Azure AD for an Asp.net mvc5 web app. I did a lot of reading up, but basically it fails due to lack of auth. I issue the PowerShell command New-AzureRmRoleDefinition -InputFile myNewRole.json but it fails saying that my (current logged on user) does not have authorization to perform action 'Microsoft.Authorization/roleDefinition/write" over scope...
Well, the error message is clear. At the same time, if I list my user's roles I am 'owner'. What privileges is needed to create custom roles in Azure AD if owner doesn't suffice?
Hi in your assignable scopes section can you confirm that there aren't any typos and the scope is your subscription GUID. We have come across this scenario where there was something awry with the scopes section.
I want to be able to access other users Google Calendars through a service account so I am not prompted for authorization. I am doing this in a simple .net c# console app. When I attempt to create my credentials in the Google API Manager, it gives me the following alert when I specify I am using a non UI app and I want to access User Data. Isn't the purpose of using the service account to access other users data without a UI?
"User data cannot be accessed from a platform without a UI because it requires user interaction for sign-in."
You may have misunderstood the meaning of using a service account to impersonate a user. To help you with Authentication, you might want to check this tutorial : Google Calendar API Authentication with C# by Daimto.
Things to take note of :
To be able to access other calendars by service account, users who own the calendar should share it to the service account.
To impersonate a user, you must know the email address.
From the tutorial:
If you are only accessing data that you own there is no reason to ask a user for permission to access it. You can use a Service account. (Privacy)
If you want to be able to access data owned by someone else you will need to be authenticated.
Hope this helps!