Adding write permission for creating Resource Groups to an Azure Active Directory Application

Question

I have a C# application that will create Resource Groups. I'm using the ResourceManagementClient to create the resource group (which I assume is just a wrapper for their REST API). I'm using an Azure AD application's Client ID and Client Secret to authenticate.

I'm getting this error:

{"The client 'xxxx' with object id 'xxxx' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/xxxx/resourcegroups/test-resource-group'."}

Is there a way I can give this permission at the subscription level to an Azure AD application?

Answer 1

The steps to configure this are:

1. Register application in Azure AD (sounds like you've already done this)
2. Create corresponding service principal for your application (this may or may not have been done automatically when you registered the application - it depends on the method you used for registration)
3. Assign the service principal RBAC access to the subscription(s).

The steps are described in detail here.

I believe you'll need to assign your service principal the Contributor role to enable resource group creation.