Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
23,523 questions
authorization error sometimes and gateway authentication failed for microsoft authroization
Kumar Chary, Naveen
116
Reputation points
Hello, this is about activating the eligible role using the ARM API.
- Created a custom role (only with admin login action) no read action- coz we do not want user to see the machines in the portal.
- We have a ps script that can be used inside the virtual machine to activate the eligible role (admin- custom role) steps are connect-azaccount, retreive scope,sub create gid and invokes the rest api (reference- https://learn.microsoft.com/en-us/entra/id-governance/privileged-identity-management/pim-resource-roles-activate-your-roles#activate-a-role-with-azure-resource-manager-api)
- the custom role is assigned to entraid group in pim as eligible on subscription level, users will be added to the group.
- the step 2, though the role is assigned on sub level, using inheritance the role is activated on resource level.
- it was working great, however, from couple of weeks it's throwing errors. error1- "code":"GatewayAuthenticationFailed","message":"Gateway authentication failed for 'Microsoft.Authorization' error 2- The client '' with object id '' does not have the authorization to perform action 'Microsoft.Resources/subscriptions/resourceGroups/read' over scope 'x' or the scope is invalid. If access was recently granted, please refresh your credentials.'
Rest api used- PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignmentScheduleRequests/{roleAssignmentScheduleRequestName}?api-version=2020-10-01
{count} votes
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(176, 40%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKA%3C/text%3E%3C/svg%3E)
Khadeer Ali 3,750 Reputation points Microsoft External Staff2025-03-05T13:06:27.71+00:00 It seems that the issue with activating the eligible role using the ARM API started in the last two weeks, even though it was working fine before. The errors you are encountering:
- "GatewayAuthenticationFailed" – This indicates an issue with authentication, possibly due to expired credentials or recent security policy changes.
- "The client '' with object id '' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourceGroups/read'" – This suggests a missing permission, role inheritance issue, or scope validation problem.
Since this was working fine earlier, we should check for recent changes that might be causing the issue.
Potential Causes
Ensure PIM Role Assignment & Group Membership Are Intact
- The role is assigned at the subscription level, so it should inherit at the resource level.
- If inheritance was modified, it could be causing failures.
Check for Expired Service Principal or Credentials
- If authentication is done using a Service Principal, check if its client secret/certificate has expired.
Scope or Resource Inheritance Issue
- Even though the role is assigned at the subscription level, verify that inheritance is still applying correctly at the resource level.
Refresh Credentials to Avoid Token Expiry Issues
- Cached or expired tokens might be causing authentication failures.
- Try refreshing credentials and getting a new token.
Would you like to validate these checks and confirm if any recent changes were made?
-
Kumar Chary, Naveen 116 Reputation points
2025-03-05T13:19:37.4066667+00:00 Thank you for your response - Yes, I will verify if there are any policies or security changes applied recently on the environment, between it's a random with few users/machines not with all..
I don't use spn, it's the user credentials that I use.. user will connect to azaccount and trigger the api to activate eligible role, I will also verify if there any cached token.
between the role is custom role, doesn't have read access, as said we do not want to display machines in portal.
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(166.4, 27%, 26%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERP%3C/text%3E%3C/svg%3E)
Raja Pothuraju 15,630 Reputation points Microsoft External Staff2025-03-06T10:22:17.6333333+00:00 Hello @Kumar Chary, Naveen,
Thank you for your response.
Based on the description, this issue requires a deeper investigation to understand the behavior. I would like to discuss this with you offline for better clarity. Could you please share your email details via private message?
Sign in to comment
Sign in to answer