HTTP 403 Error with Azure Managed Identity for SignalR listKeys Action

Question

HTTP 403 Error with Azure Managed Identity for SignalR listKeys Action

Adrian Stauffer 20

Why is the System-Assigned Managed Identity of our Azure App Service (backend-api-application) receiving an HTTP 403 AuthorizationFailed error when attempting to perform the Microsoft.SignalRService/signalR/listKeys/action via the Azure Management API against our Azure SignalR Service (sigr-teamschat-realtime), despite the Managed Identity having the SignalR Service Owner role assigned directly on the SignalR resource? This blocks proper authentication and results in my inability to use SignalR!

Details:

Subscription ID: 8f6f524b-8d79-465b-9cb9-b16110407db7
Resource Group: rg-teams-chat-proxy
App Service Name: backend-api-application
App Service Managed Identity Object ID: d2648609-d417-4ad9-9bc5-b33aac48ca70
SignalR Service Name: sigr-teamschat-realtime
Attempted Action: Microsoft.SignalRService/signalR/listKeys/action (via azure-mgmt-signalr Python SDK, calling the ARM API .../listKeys)
Error Received: HTTP 403 Forbidden
Code: AuthorizationFailed
Message: "The client 'd2648609-d417-4ad9-9bc5-b33aac48ca70' with object id 'd2648609-d417-4ad9-9bc5-b33aac48ca70' does not have authorization to perform action 'Microsoft.SignalRService/signalR/listKeys/action' over scope '/subscriptions/8f6f524b-8d79-465b-9cb9-b16110407db7/resourceGroups/rg-teams-chat-proxy/providers/Microsoft.SignalRService/signalR/sigr-teamschat-realtime' or the scope is invalid. If access was recently granted, please refresh your credentials."
Timestamp of Failure: Approximately 2025-04-01T12:28:09 Z (and subsequent retries)
ARM Request ID (Example): 27ec2f34-2b6c-4656-a95a-179ef294bbfd (from the 403 response logs)
Verification Done:
Confirmed via Azure Portal IAM that the Managed Identity d264... has the SignalR Service Owner role assigned directly on the sigr-teamschat-realtime resource.
Confirmed via Azure AD Sign-in Logs that the Managed Identity successfully authenticates and acquires tokens for Azure Resource Manager (https://management.azure.com) without Conditional Access issues at the time of failure.
App Service has been restarted multiple times after role verification.

Could you please investigate why the Azure Resource Manager authorization check is failing for the listKeys action, despite the RBAC configuration appearing correct in the portal and successful authentication by the Managed Identity?Managed Identity Authorization Failure for SignalR listKeys Action Despite Correct RBAC Role

Question:

Why is the System-Assigned Managed Identity of our Azure App Service (backend-api-application) receiving an HTTP 403 AuthorizationFailed error when attempting to perform the Microsoft.SignalRService/signalR/listKeys/action via the Azure Management API against our Azure SignalR Service (sigr-teamschat-realtime), despite the Managed Identity having the SignalR Service Owner role assigned directly on the SignalR resource?

Details:

Subscription ID: 8f6f524b-8d79-465b-9cb9-b16110407db7
Resource Group: rg-teams-chat-proxy
App Service Name: backend-api-application
App Service Managed Identity Object ID: d2648609-d417-4ad9-9bc5-b33aac48ca70
SignalR Service Name: sigr-teamschat-realtime
Attempted Action: Microsoft.SignalRService/signalR/listKeys/action (via azure-mgmt-signalr Python SDK, calling the ARM API .../listKeys)
Error Received: HTTP 403 Forbidden
Code: AuthorizationFailed
Message: "The client 'd2648609-d417-4ad9-9bc5-b33aac48ca70' with object id 'd2648609-d417-4ad9-9bc5-b33aac48ca70' does not have authorization to perform action 'Microsoft.SignalRService/signalR/listKeys/action' over scope '/subscriptions/8f6f524b-8d79-465b-9cb9-b16110407db7/resourceGroups/rg-teams-chat-proxy/providers/Microsoft.SignalRService/signalR/sigr-teamschat-realtime' or the scope is invalid. If access was recently granted, please refresh your credentials."
Timestamp of Failure: Approximately 2025-04-01T12:28:09 Z (and subsequent retries)
ARM Request ID (Example): 27ec2f34-2b6c-4656-a95a-179ef294bbfd (from the 403 response logs)
Verification Done:
Confirmed via Azure Portal IAM that the Managed Identity d264... has the SignalR Service Owner role assigned directly on the sigr-teamschat-realtime resource.
Confirmed via Azure AD Sign-in Logs that the Managed Identity successfully authenticates and acquires tokens for Azure Resource Manager (https://management.azure.com) without Conditional Access issues at the time of failure.
App Service has been restarted multiple times after role verification.

Could you please investigate why the Azure Resource Manager authorization check is failing for the listKeys action, despite the RBAC configuration appearing correct in the portal and successful authentication by the Managed Identity?

Adrian Stauffer 20 Reputation points

2025-04-01T13:09:12.0366667+00:00
to clarify:

Our Azure App Service (backend-api-application) is using its Managed Identity.

It needs to call the Azure Resource Manager (ARM) API (specifically, the listKeys action for the SignalR resource).

ARM is denying this call with a 403 AuthorizationFailed, despite the App Service MI having the correct SignalR Service Owner role assigned in IAM.

Our Azure App Service (backend-api-application) is using its Managed Identity.

It needs to call the Azure Resource Manager (ARM) API (specifically, the listKeys action for the SignalR resource).

ARM is denying this call with a 403 AuthorizationFailed, despite the App Service MI having the correct SignalR Service Owner role assigned in IAM.
Prabhavathi Manchala 2,480 Reputation points Microsoft External Staff Moderator

2025-04-01T15:45:21.04+00:00
Hi Adrian Stauffer,

The HTTP 403 AuthorizationFailed error likely occurs because the SignalR Service Owner role assigned to the Azure App Service’s Managed Identity may not be propagating properly, or the scope of the role assignment might be incorrect.

Authorization may fail for several reasons, even with the correct role assignment. Role assignments can take time to apply, even if the SignalR Service Owner role is correct. Make sure the role is assigned directly to the SignalR resource, not just the resource group or subscription. The listKeys action needs specific permissions, so verify if Azure Resource Manager is authorized and if additional permissions are required. Also, ensure the Managed Identity’s tokens are valid and have the right permissions, as expired tokens can cause a 403 error.

Here are the points to resolve this issue:

Role assignments can take a few minutes to apply, so wait 15-20 minutes or retry after a short while to ensure they have fully propagated.

Please check that the SignalR Service Owner role is assigned directly to the SignalR resource, not at a higher level like the Resource Group or Subscription, as permissions may not propagate correctly. Use Azure CLI or PowerShell to confirm the correct assignment.

Check for Azure Policies or Conditional Access rules that might block access, especially for the listKeys action. Review the Azure AD Sign-in Logs for any policy-related errors.

If the SignalR Service Owner role lacks the required permissions, create a custom role that includes the listKeys action.

If the error continues, restart the App Service to refresh the credentials and get a new token. Also, ensure tokens are properly acquired and not expired or cached.

Kindly refer to the documents below for troubleshooting role assignments and Azure Managed Identity.

https://v4.hkg1.meaqua.org/en-us/azure/role-based-access-control/troubleshooting?tabs=bicep#azure-role-assignments

https://v4.hkg1.meaqua.org/en-us/azure/azure-signalr/howto-use-managed-identity#use-a-managed-identity-in-serverless-scenarios
Adrian Stauffer 20 Reputation points

2025-04-01T18:56:11.0466667+00:00

thank you!
Prabhavathi Manchala 2,480 Reputation points Microsoft External Staff Moderator

2025-04-02T07:03:53.04+00:00

Hi Adrian Stauffer,

Thanks for your response. Could you please confirm if my last response helped you to resolve your issue and let me know if you have any further Queries.
Prabhavathi Manchala 2,480 Reputation points Microsoft External Staff Moderator

2025-04-03T09:13:32.4966667+00:00

Hi Adrian Stauffer,

Thanks for your response. Could you please confirm if my last response helped you to resolve your issue and let me know if you have any further Queries.

Your answer

Adrian Stauffer 20 Reputation points

2025-04-01T13:09:12.0366667+00:00

to clarify:

Our Azure App Service (backend-api-application) is using its Managed Identity.

It needs to call the Azure Resource Manager (ARM) API (specifically, the listKeys action for the SignalR resource).

ARM is denying this call with a 403 AuthorizationFailed, despite the App Service MI having the correct SignalR Service Owner role assigned in IAM.

Our Azure App Service (backend-api-application) is using its Managed Identity.

It needs to call the Azure Resource Manager (ARM) API (specifically, the listKeys action for the SignalR resource).

ARM is denying this call with a 403 AuthorizationFailed, despite the App Service MI having the correct SignalR Service Owner role assigned in IAM.
Adrian Stauffer 20 Reputation points

2025-04-01T18:56:11.0466667+00:00

thank you!
Prabhavathi Manchala 2,480 Reputation points Microsoft External Staff Moderator

2025-04-02T07:03:53.04+00:00

Hi Adrian Stauffer,

Thanks for your response. Could you please confirm if my last response helped you to resolve your issue and let me know if you have any further Queries.
Prabhavathi Manchala 2,480 Reputation points Microsoft External Staff Moderator

2025-04-03T09:13:32.4966667+00:00

Hi Adrian Stauffer,

Thanks for your response. Could you please confirm if my last response helped you to resolve your issue and let me know if you have any further Queries.

Share via

HTTP 403 Error with Azure Managed Identity for SignalR listKeys Action

Your answer