manuellmc
Copper Contributor
Jun 17, 2021

Azure Lab Services user does not have enough permissions

Hi All, 

 

I log in to the Azure Lab Services portal and I can list the users of specified labs, but when I use this operation through the Azure Lab Services API, I get this error:

 

"error": {
    "code": "AuthorizationFailed",
    "message": "El client \"xxxxxx@.onmicrosoft.com\" with object id  \"XXXXXX-XXXX-XXXX-XXXX-XXXXXXXX\" does not have authorization to perform  action  \"Microsoft.LabServices/users/listLabs/action\" over scope \"/providers/Microsoft.LabServices/users/user9E172B8798321F4B4A2407BF604385325063A940F9CB74EEDDF108B962C28E39\"   

 

https://docs.microsoft.com/en-us/rest/api/labservices/global-users/list-labs

 

Please help me, I don't know what permission I require.

  • manuellmc,

     

    The permission you need is 'Microsoft.LabServices/users/listLabs/action' as noted in the error message. To check what permissions you have on a particular asset see https://docs.microsoft.com/en-us/azure/role-based-access-control/check-access.  This comes with roles like owner, contributor, lab creator.

     

    If you are trying to create a custom role that can access labs, I would suggest reading Use Custom Role to Tailor Teachers' Lab Management Permissions - Microsoft Tech Community.  It lists all the permissions and what they do.  Also, Lab Liaison Custom Role - Microsoft Tech Community might be helpful.  It is a how-to for creating custom roles and covers the minimum roles needed for using the Labs Portal.

     

    If these articles are not able to solve your issue, could you please respond back with an overview of what you are trying to accomplish?  It sounds like you are trying to create a tool that uses the Lab Services API?

     

    Thanks,

    Elizabeth Maher

    • manuellmc
      Copper Contributor

      Thanks for your answer, planetmaher.

       

      I am using the API of LabServices  to list the users and their corresponding labs. It is in this action where I get this error. Other operations like list account lab or labs work fine. 


      By the way, the user that I use is owner at the subscription level and I also see that I have activated the Microsoft.LabServices resource provider.

       

      Do you think that if I have the owner role at the subscription level, I still need some custom role?

      • planetmaher
        Microsoft

        manuellmc 

         

        Ah, gotcha.

         

        The API you are calling is one of the global APIs, not attached to a specific subscription.  It's meant to be called by a user to get their own information.  So a call to

        https://management.azure.com/providers/Microsoft.LabServices/users/NoUsername/listAllEnvironments?api-version=2019-01-01-preview 

        would list all the info for the VMs (including lab name) that are assigned to the user described in the Auth bearer token passed in with the call to the API.

         

        If you are trying to get the labs for a specific user that is not you, it's a little trickier.  If possible for your situation I would recommend trying out PowerShell module for Azure Lab Services - Azure Lab Services | Microsoft Docs.  For example

        Get-AzLabAccount | Get-AzLab | Get-AzLabUser -email 'email@contoso.com'

        would get the info for the user associated with the email 'email@contoso.com' including labs the user has registered for.

        Get-AzLabAccount | Get-AzLab | Get-AzLabUser -email 'email@contoso.com' | select -expand 'id' | %{ $_.Substring(0,$_.IndexOf("/users"))}

        would get the resource id for each lab the user is registered for.

        If you have to use the Lab Services API directly, you'll need to get all the labs, then all the users for each of your labs and then match the email address.

         

        Hope that helps,

        Elizabeth
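
Added example, not part of the original thread or of any Microsoft code: the reply above says this endpoint is global rather than attached to a subscription. The Python sketch below parses an AuthorizationFailed body like the one in the question and checks, segment by segment, whether a role-assignment scope covers the denied scope. The principal, object id, user name and subscription id are constructed placeholders, and management-group inheritance is not modelled.

```python
import json
import re

# Constructed sample: the error from the question closed into valid JSON,
# with placeholder principal, object id and user name.
SAMPLE_ERROR = json.dumps({"error": {
    "code": "AuthorizationFailed",
    "message": 'The client "user@example.onmicrosoft.com" with object id '
               '"00000000-0000-0000-0000-000000000000" does not have '
               'authorization to perform action '
               '"Microsoft.LabServices/users/listLabs/action" over scope '
               '"/providers/Microsoft.LabServices/users/userPLACEHOLDER"'}})

_FIELDS = re.compile(
    r'client\s+"(?P<client>[^"]*)".*?object id\s+"(?P<object_id>[^"]*)".*?'
    r'action\s+"(?P<action>[^"]*)".*?scope\s+"(?P<scope>[^"]*)"',
    re.IGNORECASE | re.DOTALL)


def parse_authorization_failed(body: str) -> dict:
    """Extract principal, action and scope from an ARM AuthorizationFailed body."""
    error = json.loads(body)["error"]
    if error.get("code") != "AuthorizationFailed":
        raise ValueError("not an AuthorizationFailed error")
    match = _FIELDS.search(error["message"])
    if match is None:
        raise ValueError("unrecognised message format")
    return match.groupdict()


def _segments(scope: str) -> list:
    return [s.lower() for s in scope.strip("/").split("/") if s]


def assignment_covers(assignment_scope: str, denied_scope: str) -> bool:
    """True if denied_scope equals assignment_scope or is one of its children."""
    # Case-insensitive, segment-wise compare: /subscriptions/abc must not
    # match /subscriptions/abcdef.
    parent, child = _segments(assignment_scope), _segments(denied_scope)
    return child[:len(parent)] == parent


def diagnose(body: str, assignment_scopes: list) -> dict:
    """Report which of the caller's role-assignment scopes reach the denied scope."""
    info = parse_authorization_failed(body)
    info["subscription_scoped"] = _segments(info["scope"])[:1] == ["subscriptions"]
    info["covering"] = [s for s in assignment_scopes
                        if assignment_covers(s, info["scope"])]
    return info
```

For the sample error, `diagnose` returns an empty `covering` list for a subscription-level assignment, because the denied scope starts at `/providers/...` and is not a child of any `/subscriptions/<id>` scope.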
