Yes I know, the title is not exactly catchy.

The issue

My issue was this: A business user needs access to tracking info in a Logic App in order to help with finding solutions to issues. There is a very nice built in role for that called Logic App Operator. Adding that user as an operator is easy using the portal.

However, the user received an error when he wanted to look at tracking data for the APIm-connector. The Logic App was using the standard Azure API management connector in order to connect to our instance of APIm. Normally this works fine as other users tend to have, at least read access, in the connected APIm.

In this case, the user was a business user, and as such, had no other access at all.

The answer to the question is really easy because it is right there in the error message: The user does not have read access for the API you are calling.

So how do you assign access on this level. You could make the business user a reader for the whole APIm instance, but that is too much.

The solution

You can use Azure CLI in order to assign that specific access level. My assumption is that you know how to install and run Azure CLI. If not, just follow the link.

I usually run Azure CLI from the terminal in VS Code.

First off, you need the access level to assign roles. If you don’t have that, this will not work.

If you have access, you need to login. Run this command:

az login

Then simply run this command from the terminal:

az role assignment create --assignee user@company.com --role "Reader" --scope "/subscriptions/[subscription GUID]/resourceGroups/[RG name]/providers/Microsoft.ApiManagement/service/[Apim instance name]/apis/[api name]"

For Frank at the contoso company that needs read access to the orders api it might look like this.

az role assignment create --assignee frank@contoso.com --role "Reader" --scope "/subscriptions/e8b5e5a6-4b7d-4f8e-9b2d-8c6d7e5a4b7d/resourceGroups/contoso-apim-prod-RG/providers/Microsoft.ApiManagement/service/contoso-apim-prod/orders"

Hope this helps.