AZURE

Unauthorized - Unauthorized: Missing or Invalid Authentication

Your request lacks authentication or uses an unsupported method—ARM requires OAuth 2.0 Bearer token authentication, and the Authorization header is missing or invalid. This 401 client-side error occurs before token validation; ARM checks for authentication presence first, so this fails earlier than AuthenticationFailed (which means invalid token). Unlike InvalidAuthenticationInfo (wrong header format), Unauthorized means authentication is missing entirely or uses unsupported schemes (ARM doesn't support basic auth or API keys). Common in VM operations, AKS cluster API calls, Azure SQL database connections, and App Service deployments when authentication isn't configured properly.

#Common Causes

  • Missing Authentication Header: The request lacks an Authorization header or uses an invalid authentication method. ARM requires valid authentication credentials before processing any resource operations. This is persistent—retrying without adding authentication always fails.
  • Expired Token: The access token has passed its expiration timestamp. Tokens typically expire after 1 hour, but duration isn't guaranteed and varies by token type. This is transient—refreshing the token and retrying helps.
  • Invalid Authentication Method: The request uses an unsupported authentication scheme. ARM requires OAuth 2.0 Bearer token authentication. Other methods (basic auth, API keys) are not supported and cause Unauthorized errors. This is persistent—you must use the correct authentication method.

Solutions

  1. 1Step 1: Diagnose - Check if Authorization header is present in your request. Verify the header format is "Authorization: Bearer <token>".
  2. 2Step 2: Diagnose - Check if token is expired by decoding it (jwt.io) and checking the exp claim against current Unix timestamp.
  3. 3Step 3: Diagnose - Verify authentication method is OAuth 2.0 Bearer token. ARM doesn't support basic auth or API keys.
  4. 4Step 4: Fix - Add valid credentials to your request. Use @azure/identity credential classes which handle authentication automatically.
  5. 5Step 5: Fix - Refresh expired tokens using your credential library's getToken() method. @azure/identity credential classes handle token refresh automatically.
  6. 6Step 6: Fix - Use OAuth 2.0 Bearer token authentication. Ensure your request includes "Authorization: Bearer <token>" header with a valid token.
  7. 7Step 7: Verify - Retry your operation. It should succeed with HTTP 200/201 instead of 401 Unauthorized.

</>Code Examples

Authentication Verification
1# This script helps diagnose Unauthorized errors by checking authentication
2
3# Step 1: Check if Azure CLI is authenticated
4echo "Checking Azure CLI authentication..."
5if az account show --output table 2>&1; then
6  echo "Azure CLI is authenticated"
7else
8  echo "ERROR: Azure CLI is not authenticated"
9  echo "Run: az login"
10  exit 1
11fi
12
13# Step 2: Get current account information
14echo "Getting current account information..."
15az account show --query "{subscriptionId:id, name:name, tenantId:tenantId, user:user.name}" --output table
16
17# Step 3: Get access token
18echo "Getting access token..."
19TOKEN=$(az account get-access-token --query accessToken -o tsv 2>/dev/null)
20if [ ! -z "$TOKEN" ]; then
21  echo "Access token obtained successfully"
22  echo "Token preview (first 50 chars): ${TOKEN:0:50}..."
23  
24  # Step 4: Check token expiration (requires jq or manual decoding)
25  echo "To check token expiration, decode at https://jwt.io"
26  echo "Or use: echo $TOKEN | cut -d'.' -f2 | base64 -d | jq .exp"
27else
28  echo "ERROR: Failed to obtain access token"
29  echo "Run: az login"
30  exit 1
31fi
32
33# Step 5: Test authentication by making a simple API call
34echo "Testing authentication with a simple API call..."
35if az group list --output table 2>&1; then
36  echo "Authentication test: SUCCESS"
37else
38  echo "Authentication test: FAILED"
39  echo "Check the error message above"
40fi
41
42# Step 6: Check for service principal authentication
43echo "Checking for service principal authentication..."
44SP_INFO=$(az account show --query "{type:user.type, name:user.name}" -o tsv 2>/dev/null)
45if [ ! -z "$SP_INFO" ]; then
46  echo "Authentication type: $SP_INFO"
47fi
48
49# Step 7: Instructions for fixing authentication issues
50echo ""
51echo "Common fixes for Unauthorized:"
52echo "  1. Run 'az login' to authenticate with Azure CLI"
53echo "  2. For service principals, use 'az login --service-principal -u <app-id> -p <password> --tenant <tenant-id>'"
54echo "  3. For managed identities, ensure the identity has proper permissions"
55echo "  4. Refresh expired tokens using credential library's getToken() method"
56echo "  5. Ensure Authorization header format is: 'Authorization: Bearer <token>'"

Related Errors

AuthenticationFailedInvalidAuthenticationInfo

Provider Information

This error code is specific to AZURE services. For more information, refer to the official AZURE documentation.

Unauthorized - Unauthorized: Missing or Invalid Authentication | AZURE Error Reference | Error Code Reference