When working with the Azure REST API you need to provide the scope in all API requests, so Azure knows where you are looking. However, although the documentation asks for the scope throughout, it does not explain or link to an explanation of what a scope is and what the formats are. Therefore, I have collected the formats here, with a simple explanation for each of them.
As mentioned above, the scope is like a search filter and also part of the permissions. For example, if you were getting a list of Resources you might use the Resource Group scope to get only those Resources, or you might go for the Subscription scope to get all Resources in the requested Subscription. The choice might also be driven by permissions, for example if the Service Principal account you are using doesn’t have access to the whole Tenant, but does have access to specific Subscriptions.
Scopes
Subscription scope
subscriptions/{subscriptionId}
Example:
subscriptions/d7f90b53-af20-4061-8206-f05e31852a44
Resource Group scope
subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}
Example:
subscriptions/d7f90b53-af20-4061-8206-f05e31852a44/resourceGroups/my-rg-2020
Providers scope
These scopes can vary depending on what the scope is for. For example, this is the scope for the Billing Account:
providers/Microsoft.Billing/billingAccounts/{billingAccountId}
You can find all of the scopes by following https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
Tenant scope
The Tenant scope is the easiest, as you just don’t put anything. For example, take getting a list of Role Definitions.
The official URL is:
GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions?api-version=2015-07-01
But to get the Role Definitions from the Tenant Level and below, you just remove the scope segment:
GET https://management.azure.com/providers/Microsoft.Authorization/roleDefinitions?api-version=2015-07-01
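The following is an added example, not code from the original post: it checks a scope string against the formats listed above before building the Role Definitions URL, and handles the empty Tenant scope so no stray slash is left behind. The function names are hypothetical, and the resource group naming rule and the three-segment provider shape (modelled on the Billing Account format) are assumptions.

```python
import re

BASE = "https://management.azure.com"
GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"
# Assumed resource group naming rule: up to 90 characters, not ending in a period.
RG_NAME = r"[-\w.()]{0,89}[-\w()]"
# Assumed provider shape: providers/{namespace}/{type}/{id}; segments may not
# start with a dot, so "." and ".." can never be smuggled into the path.
PROVIDER = r"providers/[A-Za-z0-9.]+(?:/[^/?#\s.][^/?#\s]*){2}"

SCOPE_PATTERNS = [
    ("subscription", re.compile(rf"subscriptions/{GUID}")),
    ("resource_group", re.compile(rf"subscriptions/{GUID}/resourceGroups/{RG_NAME}")),
    ("provider", re.compile(PROVIDER)),
]


def classify_scope(scope):
    """Return the scope level, or raise ValueError for an unrecognised format."""
    scope = scope.strip("/")
    if scope == "":
        return "tenant"  # the Tenant scope is simply the empty scope
    for level, pattern in SCOPE_PATTERNS:
        if pattern.fullmatch(scope):
            return level
    raise ValueError(f"unrecognised scope: {scope!r}")


def role_definitions_url(scope, api_version="2015-07-01"):
    """Build the Role Definitions list URL for a validated scope."""
    classify_scope(scope)  # reject anything that is not a known scope format
    scope = scope.strip("/")
    prefix = f"{BASE}/{scope}" if scope else BASE
    return (f"{prefix}/providers/Microsoft.Authorization/roleDefinitions"
            f"?api-version={api_version}")
```

Validating the scope before it goes into the URL matters when the value comes from user input or a config file, because an unchecked scope could carry extra path segments or a query string and point the request at a different resource than intended.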