I created an Azure AD Service Principal and to generate token I am using Client Credential Flow:
POST https://login.microsoftonline.com/tenantID/oauth2/token
&client_id = redacted
&grant_type = client_credentials
&resource = https://storage.azure.com
&client_secret = redacted
Token generated successfully but when I tried to list the containers in my storage account, it threw me Authorization Permission Mismatched error.
To list containers, I used below query
GET https://storageaccname.blob.core.windows.net/?comp=list
Error Details:
<?xml version="1.0" encoding="utf-8"?>
<Error>
<Code>AuthorizationPermissionMismatch</Code>
<Message>This request is not authorized to perform this operation using this permission.
RequestId:
Time:2022-11-20T08:12:24.9827677Z</Message>
</Error>
I am not sure what permissions I am missing after some Google search I found Storage Blob Data Contributor Role is required. I assigned this role to the Service Principal I created.
But still the same error, any workaround to resolve my issue??
I tried to reproduce the same in my environment and got the same error as below:
GET https://StorageAccName.blob.core.windows.net/?comp=list
Check whether you have assigned Storage Blob Data Contributor Role to the Service Principal and like below:
Go to Azure Portal -> Storage Accounts -> Your Storage Account -> Access Control (IAM) -> Add role assignment
To resolve the error try generating the token using v2.0 token endpoint like below:
POST https://login.microsoftonline.com/Tenant_ID/oauth2/v2.0/token
&client_id = Client_ID
&grant_type = client_credentials
&resource = https://storage.azure.com
&client_secret = Client_Secret
Using the above generated access token, I am able to get the list of containers successfully like below:
Related
I understand the process of assigning Microsoft Graph permissions to a service principal. I can take the object id of the Microsoft Graph app, then use the https://graph.microsoft.com/v1.0/servicePrincipals/<id>/appRoleAssignedTo MSGraph endpoint, like described here.
My question is: can I do the same with a regular user? That is, when calling appRoleAssignedTo, specify the object id of a user in the principalId field. Can a regular user have application permissions (like MSGraph permissions), and how do I use them afterwards?
I tried to do the above and assign the RoleManagement.ReadWrite.Directory to a user. Then I logged in with az login and ran az account get-access-token --resource-type ms-graph.
With this token I tried to do an operation that requires the RoleManagement.ReadWrite.Directory permission, like assigning a role to another user, but it fails with Insufficient privileges to complete the operation..
Users can request the scope they need when using Connect-MgGraph, for example:
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
Which is the recommended approach, as it means that for that session they will only have access to the scopes that are necessary rather than any they've previously requested
I tried to reproduce the same in my environment and got the same error as below:
Note that: Microsoft Graph API permissions can be assigned only to Service principals not users directly.
When I tried to Connect-MgGraph as a normal user, I got the error like below:
Connect-MgGraph -Scopes "RoleManagement.ReadWrite.Directory"
I created an Azure AD Application and granted API permission as below:
I generated access token by using below parameters:
GET https://login.microsoftonline.com/1810a95e-99f3-46e0-84e8-8a2aee05d830/oauth2/v2.0/token
client_id:ClientID
client_secret:*****
scope:RoleManagement.ReadWrite.Directory
grant_type:authorization_code
redirect_uri:RedirectUri
code:code
By using the above access token, I am able to assign directory role to the user successfully as below:
POST https://graph.microsoft.com/v1.0/directoryRoles/roleTemplateId=88d8e3e3-8f55-4a1e-953a-9b9898b8876b/members/$ref
Content-type: application/json
{
"#odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/UserID"
}
Reference:
Add graph api permission to user account by Harpreet Singh Matharoo
I register a new app to my Azure tenant and then use the Subscription REST API below to get my subscription id. But, it returns an empty value.
Is this a bug of the REST API, or the app is missing some required configurations?
https://learn.microsoft.com/en-us/rest/api/resources/subscriptions/list?tabs=HTTP
I tried to reproduce the same in my environment and got below results:
I registered one Azure AD application and granted API permission like below:
I generated the access token via Postman using below parameters:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
grant_type:client_credentials
client_id:<appID>
client_secret:<secret>
scope: https://management.azure.com/.default
Response:
When I used the above token to get subscriptions, I got same response as you like below:
GET https://management.azure.com/subscriptions?api-version=2020-01-01
Authorization: Bearer <token>
Response:
To get the desired results, make sure to assign required role like Reader to the service principal under your subscription like below:
Go to Azure Portal -> Subscriptions -> Your Subscription -> Access control (IAM) -> Add role assignment
Now I generated token again and got the subscription details like ID successfully with below API call:
GET https://management.azure.com/subscriptions?api-version=2020-01-01
Authorization: Bearer <token>
Response:
If you want to list all subscriptions, then assign Reader role to your service principal under management group level instead of specific subscription.
I want to do operations in Azure datalake gen2 using rest operations. I have a service principal with client secret and having owner access on storage account.
I am confused how to construct the request for operations. I can't find any proper example demonstrating it.
The way which I want is to:
Get access token
Make a put request with bearer authentication method
Below are documents which I am referring
Access token
Put blob operation
I want to do it through postman. It would be really helpful if someone can suggest it
I tried to reproduce the same in my environment and got below results:
I created one service principal named DataLake and added API permissions as below:
Now, I granted Storage Blob Data Contributor role to that service principal at storage account level like below:
Go to Azure Portal -> Storage Accounts -> Your storage account -> Access Control (IAM) -> Add role assignment -> Storage Blob Data Contributor
To generate the access token via Postman, I used below parameters:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:<appID>
grant_type:client_credentials
client_secret:<secret>
scope: https://storage.azure.com/.default
Response:
When I ran the below query by including above Bearer token, I got Status 201 Created like below:
PUT https://<storageaccname>.blob.core.windows.net/<container_name>/test.txt
Authorization:Bearer <token>
x-ms-version:2017-11-09
x-ms-blob-type:BlockBlob
Response:
You need to attach the file in Postman before running the query like below:
When I checked the same in Azure Portal, file uploaded to storage account successfully like below:
I want create APIM subscriptions through rest api, And was able to do it successfully by following this Microsoft doc, https://learn.microsoft.com/en-us/rest/api/apimanagement/current-ga/subscription.
And for Authentication I am generating a bearer token using ROPC grant type(My UserName & Password). Everything works fine with this flow.
But i dont want to configure my username & password in a application to get a bearer token, instead i followed Client-Credentials grant type(get token by client id & secret), i am able to generate token, but when i use that token to create subscription in APIM, i am getting a exception
The client '0--e' with object id '0--e' does not have authorization to perform action 'Microsoft.ApiManagement/service/subscriptions/write'
Is it possible to add a AAD application inside APIM AccessControl(IAM) to grant permission.
Or is this any other way to do this? or ROPC is the only way?
Can someone please help.
Yes, you can grant permission to AAD application (service principal) in APIM Access Control (IAM) by assigning it API Management Service Contributor role.
I tried to reproduce the same in my environment and got the below results:
I have generated one access token using Client-Credentials grant type like below:
When I used the above token to create APIM subscription with below query, I got the same error:
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ApiManagement/service/apimService1/subscriptions/testsub?api-version=2021-12-01
{
"properties": {
"ownerId": "/subscriptions/subid/resourceGroups/rgname/providers/Microsoft.ApiManagement/service/servicename/users/xxxxxxxxxxx",
"scope": "/subscriptions/subid/resourceGroups/rgname/providers/Microsoft.ApiManagement/service/servicename/products/xxxxxxxxxxx",
"displayName": "testsub"
}
}
Response:
To resolve the error, you need to grant API Management Service Contributor role for that application like below:
Go to Azure Portal -> APIM Services -> Your APIM -> Access control (IAM) -> Add role assignment
After granting the above role, I generated the access token again and ran the same query as below:
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ApiManagement/service/apimService1/subscriptions/testsub?api-version=2021-12-01
Response:
When I checked the Portal, APIM subscription got created successfully like below:
Reference:
How to use Role-Based Access Control in Azure API Management | Microsoft Docs
I am trying to retrieve the web job history of an Azure web job via REST using a .NET backend and the OAuth2 credentials flow (as described here
https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/get-triggered-web-job-history-slot)
How do I need to authenticate correctly?
I retrieve the token as follows:
POST https://login.microsoftonline.com/{MySubscription}/oauth2/v2.0/token
client_id={MyApp}
&grant_type=client_credentials
&scope=https://management.azure.com/.default
&client_secret={myclient_secret}
I get a token back, however I get a 403 error message when I try to retrieve the resource:
GET https://management.azure.com/subscriptions/{MySubscription}/resourceGroups/{MyResource}/providers/Microsoft.Web/sites/{MyApp}/slots/{MySlot}/triggeredwebjobs/{MyWebjob}/history?api-version=2021-02-01
Authorization: Bearer {MyToken}
Client '{MyApp}' with object ID '{MyApp}' is not
authorized to perform the action
'Microsoft.Web/sites/slots/triggeredwebjobs/history/read' using the
scope
'/subscriptions/{MySubscription}/resourceGroups/{MyResource}/providers/Microsoft.Web/sites/{MyApp}/slots/{MySlot}/triggeredwebjobs/{MyWebjob}'
or the scope is invalid. If access was granted recently, please update
your credentials.
What am I doing wrong?
I already added the API-Permission
The "403 Token invalid" error usually occurs if you missed giving permissions to particular scope (Azure Service Management).
By giving this scope it enables you to access https://management.azure.com
To resolve this error, please follow below steps:
Go to Azure Ad ->your application -> API permissions -> Add permission -> Azure Service Management -> delegated permissions ->User impersonation -> Add
After giving these permissions try to retrieve the resource again, there won't be any error.
Since I didn't find a solution that worked with OAuth2 and the Credentials flow, I got it working with Basic Authentication. The username (userName) and password (userPWD) can be taken from the publishing profile of the respective app service.
GET https://{appservicename}.scm.azurewebsites.net/api/triggeredwebjobs/{jobName}/history
Authorization Basic ....