How to call AAD-protected azure function from PowerBI - azure

I am trying to call an Azure function that is protected by AAD from Power BI.
In Power BI I go to "Home -> Get Data -> Web", then paste the function app URL and try to log in with "Organizational account". This is what I get:
I have added the following permissions to my application in Azure Portal:
And this is the Authentication setup for the application
Any ideas how to get past the error?

Please check the AAD authentication config in the function app and check whether the function URL is present in the allowed token audiences.
I would also try granting admin consent to the application by using the URL below, changing the fields:
https://login.microsoftonline.com/[tenant_name_in_onmicrosoft.com-form]/oauth2/authorize?client_id=[appId]&response_type=code&redirect_uri=http://your-uri-here&nonce=1234&resource=https://graph.windows.net&prompt=admin_consent

Related

Connecting Excel to a WebAPI in Azure

I have a backend in Azure (.NET 7 API App) secured by Azure AD and organizational accounts. To access this backend with, say, a web application is fairly straightforward and I understand that flow.
But how do I access the API from Excel ("Import Data from Web")?
I have added the challenge to the JWT bearer in the application (options.Challenge = $"Bearer authorization_uri=\"https://login.microsoftonline.com/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/oauth2/v2.0/authorize\"";).
I enter the URL of the API in Excel and then select "Organizational account" in the next step. When I try to log in to my account in that step, Excel queries my API and accepts the challenge, but then I get the dreadful AADSTS500011 message:
invalid_resource: AADSTS500011: The resource principal named https://... was not found in the tenant named (Directory ID).
I guess this is a matter of how I configure my "App registration" in Azure AD, but I can't figure out how...
The error "invalid_resource: AADSTS500011: The resource principal named https://... was not found in the tenant named (Directory ID)." usually occurs if the Application ID has not been added as a verified ID in the Azure AD application.
I tried to reproduce the same in my environment and got the results like below:
I created an Azure Web App and registered an Azure AD Application.
To resolve the error, configure the Azure AD application like below:
Grant admin consent for the User.Read API permission:
Expose an API and add a scope like below:
Now add an Authorized Client Application (the ID of MS Office) like below:
After making the above changes I am able to connect to the web app from Excel successfully, like below:
If the issue still persists, grant the O365 API permissions like below:
Reference:
Connecting Excel to OAuth API on Azure by ARN

Secure Azure Function API with MSAL

I have Azure Functions which I want to authenticate using an access token.
I have the following things set up:
Azure app which is used by an Angular SPA to authenticate the user
Access token which is used to invoke Graph APIs; permissions are set in the Azure app (point 1)
Azure Function which has HTTP triggers (APIs) that are used by the SPA
Currently, the APIs are anonymous and can be invoked from anywhere. I want to secure these APIs using the access token which is used for the Graph API (point 2).
I think the best approach for me is AAD multi-tenant authentication. However, when I click on "Authentication (classic)" it gives me "This app is configured using the new authentication experience. Click here to access Authentication (preview)."
Also, if I keep it authenticated with the following options, I get the "You do not have permission to view this directory or page." error.
Most of the articles which I find online talk about AAD; for me that option is not enabled.
I have tried the following articles to make it work but somehow it's not happening. Can anyone suggest how I can achieve this?
https://medium.com/medialesson/protecting-azure-function-apps-with-azure-ad-authentication-authorization-fd167ce4fe33
https://medium.com/geekculture/easyauth-in-functions-app-with-azure-active-directory-29c01cad8477
Is there something I need to do in my existing Azure app to make it work?
Per my understanding, your Azure function is protected by AAD using Authentication (Easy Auth), and now your Angular SPA would like to access this function. Please follow the steps below:
Go to Azure AD => App registrations => the app you created to protect your Azure function => Expose an API, and add a scope, for instance access_as_user, so that your SPA can request an access token for this scope:
Go to Azure AD => App registrations => the app you created for your SPA => API permissions => Add a permission => My APIs, to grant the scope we just created:
Click the "Grant admin consent" button to finish the process.
In your SPA, use MsalService to acquire an access token with the scope api://<your azure function app id>/access_as_user; with this token you can access your Azure function. For a quick test, I tested it in Postman and it works perfectly:
Without this access token:
With this access token:
UPDATE
Basically, your app's request diagram is as below:
SPA (request with access token) ==> Easy Auth of Azure function (validate token; if it passes, go into the Azure function code logic, if not, return 401) ==> code logic of Azure function (OBO flow to get an access token for Graph API) ==> call Microsoft Graph API
By now, we have finished steps 1 and 2: get an access token for Easy Auth and pass Easy Auth to get into the Azure function code logic.
So in the Azure function code logic, we need to do 2 things:
Get the access token from the request header
Use the access token and the OBO flow to exchange it for a new access token for Microsoft Graph API. Just refer to the request below to use the OBO flow to exchange an access token for Microsoft Graph API:
BTW, please make sure that your Azure function app has been granted the permissions User.Read and Calendars.Read:
So that you can get a new access token to call Microsoft Graph API:
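The two steps the answer above leaves to the function's own code, as an added example (not code from the answer or from Microsoft): pull the bearer token out of the incoming request headers, then build the on-behalf-of token request that exchanges it for a Microsoft Graph token. The tenant ID, client ID, secret and scopes are placeholders, and the sample token response is constructed; only the builder and parser run here, the network call is shown but not executed.

```python
"""Added example: Azure Function side of the OBO exchange (placeholders throughout)."""
import json
import urllib.parse
import urllib.request

TENANT_ID = "00000000-0000-0000-0000-000000000000"   # assumed tenant ID
CLIENT_ID = "11111111-1111-1111-1111-111111111111"   # assumed app registration protecting the function
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token"
GRAPH_SCOPES = ["https://graph.microsoft.com/User.Read",
                "https://graph.microsoft.com/Calendars.Read"]


def bearer_token_from_headers(headers):
    """Step 1: return the raw access token, or None when absent.

    Easy Auth forwards the validated token to the function code in
    X-MS-TOKEN-AAD-ACCESS-TOKEN when its token store is on; otherwise the
    original Authorization: Bearer header is still present on the request.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    injected = lowered.get("x-ms-token-aad-access-token")
    if injected:
        return injected.strip()
    auth = lowered.get("authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def build_obo_request(incoming_token, client_secret, scopes=GRAPH_SCOPES):
    """Step 2: form body of the on-behalf-of grant.

    The incoming token is sent as a JWT bearer assertion (RFC 7523) and
    requested_token_use=on_behalf_of tells AAD to issue a new token for
    the same user, scoped to Graph rather than to our function.
    """
    return {
        "grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer",
        "client_id": CLIENT_ID,
        "client_secret": client_secret,
        "assertion": incoming_token,
        "scope": " ".join(scopes),
        "requested_token_use": "on_behalf_of",
    }


def parse_token_response(body):
    """Return the Graph access token, or raise with AAD's error code
    (e.g. invalid_grant when consent for the requested scopes is missing)."""
    data = json.loads(body)
    if "error" in data:
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    return data["access_token"]


def exchange_on_behalf_of(incoming_token, client_secret, scopes=GRAPH_SCOPES):
    """Perform the exchange against AAD. Network call; not exercised below."""
    form = urllib.parse.urlencode(
        build_obo_request(incoming_token, client_secret, scopes)).encode()
    req = urllib.request.Request(
        TOKEN_ENDPOINT, data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_token_response(resp.read().decode())


if __name__ == "__main__":
    # Constructed request headers as the function would see them after Easy Auth.
    headers = {"Authorization": "Bearer eyJ.constructed.token", "Host": "appname.azurewebsites.net"}
    token = bearer_token_from_headers(headers)
    print(build_obo_request(token, "<client-secret-placeholder>"))
    # Constructed token response, as AAD would return it on success.
    print(parse_token_response('{"token_type":"Bearer","expires_in":3599,"access_token":"graph.token"}'))
```

The secret should come from Key Vault or an app setting rather than code, and the scopes must already be consented for the function app registration, which is what the User.Read / Calendars.Read step above is for.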
Maybe this will help someone. I tried the above suggestions but could not achieve it 😭; instead I am using a key for each Azure function, storing those keys in Azure Key Vault and retrieving them in the app settings of the application using a managed identity. This may not be the ideal situation but I think it will do for me at the moment. I really hope MS will improve their documentation some day along with sample code/steps.

Azure Function with Azure AD Authentication - Allowed Token Audiences not work for Microsoft Graph

I have configured an Azure Function with Azure AD auth, following this doc - Enable Azure Active Directory in your App Service app.
After the configuration, it automatically adds the function app URL, e.g. https://appname.azurewebsites.net, to the Allowed Token Audiences like below; then we can easily use the client credential flow to get a token to call, e.g., the HTTP trigger in my function app.
If I add the Azure AD Graph resource URL https://graph.windows.net to the Allowed Token Audiences, I can also use this flow to get a token to call my function.
But if I add the Microsoft Graph resource URL https://graph.microsoft.com and get a token to call the function, I get the error:
You do not have permission to view this directory or page.
How do I solve this issue? Is this the correct usage of Allowed Token Audiences? If not, why does https://graph.windows.net work fine?
Any ideas are appreciated.
Can you please check in your app registration in Azure AD under API permissions whether Microsoft Graph has been added? If not, please add it as a delegated permission and give it a try.
According to the document, you need to provide the Application ID URI in Allowed Token Audiences. Please refer to the document:
If this is a cloud or server app and you want to allow authentication tokens from a web app, add the Application ID URI of the web app here. The configured Client ID is always implicitly considered to be an allowed audience.
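What the audience rule quoted above means in practice, as an added example that is not part of this answer or of Microsoft's code (it also illustrates the "validate token, if not return 401" step of the MSAL answer earlier on this page): decode the bearer token, check its signature, issuer and expiry, and then require the aud claim to be either one of the configured Allowed Token Audiences or the configured client ID, which is always implicitly allowed. To run offline the tokens are constructed and signed HS256 with a made-up shared key; real AAD tokens are RS256 and the keys come from the tenant's published signing keys. The client ID, issuer and audience URLs are placeholders.

```python
"""Added example: Easy Auth style audience check on constructed tokens."""
import base64
import hashlib
import hmac
import json
import time

CLIENT_ID = "11111111-1111-1111-1111-111111111111"                      # placeholder client ID
ISSUER = "https://sts.windows.net/00000000-0000-0000-0000-000000000000/"  # placeholder v1 issuer
ALLOWED_AUDIENCES = ["https://appname.azurewebsites.net", "api://" + CLIENT_ID]
SIGNING_KEY = b"constructed-demo-key-not-an-aad-key"  # stand-in for AAD's RS256 keys


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes = SIGNING_KEY) -> str:
    """Constructed test token: header.payload.signature, HS256 stand-in."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_token(token: str, allowed_audiences=ALLOWED_AUDIENCES,
                   client_id: str = CLIENT_ID, issuer: str = ISSUER,
                   key: bytes = SIGNING_KEY, now: float = None) -> tuple:
    """Return (http_status, reason): 200 only if signature, issuer, expiry
    and audience all pass; anything else is the 401 the question sees."""
    parts = token.split(".")
    if len(parts) != 3:
        return 401, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        signature = _b64url_decode(sig_b64)
        claims = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return 401, "malformed token"
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return 401, "bad signature"
    if claims.get("iss") != issuer:
        return 401, "wrong issuer"
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return 401, "expired"
    # The configured client ID is always implicitly an allowed audience.
    allowed = set(allowed_audiences) | {client_id}
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if not any(a in allowed for a in audiences):
        return 401, f"audience {aud!r} not in allowed token audiences"
    return 200, "ok"


if __name__ == "__main__":
    exp = time.time() + 3600
    for aud in [CLIENT_ID, "https://appname.azurewebsites.net", "https://graph.microsoft.com"]:
        tok = make_token({"iss": ISSUER, "aud": aud, "exp": exp})
        print(aud, "->", validate_token(tok))
```

A token minted for https://graph.microsoft.com carries that URL as its aud, so unless that string is in the allowed list it fails the last check, which is the 401 "You do not have permission" page. The fix the answer recommends is to request a token for your own Application ID URI (or client ID) instead of adding foreign resource URLs to the list.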

What will be Redirect URI type (web/Native) for Power Bi dataset refresh from Azure Data factory

I have a requirement to refresh a Power BI dataset from Azure Data Factory. I want to do it by calling the Power BI REST API service. For the authentication process I need an access token, which I can get using a client ID and secret. So, while registering the app, I was wondering what type of redirect URI I should select, and how it links with my task, because I'm neither creating a web app nor a native app.
Regarding the MS docs about creating a daemon application for authorization:
"During application registration, the reply URI isn't needed. You need to share secrets or certificates or signed assertions with Azure AD. You also need to request application permissions and grant admin consent to use those app permissions."
Please read the whole documentation here: https://learn.microsoft.com/en-gb/azure/active-directory/develop/scenario-daemon-overview

Azure AD authentication to call Office 365 and Graph API REST

I've created a sample MVC app using VS 2015 and used the Azure AD Auth wizard. When I launch this web application, it asked me to register the app with Azure AD (first time only) and then for a user ID/password. I entered an Office 365/Azure AD account and successfully logged in. Everything is working perfectly fine and at the top right I can see Hello "myname".
Now I tried to make a REST call to Office 365 using RestSharp. It is giving me a 403 error (access denied).
When I tried to use the Graph API URL https://graph.windows.net/testname.com/groups?api-version=1.6, I got an unauthorized access error.
Here is my test code with the Graph API call:
using RestSharp;
using RestSharp.Deserializers;

// Azure AD Graph (v1.6) groups endpoint for the tenant
string url = "https://graph.windows.net/testname.com/groups?api-version=1.6";
var client = new RestClient(url);
client.ClearHandlers();
var jsonDeserializer = new JsonDeserializer();
client.AddHandler("application/json", jsonDeserializer);
// No Authorization header is added, so the request carries no access token
var request = new RestRequest(Method.GET);
var queryResult = client.Execute(request);
I am using the same code with the O365 REST URL for the Office 365 call.
Why am I getting access denied in both cases if my app is already authenticated against Azure AD, which is the base authentication? Also, Request.IsAuthenticated is always true.
Isn't a single identity provider (AAD) used for Azure, Office 365 and related resources?
It's possible your app isn't configured to call the /groups endpoint of the Graph. While the end user is authenticated and you have gotten tokens for the Azure AD Graph (graph.windows.net), this access token needs to have a certain set of permissions to call the endpoints.
To configure these Graph permissions, you can go to the Azure Portal, select Azure Active Directory, then App Registrations, and finally Required Permissions. The resource you're calling is Windows Azure Active Directory, and then you can look through the list of scopes for what you want to call.
Another great resource I'll recommend is the Azure AD Graph Explorer. This can help you understand the type of data the Graph can provide.
Edit: Check out the comments for the answer. OP had used the OpenID Connect middleware (OWIN) and needed help getting an access token for a resource. In order to do this, you must use a combination of OWIN + ADAL. OWIN gets an auth code, and ADAL can exchange this auth code for an access token.