Cannot get an ARM Azure Video Indexer access token as a daemon app - azure

I have trouble acquiring an Azure Video Indexer (ARM-based) token as a daemon app.
(I am able to upload a video using the portal-generated token.) So I started by creating a registered app with a client_secret that I will use to request a token on the Video Indexer /generateAccessToken endpoint.
This registered app has the scope 'https://management.azure.com/user_impersonation', and I added the registered app as Contributor on the Video Indexer RBAC (I don't think it's necessary, but I did it to be sure).
When I get the token from '*https://login.microsoftonline.com/fbe3354f-$$$$-404a-8d93-da9b01b57c28/oauth2/v2.0/token*' and use it to request a Video Indexer token on '*https://management.azure.com/subscriptions/665eef5b-$$$$-43ad-9ec5-4afc5cd0a0e5/resourceGroups/ween-global/providers/Microsoft.VideoIndexer/accounts/ween-video-indexer/generateAccessToken?api-version=2022-04-13-preview*' I get this response:
{
  "error": {
    "code": "ResourcePostActionFailed",
    "message": "ResourcePostActionFailed: Access Denied"
  }
}
Does anyone have an idea on how to proceed?! I don't even know if what I did so far is right or not... :(
What I did, step by step
First round:
Created an ARM Video Indexer account through the portal,
I created a user-assigned managed identity for the Video Indexer to connect to Media Services (system-assigned managed identities were having issues),
Added this managed identity as a contributor for Media services.
Generated a "Contributor/Account" Video Indexer token using the portal
I uploaded a video using this token. Round successful! 👍
Round 2:
I now need a way to generate this "portal generated" Video Indexer token myself, because it lasts for 1h. In order to do that as a daemon app:
I created an App registration in Azure Active Directory,
I set up a client secret for this app,
I added an API permission 'https://management.azure.com/user_impersonation',
I added this registered app as a Contributor on the Video Indexer resource,
I can now retrieve an Azure access token with the scope 'https://management.azure.com/.default' for this app on this endpoint: https://login.microsoftonline.com/fbe3354f-$$$$-404a-8d93-da9b01b57c28/oauth2/v2.0/token
When I try to use this credential to generate a "Contributor/Account" Video Indexer token on the endpoint https://management.azure.com/subscriptions/665eef5b-$$$$-43ad-9ec5-4afc5cd0a0e5/resourceGroups/ween-global/providers/Microsoft.VideoIndexer/accounts/ween-video-indexer/generateAccessToken?api-version=2022-04-13-preview I get the following error:
{
  "error": {
    "code": "ResourcePostActionFailed",
    "message": "ResourcePostActionFailed: Access Denied"
  }
}
It's like the registered app is not allowed to access the Video Indexer API. I don't know why, because what I understood is that access to the Video Indexer is now managed by RBAC policies, and I added the registered app as a Contributor on the Video Indexer resource. I must have done something wrong, or missed something important... 😟
✔️ Resolution
I was sending an additional header 'Ocp-Apim-Subscription-Key' that was not expected, and this was causing the error response. Removing this additional header allowed me to retrieve the Video Indexer token! :)

After 2 days of suffering and a long-tailed email exchange with Microsoft support I got the sequence which will work. At least as of the current date, 7 July 2022.
You'd have to do a generic HTTP call to fetch an access token. You can test this call in the browser via this link: https://learn.microsoft.com/en-gb/rest/api/videoindexer/generate/access-token#code-try-0, but it uses your login and password in order to pass the Authorization bearer in the header.
So, if you are doing it in a Logic App or a Function you need to have an identity to pass, which is an AD OAuth token.
You can either generate it for a system-assigned managed identity, or it would be your own App registration's identity; below you can see an example of the form details as they appear in Logic Apps: https://i.stack.imgur.com/EyUqJ.png
If you decide to go with your own App registration's identity you would need to give it Contributor permissions on Video Indexer and the associated Media Service, but mainly you'd have to create and assign a custom role that has the
Microsoft.VideoIndexer/accounts/generateAccessToken/action permission.
Once you have the access token you then can upload and index a video file without any issues.
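The daemon flow the question and the two answers describe (client-credentials token for the ARM audience, then the ARM generateAccessToken action with no 'Ocp-Apim-Subscription-Key' header), written out as an added example. This is not the poster's or Microsoft's code: the tenant, subscription, resource group and account values are placeholders, and the HTTP transport is injectable so the request shapes can be checked offline before anything is sent.

```python
"""Daemon-app flow for an ARM-based Azure Video Indexer account.

Added example (not the poster's code). Assumptions: a pluggable `post`
transport so the flow can be exercised offline; the tenant, subscription,
resource group and account names passed in by the caller are hypothetical.
"""
import json
import os
import urllib.parse
import urllib.request
from typing import Callable, Dict, Tuple

ARM = "https://management.azure.com"
API_VERSION = "2022-04-13-preview"          # preview version used in the question
# The classic (API-key) Video Indexer header must NOT be sent to ARM; the
# resolution above found that it makes generateAccessToken answer "Access Denied".
FORBIDDEN_HEADERS = {"ocp-apim-subscription-key"}

Transport = Callable[[str, Dict[str, str], bytes], Dict]
Request = Tuple[str, Dict[str, str], bytes]


def urllib_post(url: str, headers: Dict[str, str], body: bytes) -> Dict:
    """Real transport: POST the body and parse the JSON response."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


class VideoIndexerDaemonClient:
    def __init__(self, tenant_id: str, client_id: str, client_secret: str,
                 subscription_id: str, resource_group: str, account_name: str,
                 post: Transport = urllib_post) -> None:
        self.tenant_id = tenant_id
        self.client_id = client_id
        self.client_secret = client_secret
        self.scope_path = (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
                           f"/providers/Microsoft.VideoIndexer/accounts/{account_name}")
        self.post = post

    def arm_token_request(self) -> Request:
        """Client-credentials request on the v2 endpoint for an ARM-audience token.
        A daemon has no user, so the scope is <resource>/.default, not user_impersonation."""
        url = f"https://login.microsoftonline.com/{self.tenant_id}/oauth2/v2.0/token"
        body = urllib.parse.urlencode({
            "grant_type": "client_credentials",
            "client_id": self.client_id,
            "client_secret": self.client_secret,
            "scope": f"{ARM}/.default",
        }).encode()
        return url, {"Content-Type": "application/x-www-form-urlencoded"}, body

    def vi_token_request(self, arm_token: str, permission: str = "Contributor",
                         scope: str = "Account") -> Request:
        """ARM action that mints the Video Indexer token ("Contributor/Account" here)."""
        url = f"{ARM}{self.scope_path}/generateAccessToken?api-version={API_VERSION}"
        headers = {"Authorization": f"Bearer {arm_token}",
                   "Content-Type": "application/json"}
        body = json.dumps({"permissionType": permission, "scope": scope}).encode()
        return url, headers, body

    @staticmethod
    def check_headers(headers: Dict[str, str]) -> None:
        """Fail fast on headers ARM rejects rather than debugging an opaque Access Denied."""
        bad = [h for h in headers if h.lower() in FORBIDDEN_HEADERS]
        if bad:
            raise ValueError(f"remove header(s) {bad}: not accepted by ARM generateAccessToken")

    def get_vi_access_token(self) -> str:
        url, headers, body = self.arm_token_request()
        arm_token = self.post(url, headers, body)["access_token"]
        url, headers, body = self.vi_token_request(arm_token)
        self.check_headers(headers)
        return self.post(url, headers, body)["accessToken"]


if __name__ == "__main__":
    # Reads the (hypothetical) settings from the environment and prints the short-lived token.
    client = VideoIndexerDaemonClient(
        os.environ["TENANT_ID"], os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"],
        os.environ["SUBSCRIPTION_ID"], os.environ["RESOURCE_GROUP"], os.environ["VI_ACCOUNT"])
    print(client.get_vi_access_token())
```

The principal still needs an RBAC assignment that grants Microsoft.VideoIndexer/accounts/generateAccessToken/action on the account; the returned token is itself short-lived, so a daemon should request it per job rather than cache it for long.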

Related

Customize token in Azure AD

I am trying to customize the ID token in Azure AD.
I did the following steps:
1- Registered an Azure AD application
2- Posted an extension:
https://graph.microsoft.com/v1.0/applications/{Object ID}/extensionProperties
Payload: {"name":"test","dataType":"string","targetObjects":["User"]}
3- Created a claims mapping policy:
https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies
Payload:
{"definition":[{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true","ClaimsSchema": [{"Source":"user","ExtensionID":"extension_Application (client)ID_test","JwtClaimType":"test"}]}}],"displayName":"test","isOrganizationDefault":true}
4- Posted to the service principal:
https://graph.microsoft.com/v1.0/servicePrincipals/{Object ID of the managed application}/claimsMappingPolicies/$ref
Payload: {"@odata.id":"https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/{the policy ID I got from step 3}"}
5- I patched a user:
https://graph.microsoft.com/v1.0/users/{userID}
{"extension_Application (client)ID_test":"test"}
6- I edited the manifest
See manifest
7- I tried to get the ID token for the user I patched in step 5:
https://login.microsoftonline.com/**tenant Id**/oauth2/v2.0/token
with form fields (client_id, client_secret, scope: https://graph.microsoft.com/.default, username, password)
8- I decoded the token; I don't see "test" as part of the token.
Not sure what I am missing here to customize the token.
Screenshot to show that I am missing token configuration in the blade: Missing token configuration in the blade
Screenshot to show that I can't find the permission Directory.AccessAsUser.All: missing API permission
Once the extension claim setup is done, it can be used to store and retrieve data via Graph: extension properties may not be passed in ID tokens, but they can be retrieved by querying the user profile from Graph. Alternatively, the application can make use of the Graph client to pass the extension claims which are not taken from the optional claims available in Azure AD.
Please make sure to have the Directory.AccessAsUser.All, Directory.Read.All and openid permissions granted.
Also please check the optional claims set in the manifest.
Then check in token configuration whether it is a valid claim.
References :
Emitting claims with data from directory schema extension attributes created for an application using Graph
azure-ad-custom-attributes-and-optional-claims-from-an-asp-dot-net-application
Edit: update 13/4/2022
Like you said in comments:
    The most obvious difference now (Token configuration is not
    available and the API permission Directory.AccessAsUser.All is not
    there)
I tried to check why I could not see those features in the Overview blade of the AAD portal.
I had all those features as I was using an organizational Azure AD Premium P2 licensed tenant.
But when I tried to create another tenant with the same account, switched to it, and created an app registration, the App registration blade didn't have the token configuration and API permissions like Directory.AccessAsUser.All, as you mentioned.
Then I realized its license is Azure AD Free.
So from my point of view, please try to use a pay-as-you-go account, or one where the organization has subscribed to a Premium license, which would give a better experience.
Also you can check the ongoing issue here
Q&A missing-features-in-my-azure-ad-tenant.
active-directory-optionalclaims-example
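The two mechanisms the answer above contrasts, a claims-mapping policy that maps a directory extension attribute into the token and the Graph fallback of reading the attribute from the user profile, as an added example that is not code from the question or the answer. It assumes a pluggable `graph_get` transport so the lookup runs offline; the client id and user record are constructed. One caveat the answer does not spell out, and which is a known Azure AD requirement: an app whose service principal carries a claims-mapping policy must either set `acceptMappedClaims` to true in its manifest or be configured with an app-specific signing key, otherwise token issuance fails even when the policy is assigned correctly.

```python
"""Directory extension properties and claims-mapping policy for an Azure AD app.

Added example, not the poster's or the answerer's code. The client id and the
user object are constructed placeholders; `graph_get` is a pluggable transport
so the lookup can be exercised offline.
"""
import json
from typing import Callable, Dict, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
GraphGet = Callable[[str], Dict]


def extension_property_name(app_client_id: str, name: str) -> str:
    """Graph names a directory extension `extension_<clientId without dashes>_<name>`.
    Using the dashed client id in the ClaimsSchema (as in the question) maps nothing."""
    return f"extension_{app_client_id.replace('-', '')}_{name}"


def claims_mapping_policy(app_client_id: str, name: str, jwt_claim: str,
                          display_name: str = "test",
                          organization_default: bool = False) -> Dict:
    """Body for POST /policies/claimsMappingPolicies.

    `definition` is a string collection: the policy object is *serialized* into
    one JSON string, not embedded as a nested object."""
    ext_id = extension_property_name(app_client_id, name)
    policy = {"ClaimsMappingPolicy": {
        "Version": 1,
        "IncludeBasicClaimSet": "true",
        "ClaimsSchema": [{"Source": "user", "ExtensionID": ext_id, "JwtClaimType": jwt_claim}],
    }}
    return {"definition": [json.dumps(policy)],
            "displayName": display_name,
            "isOrganizationDefault": organization_default}


def assign_policy_body(policy_id: str) -> Dict:
    """Body for POST /servicePrincipals/{id}/claimsMappingPolicies/$ref
    (the key is @odata.id, not #odata.id)."""
    return {"@odata.id": f"{GRAPH}/policies/claimsMappingPolicies/{policy_id}"}


def read_extension_value(graph_get: GraphGet, user_id: str,
                         app_client_id: str, name: str) -> Optional[str]:
    """Fallback the answer recommends: read the attribute from the user profile.
    Extension properties are not returned by default, so they must be $select-ed."""
    prop = extension_property_name(app_client_id, name)
    url = f"{GRAPH}/users/{user_id}?$select=id,{prop}"
    return graph_get(url).get(prop)


if __name__ == "__main__":
    # Constructed values: a placeholder client id and a canned Graph response.
    client_id = "12345678-abcd-ef01-2345-6789abcdef01"
    print(json.dumps(claims_mapping_policy(client_id, "test", "test"), indent=2))
    canned = {"id": "u1", extension_property_name(client_id, "test"): "hello"}
    print(read_extension_value(lambda url: canned, "u1", client_id, "test"))
```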

The client 'XXX' with object id 'XXX' does not have authorization to perform action 'Microsoft.Media/mediaServices/transforms/write'

I am trying to use the following git repo in order to connect to Azure AMS, upload a video and stream it:
https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/AMSv3Samples/StreamFilesSample/index.ts
For some reason I keep getting the following error:
The client 'XXX' with object id 'XXX' does not have authorization to perform action 'Microsoft.Media/mediaServices/transforms/write' over scope '/subscriptions/XXX/resourceGroups/TEST-APP/providers/Microsoft.Media/mediaServices/TESTAMP/transforms/ContentAwareEncoding' or the scope is invalid. If access was recently granted, please refresh your credentials
The AD user is Owner, but I understand it is a permission issue.
I searched all over the web for hours for what permission I need to grant and where, but could not find any solution.
The error gets thrown here:
let encodingTransform = await mediaServicesClient.transforms.createOrUpdate(resourceGroup, accountName, encodingTransformName, {
    name: encodingTransformName,
    outputs: [
        {
            preset: adaptiveStreamingTransform
        }
    ]
});
Of course, I have updated the .env file with the correct data for my Azure account.
Can anyone point out what I am missing and how to grant this permission?
Thanks!
The error message is referring to your Service Principal that is being used to authenticate against the AMS SDK.
Double check that you entered the GUID values for the service principal ID and Key, and make sure you did not use the friendly name in there.
AADCLIENTID="00000000-0000-0000-0000-000000000000"
AADSECRET="00000000-0000-0000-0000-000000000000"
Also, double-check in IAM Access control in the portal that the service principal exists under the Role Assignments for your Media Services account and has the Contributor or Owner role first.
If you are in an enterprise that locks down AAD access, you may need to work with your AAD owner/admin to make these changes and grant the service principal the right roles for your account. That's a bit outside Media Services, and is just general Azure AAD application creation rights and role assignments.
If you are still hitting issues, I would file a support ticket and also ask your AAD administrator to assign the role permission to your service principal.
As an aside, we are also working on updated Node.js SDK samples for the upcoming (soon!) release of the 10.0.0 Javascript SDK.
See the beta samples here - https://github.com/Azure-Samples/media-services-v3-node-tutorials/tree/10.0.0-beta.1

Does Azure trial version support , REST api for event query?

I have created a trial account with Azure (Default directory).
For authentication I'm using endpoint-1 below; after authentication, when I try to access the activity logs of Azure using the REST API at endpoint-2 below,
I get this error:
ERROR : { "error": { "code": "AuthorizationFailed", "message": "The client '52822c14-3f4a-4273-ad38-b1c746f1fbd9' with object id '52822c14-3f4a-4273-ad38-b1c746f1fbd9' does not have authorization to perform action 'microsoft.insights/eventtypes/values/read' over scope '/subscriptions/0b618ac0-b3e7-49f3-9205-07660b77252d' or the scope is invalid. If access was recently granted, please refresh your credentials." } }
Auth URL(endpoint-1) : https://login.windows.net/****************/oauth2/token
ActivityLog API (endpoint-2) : https://management.azure.com/subscriptions/*******************/providers/microsoft.insights/eventtypes/management/values?api-version=2015-04-01&$filter=eventTimestamp ge '2020-01-01T20:00:00Z'
Based on your exception info, it is obvious that your app 52822c14-3f4a-4273-ad38-b1c746f1fbd9 has no permission to pull activity logs of your Azure subscription. I can repro this issue on my side too.
To solve this issue, you should assign a proper Azure subscription role which has permission to pull logs. For instance, if you just want to pull logs using this app, you can assign the Reader role to it in the Azure portal:
Once this step is done, get a new access token and you can pull the logs you need:
If you have any further concerns, please feel free to let me know.
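Three of the answers on this page come down to the same RBAC question: does the principal hold, at the target scope or a parent of it, a role whose actions cover the one named in the error (the custom Microsoft.VideoIndexer/accounts/generateAccessToken/action role from the Video Indexer answer, Contributor or Owner on the Media Services account for transforms/write, Reader on the subscription for microsoft.insights/eventtypes/values/read)? The added example below evaluates that offline the way Azure does, including scope inheritance, wildcard actions and notActions. It is not Azure's authorization engine and not code from any of the answers: the Owner/Contributor/Reader actions are the real built-in values, Contributor's notActions list is abridged, and the custom role id, principal ids and resource names are constructed.

```python
"""Offline evaluation of an Azure RBAC question: can principal P perform
action A on scope S given its role assignments?

Added example, not Azure's authorization service and not code from any of
the answers above. Owner/Contributor/Reader `actions` are the real built-in
values; Contributor's `notActions` list is abridged. The custom role id, the
principal ids and the resource names are constructed for the demo.
"""
from fnmatch import fnmatchcase
from typing import Dict, List

# Built-in role definition ids (well known, tenant independent).
OWNER = "8e3af657-a8ff-443c-a75c-2fe8c4bcb635"
CONTRIBUTOR = "b24988ac-6180-42a0-ab88-20f7382dd24c"
READER = "acdd72a7-3385-48ef-bd42-f606fba81ae7"
VI_TOKEN_ISSUER = "00000000-0000-0000-0000-00000000c0de"   # constructed custom role id

ROLES: Dict[str, Dict[str, List[str]]] = {
    OWNER: {"actions": ["*"], "notActions": []},
    CONTRIBUTOR: {"actions": ["*"],
                  "notActions": ["Microsoft.Authorization/*/Delete",
                                 "Microsoft.Authorization/*/Write",
                                 "Microsoft.Authorization/elevateAccess/Action"]},
    READER: {"actions": ["*/read"], "notActions": []},
    # Least-privilege custom role from the Video Indexer answer above.
    VI_TOKEN_ISSUER: {"actions": ["Microsoft.VideoIndexer/accounts/generateAccessToken/action"],
                      "notActions": []},
}

# Constructed scopes mirroring the resources named on this page.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000001"
AMS = SUB + "/resourceGroups/TEST-APP/providers/Microsoft.Media/mediaServices/TESTAMP"
VI = SUB + "/resourceGroups/ween-global/providers/Microsoft.VideoIndexer/accounts/ween-video-indexer"

SP_AMS, SP_VI, SP_LOGS = "sp-ams", "sp-vi", "sp-logs"   # constructed principal ids
ASSIGNMENTS = [
    {"principalId": SP_AMS,  "roleDefinitionId": CONTRIBUTOR,     "scope": AMS},
    {"principalId": SP_VI,   "roleDefinitionId": VI_TOKEN_ISSUER, "scope": VI},
    {"principalId": SP_LOGS, "roleDefinitionId": READER,          "scope": SUB},
]


def action_matches(pattern: str, action: str) -> bool:
    """Azure action wildcards: '*' spans '/' as well; comparison is case-insensitive."""
    return fnmatchcase(action.lower(), pattern.lower())


def scope_covers(assignment_scope: str, target_scope: str) -> bool:
    """An assignment applies at its own scope and is inherited by every child scope."""
    a = assignment_scope.lower().rstrip("/")
    t = target_scope.lower().rstrip("/")
    return t == a or t.startswith(a + "/")


def role_allows(role: Dict[str, List[str]], action: str) -> bool:
    """notActions subtract only within the same role definition, never across roles."""
    allowed = any(action_matches(p, action) for p in role["actions"])
    denied = any(action_matches(p, action) for p in role.get("notActions", []))
    return allowed and not denied


def can_perform(principal_id: str, action: str, scope: str,
                assignments=ASSIGNMENTS, roles=ROLES) -> bool:
    """True if any assignment for the principal covers the scope and its role allows the action."""
    return any(
        a["principalId"] == principal_id
        and scope_covers(a["scope"], scope)
        and role_allows(roles[a["roleDefinitionId"]], action)
        for a in assignments
    )


if __name__ == "__main__":
    checks = [
        (SP_AMS, "Microsoft.Media/mediaServices/transforms/write", AMS + "/transforms/ContentAwareEncoding"),
        (SP_VI, "Microsoft.VideoIndexer/accounts/generateAccessToken/action", VI),
        (SP_VI, "Microsoft.VideoIndexer/accounts/write", VI),
        (SP_LOGS, "microsoft.insights/eventtypes/values/read", SUB),
    ]
    for principal, action, scope in checks:
        print(f"{principal:8} {action:60} {can_perform(principal, action, scope)}")
```

Two practical notes follow from the model: a new assignment is only reflected once the principal obtains a fresh token (the "If access was recently granted, please refresh your credentials" tail of the error), and the custom role above lets the daemon mint Video Indexer tokens without being able to modify the account, which Contributor would allow.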

Azure usage details API shows "Authentication failed" after sign in with azure active directory v1 connection

I completely followed this link https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication?view=azure-bot-service-4.0&tabs=aadv1%2Ccsharp%2Cbot-oauth, created an Azure AD app registration and used Azure Active Directory v1 for my web app bot.
After signing in, I can view the token, but with that token I cannot access the Azure APIs; Postman shows the response below:
{
  "error": {
    "code": "AuthenticationFailed",
    "message": "Authentication failed."
  }
}
I called the Azure API below:
https://management.azure.com/subscriptions/${subscriptionId}/providers/Microsoft.Consumption/usageDetails?api-version=2018-10-01
In my app registration in Azure AD, I have given these permissions to access the Azure API:
In my Web App Bot -> Settings -> OAuth Connection Settings, I selected:
ClientId -> my application client id
ClientSecret -> my application client secret
GrantType -> I do not know what to give, so I just typed "authorization_code" (if this is wrong, where do I find my grant type?)
LoginURL -> https://login.microsoftonline.com
TenantId -> common (to allow any user)
ResourceURL -> https://graph.microsoft.com/
Scopes -> I just left it blank
Why am I not able to access the Azure API with that token?
Any help appreciated. Thanks.
An access token issued by Azure AD will always be for a specific resource. Which service a token is intended for is identified in the token's "audience" (in the aud claim). When using the v1 endpoint, the resource for which an app requests an access token is identified in the resource parameter of the authorization request. In the v2 endpoint, the resource is identified as part of the scope parameter.
In your case, the resource you've configured your bot to get a token for is Microsoft Graph (https://graph.microsoft.com), but then you're trying to use the resulting token to call the Azure Management API. The first thing the Azure Management API does is check if the access token it received is actually intended for it. If the audience does not match, it will immediately respond with an error.
Instead of trying to get a token for Microsoft Graph, you need to configure your bot to get a token for the Azure Management API. You should use https://management.azure.com, which is the resource URI for the Azure Management API, instead of https://graph.microsoft.com which is the resource URI for Microsoft Graph.

Getting an "unauthorized_client" when trying to get a new access token, why?

I'm developing an API using VS 2017, which I'm testing using Postman. I've been following this blog post, Getting started with Windows Azure AD Authentication using Postman. I finally got it to give me an access token and a refresh token. About three quarters of the way through the post I came across this:
resource : https://management.core.windows.net
which has to be put into Postman (I'm using the Windows app version of Postman). I wasn't sure what that was for, so I left it off. I eventually got an access token and a refresh token, but when I went to get more info for all subscriptions, I got errors saying that I had not specified a valid resource. So, I thought what I'd have to do was start over again, re-authenticating and getting a code from Azure. I did so, and put that into Postman, as the blog post instructs. However, issuing this POST results in this error:
{
  "error": "unauthorized_client",
  "error_description": "AADSTS70002: Error validating credentials. AADSTS65005: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: d37abf69-42ce-4571-b146-f3422e73f041. Resource value from request: https://management.core.windows.net. Resource app ID: 797f4846-ba00-4fd7-ba43-dac1f8f63013. List of valid resources from app registration: 00000002-0000-0000-c000-000000000000.\r\nTrace ID: 9f028899-6d03-409e-8db4-4e9905000300\r\nCorrelation ID: ec253a1b-9fdc-495f-9310-6b40a42e5d93\r\nTimestamp: 2018-11-19 22:20:02Z",
  "error_codes": [
    70002,
    65005
  ]
}
I don't understand why, nor what I could have done wrong. I've pre-specified the resource as the tutorial instructed, so what have I done wrong?
Looking at the error message, it seems you may have missed adding the relevant permissions for "Windows Azure Service Management API" to your app registration.
Steps:
Go to Azure Portal > Azure AD > App registrations > Your app (with app id: d37abf69-42ce-4571-b146-f3422e73f041)
Go to Settings > Required permissions > Add > Select "Windows Azure Service Management API"
Select the relevant permission under Delegated permissions section. Click on select and then "Done". You should get a notification in portal that successfully added permissions. You should see Windows Azure Service Management API listed under required permissions as well.
After these steps, continue as per the blog post you've mentioned with Postman steps to get the access token again.
I found myself in the same situation when I was trying to set up Postman. It's not as complicated as most blogs make it seem. I created a tutorial to try to make the process easy.
http://hazelnest.com/blog/blog/2018/11/17/azure-postman-configuration/
https://youtu.be/2bfgeBKRxl4
Hope this helps.
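The last two questions on this page fail for the same reason seen from two sides: the bot question obtained a token whose aud is Microsoft Graph and presented it to ARM, and the Postman question asked the v1 endpoint for an ARM resource its app registration had no permission for (AADSTS65005 names the requested resource app id, 797f4846-..., and the only permitted one, 00000002-..., the Azure AD Graph id). The added example below, which is not code from either answer, covers both: it inspects the aud claim of a token before it is sent (payload only, no signature check, so this is a diagnostic and never an authorization decision), builds the v1 body with `resource` and the v2 body with `scope` so the difference the answer describes is visible, and parses the AADSTS65005 text into the requested and permitted resource ids. The sample token is constructed and unsigned; the error text is the one quoted in the question.

```python
"""Diagnose "wrong audience" and AADSTS65005 "invalid resource" token failures.

Added example, not from the posts above. The sample token is constructed
(unsigned, alg none, not a real Azure AD token); only its payload is read and
no signature is verified, so use this to debug a request, never to authorize one.
"""
import base64
import json
import re
import urllib.parse
from typing import Dict, Optional

ARM_RESOURCE = "https://management.azure.com"
ARM_RESOURCE_CLASSIC = "https://management.core.windows.net"   # older ARM resource URI, also accepted by ARM
GRAPH_RESOURCE = "https://graph.microsoft.com"


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_payload(token: str) -> Dict:
    """Decode the middle segment of a compact JWT. No verification is performed."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def audience_ok(token: str, expected_resource: str) -> bool:
    """True when the token's aud names the API we are about to call.
    ARM rejects a Graph-audience token with AuthenticationFailed before any RBAC check."""
    aud = jwt_payload(token).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    normalized = {a.rstrip("/") for a in auds if isinstance(a, str)}
    return expected_resource.rstrip("/") in normalized


def v1_token_body(client_id: str, client_secret: str, code: str, redirect_uri: str,
                  resource: str = ARM_RESOURCE) -> str:
    """v1 endpoint (/oauth2/token): the audience is selected by the `resource` parameter."""
    return urllib.parse.urlencode({
        "grant_type": "authorization_code", "client_id": client_id,
        "client_secret": client_secret, "code": code, "redirect_uri": redirect_uri,
        "resource": resource})


def v2_token_body(client_id: str, client_secret: str, code: str, redirect_uri: str,
                  scope: str = f"{ARM_RESOURCE}/user_impersonation") -> str:
    """v2 endpoint (/oauth2/v2.0/token): the audience is the resource part of `scope`."""
    return urllib.parse.urlencode({
        "grant_type": "authorization_code", "client_id": client_id,
        "client_secret": client_secret, "code": code, "redirect_uri": redirect_uri,
        "scope": scope})


# Error text quoted in the Postman question above (trace ids left as they appear there).
SAMPLE_AADSTS65005 = (
    "AADSTS70002: Error validating credentials. AADSTS65005: Invalid resource. The client has "
    "requested access to a resource which is not listed in the requested permissions in the "
    "client's application registration. Client app ID: d37abf69-42ce-4571-b146-f3422e73f041. "
    "Resource value from request: https://management.core.windows.net. Resource app ID: "
    "797f4846-ba00-4fd7-ba43-dac1f8f63013. List of valid resources from app registration: "
    "00000002-0000-0000-c000-000000000000.\r\nTrace ID: 9f028899-6d03-409e-8db4-4e9905000300")

_AADSTS65005_RE = re.compile(
    r"Resource value from request: (?P<resource>\S+)\. "
    r"Resource app ID: (?P<res_app>[0-9a-fA-F-]{36})\. "
    r"List of valid resources from app registration: (?P<valid>[^.\r\n]+)\.")


def explain_invalid_resource(error_description: str) -> Optional[Dict]:
    """Pull the requested resource and the permitted resource app ids out of AADSTS65005.
    The fix is to add a permission for the requested app id to the app registration."""
    m = _AADSTS65005_RE.search(error_description)
    if not m:
        return None
    return {"requested_resource": m.group("resource"),
            "requested_app_id": m.group("res_app"),
            "valid_app_ids": [v.strip() for v in m.group("valid").split(",")]}


def make_unsigned_token(payload: Dict) -> str:
    """Constructed, signature-less JWT for the demo only. Never accept such a token."""
    def enc(d: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(payload)}."


if __name__ == "__main__":
    graph_token = make_unsigned_token({"aud": "https://graph.microsoft.com", "appid": "bot"})
    print("usable against ARM:", audience_ok(graph_token, ARM_RESOURCE))
    print(explain_invalid_resource(SAMPLE_AADSTS65005))
```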
