Authentication error when requesting FHIR resource from Azure FHIR Services - azure

I have deployed Healthcare Workspace and HFIR Service to Azure.
I successfully get capability statement and access token.
I'm failing with Get FHIR resource request to get Patient list by Postman.
I can see that this request connects to right App registration by correct secret.
I wonder if API permission of App Registration is correct:
I have given "Azure Healthcare APIs", which has url https://fhir.azurehealthcareapis.com
However Postmain is requesting: https://healthcareworkspace-my123demo.fhir.azurehealthcareapis.com
I wonder where is problem?
https://learn.microsoft.com/en-us/azure/healthcare-apis/fhir/using-postman
Get: {{fhirurl}}/Patient
{
"resourceType": "OperationOutcome",
"id": "1111d698deb63c41b7b0a6731a527b15",
"issue": [
{
"severity": "error",
"code": "forbidden",
"diagnostics": "Authorization failed."
}
]
}

You will also need to assign an application role such as "FHIR Data Contributor" to the client app to access the FHIR service. More info at https://learn.microsoft.com/en-us/azure/healthcare-apis/fhir/configure-azure-rbac-for-fhir

Related

Using MS Graph API to add more app roles to an app registration

Is there any way I can create additional app role using MS Graph API. I already have one app role in my app registration, but required to create additional app roles. PATCH does not work to create additional app roles and gives error:
Doing a patch in the postman as:
https://graph.microsoft.com/v1.0/applications/11e8abb0-zzzz-4a5d-bf02-zzzzzzzzz
{
"appRoles": [
{
"allowedMemberTypes": [
"Application"
],
"description": "TestRole",
"displayName": "TestRole",
"id": "{{$guid}}",
"isEnabled": true,
"origin": "Application",
"value": "TestRole"
}
]
}
Getting a response:
{
"error": {
"code": "CannotDeleteOrUpdateEnabledEntitlement",
"message": "Permission (scope or role) cannot be deleted or updated unless disabled first.",
"innerError": {
"date": "2021-10-27T08:18:30",
"request-id": "5e8b5997-bd4f-4716-a090-10e22f50c49d",
"client-request-id": "5e8b5997-bd4f-4716-a090-10e22f50c49d"
}
}
}
I was expecting a new app role to be added to the app registration.
Hope this code helps.
image:
screenshot
Microsoft Graph is a RESTful web API that enables you to access Microsoft Cloud service resources. After you register your app and get authentication tokens for a user or service, you can make requests to the
Microsoft Graph API.

Unable to get response from Microsoft Graph API endpoint

I set up a new Application in microsoft azure and got the admin to consent application permissions for this app ( files.ReadWriteAll). I am able to get the access_token through POSTMAN. I am trying to get drive information using this endpoint
https://graph.microsoft.com/v1.0/drives/{drive-id}
But I get an error response :-
{ "error": { "code": "AccessDenied", "message": "Either scp or roles claim need to be present in the token.", "innerError": { "request-id": "905c7701-8b89-4711-9204-b00c4a09a921", "date": "2019-03-28T15:56:29" } } }
I used this link to get info on my access token.
http://jwt.calebb.net/
Files.Readwrite permissions don't seem to be listed anywhere in the info ( not sure why) . The azure site shows that consent was granted.
Azure permissions set up for my app:
Check the steps as below.
Register your app following this document, and Grant permissions.
get access token like this.
Check the token
Call graph api

Http request failed as there is an error getting AD OAuth token: 'AADSTS50001: The application named https://management.azure.windows.net

I would like to change the price tier of my azure analysis service via rest API in logic APP.
To do this job I have founded this API
In logic APP I have set such a request
{
"uri": "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.AnalysisServices/servers/{serverName}?api-version=2017-08-01",
"method": "PATCH",
"authentication": {
"tenant": "GUID, which I get from Azure AD for AzureAS",
"audience": "https://management.azure.windows.net",
"clientId": "GUID, which I get from AzureAD for AzureAS",
"secret": "*sanitized*",
"type": "ActiveDirectoryOAuth"
},
"body": {
"sku": {
"capacity": 1,
"name": "S4",
"tier": "Standard"
},
"tags": {
"testKey": "testValue"
}
}
}
After sending this request I get this message:
BadRequest. Http request failed as there is an error getting AD OAuth token: 'AADSTS50001: The application named https://management.azure.windows.net was not found in the tenant named xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
In AzureAD I see the following:
My question is now for this API which API-Permission should I add in AzureAD?
As mentioned in the comments, the resource (audience) for which the code/token should be acquired is https://management.core.windows.net/.
Moreover you need to have following delegated permission to execute Azure API: Execute Windows Azure Service Management API.
Once you do that, you should be able to perform the operation.

"Access Token missing or malformed" error while accessing Azure AD Graph API

I have an account on Azure where we run various applications in docker containers.
I would like to connect to Active Directory on this account and be able to manage various aspects such as creating new users, etc.
I found following API browser:
https://learn.microsoft.com/en-us/rest/api/graphrbac/users/list
Unfortunately when I log in as a user with admin rights (Global Administrator) and provide tenant ID, when I call users/list endpoint, I get following error with 401 status:
{
"odata.error": {
"code": "Authentication_MissingOrMalformed",
"message": {
"lang": "en",
"value": "Access Token missing or malformed."
},
"date": "2018-07-20T14:01:24",
"requestId": "9f070c46-a949-41bf-85c9-f1ccf97975db",
"values": null
}
}
What is interesting - if I use any other random endpoint, for example: https://learn.microsoft.com/en-us/rest/api/servermanagement/node/list - it works fine. In this case it returns empty set, but at least it doesn't fail with strange authentication error.
I also can reproduce the issue that you metioned if I test Users - List Rest API directly from the site.
https://learn.microsoft.com/en-us/rest/api/graphrbac/Users/List
According to exception, the root cause of the issue is token audience. You could check the actual access token in the JWT.io.
You could get that the audience is https://management.core.windows.net/. The token that is acquired will work for other Azure Services like webapps, compute, ResourceManager, etc. but not for Graph.
You could test it with Azue AD graph explorer, then it will work for you.
The audience should be https://graph.windows.net

Azure AD B2C - Using Azure AD Graph API

I am calling the Azure AD Graph API using a local administrator token. I keep getting the following error messages, no matter what endpoint I call.
How do I get access to the Azure AD Graph API?
{
"odata.error": {
"code": "Authorization_RequestDenied",
"message": {
"lang": "en",
"value": "Insufficient privileges to complete the operation."
}
}
}
My URL
https://graph.windows.net/>tenant>/users/821d91b8-36e1-4b89-bd3a-4caecc40e4c9/memberOf?api-version=1.6
The Azure Graph API needs a special application registration alongside the application registration that users log in with.
Follow the guide below:
https://azure.microsoft.com/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/

Resources