I am using the below REST API to enable Azure PIM at the moment.
API endpoint : https://api.azrbac.mspim.azure.com/api/v2/privilegedAccess/azureResources/roleAssignmentRequests
Body:
{
"roleDefinitionId":"sdfsa4324-7b46-sdfa234-8db9-c32423354",
"resourceId":"243-4a58-4sdf1e-a0f4-234234dfds",
"subjectId":"sdfasd-9af3-42f5-9699-dfasd243",
"assignmentState":"Active",
"type":"UserAdd",
"reason":"Evaluate Only",
"ticketNumber":"Evaluate Only",
"ticketSystem":"Evaluate Only",
"schedule":{"type":"Once","startDateTime":null,
"endDateTime":null,"duration":"PT0M"},
"linkedEligibleRoleAssignmentId":"2423asdf-c271-4342342-8859-11243dfsaf",
"scopedResourceId":null
}
The problem I am facing at the moment is that I am not sure how to generate the bearer token automatically to pass as an authorization header. Currently, I am just fetching the token from the Chrome developer console. Can anyone point me to an API with which I can use my creds to generate a bearer token that I can use for PIM?
Thanks,
Tintu
According to your description, I assume that you'd like to call an API to enable PIM, so you need an access token. Here an official doc recommends using MSAL to obtain the token you need:
we recommend you use the supported Microsoft Authentication Libraries
(MSAL) instead to acquire tokens and call secured web APIs. Also take
a look at the sample apps that use MSAL.
I have another answer which used msal.js to generate an access token for calling the Graph API for Azure Key Vault; the difference is the scopes, and according to this document, the API scope is:
Directory.AccessAsUser.All Directory.Read.All Directory.ReadWrite.All PrivilegedAccess.ReadWrite.AzureAD
So you need to create an Azure AD application, add the above API permissions and change the 'scope' in the code. And if you need a sample in another programming language, you can refer to this doc to choose another sample.
Before you compose the code, I think you can generate a test token to check whether this token can call the API, using tools like Postman.
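The answer recommends MSAL, which hides the token exchange. As an added example (not code from the answer, from the asker, or from Microsoft's samples), here is the same delegated acquisition done against the raw v2.0 device code endpoints in Python, so each message is visible, followed by the PIM call from the question with the bearer token attached. The tenant, client id, the resource prefix in front of the permission name, and every PIM id are assumptions or placeholders; the HTTP transport is an injectable parameter so the exchange can be driven with canned responses.

```python
"""OAuth 2.0 device code flow on the Microsoft identity platform v2.0 endpoints,
then the PIM role-assignment request from the question. Added example."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request

TENANT = "contoso.onmicrosoft.com"                  # assumption: your tenant id or domain
CLIENT_ID = "00000000-0000-0000-0000-000000000000"  # assumption: your app registration
AUTHORITY = f"https://login.microsoftonline.com/{TENANT}"
# Permission name as listed in the answer; the resource prefix is an assumption.
SCOPE = "https://graph.microsoft.com/PrivilegedAccess.ReadWrite.AzureAD"
PIM_URL = ("https://api.azrbac.mspim.azure.com/api/v2/privilegedAccess/"
           "azureResources/roleAssignmentRequests")


def http_post(url, body, headers=None, form=True):
    """Default transport: form-encode for the token endpoints, JSON for PIM.
    Error responses from the v2.0 endpoints are JSON too, so return them
    rather than raising; the caller inspects the `error` field."""
    headers = dict(headers or {})
    if form:
        data = urllib.parse.urlencode(body).encode()
        headers["Content-Type"] = "application/x-www-form-urlencoded"
    else:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    except urllib.error.HTTPError as err:
        return json.load(err)


def start_device_flow(post=http_post):
    """Step 1: request a device code. Show `message` (or `user_code` and
    `verification_uri`) to the user; the app registration must allow
    public client flows for this grant."""
    return post(f"{AUTHORITY}/oauth2/v2.0/devicecode",
                {"client_id": CLIENT_ID, "scope": SCOPE})


def poll_for_token(flow, post=http_post, sleep=time.sleep, clock=time.time):
    """Step 2: poll the token endpoint until the user completes sign-in.
    `authorization_pending` and `slow_down` are the only retryable errors."""
    interval = int(flow.get("interval", 5))
    deadline = clock() + int(flow.get("expires_in", 900))
    while clock() < deadline:
        resp = post(f"{AUTHORITY}/oauth2/v2.0/token", {
            "grant_type": "urn:ietf:params:oauth:grant-type:device_code",
            "client_id": CLIENT_ID,
            "device_code": flow["device_code"],
        })
        if "access_token" in resp:
            return resp
        error = resp.get("error")
        if error == "slow_down":
            interval += 5          # server asked us to back off
        elif error != "authorization_pending":
            raise RuntimeError(f"device code flow failed: {resp}")
        sleep(interval)
    raise TimeoutError("user did not complete sign-in before the device code expired")


def submit_role_request(access_token, body, post=http_post):
    """Step 3: the PIM call from the question, with the bearer token attached."""
    return post(PIM_URL, body,
                headers={"Authorization": f"Bearer {access_token}"}, form=False)


if __name__ == "__main__":
    flow = start_device_flow()
    print(flow["message"])
    token = poll_for_token(flow)
    # Request body shape from the question; every id here is a placeholder.
    result = submit_role_request(token["access_token"], {
        "roleDefinitionId": "<role-definition-id>",
        "resourceId": "<resource-id>",
        "subjectId": "<subject-id>",
        "assignmentState": "Active",
        "type": "UserAdd",
        "reason": "Evaluate Only",
        "ticketNumber": "Evaluate Only",
        "ticketSystem": "Evaluate Only",
        "schedule": {"type": "Once", "startDateTime": None,
                     "endDateTime": None, "duration": "PT0M"},
        "linkedEligibleRoleAssignmentId": "<eligible-assignment-id>",
        "scopedResourceId": None,
    })
    print(json.dumps(result, indent=2))
```

The token you get back is issued for the scope you asked for, so if the PIM endpoint rejects it, decode the `aud` claim and compare it with what that endpoint expects before changing anything else; the device code grant only needs the user's credentials at the sign-in page, so the script itself never handles a password.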
I have developed a SharePoint (Online) SPFx web part (using TypeScript/JavaScript) that calls an Azure Function. Upon calling the Azure Function, Azure AD forwarded some headers, such as:
..
authorization: "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Ii1LSTNRO.........",
..
..
x-ms-client-principal: "eyJhdXRoX3R5cCI6ImFhZCIsImNsYWltcyI6W3sidHlwIjoiYXVkI..........",
x-ms-client-principal-id: "588301bd-048a-XXXX-XXXX-XXXX-XXXX",
x-ms-client-principal-idp: "aad",
x-ms-client-principal-name: "me#example.com",
..
So I have access to those headers from the Azure Function App (point of view).
Questions
What exactly is the above-mentioned authorization (bearer) token for?
Is the above-mentioned authorization (bearer) token a "delegated token"? Which would then be usable as the valid token of the "signed-in user" so that I'd be able to make "delegated" calls to Microsoft Graph. Such as calling https://graph.microsoft.com/v1.0/me
If the q.2 answer is no, then which of those above-mentioned user tokens/principles (forwarded by AAD) can be used to make "delegated" calls to Microsoft Graph?
If NONE of those AAD forwarded user tokens/principles can be used for "delegated" calls, does it mean that, the ONLY (ONLY) way to call Microsoft Graph API from the Azure Function is by "application permissions" approach?
I appreciate any help with my confusion.
Note that the bearer token can be used to call the Microsoft Graph API if the token contains aud as Graph.
I agree with juunas that the token you are passing is an ID token and cannot be used to call the API.
To call the Microsoft Graph API, you need to retrieve the access token generated and check the aud and scp values.
As a sample, I generated the access token and, when decoded, the aud and scp values are like below:
By using the access token, I am able to get the signed-in user details successfully like below:
https://graph.microsoft.com/v1.0/me
To make delegated calls to the Microsoft Graph API, make sure to retrieve an access token and try.
References:
SPFx: Calling Microsoft Graph API from an AAD secured Azure Function on behalf of a user by Vardhaman Deshpande
I have a secured student API which I am able to access via the OAuth 2.0 client credentials flow, which creates an access token using an IConfidentialClientApplication app and accesses the secured app.
Now I am trying to access the secured API using OAuth 2.0 Resource Owner Password Credentials. I have mostly used the code from the Microsoft GitHub page:
https://github.com/azure-samples/active-directory-dotnetcore-console-up-v2
I am able to sign in using username and password and generate an access token as well. But this access token is not able to access my secured student API. Though the sample code is able to access the Microsoft Graph API, it is not able to access my secured API.
I tried to allow the public client flow for my secured student API as well and decrypted both access tokens to see the difference. There is a lot of difference. What I noticed is that the ROPC flow uses IPublicClientApplication, where I am not able to give the ResourceId while acquiring the token. So the "aud" is different in the ROPC token, and other fields as well.
Can anyone tell where I may be going wrong or how to fix the above scenario?
I think you may need to perform these 2 steps to get a token valid for your own API:
Expose an API scope in your Azure AD API Configuration
Add an API permission in your Azure AD Password Client Configuration
See step 6 of my Azure AD Blog Post for how this looks. The article also explains some token differences.
I'm coding a project composed of an SPA and an API.
On the SPA, I have a button to link Google or Microsoft accounts to the user's account.
The API can call the Google/Microsoft APIs whenever it wants.
I've succeeded with Google using the authorization code flow:
From the SPA, redirect the user to https://accounts.google.com/o/oauth2/v2/auth with query parameters response_type=code and access_type=offline
Send the returned code to the API
The API calls https://oauth2.googleapis.com/token to get an access_token and a refresh_token
Tokens are saved in the database, and can be used whenever the API wants.
==============
Microsoft has a similar authorization flow (https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow) but I can't use the authorization_code retrieved from an SPA into the API because of CORS policies.
I'm not using PKCE codes because tokens are retrieved from the API that use client_id and client_secret.
=============
Am I missing something? Is it even possible to get an authorization_code from an SPA and use it to generate access_tokens and refresh_tokens from an external API?
Thank you so much, sorry for my English!
In the SPA, many authorization servers and identity providers do not support CORS requests. In such a case, your option is to use the Azure AD implicit grant flow rather than the auth code flow; you can get the access token directly via the /authorize endpoint. This flow does not provide refresh tokens, so your app must be prepared to refresh these tokens periodically.
Reference - Microsoft identity platform and Implicit grant flow
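The question mentions PKCE and sets it aside; as an added example (not code from the question, the answer, or Microsoft), here are the PKCE (RFC 7636) pieces of the authorization code flow in Python: generating the `code_verifier`, deriving the S256 `code_challenge` for the /authorize request, building the /token body that redeems the code, and the comparison the authorization server performs. The endpoint URLs are the v2.0 ones the question links; the client id, redirect URI and scope are placeholders, and the example assumes the party that generates the verifier is the one that redeems the code.

```python
"""PKCE helpers for the OAuth 2.0 authorization code flow. Added example."""
import base64
import hashlib
import secrets
import urllib.parse

AUTHORIZE_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/authorize"
TOKEN_URL = "https://login.microsoftonline.com/common/oauth2/v2.0/token"


def b64url(data: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_code_verifier(n_bytes: int = 32) -> str:
    """43..128 characters from the unreserved set; 32 random bytes give 43."""
    return b64url(secrets.token_bytes(n_bytes))


def make_code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def build_authorize_url(client_id, redirect_uri, scope, state, verifier):
    """The browser is sent here; only the challenge leaves the client."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": make_code_challenge(verifier),
        "code_challenge_method": "S256",
    }
    return f"{AUTHORIZE_URL}?{urllib.parse.urlencode(params)}"


def build_token_request(client_id, redirect_uri, code, verifier):
    """Body for the /token call that redeems the code. The server recomputes
    S256(verifier) and refuses the exchange if it differs from the challenge
    it stored with the code, so a stolen code alone is not redeemable."""
    return {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "code_verifier": verifier,
    }


def verify_pkce(stored_challenge: str, presented_verifier: str) -> bool:
    """What the authorization server does at redemption time."""
    return secrets.compare_digest(make_code_challenge(presented_verifier),
                                  stored_challenge)


if __name__ == "__main__":
    verifier = make_code_verifier()
    url = build_authorize_url("<client-id>", "https://spa.example/callback",
                              "openid offline_access User.Read",
                              secrets.token_urlsafe(16), verifier)
    print(url)
    print(build_token_request("<client-id>", "https://spa.example/callback",
                              "<code-from-redirect>", verifier))
```

Because the verifier never appears in the redirect, PKCE protects the code between the /authorize response and the /token request without needing a client_secret in the browser; the `state` value is still needed separately to tie the redirect back to the request that started it.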
I want to use IoT Central REST API calls.
But to use any REST API call, we need an authorization token.
So I want a way to create a new API token in IoT Central programmatically.
From the tutorial below, I found two ways:
https://learn.microsoft.com/en-us/learn/modules/manage-iot-central-apps-with-rest-api/2-authorize-api
In the Administration section in your application's web UI on the IoT Central portal.
Using the IoT Central REST API.
To generate an API token using the REST API, you must already have an Application administrator API token or a bearer token to authorize the call.
Now, to get a bearer token, we have to use the az CLI, which is not a feasible option for our approach. So instead of manually creating the API token, we want a way to generate it programmatically.
Could you please give me some references on how to achieve this?
A bearer token is associated with an Azure Active Directory user account, therefore you need to be authenticated to retrieve it.
With the bearer token you can generate an IoT Central API token programmatically. The REST GET call is described here: https://learn.microsoft.com/en-us/rest/api/iotcentral/apitokens/get
See also: Authentication vs authorization doc
We are about to run D365 CRM in Azure and now we are trying to find out how to authorize a call to our on-prem API.
The simplified scenario is: a user is saving an annotation in D365 CRM, and when that happens we also want to make a call to our on-prem API.
We want to make the call using the Azure ID token (to be specific, NOT the access token). This is to authorize the user when accessing the API.
Is it possible to get the ID token and send that with the call? We have so far only managed to pick up the access token, which is not good enough. How do we retrieve the ID token?
You are mixing fundamental concepts of OAuth / OpenID Connect. You must use an access_token when calling an API. The purpose of the id_token is not to make authorization decisions in an API, but to obtain basic information about the user in the client app.
You can find a well-formulated and compact article on the subject here.
When you have the access_token, and when it is the proper one, it includes all the information you need:
Which is the calling application
Who is the acting end user
What authorizations (application roles or scopes) are granted
Any additional information (that could be part of the id_token) can be obtained using the Microsoft Graph on the back-end side of your API.
Here are some more references that will be helpful:
Microsoft Identity Platform id_token reference
Microsoft Identity Platform access_token reference
Pay attention to the claims references in both token types.
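Both this answer and the earlier SPFx answer (check the aud and scp values before calling Graph) come down to reading claims. As an added example, not from any of the posts, here is Python that decodes a token's payload, tells an id_token from an access_token by its claims, performs the client-side aud/scp check for a Graph call, and makes the API-side authorization decision this answer describes. The tokens it builds are constructed and unsigned; a real API validates the signature, issuer and expiry with the tenant's signing keys before trusting any claim, which a JWT library does and this block deliberately leaves out. The Graph app id is the well-known one; the API and client app ids are placeholders.

```python
"""Claim-based inspection of Microsoft identity platform tokens. Added example;
signature verification is intentionally not part of this block."""
import base64
import json
import time

GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph's well-known app id
MY_API_APP_ID = "11111111-1111-1111-1111-111111111111"  # assumption: your API's app id
MY_CLIENT_ID = "22222222-2222-2222-2222-222222222222"   # assumption: your client app's id


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def decode_claims(token: str) -> dict:
    """Payload of a compact JWS. Signature is NOT checked here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(b64url_decode(parts[1]))


def token_kind(claims: dict) -> str:
    """Access tokens carry the granted permissions (scp for delegated, roles
    for app-only); id_tokens carry neither and are addressed to the client."""
    if "scp" in claims or "roles" in claims:
        return "access_token"
    if claims.get("aud") == MY_CLIENT_ID or "nonce" in claims:
        return "id_token"
    return "unknown"


def can_call_graph(claims: dict, needed_scope: str) -> bool:
    """Client-side check from the SPFx answer: aud must be Graph and scp
    must contain the permission the call needs."""
    aud_ok = claims.get("aud") in (GRAPH_APP_ID, "https://graph.microsoft.com")
    return aud_ok and needed_scope in claims.get("scp", "").split()


def authorize_api_call(token: str, required_scope: str, now=time.time) -> tuple:
    """API-side decision on the bearer token, to run after signature and
    issuer validation (not shown). Returns (allowed, reason)."""
    try:
        claims = decode_claims(token)
    except ValueError:
        return False, "malformed token"
    if token_kind(claims) != "access_token":
        return False, "id_token presented where an access_token is required"
    if claims.get("aud") not in (MY_API_APP_ID, f"api://{MY_API_APP_ID}"):
        return False, f"token audience {claims.get('aud')!r} is not this API"
    if claims.get("exp", 0) <= now():
        return False, "token expired"
    granted = set(claims.get("scp", "").split()) | set(claims.get("roles", []))
    if required_scope not in granted:
        return False, f"missing permission {required_scope}"
    who = claims.get("preferred_username") or claims.get("appid", "?")
    return True, f"allowed for {who}"


def make_unsigned_token(claims: dict) -> str:
    """CONSTRUCTED token for demonstration: real header and claims, dummy
    signature, so it decodes but would fail any signature check."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'typ': 'JWT', 'alg': 'RS256'})}.{enc(claims)}.dummy-signature"


if __name__ == "__main__":
    far_future = 4102444800
    graph_token = make_unsigned_token({"aud": GRAPH_APP_ID, "scp": "User.Read",
                                       "exp": far_future, "preferred_username": "me@example.com"})
    id_token = make_unsigned_token({"aud": MY_CLIENT_ID, "nonce": "abc", "exp": far_future})
    api_token = make_unsigned_token({"aud": MY_API_APP_ID, "scp": "Student.Read",
                                     "exp": far_future, "preferred_username": "me@example.com"})
    for name, tok in [("graph", graph_token), ("id", id_token), ("api", api_token)]:
        claims = decode_claims(tok)
        print(name, token_kind(claims), "graph User.Read:", can_call_graph(claims, "User.Read"),
              "api Student.Read:", authorize_api_call(tok, "Student.Read"))
```

The ROPC question earlier on the page is the same picture from the other side: a token whose `aud` is Graph is rejected by a custom API not because the user is wrong but because the token was never issued for that API, which is why the fix there is to expose a scope on the API and request it.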