I have an application (AWX) with a script that is trying to perform an action in Azure (add tags to a vm). In AWX, I get the following error, apparently from Azure: msg: "Error retrieving resource group usw-sys-rg-001 - The client '9d...27' with object id '9d...27' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/83...4a/resourcegroups/usw-sys-rg-001' or the scope is invalid. If access was recently granted, please refresh your credentials."
Seems like a straightforward message. The account/identity/principal being used is not authorized. The problem is, the client id in the error message does not correlate with any credential object I have in AWX. And specifically it doesn't correlate with the Microsoft Azure Resource Manager credential I have in AWX. Not being the author of this AWX playbook, I'm a bit puzzled by all of this.
Since the error appears to come from Azure, and Azure doesn't seem to say that the client id doesn't exist, this makes me think that I should be able to find that identity in Azure (presumably it's a service principal) and inspect its permissions. However, when I filter through the app registrations, I can find no entry with a client id matching the one from the error message above.
How do I find the service principal in Azure Portal? Or is it something else?
I must be looking at this wrong. Does anyone have any pointers? Many thanks.
First, make sure you logged in to the correct Azure AD tenant in the portal.
Secondly, navigate to Enterprise applications (not App registrations, because some service principals will not have a corresponding App registration in your AAD tenant, e.g. Managed Identity, etc.) in Azure Active Directory.
Then filter with All Applications like below, enter the client id, and you will find it.
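The same lookup from the Azure CLI, as an added example that is not part of the answer above: confirm which tenant the CLI is signed in to, pull the client id and object id out of the error text, resolve the client id to a service principal (az ad sp show --id accepts either an application id or an object id, and finds managed identities as well as application service principals, which is why it matches the Enterprise applications blade rather than App registrations), and list the principal's role assignments. The GUIDs, the resource group name and the error text are constructed placeholders.

```shell
#!/usr/bin/env sh
# Added example, not from the original answer. Resolves the client id in an
# AuthorizationFailed message to a service principal with the Azure CLI.
set -eu

# Extract the value quoted after a label such as "The client" or "over scope".
# Pure shell (sed), so it works without an Azure login.
authz_field() {
    label=$1
    message=$2
    printf '%s\n' "$message" | sed -n "s/.*$label '\([^']*\)'.*/\1/p"
}

# Confirm which tenant the CLI is signed in to before searching it.
show_tenant() {
    az account show --query '{tenant:tenantId, subscription:name}' -o table
}

# Look up the principal by client (application) id or object id.
find_principal() {
    az ad sp show --id "$1" \
        --query '{displayName:displayName, appId:appId, objectId:id, type:servicePrincipalType}' \
        -o table
}

# List every role assignment the principal (by object id) holds, at all scopes.
list_assignments() {
    az role assignment list --assignee "$1" --all --include-inherited \
        --query '[].{role:roleDefinitionName, scope:scope}' -o table
}

# Constructed sample message in the format Azure Resource Manager returns.
SAMPLE_ERROR="The client '00000000-0000-0000-0000-000000000001' with object id '00000000-0000-0000-0000-000000000002' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/read' over scope '/subscriptions/00000000-0000-0000-0000-000000000003/resourcegroups/usw-sys-rg-001' or the scope is invalid."

# Usage: sh find_sp.sh "<error message pasted verbatim from AWX>"
if [ -n "${1:-}" ]; then
    client_id=$(authz_field 'The client' "$1")
    object_id=$(authz_field 'with object id' "$1")
    echo "Client id $client_id (object id $object_id), signed-in tenant:"
    show_tenant
    find_principal "$client_id"
    list_assignments "$object_id"
fi
```

If the last command prints nothing for the scope in the error, the principal simply has no assignment there; if find_principal fails with a not-found error while the CLI is signed in to the right tenant, the id belongs to another tenant.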
Related
I am attempting to use Microsoft Graph API to manage Azure AD B2C users from an application, but I have been unable to authenticate using my client id / secret.
First, I followed the steps here to register an application:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-get-started?tabs=app-reg-ga
At the end of that article, I was directed here to learn how to get an access token: https://learn.microsoft.com/en-us/graph/auth-v2-service#4-get-an-access-token
They suggest using the endpoint https://login.microsoftonline.com/mytenant/oauth2/v2.0/token, but when I use my tenant in that URL, I get the error "Tenant 'mytenant' not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID. Check with your subscription administrator."
Makes sense, that's not the kind of url I've been using anyway. But what the heck endpoint should I use? So I tried a few.
There are some endpoint suggestions in my application overview, in the format of
https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/policy-name/oauth2/v2.0/token
But what is the policy name? There was nothing in the instructions about setting up a policy.
I have some user flows that might be what they're talking about, so I tried a few, like
if I use https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/b2c_1_sign_in/oauth2/v2.0/token,
I get "The supplied grant_type [client_credentials] is not supported."
There are also endpoints suggested in my workflows, in the format
https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_sign_in
This gives the same client_credentials error.
I also tried with a b2c_1_ropc user flow instead of b2c_1_sign_in, with similar results.
What am I doing wrong? Are the instructions incomplete? Have I not guessed the appropriate endpoint?
All of your assumed suggestions are incorrect.
The doc says to use the endpoint https://login.microsoftonline.com/mytenant/oauth2/v2.0/token, this is wholly correct.
If your B2C tenant's name is contoso.onmicrosoft.com (or contoso.b2clogin.com), then the endpoint is https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/token
In my case, my B2C tenant name (see under Tenant Properties in Azure) was Company Customers, so all my user flow endpoints were showing as:
https://Company Customers.b2clogin.com/mytenantdev.onmicrosoft.com/...
I had to update the tenant name, removing the space and then re-create my application registration and things started working. I didn't have to redo the user flows however.
So the final endpoints looked something like this: https://mytenant.b2clogin.com/mytenantdev.onmicrosoft.com/<policy-name>...
Should also note, I had to log out of Azure and back in to get the tenant name to start appearing correctly in the console.
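The token request the first answer describes, as an added example that is not part of either answer: the client credentials grant against login.microsoftonline.com using the tenant's onmicrosoft.com name, requesting the Microsoft Graph .default scope. The b2clogin.com user-flow endpoints only serve interactive flows, which is where the "grant_type [client_credentials] is not supported" error comes from, so the endpoint builder refuses them. curl is assumed; tenant, client id and secret are placeholders read from the environment.

```shell
#!/usr/bin/env sh
# Added example, not from the original answers. Client credentials token for
# Microsoft Graph in a B2C tenant. Assumes curl; B2C_TENANT, B2C_CLIENT_ID and
# B2C_CLIENT_SECRET are placeholders supplied through the environment.
set -eu

# Build the v2.0 token endpoint from the tenant name (contoso.onmicrosoft.com).
# Refuses b2clogin.com hosts and policy-style paths: those serve user flows,
# not client_credentials.
token_endpoint() {
    case $1 in
        *b2clogin.com*|*/*)
            echo "token_endpoint: use the tenant name (e.g. contoso.onmicrosoft.com), not a b2clogin.com user-flow URL" >&2
            return 1 ;;
    esac
    printf 'https://login.microsoftonline.com/%s/oauth2/v2.0/token\n' "$1"
}

# Request an app-only token. Scope must be <resource>/.default for this grant;
# the application permissions granted (and admin-consented) on the app
# registration appear in the token's "roles" claim.
get_app_token() {
    tenant=$1; client_id=$2; client_secret=$3; scope=$4
    endpoint=$(token_endpoint "$tenant") || return 1
    curl -sS -X POST "$endpoint" \
        --data-urlencode "client_id=$client_id" \
        --data-urlencode "client_secret=$client_secret" \
        --data-urlencode "scope=$scope" \
        --data-urlencode "grant_type=client_credentials"
}

# Usage: B2C_TENANT=contoso.onmicrosoft.com B2C_CLIENT_ID=... B2C_CLIENT_SECRET=... sh get_token.sh
if [ -n "${B2C_TENANT:-}" ]; then
    get_app_token "$B2C_TENANT" "$B2C_CLIENT_ID" "$B2C_CLIENT_SECRET" \
        "https://graph.microsoft.com/.default"
    echo
fi
```

The response is the token JSON from the endpoint; pipe it through jq -r .access_token if jq is installed. A token that comes back without a "roles" claim means the Graph application permissions were not admin-consented, and Graph calls with it will fail with 403 rather than 401.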
What I'm doing:
My machine learning developer is trying to manually provision a ML Workspace in Azure.
Error:
{"message":"The client 'name#company.com' with object id 'xxxxxxx-xxxxxx-xxxxx-xxxxxxetc.' does not have authorization to perform action 'Microsoft.MachineLearningServices/register/action' over scope '/subscriptions/'xxxxxxx-xxxxxx-xxxxx-xxxxxxetc.'' or the scope is invalid. If access was recently granted, please refresh your credentials. (Code: AuthorizationFailed)"}
What I've tried:
I see two existing discussions on this error from azure here and here. In both cases the users are using a service account with an API, and the gist of the solutions offered are to grant the service account the proper role assignments in access control. In my case, however, the user is trying to create the resource manually via the portal, and the user already has 'owner' role over the resource group. What more could I grant them? How does she refresh her credentials? Any pointers? THANKS!
Definitely looks like a permission issue. Spitball idea: maybe you also have to add the account to the subscription?
edit:
Definitely seems like a bug!
https://github.com/MicrosoftDocs/azure-docs/issues/61114#issuecomment-677703149
I am working on documenting integration with Azure for later use by colleagues. This is for obtaining an AAD bearer token (done) and using it to get a Logic Apps callback URL. There is the problem, which is to correctly permit the client application. I am not finding documentation on the correct scope to set in the Portal. Also, I don't have the admin permissions myself to try it, so trial-and-error is not an option.
Right now, I have registered in Azure an app with only default permissions. So, when I try the desired action, I get back the error response:
{
"error": {
"code": "AuthorizationFailed",
"message": "The client '{Client Id}' with object id '{object id}' does not have authorization to perform action 'Microsoft.Logic/workflows/triggers/listCallbackUrl/action' over scope '/subscriptions/{subscription id}/resourceGroups/{resourceGroup Name}/providers/Microsoft.Logic/workflows/{workflow name}/triggers/manual'."
}
}
In trying to get the app the right permissions, I am encountering the error in Azure portal:
You are adding permission(s) that require an admin to consent, users will not be able to use the application until an admin grants permissions to the application.
Which I expect, so I am seeking to tell my admins the exact permission(s) that need to be granted or delegated.
Possibly this can be done in PowerShell, more easily than in the Portal, or even in the CLI. I am not wedded to a particular method, just looking for direction or documentation on how to correctly configure the client app. I figure I need to give our app at least Contributor access to the resource group via the Access Control (IAM) tab. However, in this subscription, I do not have the "Add" option there, suggesting I do not have permission to do it.
Right now, I am using the documentation at register your client application with azure ad but am not finding the steps toward correctly permitting the registered client when I am unable to try it out before explaining it to someone else. Maybe there is more detailed documentation, or a blog post someone knows of that I have not found?
Thank you
Getting the callback URL at runtime requires permission to invoke the API action Microsoft.Logic/integrationAccounts/assemblies/listContentCallbackUrl/action. You can do this in a couple of ways:
create a custom role with the required API access. This is nice from a least-privilege perspective, but you're limited to 200 custom roles and you'd need to document what the role is for and track that going forward
You could leverage the built in role of logic app contributor which has carte blanche on logic app apis.
Whichever you choose, the next step is to assign the service principal associated with your application (or the user or group account defined in AD) to the role. Here is a great walkthrough for the role assignment process using the portal or using the CLI, if you prefer.
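Both routes from the answer above with the Azure CLI, as an added example that is not part of the answer: a custom role limited to the action named in the error message in the question (Microsoft.Logic/workflows/triggers/listCallbackUrl/action), assigned at the scope of the single workflow from that message rather than the whole resource group, and the built-in Logic App Contributor alternative. The subscription, resource group, workflow and application ids are placeholders, the role name is made up for the example, and the role definition JSON is produced by a small shell function so it can be reviewed (or handed to the admins) before anything is created.

```shell
#!/usr/bin/env sh
# Added example, not from the original answer. Grants a registered application's
# service principal the right to fetch a Logic App trigger callback URL.
# SUB, RG, WORKFLOW and APP_ID are placeholders; set RUN_AZ=1 to execute.
set -eu

SUB=${SUB:-00000000-0000-0000-0000-000000000000}
RG=${RG:-my-rg}
WORKFLOW=${WORKFLOW:-my-workflow}
APP_ID=${APP_ID:-11111111-1111-1111-1111-111111111111}
ACTION="Microsoft.Logic/workflows/triggers/listCallbackUrl/action"
CUSTOM_ROLE="Logic App Callback URL Reader"   # name chosen for this example

# Scope exactly as it appears in the error message: the workflow itself.
workflow_scope() {
    printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Logic/workflows/%s\n' "$1" "$2" "$3"
}

# Emit a custom role definition. $1 = subscription (assignable scope),
# $2 = role name, remaining args = Actions. No DataActions are needed here.
make_role_definition() {
    sub=$1; name=$2; shift 2
    actions=""
    for a in "$@"; do
        actions="${actions:+$actions, }\"$a\""
    done
    printf '{\n  "Name": "%s",\n  "Description": "List Logic App trigger callback URLs",\n  "Actions": [ %s ],\n  "NotActions": [],\n  "AssignableScopes": [ "/subscriptions/%s" ]\n}\n' \
        "$name" "$actions" "$sub"
}

# Role assignments bind to the service principal's object id, not to the
# app registration, so resolve the application (client) id first.
sp_object_id() {
    az ad sp show --id "$1" --query id -o tsv
}

assign_role() {
    role=$1; principal=$2; scope=$3
    az role assignment create \
        --assignee-object-id "$principal" \
        --assignee-principal-type ServicePrincipal \
        --role "$role" \
        --scope "$scope"
}

if [ "${RUN_AZ:-0}" = 1 ]; then
    scope=$(workflow_scope "$SUB" "$RG" "$WORKFLOW")
    principal=$(sp_object_id "$APP_ID")
    # Option 1: least privilege, a custom role with only the action from the error.
    make_role_definition "$SUB" "$CUSTOM_ROLE" "$ACTION" > role.json
    az role definition create --role-definition @role.json
    assign_role "$CUSTOM_ROLE" "$principal" "$scope"
    # Option 2 (instead of option 1): the built-in role covering all Microsoft.Logic actions.
    # assign_role "Logic App Contributor" "$principal" "$scope"
    # Verify what the principal now holds at that scope.
    az role assignment list --assignee "$principal" --scope "$scope" -o table
fi
```

The "If access was recently granted, please refresh your credentials" suffix on these errors is about token caching: an assignment takes a few minutes to propagate, and a bearer token obtained before the assignment does not reflect it, so request a new token after the assignment lands.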
I want to get the health and other resource details of a particular Azure Account or Subscription using these API's
https://learn.microsoft.com/en-us/rest/api/resourcehealth/availabilitystatuses/listbysubscriptionid
When I do TryIt on the web page it works, but if I want to do it using, say, Postman or programmatically, how do I generate the authorization key? I have seen docs to create an authorization key using "App Registrations", but I don't have any web app here. All I want to do is get the details of a particular account or subscription using Azure-provided API calls and any AD user with proper roles for authentication.
This link provides some details, but then I don't have a client id here, since I don't have any web app:
https://msdn.microsoft.com/en-gb/library/azure/dn645543.aspx
Please let me know if anyone has tried doing this.
Thanks
You have to register an app in Azure AD.
This does not need to be an actual "Web app".
You are registering a service principal (you can think of it as a service account).
After registering the app (with type Web App/API), generate a Key for it.
Write down the Application Id (Client Id) and the key (Client Secret).
Then give the service principal access through the Access Control (IAM) section on the subscription/resource group/resource to which you want to give the app access.
You can then follow the instructions here to generate the access token: https://msdn.microsoft.com/en-gb/library/azure/dn645543.aspx.
Remember to use https://management.azure.com/ as the resource since you are calling the ARM API.
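The whole procedure above with the Azure CLI and curl, as an added example that is not part of the answer: create the service principal and its Reader role assignment on the subscription in one step, obtain an Azure Resource Manager token for it, check that the token's audience really is management.azure.com before pasting it into Postman, and call the Resource Health availability statuses API from the question. The subscription id is a placeholder and the api-version is the one current when this example was written; check the REST reference linked in the question for the latest.

```shell
#!/usr/bin/env sh
# Added example, not from the original answer. Service principal, ARM token,
# Resource Health call. SUB is a placeholder subscription id.
set -eu

SUB=${SUB:-00000000-0000-0000-0000-000000000000}
ARM=https://management.azure.com/

# Decode the payload (second segment) of a JWT without verifying it.
# Enough to sanity-check the aud claim before handing a token to Postman.
jwt_payload() {
    seg=$(printf '%s' "$1" | cut -d. -f2 | tr '_-' '/+')
    case $(( ${#seg} % 4 )) in
        2) seg="$seg==" ;;
        3) seg="$seg=" ;;
    esac
    printf '%s' "$seg" | base64 -d
}

# A token issued for Graph (or anything other than ARM) gets a 401 from ARM,
# which is why the resource/scope must name management.azure.com.
token_is_for_arm() {
    jwt_payload "$1" | grep -q '"aud": *"https://management\.azure\.com/\{0,1\}"'
}

# Step 1: register the app, create its service principal and assign Reader
# on the subscription. Prints appId, password and tenant; the password is
# shown once only.
create_principal() {
    az ad sp create-for-rbac --name "resource-health-reader" \
        --role Reader --scopes "/subscriptions/$1"
}

# Step 2: sign in as the principal and get an access token for ARM.
arm_token() {
    az login --service-principal -u "$1" -p "$2" --tenant "$3" >/dev/null
    az account get-access-token --resource "$ARM" --query accessToken -o tsv
}

# Step 3: call the Resource Health API with the bearer token.
availability_statuses() {
    curl -sS -H "Authorization: Bearer $2" \
        "https://management.azure.com/subscriptions/$1/providers/Microsoft.ResourceHealth/availabilityStatuses?api-version=2020-05-01"
}

# Usage: sh arm_token.sh create
#        APP_ID=... APP_SECRET=... TENANT=... sh arm_token.sh query
case ${1:-} in
    create) create_principal "$SUB" ;;
    query)
        tok=$(arm_token "$APP_ID" "$APP_SECRET" "$TENANT")
        token_is_for_arm "$tok" || { echo "token audience is not ARM" >&2; exit 1; }
        availability_statuses "$SUB" "$tok" ;;
esac
```

Reader on the subscription is enough for this read-only API; assign the role at a resource group instead if the caller should only see part of the subscription. The token printed by az account get-access-token is what goes into Postman's Authorization header as "Bearer <token>".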
I am trying to implement KeyVault managed Storage Account in Azure to rotate storage keys using KeyVault. I did follow the documentation, which uses both "ServicePrincipalID" and "UserPrincipalID", but in my case I am provisioning my resources and implementing all the steps involved using my service principal (as we deploy using VSTS with a service principal) and using "ServicePrincipalID" as ObjectID in place of "UserPrincipalID" (as there is no user intervention during the provisioning and post-provisioning process). I did give my service principal the "Owner" role and all required permissions for KeyVault to access storage. But when I do "Add-AzureKeyVaultManagedStorageAccount" I get the below error which says "KeyVault is unable to perform the action on behalf of the caller". So I am not sure what access I am still missing, even after making my principal an Owner. Please find my screenshots below for more details. Would be glad to hear any suggestions to cross this hurdle.
Error
KeyVault details
Thanks
Chaitanya Alladi.
I get the below error which says "KeyVault is unable to perform the action on behalf of the caller". So I am not sure what access I am still missing, even after making my principal an Owner.
Unfortunately, we can't do that with a service principal now.
AAD doesn't support getting an OBO (On-Behalf-Of) token for service principal caller tokens.
We need to use the user credentials instead of Service Principal credentials. There are some operations that are only possible on behalf of the user and not Service Principal when it comes to storage account keys as of now.