How to run log analytics query using azure api? - azure

I have been trying to run a log analytics query using Azure API but it returns some error
{
"error": {
"message": "Valid authentication was not provided",
"code": "AuthorizationRequiredError",
"correlationId": "27301475d-cc29-4288-ae61-29e77d6d05cb"
}
}
this was the request I have been trying
https://api.loganalytics.io/v1/workspaces/34567824-3432rewfsdewt435-3424jhh-dsa-/query?query=search in (ContainerLog) "search_data"| where TimeGenerated > datetime("2020-09-03")| project LogEntry & Authorization=Bearer 0000000000000000000000000000
if you guys know anything please help me
Thank you

When we use Azure Log Analytics REST API to do a query, we need to use Authorization=Bearer {token} as request Headers. For more details, please refer to here.
For example:
1. Register Azure AD application
2. Configure API permissions for the AD application
3. Give the AAD Application access to our Log Analytics Workspace. Please assign Log Analytics Reader role to the AD application
4. Get access token
    POST /<your tenant id>/oauth2/token HTTP/1.1
    Host: login.microsoftonline.com
    Content-Type: application/x-www-form-urlencoded

    grant_type=client_credentials
    &client_id=<>
    &client_secret=<>
    &resource=https://westus2.api.loganalytics.io
5. Call the API
a. POST method
    POST https://api.loganalytics.io/v1/workspaces/{workspaceId}/query
    Authorization: Bearer {access_token}
    Content-Type: application/json

    {
    "query": ""
    }
b. GET method
    GET https://api.loganalytics.io/v1/workspaces/{workspaceId}/query?query={query}
    Authorization: Bearer {access_token}
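
The two requests from the answer above, built in Python as an added example (not code from the original posts): the token travels in the Authorization header rather than the query string, and the KQL text is percent-encoded for the GET form. The function names and placeholder values are assumptions; the endpoints and the resource value are the ones given in the answer.

```python
import json
import urllib.parse
import urllib.request

API_BASE = "https://api.loganalytics.io/v1/workspaces"

def build_token_request(tenant_id, client_id, client_secret, resource):
    """Client-credentials token request, form-encoded as in the answer."""
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }).encode()
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    return urllib.request.Request(
        url, data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})

def build_query_request(workspace_id, kql, access_token, method="POST"):
    """Query request with the bearer token in a header, never in the URL."""
    url = f"{API_BASE}/{urllib.parse.quote(workspace_id, safe='')}/query"
    headers = {"Authorization": f"Bearer {access_token}"}
    if method == "GET":
        # KQL contains spaces, quotes and pipes, so it must be percent-encoded.
        url += "?" + urllib.parse.urlencode({"query": kql},
                                            quote_via=urllib.parse.quote)
        return urllib.request.Request(url, headers=headers, method="GET")
    headers["Content-Type"] = "application/json"
    body = json.dumps({"query": kql}).encode()
    return urllib.request.Request(url, data=body, headers=headers, method="POST")

def send(request):
    """Send a prepared request and decode the JSON response (needs network)."""
    with urllib.request.urlopen(request, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # Placeholder values (assumptions); substitute real ones before running.
    tok = send(build_token_request(
        "<tenant-id>", "<client-id>", "<client-secret>",
        "https://westus2.api.loganalytics.io"))  # resource value from the answer
    req = build_query_request("<workspace-id>", "ContainerLog | take 5",
                              tok["access_token"])
    print(send(req))
```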

See also Valid authentication was not provided thread's answer:
Use API key
You may also create API key and use it for your request:
Go to Application Insights in Azure Portal
Click on API Access blade under Configure section
Create new API key
Use it in REST API calls in a header with Key = x-api-key

Related

Microsoft Defender for Cloud Apps REST API- Insufficient role based permissions

I am trying to investigate file uploads to see if they are matched by File Scan policies in Microsoft Defender for Cloud Apps (aka MCAS). I can see them fine at the portal but I need to automate the process via API.
As per documentation, I did create Azure AD application and provided the permissions. This is needed to get access token which is needed to make api calls.
I am getting Insufficient role based permissions error when I call https://aspnet4you2.us3.portal.cloudappsecurity.com/api/v1/files/.
I get same error if I use https://portal.cloudappsecurity.com/cas/api/v1/files/
Any idea how to solve this Insufficient permission issue?
I tried to reproduce the same in my environment and got below results
I registered one Azure AD application and granted API permissions as below:
Now I generated access token via Postman with below parameters:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:appID
grant_type:client_credentials
client_secret:secret
scope:05a65629-4c1b-48c1-a78b-804c4abdd4af/.default
Response:
When I used the above token to get files with both URLs, I got same error as below:
GET https://portal.cloudappsecurity.com/cas/api/v1/files/
Authorization: Bearer <token>
GET https://mytenantname.us3.portal.cloudappsecurity.com/api/v1/files/
Authorization: Bearer <token>
With the same token, I'm able to call all other APIs like alerts, activities etc. like below:
GET https://mytenantname.us3.portal.cloudappsecurity.com/api/v1/alerts/
Authorization: Bearer <token>
Note that, calling file APIs is not available in application context.
Alternatively, you can make use of Legacy Method by generating one API token like below:
Go to Defender for Cloud Apps portal -> Settings -> Security extensions -> API tokens -> Add a token
Now, enter Token name and select Generate as below:
API token will be generated successfully and copy the token to use in Postman:
When I used the above API token to call files API with both URLs, I got response successfully as below:
GET https://portal.cloudappsecurity.com/cas/api/v1/files/
Authorization: Token <token>
GET https://mytenantname.us3.portal.cloudappsecurity.com/api/v1/files/
Authorization: Token <token>
You can try the same in your environment by generating API token instead of Bearer token to call Files API.
Reference:
Defender for Cloud Apps file API “Insufficient role based permissions” by Sangho Cho

How to pass bearer token API in Azure Data Factory

I have an API which has Authorization as bearer token. I tested in Postman and it's working. However, it's not working when I used web activity in the ADF.
I am passing the url in the URL section. Created new header, typed Authorization and gave value "Bearer token"
Getting below error
Error
Troubleshoot activity failures
{
"errorCode": "2108",
"message": "{\"error\":{\"type\":\"invalid_request_error\",\"message\":\"Request forbidden by administrative rules. Please make sure your request has an acceptable User-Agent header.\",\"documentation_url\":\"https://developer.dentally.co\"}}",
"failureType": "UserError",
"target": "Web1",
"details": []
}
Can anyone please advise?
I reproduced the same in my environment. I successfully generated a bearer Token with Postman.
To solve the above error code:2200. Please follow the below approach.
I used the same URL with web Activity and generated a bearer Token in the Azure data factory.
Generate bearer Token as shown below:
Connect Web activity 2 with newly created Web1 activity
Add dynamic expression: Bearer @{activity('Web2').output.data.Token}
Output:
Reference:
Sample Rest API URL for testing with authentication by Ashok Patel

Register an Application in Azure AD using the graph API

I am trying to register an application on the azure ad using the Graph API calls.
I am using the postman to hit the APIs and I have admin access in Azure.
So Far I have tried the following things:
I registered an application manually on Azure AD using this doc- https://learn.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/aad/service-prin-aad-token. (I gave all the required permissions to my application)
I am fetching the token using the service to service call client credentials- https://learn.microsoft.com/en-us/azure/active-directory/azuread-dev/v1-oauth2-client-creds-grant-flow.
After getting the token I pass it in the Authorization and hit the MS graph Create Application endpoint. https://learn.microsoft.com/en-us/graph/api/application-post-applications?view=graph-rest-1.0&tabs=http.
But in Postman, I am not getting any response body. I have checked my Azure tenant but I am not able to find any newly registered app.
For Token service(Get)
Endpoint- https://login.microsoftonline.com/{my-tenant-id}/oauth2/token
body-
grant_type:client_credentials
client_id:{app-id}
scope:https://graph.microsoft.com/.default
client_secret:{secret}
//resource:https://graph.microsoft.com
Response success(200) with token
For Create App(POST)
https://graph.microsoft.com/v1.0/applications
body: {
"displayName": "Created with MS Graph API"
}
Authorization: Bearer {token}
Response: Nothing is showing in response
Response from API
You can register the application using the Create Application API
POST https://graph.microsoft.com/beta/applications
You need to have enough permissions first to be able to register an application with Azure AD. This sample shows how to register and create an application to target the Graph API. https://github.com/microsoftgraph/aspnet-snippets-sample
I found the solution. In the API header, I was specifying Content-Length = 67, which was not required. Now I am able to get the success response.
https://learn.microsoft.com/en-us/graph/api/application-post-applications?view=graph-rest-1.0&tabs=http
If we look at the MS documentation, They have provided the below example
POST https://graph.microsoft.com/v1.0/applications
Content-type: application/json
Content-length: 67
{
"displayName": "Display name"
}
We don't need to pass the Content-Length in headers.

Calling an azure function secured by AAD

I want to call an azure function. The authentication for this function is enabled by Azure AD.
I want to call this function from an azure web job or internal tool that may use HTTP and connect the function automatically. In this case, there is no way to prompt a login page and then login.
Can I get a token for the function where AAD is enabled, and then while calling the function will send the token as bearer token?
How to accomplish that or any better idea?
Regarding how to call the Azure function protected by Azure AD, please refer to the following steps:
1. Configure Azure AD for Azure Function
2. Get the details of AD application used to protect Azure function
a. Get application ID
b. Create client secret
c. Get Application Id Url
3. Use client credentials flow to get Azure AD access token
    POST /<your tenant id>/oauth2/token HTTP/1.1
    Host: login.microsoftonline.com
    Content-Type: application/x-www-form-urlencoded

    grant_type=client_credentials
    &client_id=<your application id>
    &client_secret=<your client secret>
    &resource=<your application id url>
4. Call Azure function
    <function url>
    Authorization: Bearer <access token>

JWT token issue on Azure Management API

I've been trying to use the Azure Service Management API in order to list the Hosted Services with no success.
In the first place, I was able to set up the authentication using PowerShell as the Microsoft documentation states here: https://msdn.microsoft.com/en-us/library/azure/dn790557.aspx
My first step was to request an access token using OAuth2 making a POST request to this URL:
https://login.windows.net/<MY_TENANT_ID>/oauth2/token
and passing these parameters:
grant_type: client_credentials
client_id: <THE_CLIENT_ID_OF_THE_APP_REGISTERED_THROUGH_POWERSHELL>
client_secret: <THE_PASSWORD_OF_APP_REGISTERED_THROUGH_POWERSHELL>
resource: https://management.core.windows.net
so, I receive a valid response and an access_token included in the response. So far so good.
Then, I want to make a simple call to the Management API; I would like to list my Hosted Services (Cloud Services), so I make a GET request to this URL:
https://management.core.windows.net/<MY_SUBSCRIPTION_ID>/services/hostedservices
Including the following headers:
Authorization: Bearer <THE_ACCESS_TOKEN_RECEIVED_IN_THE_PREVIOUS_STEP>
x-ms-version: 2014-10-01 (I've also tested with different versions)
but, what I get is a 401 Unauthorized error, with the following message:
The JWT token does not contain expected audience uri 'https://management.core.windows.net/'
I also tried with a Native Application registered directly in the Azure Portal (with Permissions set to use the Service Management API) and requesting a token using the grant_type = authorization_code. I get the access_token correctly and a refresh_token, but when I try to make a request to the above URL, I get the same error message.
On a side note, I am able to use the Azure Insights API successfully; the issue above is with the Azure Service Management API.
Anyone knows what I am missing?
I faced the same problem today. Complete the resource url with '/' https://management.core.windows.net
See the mismatch between the url in your resource and the one in the error message 'https://management.core.windows.net/'
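
A diagnostic sketch for the audience error discussed in this thread, added here and not part of the original posts: it decodes a token's payload without verifying it and compares the aud claim with the audience the API expects. The sample tokens are constructed and unsigned, the function names are hypothetical, and it is assumed that aud mirrors the resource value sent in the token request.

```python
import base64
import json

def jwt_claims(token):
    """Decode the payload of a compact JWT WITHOUT verifying the signature.
    Diagnostics only; never make trust decisions on claims read this way."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def audience_problem(token, expected_aud):
    """Return None if aud matches exactly, else a message describing the mismatch."""
    aud = jwt_claims(token).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected_aud in auds:
        return None
    stripped = expected_aud.rstrip("/")
    if any(isinstance(a, str) and a.rstrip("/") == stripped for a in auds):
        return f"aud {aud!r} differs from {expected_aud!r} only by a trailing slash"
    return f"aud {aud!r} does not match {expected_aud!r}"

def make_sample(aud):
    """Build a constructed, unsigned sample token; not a real Azure AD token."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'aud': aud})}."

# Audience quoted in the error message on this page.
EXPECTED = "https://management.core.windows.net/"
# Constructed samples: resource requested without and with the trailing slash.
SAMPLE_BAD = make_sample("https://management.core.windows.net")
SAMPLE_OK = make_sample("https://management.core.windows.net/")

if __name__ == "__main__":
    print(audience_problem(SAMPLE_BAD, EXPECTED))
    print(audience_problem(SAMPLE_OK, EXPECTED))
```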
