I would need to start an Azure Data Factory pipeline from REST API as per https://learn.microsoft.com/en-us/rest/api/datafactory/pipelines/createrun#code-try-0
I have created an AAD app, and given it the Azure Service Management API Permission. However when the client through the OAuth2 Implicit flow receives an id_token and invokes that API to start a pipeline I get
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "The access token is invalid."
}
}
Am i using proper API pemrission? thanks.
If you just want to use OAuth2 flow to get the token to call the REST API, the client credentials flow is more suitable than the Implicit flow in this case.
Please follow the steps below.
1.Get values for signing in and create a new application secret.
2.Navigate to the data factory -> Access control (IAM) -> Add -> add your AD App as an RBAC role e.g. Contributor, Owner, Data Factory Contributor, details follow this.
3.In the postman, follow the screenshot below, fix the request body got from step 1, then use the token to call REST API, it will work fine.
POST https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
client_id=<client_id>
&scope=https://management.azure.com/.default
&client_secret=<client_secret>
&grant_type=client_credentials
I cant test it right now but I would assume that having Data Factory Contributor should be enough for this.
https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#data-factory-contributor
Related
I want create APIM subscriptions through rest api, And was able to do it successfully by following this Microsoft doc, https://learn.microsoft.com/en-us/rest/api/apimanagement/current-ga/subscription.
And for Authentication I am generating a bearer token using ROPC grant type(My UserName & Password). Everything works fine with this flow.
But i dont want to configure my username & password in a application to get a bearer token, instead i followed Client-Credentials grant type(get token by client id & secret), i am able to generate token, but when i use that token to create subscription in APIM, i am getting a exception
The client '0--e' with object id '0--e' does not have authorization to perform action 'Microsoft.ApiManagement/service/subscriptions/write'
Is it possible to add a AAD application inside APIM AccessControl(IAM) to grant permission.
Or is this any other way to do this? or ROPC is the only way?
Can someone please help.
Yes, you can grant permission to AAD application (service principal) in APIM Access Control (IAM) by assigning it API Management Service Contributor role.
I tried to reproduce the same in my environment and got the below results:
I have generated one access token using Client-Credentials grant type like below:
When I used the above token to create APIM subscription with below query, I got the same error:
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ApiManagement/service/apimService1/subscriptions/testsub?api-version=2021-12-01
{
"properties": {
"ownerId": "/subscriptions/subid/resourceGroups/rgname/providers/Microsoft.ApiManagement/service/servicename/users/xxxxxxxxxxx",
"scope": "/subscriptions/subid/resourceGroups/rgname/providers/Microsoft.ApiManagement/service/servicename/products/xxxxxxxxxxx",
"displayName": "testsub"
}
}
Response:
To resolve the error, you need to grant API Management Service Contributor role for that application like below:
Go to Azure Portal -> APIM Services -> Your APIM -> Access control (IAM) -> Add role assignment
After granting the above role, I generated the access token again and ran the same query as below:
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ApiManagement/service/apimService1/subscriptions/testsub?api-version=2021-12-01
Response:
When I checked the Portal, APIM subscription got created successfully like below:
Reference:
How to use Role-Based Access Control in Azure API Management | Microsoft Docs
I am trying to retrieve the web job history of an Azure web job via REST using a .NET backend and the OAuth2 credentials flow (as described here
https://learn.microsoft.com/en-us/rest/api/appservice/web-apps/get-triggered-web-job-history-slot)
How do I need to authenticate correctly?
I retrieve the token as follows:
POST https://login.microsoftonline.com/{MySubscription}/oauth2/v2.0/token
client_id={MyApp}
&grant_type=client_credentials
&scope=https://management.azure.com/.default
&client_secret={myclient_secret}
I get a token back, however I get a 403 error message when I try to retrieve the resource:
GET https://management.azure.com/subscriptions/{MySubscription}/resourceGroups/{MyResource}/providers/Microsoft.Web/sites/{MyApp}/slots/{MySlot}/triggeredwebjobs/{MyWebjob}/history?api-version=2021-02-01
Authorization: Bearer {MyToken}
Client '{MyApp}' with object ID '{MyApp}' is not
authorized to perform the action
'Microsoft.Web/sites/slots/triggeredwebjobs/history/read' using the
scope
'/subscriptions/{MySubscription}/resourceGroups/{MyResource}/providers/Microsoft.Web/sites/{MyApp}/slots/{MySlot}/triggeredwebjobs/{MyWebjob}'
or the scope is invalid. If access was granted recently, please update
your credentials.
What am I doing wrong?
I already added the API-Permission
The "403 Token invalid" error usually occurs if you missed giving permissions to particular scope (Azure Service Management).
By giving this scope it enables you to access https://management.azure.com
To resolve this error, please follow below steps:
Go to Azure Ad ->your application -> API permissions -> Add permission -> Azure Service Management -> delegated permissions ->User impersonation -> Add
After giving these permissions try to retrieve the resource again, there won't be any error.
Since I didn't find a solution that worked with OAuth2 and the Credentials flow, I got it working with Basic Authentication. The username (userName) and password (userPWD) can be taken from the publishing profile of the respective app service.
GET https://{appservicename}.scm.azurewebsites.net/api/triggeredwebjobs/{jobName}/history
Authorization Basic ....
I am trying to add a user role to a subscription in Azure using REST API following this documentation.
I got a bearer token with my login and passed it as a header Authorization parameter.
Gave all the values as described in the doc
PFA REST API call I performed.
API response says below;
{
"error": {
"code": "AuthenticationFailed",
"message": "Authentication failed."
}
}
Please let me know if any one successfully used this API and performed operations. Also is there any Azure .NET API to this operation?
REST API Postman request
The error means your user account does not have the permission to create the role assignment, specifically Microsoft.Authorization/roleAssignments/write.
To solve the issue, you need to ask the admin who is the Owner or User Access Administrator(or custom RBAC role with Microsoft.Authorization/roleAssignments/write permission) of your subscription to assign the Owner or User Access Administrator or custom role with the permission above for you at the subscription scope first, follow this link, then get a new token, you will be able to assign the role to others like the admin assign the role to you i.e. create role assignment.
Update:
If you want to get the access token via your user credential, you could use the auth code flow, please follow the steps below.
1.In your App registration, add the user_impersonation Delegated permission of Azure Service Management API.
2.Hit the URL below in the browser, change the tenant-id, client-id, redirect_uri to yours, login your user account.
https://login.microsoftonline.com/tenant-id/oauth2/v2.0/authorize?
client_id=xxxxxxxx
&response_type=code
&redirect_uri=http://localhost
&response_mode=query
&scope=https://management.azure.com/.default
&state=12345
Then you will get a code like below, copy it.
Don't forget to remove the state and session_state.
3.In the postman, use the query below, then you can get the token.
I am trying to use the Microsoft Graph API to configure an Azure B2C instance. Specifically, I need to create UserFlows and IdentityProviders. For this purpose, I have created an AppRegistration with IdentityProvider.ReadWrite.All and IdentityUserFlow.ReadWrite.All API application permissions for the Microsoft Graph. I am able to call the APIs for creating new user flows and identity providers without a problem, but I am unable to link flows to an identity provider. Whenever I use any of the linking API's, I get an error:
AADB2C (User Authorization: Access is denied)
As an example, I get this when trying to list registered identity providers for specific user flow, i.e.
GET https://graph.microsoft.com/beta/identity/b2cUserFlows/B2C_1_{flowId}/identityProviders
The response for this request is a 403 with
{
"error": {
"code": "AADB2C",
"message": "User Authorization: Access is denied.",
"innerError": ...
}
}
I am using the Beta API as described in the docs here: https://learn.microsoft.com/en-us/graph/api/b2cuserflows-list-identityproviders?view=graph-rest-beta&tabs=http. I get the samme error when trying to link a user flow with an identity provider as described in the documentation here: https://learn.microsoft.com/en-us/graph/api/b2cuserflows-update-identityprovider?view=graph-rest-beta&tabs=http
Any idea why I keep getting this authorization block?
Update: I have tried expanding the .IdentityProviders property on a userflow when reading it from the graph api. This does not give a 403, but the identity providers list, on the returned user flow, is empty even when providers have been manually added to the flow in the Azure Portal.
Please ensure to comply with this:
The work or school account needs to belong to one of the following
roles:
Global administrator External Identity User Flow administrator
I completely followed this link https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication?view=azure-bot-service-4.0&tabs=aadv1%2Ccsharp%2Cbot-oauth and created a Azure AD app registration and used Azure Active Directory v1 for my web app bot.
After sign in, I view the token but with that token I cannot access the Azure API's, as it shows below response in Postman:
{
"error": {
"code": "AuthenticationFailed",
"message": "Authentication failed."
}
I called the Azure API below:
https://management.azure.com/subscriptions/${subscriptionId}/providers/Microsoft.Consumption/usageDetailsapi-version=2018-10-01
In my app registration in Azure AD, I have given these permission to access the Azure API:
In my Web App Bot -> Settings -> OAuth Connection Settings, I select:
ClientId -> My application client id
ClinetSecret -> My application client secret
GrantType -> I does not know what to give so I just typed "authorization_code" (If this wrong then Where I need to find my grantType)
LoginURL -> https://login.microsoftonline.com
TenantId -> common (To allow any user)
ResourceURL -> https://graph.microsoft.com/
Scopes -> I just left blank
Why am I not able to access the Azure API with that token?
Any Help. Thanks
An access token issued by Azure AD will always be for a specific resource. Which service a token is intended for is identified in the token's "audience" (in the aud claim). When using the v1 endpoint, the resource for which an app requests an access token is identified in the resource parameter of the authorization request. In the v2 endpoint, the resource is identified as part of the scope parameter.
In your case, the resource you've configured your bot to get a token for is Microsoft Graph (https://graph.microsoft.com), but then you're trying to use the resulting token to call the Azure Management API. The first thing the Azure Management API does is check if the access token it received is actually intended for it. If the audience does not match, it will immediately respond with an error.
Instead of trying to get a token for Microsoft Graph, you need to configure your bot to get a token for the Azure Management API. You should use https://management.azure.com, which is the resource URI for the Azure Management API, instead of https://graph.microsoft.com which is the resource URI for Microsoft Graph.