GET List of Privileged Role Assignments fails with "UnknownError" - azure

I've got an app registration in Azure with the required permission - Directory.AccessAsUser.All (delegated) and that registration has Security Reader over all of my subscriptions.
When I GET https://graph.microsoft.com/beta/privilegedRoles/{id}/assignments with my access token (bearer auth), I get the following response:
{
error: {
code: 'UnknownError',
message: '',
innerError: {
'request-id': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
date: '2020-03-13T11:53:41'
}
}
}
The {id} in this case is the ID of the permission I want check the assignments of.
I'm using this as a reference: https://learn.microsoft.com/en-us/graph/api/privilegedrole-list-assignments?view=graph-rest-beta&tabs=http

This is a beta version API, the current endpoints of AAD roles have been disabled for your tenant for migration purpose, see this link.
When customers have the updated version rolled out to their Azure AD organization, the existing graph API will stop working. You must transition to use the Graph API for Azure resource roles. To manage Azure AD roles using that API, swap /azureResources with /aadroles in the signature and use the Directory ID for the resourceId.
So you need to use this API currently, swap /azureResources with /aadroles, test it in the Graph Explorer.
GET https://graph.microsoft.com/beta/privilegedAccess/aadRoles/resources/<tenant-id>/roleAssignments?$filter=RoleDefinitionId+eq+'RoleDefinitionId'

Related

Microsoft Azure OAuth Client Credentials Token gets "AuthorizationFailed" response

I want create APIM subscriptions through rest api, And was able to do it successfully by following this Microsoft doc, https://learn.microsoft.com/en-us/rest/api/apimanagement/current-ga/subscription.
And for Authentication I am generating a bearer token using ROPC grant type(My UserName & Password). Everything works fine with this flow.
But i dont want to configure my username & password in a application to get a bearer token, instead i followed Client-Credentials grant type(get token by client id & secret), i am able to generate token, but when i use that token to create subscription in APIM, i am getting a exception
The client '0--e' with object id '0--e' does not have authorization to perform action 'Microsoft.ApiManagement/service/subscriptions/write'
Is it possible to add a AAD application inside APIM AccessControl(IAM) to grant permission.
Or is this any other way to do this? or ROPC is the only way?
Can someone please help.
Yes, you can grant permission to AAD application (service principal) in APIM Access Control (IAM) by assigning it API Management Service Contributor role.
I tried to reproduce the same in my environment and got the below results:
I have generated one access token using Client-Credentials grant type like below:
When I used the above token to create APIM subscription with below query, I got the same error:
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ApiManagement/service/apimService1/subscriptions/testsub?api-version=2021-12-01
{
"properties": {
"ownerId": "/subscriptions/subid/resourceGroups/rgname/providers/Microsoft.ApiManagement/service/servicename/users/xxxxxxxxxxx",
"scope": "/subscriptions/subid/resourceGroups/rgname/providers/Microsoft.ApiManagement/service/servicename/products/xxxxxxxxxxx",
"displayName": "testsub"
}
}
Response:
To resolve the error, you need to grant API Management Service Contributor role for that application like below:
Go to Azure Portal -> APIM Services -> Your APIM -> Access control (IAM) -> Add role assignment
After granting the above role, I generated the access token again and ran the same query as below:
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ApiManagement/service/apimService1/subscriptions/testsub?api-version=2021-12-01
Response:
When I checked the Portal, APIM subscription got created successfully like below:
Reference:
How to use Role-Based Access Control in Azure API Management | Microsoft Docs

The client 'XXX' with object id 'XXX' does not have authorization to perform action 'Microsoft.Media/mediaServices/transforms/write'

I am trying to use the following git repo in order to connect to azure ams, upload a video and stream it:
https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/AMSv3Samples/StreamFilesSample/index.ts
For some reason I am keep getting the following error:
The client 'XXX' with object id 'XXX' does not have authorization to perform action 'Microsoft.Media/mediaServices/transforms/write' over scope '/subscriptions/XXX/resourceGroups/TEST-APP/providers/Microsoft.Media/mediaServices/TESTAMP/transforms/ContentAwareEncoding' or the scope is invalid. If access was recently granted, please refresh your credentials
The AD user is owner but I understand it is a permission issue.
I searched all over the web for hours what permission do I need to grant and where but could not find any solution
The error get thrown here:
let encodingTransform = await mediaServicesClient.transforms.createOrUpdate(resourceGroup, accountName, encodingTransformName, {
name: encodingTransformName,
outputs: [
{
preset: adaptiveStreamingTransform
}
]
});
of course, I have updated the .env file to the correct data of my azure account.
Can anyone point out what am I missing and how to grant this permission?
Thanks!
The error message is referring to your Service Principal that is being used to authenticate against the AMS SDK.
Double check that you entered the GUID values for the service principal ID and Key, and make sure you did not use the friendly name in there.
AADCLIENTID="00000000-0000-0000-0000-000000000000"
AADSECRET="00000000-0000-0000-0000-000000000000"
Also, double check in IAM Access control in the portal that the service principal exists under the Role Assignments for your Media Services account and has Contributor or Owner permission Role first.
If you are in an Enterprise that locks down AAD access - you may need to work with your AAD owner/admin to make these changes and grant the service principal the right roles for your account. That's a bit outside of Media Services, and is just general Azure AAD application creation rights, and role assignments.
If you are still hitting issues, I would file a support ticket and also ask your AAD administrator to assign the role permisssion to your service principal.
As an aside, we are also working on updated Node.js SDK samples for the upcoming (soon!) release of the 10.0.0 Javascript SDK.
See the beta samples here - https://github.com/Azure-Samples/media-services-v3-node-tutorials/tree/10.0.0-beta.1

get all AAD groups in which service principal is added as member

I have a scenario, I need to write functional tests for my API(s). API uses Azure AD authentication. There are multiple roles in system and role of a user is decided on the basis of membership of different AD groups.
so for functional test I need different users with in different groups.
I created a service principals with contributor rights in subscription and added them in groups and granted following Microsoft graph Application type API permissions.
- Application.Read.All
- Directory.Read.All
Now I used these apis to complete my use case.
1- https://login.microsoftonline.com/{tenant-Id}/oauth2/token
to get the access token against service principal.
2- GET https://graph.microsoft.com/v1.0/me/memberOf
to get the list of user's groups. but i got following response with authentication token of service principal.
{
"error": {
"code": "Request_ResourceNotFound",
"message": "Resource 'xxxx471-bxxxa-45a2-b61b-18xxxxx42af88' does not exist or one of its queried reference-property objects are not present.",
"innerError": {
"request-id": "fxxxxc41-319e-xxxx-xxxx-360xxxx58077",
"date": "2020-04-13T11:41:01"
}
}
}
I also have tried this
3- https://graph.microsoft.com/v1.0/users/{princialId}/memberOf
and get the following response
"error": {
"code": "Request_ResourceNotFound",
"message": "Resource 'xxxxx-xxxx-xxxx-b61b-18421142af88' does not exist or one of its queried reference-property objects are not present.",
"innerError": {
"request-id": "fxxxxc41-319e-xxxx-xxxx-360xxxx58077",
"date": "2020-04-14T05:59:03"
}
}
}
I have used object id of app registered in azure AD. when i searched service principal using power shell using following command I found different Object_Id than which is written on AD app on azure portal
command : get-AzureADServicePrincipal
with this Object_Id I was able to get service principal's groups using beta services.
https://graph.microsoft.com/beta/servicePrincipals/{object ID}/memberOf
anybody can explain why i was not able to get the groups of service principal using v1.0 service.
Thanks
anybody can explain why i was not able to get the groups of service principal using v1.0 service.
Because the v1.0 version does not support this API GET /servicePrincipals/{id}/memberOf , it just could be availale in the Beta version currently.
You could check this doc - List servicePrincipal memberOf, select the Version with 1.0, then it will give a prompt message like below.
I have used object id of app registered in azure AD. when i searched service principal using power shell using following command I found different Object_Id than which is written on AD app on azure portal
The Object Id of the service principal is not the same with that of the App Registration, the one you got from the powershell is correct, also, you can find it in the portal in the Enterprise applications like below.
I agree that beta service was not part of V1.0 but according to V1 documentation
https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/memberOf
should work.
please visit
https://learn.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0&tabs=http
Please find documetation image here

Obtaining an access token for MSI enabled web application

I have a Web API project hosted in Azure as web app with Managed Service identity enabled (so I don't need an app registration, right?):
Now I need to obtain a token to access my API so that I can use it in POSTMAN:
az login
az account get-access-token --resource "https://mytenant.onmicrosoft.com/d3a219e0-bbbf-496b-a4a4-b9ca485c5a52"
which gives me
Get Token request returned http error: 400
and server response:
{"error":"invalid_resource","error_description":"AADSTS50001: The
application named
https://mytenant.onmicrosoft.com/d3a219e0-bbbf-496b-a4a4-b9ca485c5a52
was not found in the tenant named
xxxxxxxx-xxxx-xxxx-af31-xxxxxxxxxx. This can happen if the
application has not been installed by the administrator of the tenant
or consented to by any user in the tenant. You might have sent your
authentication request to the wrong tenant.
I get the same error if I try to use object id 63d571cf-79bf-405d-8304-a31fb64cb953 instead of app id as part of resource uri.
What am I doing wrong?
What am I doing wrong?
az account get-access-token is used to get token to access the Azure resource. We could get more information from this document.
--resource
Azure resource endpoints. Default to Azure Resource Manager Use 'az cloud show' command for other Azure resources.
The resoure should be in the following endpoints. And default resource is https://management.azure.com/
"endpoints": {
"activeDirectory": "https://login.microsoftonline.com",
"activeDirectoryDataLakeResourceId": "https://datalake.azure.net/",
"activeDirectoryGraphResourceId": "https://graph.windows.net/",
"activeDirectoryResourceId": "https://management.core.windows.net/",
"batchResourceId": "https://batch.core.windows.net/",
"gallery": "https://gallery.azure.com/",
"management": "https://management.core.windows.net/",
"resourceManager": "https://management.azure.com/",
"sqlManagement": "https://management.core.windows.net:8443/",
"vmImageAliasDoc": "https://raw.githubusercontent.com/Azure/azure-rest-api-specs/master/arm-compute/quickstart-templates/aliases.json"
}
Based on my understanding, the command no relationship with your API access.
For more information about MSI and how to protect an API by using OAuth 2.0 with Azure Active Directory, please refer to this tutorial and this tutorial.
The resource URI does not contain your Application Id nor Object Id.
It is a separate identifier that you can find from the App Registration's Properties under App ID URI.
And since this is an MSI-generated service principal, there is no app. I think you have to register an app in this case.

Tenant not found when trying to login?

I'm trying to login to an Azure AD B2C app using the example here: https://github.com/nordvall/TokenClient/wiki/OAuth-2-Resource-Owner-Password-Credentials-grant-in-AzureAd
Configured like so:
url: https://login.microsoftonline.com/[myapp].onmicrosoft.com/oauth2/token?api-version=1.6
Passing in the Azure AD B2C applications application id for client_id but I'm actually not sure what to pass in for the resource. I'm trying to get an access token for some azure functions but the azure functions app doesn't seem to have any specific 'resource id' I can define anywhere..
When I make the post request I get the following:
{
"error": "invalid_request",
"error_description": "AADSTS90002: Tenant not found. This may happen if there are no active subscriptions for the tenant. Check with your subscription administrator.\r\nTrace ID: x\r\nCorrelation ID: x\r\nTimestamp: 2018-02-19 10:54:20Z",
"error_codes": [
90002
],
"timestamp": "2018-02-19 10:54:20Z",
"trace_id": "x",
"correlation_id": "x"
}
The guide you referenced is for Azure AD, not B2C, unfortunately.
Azure AD B2C doesn't currently support Resource Owner Grant Flow, see this SO post. UserVoice request for this.
This documentation might help: Azure Active Directory B2C: Types of applications. More specifically: Daemons/server-side apps.
These apps can get tokens only after an interactive user flow has occurred.

Resources