Context
We are using multiple directories (TENANT_A, TENANT_B) on Azure. The goal is to create a service principal (Application), _SP_APP, inside TENANT_A which is granted access into TENANT_B. We want to use this service principal in script to manage both directory easily.
One of the script is to make new Application Registration inside TENANT_B AND to grant ADMIN CONSENT for these applications.
What is done
_SP_APP
Global Admin on both Directory
Granted Access to TENANT_B (Visible in Enterprise Application)
Api Permissions were granted Admin Consent (TENANT_A and TENANT_B)
Microsoft Graph (Delegated and Application Full Access)
Azure Active Directory Graph (Delegated and Application Full Access)
Steps
Working correctly
# Login with service principal of multiple tenants application
az login --service-principal -u _SP_APP -p <PASSWORD> --tenant TENANT_B
# Creating application and fetching ID
_OBJECT_ID=`az ad app create ...`
Not Working
# Granting Admin Consent
az ad app permission admin-consent --id $_OBJECT_ID
# ERROR
Bad Request({"ClassName":"Microsoft.Portal.Framework.Exceptions.ClientException","Message":"AADSTS50058: A silent sign-in request was sent but no user is signed in.\r\nTrace ID: 9c9bd004-a97a-4543-8ff0-e314de77a700\r\nCorrelation ID: 44c79409-2f3e-43de-a84b-1e5a42e382e7\r\nTimestamp: 2019-10-28 15:54:20Z" ...
What is strange is that when we az login with a Global Admin User and execute the script, it works fine.
Question
Did we miss something to allow this service principal to be able to grant admin-consent or is it something only "user" can do? (I did not find any response in microsoft azure documentation).
Thank you
I have confirmed with Azure support engineer. We can not use service principal to grant admin-consent.
If you must use service principal to do this, you can use Microsoft Graph api. It will consent permissions automatically.
POST https://graph.microsoft.com/beta/xx.onmicrosoft.com/oauth2PermissionGrants
{
"clientId": "clientId-value",
"consentType": "consentType-value",
"expiryTime": "2016-10-19T10:37:00Z",
"id": "id-value",
"principalId": "principalId-value",
"resourceId": "resourceId-value"
}
To call this api, you need to provide an access token, refer to this document for more details.
Related
Given I have created an app using this repository in Azure.
And this app is deployed using a Service Principal which was created by below command:
az ad sp create-for-rbac --name "fxpricepredictor" --role contributor --scopes "/subscriptions/YOUR-SUBSCRIPTION-ID/resourceGroups/YOUR-RESOURCE-GROUP-NAME" --sdk-auth
Now, I need to get the API token to manage my created resources using REST APIs.
Based on documentation, I should be able use my tenantId, clientId and client_secret to get the token by calling the bellow endpoint:
curl: POST
https://login.microsoftonline.com/{{tenantId}}/oauth2/token
Please notice that, I am not the global admin in the tenant.
The official sample postman collection is here and here is how my request looks like in postman:
Sadly the endpoint does not provide me the token and instead it returns such error:
{
"error": "unauthorized_client",
"error_description": "AADSTS700016: Application with identifier 'MY_CLIENTID' was not found in the directory 'MY COMPANY'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: 5a9a2c53-c3c8-46da-a1a6-551b42082400\r\nCorrelation ID: bf7c5966-ffa4-4312-8a77-434c2560d65a\r\nTimestamp: 2022-10-05 14:54:23Z",
"error_codes": [
700016
],
"timestamp": "2022-10-05 14:54:23Z",
"trace_id": "5a9a2c53-c3c8-46da-a1a6-551b42082400",
"correlation_id": "bf7c5966-ffa4-4312-8a77-434c2560d65a",
"error_uri": "https://login.microsoftonline.com/error?code=700016"
}
please notice, I hided some sensitive values in error response by MY_CLIENTID and MY COMPANY
So, i guess, the main reason that i am facing this issue is that:
This can happen if the application has not been consented to by any user in the tenant.
Meaning that, i should consent my own app. Am I right ?
So, my question is:
How can i get the token to work with REST APIs to manage my resources ?
How can I grant consent to my own app, given that I am not a global Admin ?
Update:
As I figured out, I should be able to Grant Consent to my app using "Microsoft Graph permissions reference". And here is what i have done:
Login to Azure portal
Navigate to "Azure Active Directory"
Navigate to "App registrations"
Click on the created APP ("fxpricepredictor")
Navigate to "API permissions"
Click "Add a permission"
Click on "Microsoft Graph"
Choose "Delegated Permissions"
Search for "authentication" ---> (Sadly this option also requiereds Admin Consent)
I tried to reproduce the same in my environment and got the below results:
When I ran the same command as you, one Azure AD application named fxpricepredictor is automatically created with details like below:
az ad sp create-for-rbac --name "fxpricepredictor" --role contributor --scopes "/subscriptions/<subscriptionID>/resourceGroups/<resourcegroupName>" --sdk-auth
By including above details as parameters, I am able to generate access token successfully via Postman like below:
Please note that, I don't have global administrator role and granting admin_consent is not really required.
With the above access token, I am able to fetch and manage the Azure resources in that resource group like below:
GET https://management.azure.com/subscriptions/<subscriptionID>/resourceGroups/SriTest/resources?api-version=2021-04-01
Response:
The error AADSTS700016 may also occur if there is no application in your tenant with provided ClientID.
I tried including random ClientID which does not exist in Azure AD tenant and got same error as below:
So, make sure to check whether the application is existing or not with the given ClientID in Azure AD tenant.
I'm using a service principle with permissions Application.Read.All and Directory.Read.All of Application type to authenticate to Azure and using following code to pull list of Applications in the tenant.
from azure.common.credentials import ServicePrincipalCredentials
from azure.graphrbac import GraphRbacManagementClient
from config import app
credentials = ServicePrincipalCredentials(
client_id = app["CLIENT"],
secret = app["KEY"],
tenant = app["TENANT_ID"],
resource="https://graph.windows.net"
)
graphrbac_client = GraphRbacManagementClient(credentials, app["TENANT"])
for app in graphrbac_client.applications.list():
print("\nApp:")
print(app)
print("******\n")
Any help is much appreciated
Application.Read.All and Directory.Read.All these 2 permissions requires Global Administrator consent for your directory. I would suggest to ask your Global Administrator to provide consent to your service principal.
From your description, I suppose you added the application permission Application.Read.All and Directory.Read.All of Microsoft Graph, because what you need is Azure Active Directory Graph, which does not have the Application.Read.All permission.
In your code, it uses the resource="https://graph.windows.net", which means your code calls the Azure Active Directory Graph, not Microsoft Graph, to solve the issue, just add the application permission Directory.Read.All of Azure Active Directory Graph like below.
Note : After adding the permission, don't forget to click the Grant admin consent for xxx button, otherwise your service principal will not get the permission.
There may be some delay, after half an hour, test the code, it works fine.
I am trying to troubleshoot why certain automation tasks don't work with a Service Principal I've created, most especially any tasks involving Azure Active Directory. The Azure Portal seems to clearly show that the Service Principal has been granted the Microsoft.Graph Directory.Read.All API Permission. The portal also shows that this Service Principal has the User.Read permission as well.
However, when I run az ad app permission list-grants for the Service Principal, it only lists User.Read. This makes me wonder whether the Directory.Read.All permission is actually present. And yes, the portal clearly shows that Directory.Read.All permission has been granted.
How can I confirm that my Service Principal actually does have the Directory.Read.All API Permission?
az ad app permission list-grants --id db7a66b4-06ad-4412-9bbc-73cb34f96ce2 --show-resource-name
[
{
"clientId": "01b359a2-f452-43c6-b290-e5ea1b359f38",
"consentType": "AllPrincipals",
"expiryTime": "2019-12-08T17:07:04.550141",
"objectId": "olmzAVL0xkOykOXqGzWfOAvNygY8CKVIummKcmVpwq8",
"odatatype": null,
"principalId": null,
"resourceDisplayName": "Microsoft Graph",
"resourceId": "06cacd0b-083c-48a5-ba69-8a726569c2af",
"scope": "User.Read",
"startTime": "0001-01-01T00:00:00"
}
]
And a crude recreation of what I see in the portal for this Service Principal under Azure Active Directory > App Registrations > (Service Principal Name) > API Permissions:
API/Permissions name Type Admin Consent Required
-------------------- ----------- -----------------------------------
Microsoft Graph (2)
Directory.Read.All Application Yes <green check> Granted for MyOrg
User.Read Delegated <green check> Granted for MyOrg
As you have found, the reason is the Azure CLI command az ad app permissions list-grants just list the delegated permissions.
If you also want to get the application permissions granted to the service principal,
currently it is not supported by the Azure CLI and Az powershell module, you need to use AzureAD powershell module.
Try the script as below, it writes output the API name and corresponding permission.
Note the ObjectId in the first line is the ObjectId of your service principal, not the AD App(App registration), you can find it in the Enterprise applications in the portal(filter with All applications).
$apppermissions = Get-AzureADServiceAppRoleAssignedTo -ObjectId <ObjectId of your service principal>
foreach($item in $apppermissions){
$item.ResourceDisplayName
(Get-AzureADServicePrincipal -ObjectId $item.ResourceId).AppRoles | Where-Object {$_.Id -eq $item.Id}
}
The permissions in the App registration in the portal:
Here is a similar issue, you can also take a look.
I finally figured this out, and it was less than obvious.
az ad app permissions list-grants lists oauth2 permissions. In other words, delegated permissions.
My Service Principal's Directory.Read.All permission is an application permission. That means it's a permission my Service Principal has in its own right without needing another user's authentication token.
I'm still trying to figure out how to list the Application permissions using the new az commands and/or the new Get-Az PowerShell modules. If I find out how I'll update this answer.
I found out you can get that output with az cli but by using the rest command like this:
az rest --method get --url https://graph.microsoft.com/v1.0/servicePrincipals/{YOUR_SERVICE_PRINCIPAL_ID}/appRoleAssignments
When attempting to get an access token for a custom AD Application, using az account get-access-token --resource '<APP ID Uri>', I receive the following error:
AADSTS65001: The user or administrator has not consented to use the application with ID '04b07795-8ddb-461a-bbee-02f9e1bf7b46' named 'Microsoft Azure CLI'. Send an interactive authorization request for this user and resource.
04b07795-8ddb-461a-bbee-02f9e1bf7b46 is not my application id, and my application has had administrator consent granted. I've tried putting this id in an interactive login request with no change in behavior.
get-access-token works fine when the resource is a defined MS endpoint like https://database.windows.net or https://vault.azure.net/
My goal is to have Azure App Services with Managed Service Identity authenticating to each other with short-lived AD bearer tokens. Each service has a configured audience that corresponds to the AD App.
Running az account get-access-token --resource '<APP ID Uri>' from local CLI, you are trying to get token from '<APP ID Uri>' using Azure CLI, which client ID is exactly 04b07795-8ddb-461a-bbee-02f9e1bf7b46.
To handle this you could go to:
Azure Active Directory → App registrations → {your app} → Expose an API → Add client application with:
ID: 04b07795-8ddb-461a-bbee-02f9e1bf7b46
Authorized scopes: check '<APP ID Uri>'
To make sure you have right ID you could run az account get-access-token paste token to jwt.io and find value of "appid".
Documentation reference:
Application IDs for commonly used Microsoft applications
I can reproduce your issue with a --resource '<APP ID Uri>', if I login cli with a user account.
If I login with a service principal, it works fine.
You could try to login azure cli with a service principal, refer to this link.
I've some problems with the admin consent in a multi tenant environment.
So here is my structur.
Tenant 1
Tenant 2
I've got registered one ActiveDirectory Aapp in Tenant 1, called "App1".
In this App, I set i.e. permissions for Microsoft Graph.
Then I granted this permission.
Now I want to have also this App1 in my Tenant 2, so I do an AdminConsent with:
https://login.microsoftonline.com/TenantID_of_Tenant2/adminconsent?client_id=ClientID_of_App1
It worked fine. A few minutes later I saw App1 in Tenant2 and I was able i.e. to give access right to App1 for Users of Tenant2. No problem.
So then I had to give my App1 a few more permissions. So I clicked
"App registrations" in Tenant1 and gave more permissions for Microsoft Graph.
Then I clicked to "Enterprise Applications" in Tenant1, selected my App1 -> Permission and then "Grant admin consent for tenant1". A new browser was opened and I was able to do the admin consent for App1 in Tenant1.
Then I thought that I have to do the same in Tenant2, because it works the first time. So in Tenant2 I also navigated to ActiveDirectory -> Enterprise Applications -> selected my App1 -> Permissions
Here I saw the first permissions which I granted. Then I clicked to "Grant admin consent for Tenant2". A new browser was opened, but now it failed with folowwing error:
https://myRedirectURL/?error=access_denied&error_description=AADSTS65005%3a+The+application+%clientID_of_App1%27+asked+for+permissions+to+access+a+resource+that+has+been+removed+or+is+no+longer+available.+Contact+the+app+vendor.%0d%0aTrace+ID%TraceID%0d%0aCorrelation+ID%CorrelationIDaTimestampTimestamp&admin_consent=True&tenant=TenantID_of_Tenant2
Better to read: Error:
"AADSTS65005. The application ID_App1 asked for permissions to access a resource that has been removed or is no longer available. Contatct the app vendor."
I get the same error when I invoke the URL https://login.microsoftonline.com/TenantID_of_Tenant2/adminconsent?client_id=ClientID_of_App1
But I didn't do anything...so wheres the problem?
For your Redirect URI error you can try these steps:
Set the resource in your request to Azure AD.
Ensure that the client Id of the WebApp is configured in the WebApi's "knowClientApplications" array property in the manifest file
Ensure that all permissions are correct (APIs are added as delegated permissions to the client).
Ensure that all services (web app & apis) are multi tenant
Update manifest with:
"availableToOtherTenants": true,
"knownClientApplications": [
"{client app application id}"
],
See also the troubleshooting steps in these similar threads:
Azure AD error when fetching access token & login
The client application has requested access to resource 'https://outlook.office365.com'. This request has failed