The following page shows how I can purge Application Insights data -
https://learn.microsoft.com/en-us/rest/api/application-insights/components/purge
I tried following it but it doesn't mention how to use authentication and I am getting the following error in response -
{
"error": {
"code": "AuthenticationFailed",
"message": "Authentication failed. The 'Authorization' header is missing."
}
}
Can someone please guide me on how to use the authentication header?
As joy said in a comment, just go to the website and click "Try it" -> log in with your credentials, then you can see the token:
On the page you linked to, scroll all the way up in the menu and find 'Getting started with REST'. When you click that and scroll the page, you find Register your client application with Azure AD.
Most Azure services (such as Azure Resource Manager providers and the classic deployment model) require your client code to authenticate with valid credentials before you can call the service's API. Authentication is coordinated between the various actors by Azure AD, and provides your client with an access token as proof of the authentication. The token is then sent to the Azure service in the HTTP Authorization header of subsequent REST API requests. The token's claims also provide information to the service, allowing it to validate the client and perform any required authorization.
Long story short:
Register your client application with Azure AD
Create the request
Acquire an access token
Assemble the request message
Send the request
Process the response message
You need an authorization header added to your request to purge Azure Application Insights data. Refer to this step-by-step guide for more details - https://sanganakauthority.blogspot.com/2019/06/how-to-delete-or-purge-azure.html
We have an API hosted in Azure as an Azure Web App that we need to trigger via http on a schedule.
Our API requires a valid Azure AD Access Token be sent with each request.
Azure Logic Apps gives us the option to authenticate our request with Azure AD. However, we do not see the option of including scope in the request. If we send a request without specified scope or role, we get the following error:
System.UnauthorizedAccessException: IDW10201: Neither scope or roles claim was found in the bearer token.
How can we authenticate an http request from an Azure Logic App when scope/role is required in the access token by the API?
Thanks to #Skin for the suggestion!
Here is what worked for future visitors to this question:
Navigate to your Logic App in the Azure Portal > Select "Logic App Code View" > Add the following to "authentication":
audience: "api://<your api's clientId>"
clientId: "<your logic app's clientId>"
scope: "api://<your api's clientId>/.default" (this piece is not available in the interface)
secret: "the secret you generated for your logic app in your aad app registration"
tenant: "your tenant id"
Parameter "Audience" is the scope. Depending on how you built your target api and what is expected there as audience in token you could probably have there something like: api://<your_app_id>/.default, but you should know it best.
E.g. when you call Graph MS your scope/resource/audience here is: https://graph.microsoft.com/.default, but different APIs have different needs for scopes.
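Both threads above come down to the same two checks before a request is sent: is there an Authorization: Bearer header at all (the purge question), and does the token actually carry the aud, scp or roles claims the API expects (the IDW10201 error from the Logic App question). The helper below is an added example, not code from the questions, the answers or Microsoft; it decodes the payload of a JWT locally, without verifying the signature (that remains the API's job), and lists the reasons an API would reject it. The sample token, the audience api://example-api and the role name are constructed for the demonstration.

```python
import base64
import json
import time
from typing import Dict, List, Optional


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_claims(token: str) -> Dict:
    """Return the payload claims of a compact JWT (header.payload.signature).

    This does NOT verify the signature; it is a local diagnostic aid only.
    The receiving API must still validate the token cryptographically.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str, expected_audience: str, now: Optional[float] = None) -> List[str]:
    """List the reasons an Azure AD protected API would reject this token.

    Mirrors the failures seen in the threads: wrong audience, a token with
    neither 'scp' nor 'roles' (Microsoft.Identity.Web's IDW10201), or expiry.
    """
    claims = decode_claims(token)
    now = time.time() if now is None else now
    problems = []
    if claims.get("aud") != expected_audience:
        problems.append(f"aud is {claims.get('aud')!r}, expected {expected_audience!r}")
    if "scp" not in claims and "roles" not in claims:
        problems.append("neither scp nor roles claim present (IDW10201)")
    if float(claims.get("exp", 0)) <= now:
        problems.append("token expired")
    return problems


def authorization_header(token: str) -> Dict[str, str]:
    """The header the purge endpoint complained was missing."""
    return {"Authorization": f"Bearer {token}"}


def make_test_token(claims: Dict) -> str:
    """Build an unsigned sample token for the demo (constructed; the signature
    segment is a placeholder because decode_claims never checks it)."""
    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    header = {"alg": "RS256", "typ": "JWT"}
    return f"{enc(header)}.{enc(claims)}.placeholder-signature"


if __name__ == "__main__":
    # Constructed sample: a client-credentials token issued for the hypothetical
    # API "api://example-api" with an app role, checked against a fixed clock.
    sample = make_test_token({"aud": "api://example-api", "roles": ["Purge.All"], "exp": 2000000000})
    print(authorization_header(sample)["Authorization"][:40] + "...")
    print("problems:", diagnose(sample, "api://example-api", now=1700000000))
    # The same token presented to a Graph-style audience fails two checks.
    graph_only = make_test_token({"aud": "https://graph.microsoft.com", "exp": 2000000000})
    print("problems:", diagnose(graph_only, "api://example-api", now=1700000000))
```

Run the diagnosis on a token obtained from the "Try it" button or from your Logic App before blaming the API: if the audience printed is https://graph.microsoft.com when your API expects api://<clientId>, the scope parameter in the token request is what needs to change.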
I am trying to create an online meeting with a web application using the Microsoft Graph API.
When I try to initiate an authorization request to get permissions from the end-user to create a token with a similar URL to:
https://login.live.com/oauth20_authorize.srf?state=xxx&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&response_type=code&approval_prompt=auto&client_id=xxx
I get the following error message from the Microsoft API:
The client does not have a secret configured. If you are the client
application developer, configure a secret through the application
management site at https://go.microsoft.com/fwlink/?linkid=2083908.
I have a secret configured for the application in the "Certificates & secrets" part under the "Client secrets":
I have no clue what I am missing here and the Microsoft documentation is not really helpful.
The solution was to change the authorize and token endpoint to https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize and to https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token respectively as it is described here.
In my case - since I want to support multiple tenants - I could not fill out the {tenant} part of the URL with the actual tenant id, but I needed to set organizations since as it is described here only work or school accounts are supported.
So the final URLs changed to the following:
Authorize: https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize
Token: https://login.microsoftonline.com/organizations/oauth2/v2.0/token
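The fix in this thread is an endpoint change, not a parameter change: the same client_id, scope, response_type and state move from the login.live.com consumer endpoint to the Microsoft identity platform v2.0 endpoint under the organizations tenant selector. The helper below is an added example (not from the question or the answer) that performs that rewrite on the question's own URL and validates the tenant segment. It assumes that approval_prompt has no v2.0 equivalent worth carrying over and drops it, and it insists on a state parameter because the rewritten URL should keep its CSRF protection.

```python
import re
from typing import Dict
from urllib.parse import parse_qs, urlencode, urlsplit

V2_AUTHORITY = "https://login.microsoftonline.com"
# Tenant selectors accepted by the v2.0 endpoints; the answer settles on "organizations".
TENANT_SELECTORS = {"common", "organizations", "consumers"}
# Host from the question's original (consumer-account) authorize URL.
LEGACY_HOSTS = {"login.live.com"}
# Query parameters carried over unchanged; approval_prompt is deliberately not in the list.
CARRIED = ("client_id", "scope", "response_type", "state", "redirect_uri", "response_mode")
REQUIRED = ("client_id", "scope", "response_type", "state")
_GUID = re.compile(r"[0-9a-fA-F]{8}-(?:[0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}")


def v2_endpoint(kind: str, tenant: str = "organizations") -> str:
    """Build the v2.0 authorize or token URL for a tenant id or selector."""
    if kind not in ("authorize", "token"):
        raise ValueError(f"unknown endpoint kind {kind!r}")
    if tenant not in TENANT_SELECTORS and not _GUID.fullmatch(tenant):
        raise ValueError(f"tenant must be a GUID or one of {sorted(TENANT_SELECTORS)}")
    return f"{V2_AUTHORITY}/{tenant}/oauth2/v2.0/{kind}"


def carried_params(url: str) -> Dict[str, str]:
    """Extract the parameters worth keeping from a legacy authorize URL."""
    parts = urlsplit(url)
    if parts.netloc not in LEGACY_HOSTS:
        raise ValueError(f"{parts.netloc} is not a legacy login.live.com host")
    query = parse_qs(parts.query, keep_blank_values=True)
    kept = {name: query[name][0] for name in CARRIED if name in query}
    missing = [name for name in REQUIRED if name not in kept]
    if missing:
        raise ValueError(f"missing required parameters: {missing}")
    return kept


def rewrite_authorize_url(url: str, tenant: str = "organizations") -> str:
    """Rewrite a login.live.com authorize URL onto the v2.0 endpoint."""
    return f"{v2_endpoint('authorize', tenant)}?{urlencode(carried_params(url))}"


if __name__ == "__main__":
    # The exact URL from the question (client_id and state are the question's "xxx").
    legacy = ("https://login.live.com/oauth20_authorize.srf?state=xxx"
              "&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default"
              "&response_type=code&approval_prompt=auto&client_id=xxx")
    print(rewrite_authorize_url(legacy))
    print(v2_endpoint("token"))
```

For a single-tenant app, pass the tenant GUID instead of "organizations"; the helper rejects anything that is neither a GUID nor one of the documented selectors, which catches the easy mistake of pasting a tenant display name into the URL.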
We are using the client credentials flow in Azure AD to authenticate our APIs when the caller is some type of daemon process. Our security policies dictate that we need to audit when access attempts fail. For the most part we have been able to accommodate most of the security department's requirements except for when the get token request fails. This could be due to a number of reasons such as an invalid client id, secret, or certificate. The endpoint we are using to request a token is https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token.
I tried a few examples demonstrating passing invalid parameters to the access token request. I then checked the audit logs & sign-ins monitoring sections of our Azure AD tenant expecting to see some type of authorization denied message. To my surprise there was nothing.
I've tried searching client credentials flow auditing on Microsoft docs and on Google but I have not been able to find anything in regards to auditing failed access token requests.
Is there somewhere in the portal we can view when the access token request does not return a bearer token?
AFAIK, Azure AD doesn't put access token requests in the logs. You could add the content of access token requests when calling the endpoint in your code.
Audit logs: The audit logs activity report gives you access to the history of every task that's performed in your tenant. Examples of audit logs include changes made to any resources within Azure AD like adding or removing users, apps, groups, roles and policies.
Sign-in logs: With the sign-in activity report, you can determine who performed the tasks that are reported in the audit logs.
I found the answer. Should anyone need this in the future, Azure logs Success & Failure access token requests in the "Service principal sign-ins" section.
Click here for screen cap of logging location
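The first answer's suggestion, logging the outcome of the token request from your own code, is worth doing even now that the service principal sign-in logs exist, because it gives you a record that is under your control and that ties the failure to your own correlation ids. The block below is an added example, not code from the question or the answers: it wraps a client-credentials token request, writes an audit record on failure, and never lets the client secret reach the log. The HTTP call is injected so the example runs offline; the fake response it uses is constructed, modelled on the shape of an Azure AD error body (error, error_description, error_codes, trace_id, correlation_id, timestamp), and the tenant, client id and secret values are placeholders.

```python
import json
import logging
from typing import Callable, Dict, Tuple

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
# Fields of an Azure AD error body that are useful to correlate with the tenant's own logs.
AUDIT_FIELDS = ("error", "error_codes", "trace_id", "correlation_id", "timestamp")

# Signature of the injected HTTP function: (url, form_fields) -> (status, response_text).
PostFn = Callable[[str, Dict[str, str]], Tuple[int, str]]

audit_log = logging.getLogger("aad.token.audit")


class TokenRequestFailed(Exception):
    """Raised after the failure has been written to the audit log."""


def build_failure_record(tenant: str, client_id: str, scope: str, status: int, payload: Dict) -> Dict:
    """Assemble the audit entry for a failed token request.

    The secret is never an input here, so it cannot leak into the record;
    error_description is truncated because Azure AD's text can be long.
    """
    record = {"event": "token_request_failed", "tenant": tenant,
              "client_id": client_id, "scope": scope, "http_status": status}
    for field in AUDIT_FIELDS:
        if field in payload:
            record[field] = payload[field]
    record.setdefault("error", "unknown_error")
    record["error_description"] = str(payload.get("error_description", ""))[:200]
    return record


def request_client_credentials_token(post: PostFn, tenant: str, client_id: str,
                                     client_secret: str, scope: str) -> str:
    """Request a token with the client credentials grant and audit any failure."""
    form = {"grant_type": "client_credentials", "client_id": client_id,
            "client_secret": client_secret, "scope": scope}
    status, text = post(TOKEN_URL.format(tenant=tenant), form)
    try:
        payload = json.loads(text)
    except ValueError:
        payload = {"error": "non_json_response"}
    if status == 200 and "access_token" in payload:
        audit_log.info(json.dumps({"event": "token_request_succeeded", "tenant": tenant,
                                   "client_id": client_id, "scope": scope}, sort_keys=True))
        return payload["access_token"]
    record = build_failure_record(tenant, client_id, scope, status, payload)
    audit_log.warning(json.dumps(record, sort_keys=True))
    raise TokenRequestFailed(record["error"])


def fake_aad_post(url: str, form: Dict[str, str]) -> Tuple[int, str]:
    """Constructed stand-in for the network call: accepts one secret, rejects the rest
    with a body shaped like Azure AD's invalid_client response (values are made up)."""
    if form["client_secret"] == "correct-placeholder-secret":
        return 200, json.dumps({"token_type": "Bearer", "expires_in": 3599,
                                "access_token": "constructed.sample.token"})
    return 401, json.dumps({
        "error": "invalid_client",
        "error_description": "Invalid client secret provided (constructed sample).",
        "error_codes": [7000215],
        "timestamp": "2024-01-01 00:00:00Z",
        "trace_id": "00000000-0000-0000-0000-000000000001",
        "correlation_id": "00000000-0000-0000-0000-000000000002"})


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")
    tenant, client_id = "00000000-0000-0000-0000-00000000tenant", "00000000-0000-0000-0000-0000000client"
    try:
        request_client_credentials_token(fake_aad_post, tenant, client_id,
                                         "wrong-placeholder-secret", "api://example-api/.default")
    except TokenRequestFailed as exc:
        print("rejected:", exc)
```

In production, the post function would be a thin wrapper around your HTTP client; keeping the audit record builder separate from the transport makes it easy to assert in a unit test that no secret material can appear in what gets logged.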
I have an AspNetCore 2.0 MVC web API secured by an Azure Active Directory B2C tenant. I have been able to use Postman to test the API end points by following this SO posting: Request Access Token in Postman for Azure AD B2C (in particular, the Microsoft documented steps referenced in SpottedMahn's comments:
https://learn.microsoft.com/en-us/aspnet/core/security/authentication/azure-ad-b2c-webapi#use-postman-to-get-a-token-and-test-the-api )
Now, I am working on a serverless version of the above - the app is pretty much identical except that the endpoints have been implemented by Azure Functions in an Azure Functions App.
The Functions App has Authentication on, Log in with Azure Active Directory and the following settings:
This is how I have set up the Application in the Azure B2C tenant:
If I access the functions endpoint via a browser, I get successfully routed to the Azure AD B2C login page and can log in, then see the results from the API endpoint. So I'm pretty confident all is good w.r.t. the Azure AD B2C <-> Function App configuration.
However, I can't use the Request Access Token technique linked above to get a token and inspect the endpoint in Postman
If I take the token obtained after authentication (for example by using fiddler and observing the id_token being returned), and in Postman I choose Bearer authentication and supply that id_token, then Postman successfully hits my endpoint. However, if I follow the steps in the linked document above, I do get the "login" popup and then do get a valid [looking] token, but when I click Use Token and run the request, I get
You do not have permission to view this directory or page.
I'd really like to be able to request an access token from postman just like I can with my aspnetcore 2.0 app (really just for the consistency so I don't have to remember lots of different techniques). Is that possible for Azure Function Apps and if so, any clues what I'm doing wrong in the above?
Ah I stumbled upon it. I fixed it by adding the Postman API client id (note: the postman API client id, not the postman App client id) [those references will make sense in the context of the Microsoft how-to linked above], under "ALLOWED TOKEN AUDIENCES" (visible in screenshot in question above).
I have an Azure mobile service setup and have followed the examples online for authenticating. I call AuthenticationContext.AcquireToken and get back a token. Then I set the header using:
HttpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", AquireAccessToken());
However I am getting a 401 back and in the Azure logs I am getting "The 'Bearer' HTTP authentication scheme is not supported". What am I missing?
If you are using a service to call the mobile service why not use the Application key instead of a login process?
You can set a header on your request like so:
HttpClient.DefaultRequestHeaders.Add("X-ZUMO-APPLICATION", "<YOUR APP KEY>");
You can get your application key from the portal. When you are on the dashboard view click the button at the bottom of the window to "manage keys".
This works if you want to login as the service, but if you need to login on behalf of a user, then you'll need to go the authentication route. You'll also need to make sure the permissions on your various tables and APIs allow the application key level of access.
Alternately, you can use the X-ZUMO-MASTER header with your master key to get admin rights to the service.
Mobile Services does not support tokens being passed in the Authorization header. Instead, please consider using the POST method for the login endpoint. The Mobile Services SDK makes this available as an overload of the login method if desired.
Could you please comment on what examples you are following? Our standard "Get Started with Authentication" tutorial shows how to do login without handling an access token directly. We also have tutorials for using a provider SDK to obtain a token and pass it to the mobile service using the overloads mentioned above. For example, we have this tutorial for Microsoft Account and Azure Active Directory