I'm trying to login to an Azure AD B2C app using the example here: https://github.com/nordvall/TokenClient/wiki/OAuth-2-Resource-Owner-Password-Credentials-grant-in-AzureAd
Configured like so:
url: https://login.microsoftonline.com/[myapp].onmicrosoft.com/oauth2/token?api-version=1.6
Passing in the Azure AD B2C applications application id for client_id but I'm actually not sure what to pass in for the resource. I'm trying to get an access token for some azure functions but the azure functions app doesn't seem to have any specific 'resource id' I can define anywhere..
When I make the post request I get the following:
{
"error": "invalid_request",
"error_description": "AADSTS90002: Tenant not found. This may happen if there are no active subscriptions for the tenant. Check with your subscription administrator.\r\nTrace ID: x\r\nCorrelation ID: x\r\nTimestamp: 2018-02-19 10:54:20Z",
"error_codes": [
90002
],
"timestamp": "2018-02-19 10:54:20Z",
"trace_id": "x",
"correlation_id": "x"
}
The guide you referenced is for Azure AD, not B2C, unfortunately.
Azure AD B2C doesn't currently support Resource Owner Grant Flow, see this SO post. UserVoice request for this.
This documentation might help: Azure Active Directory B2C: Types of applications. More specifically: Daemons/server-side apps.
These apps can get tokens only after an interactive user flow has occurred.
Related
Given I have created an app using this repository in Azure.
And this app is deployed using a Service Principal which was created by below command:
az ad sp create-for-rbac --name "fxpricepredictor" --role contributor --scopes "/subscriptions/YOUR-SUBSCRIPTION-ID/resourceGroups/YOUR-RESOURCE-GROUP-NAME" --sdk-auth
Now, I need to get the API token to manage my created resources using REST APIs.
Based on documentation, I should be able use my tenantId, clientId and client_secret to get the token by calling the bellow endpoint:
curl: POST
https://login.microsoftonline.com/{{tenantId}}/oauth2/token
Please notice that, I am not the global admin in the tenant.
The official sample postman collection is here and here is how my request looks like in postman:
Sadly the endpoint does not provide me the token and instead it returns such error:
{
"error": "unauthorized_client",
"error_description": "AADSTS700016: Application with identifier 'MY_CLIENTID' was not found in the directory 'MY COMPANY'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.\r\nTrace ID: 5a9a2c53-c3c8-46da-a1a6-551b42082400\r\nCorrelation ID: bf7c5966-ffa4-4312-8a77-434c2560d65a\r\nTimestamp: 2022-10-05 14:54:23Z",
"error_codes": [
700016
],
"timestamp": "2022-10-05 14:54:23Z",
"trace_id": "5a9a2c53-c3c8-46da-a1a6-551b42082400",
"correlation_id": "bf7c5966-ffa4-4312-8a77-434c2560d65a",
"error_uri": "https://login.microsoftonline.com/error?code=700016"
}
please notice, I hided some sensitive values in error response by MY_CLIENTID and MY COMPANY
So, i guess, the main reason that i am facing this issue is that:
This can happen if the application has not been consented to by any user in the tenant.
Meaning that, i should consent my own app. Am I right ?
So, my question is:
How can i get the token to work with REST APIs to manage my resources ?
How can I grant consent to my own app, given that I am not a global Admin ?
Update:
As I figured out, I should be able to Grant Consent to my app using "Microsoft Graph permissions reference". And here is what i have done:
Login to Azure portal
Navigate to "Azure Active Directory"
Navigate to "App registrations"
Click on the created APP ("fxpricepredictor")
Navigate to "API permissions"
Click "Add a permission"
Click on "Microsoft Graph"
Choose "Delegated Permissions"
Search for "authentication" ---> (Sadly this option also requiereds Admin Consent)
I tried to reproduce the same in my environment and got the below results:
When I ran the same command as you, one Azure AD application named fxpricepredictor is automatically created with details like below:
az ad sp create-for-rbac --name "fxpricepredictor" --role contributor --scopes "/subscriptions/<subscriptionID>/resourceGroups/<resourcegroupName>" --sdk-auth
By including above details as parameters, I am able to generate access token successfully via Postman like below:
Please note that, I don't have global administrator role and granting admin_consent is not really required.
With the above access token, I am able to fetch and manage the Azure resources in that resource group like below:
GET https://management.azure.com/subscriptions/<subscriptionID>/resourceGroups/SriTest/resources?api-version=2021-04-01
Response:
The error AADSTS700016 may also occur if there is no application in your tenant with provided ClientID.
I tried including random ClientID which does not exist in Azure AD tenant and got same error as below:
So, make sure to check whether the application is existing or not with the given ClientID in Azure AD tenant.
I want create APIM subscriptions through rest api, And was able to do it successfully by following this Microsoft doc, https://learn.microsoft.com/en-us/rest/api/apimanagement/current-ga/subscription.
And for Authentication I am generating a bearer token using ROPC grant type(My UserName & Password). Everything works fine with this flow.
But i dont want to configure my username & password in a application to get a bearer token, instead i followed Client-Credentials grant type(get token by client id & secret), i am able to generate token, but when i use that token to create subscription in APIM, i am getting a exception
The client '0--e' with object id '0--e' does not have authorization to perform action 'Microsoft.ApiManagement/service/subscriptions/write'
Is it possible to add a AAD application inside APIM AccessControl(IAM) to grant permission.
Or is this any other way to do this? or ROPC is the only way?
Can someone please help.
Yes, you can grant permission to AAD application (service principal) in APIM Access Control (IAM) by assigning it API Management Service Contributor role.
I tried to reproduce the same in my environment and got the below results:
I have generated one access token using Client-Credentials grant type like below:
When I used the above token to create APIM subscription with below query, I got the same error:
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ApiManagement/service/apimService1/subscriptions/testsub?api-version=2021-12-01
{
"properties": {
"ownerId": "/subscriptions/subid/resourceGroups/rgname/providers/Microsoft.ApiManagement/service/servicename/users/xxxxxxxxxxx",
"scope": "/subscriptions/subid/resourceGroups/rgname/providers/Microsoft.ApiManagement/service/servicename/products/xxxxxxxxxxx",
"displayName": "testsub"
}
}
Response:
To resolve the error, you need to grant API Management Service Contributor role for that application like below:
Go to Azure Portal -> APIM Services -> Your APIM -> Access control (IAM) -> Add role assignment
After granting the above role, I generated the access token again and ran the same query as below:
PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ApiManagement/service/apimService1/subscriptions/testsub?api-version=2021-12-01
Response:
When I checked the Portal, APIM subscription got created successfully like below:
Reference:
How to use Role-Based Access Control in Azure API Management | Microsoft Docs
I am trying to use the Microsoft Graph API to configure an Azure B2C instance. Specifically, I need to create UserFlows and IdentityProviders. For this purpose, I have created an AppRegistration with IdentityProvider.ReadWrite.All and IdentityUserFlow.ReadWrite.All API application permissions for the Microsoft Graph. I am able to call the APIs for creating new user flows and identity providers without a problem, but I am unable to link flows to an identity provider. Whenever I use any of the linking API's, I get an error:
AADB2C (User Authorization: Access is denied)
As an example, I get this when trying to list registered identity providers for specific user flow, i.e.
GET https://graph.microsoft.com/beta/identity/b2cUserFlows/B2C_1_{flowId}/identityProviders
The response for this request is a 403 with
{
"error": {
"code": "AADB2C",
"message": "User Authorization: Access is denied.",
"innerError": ...
}
}
I am using the Beta API as described in the docs here: https://learn.microsoft.com/en-us/graph/api/b2cuserflows-list-identityproviders?view=graph-rest-beta&tabs=http. I get the samme error when trying to link a user flow with an identity provider as described in the documentation here: https://learn.microsoft.com/en-us/graph/api/b2cuserflows-update-identityprovider?view=graph-rest-beta&tabs=http
Any idea why I keep getting this authorization block?
Update: I have tried expanding the .IdentityProviders property on a userflow when reading it from the graph api. This does not give a 403, but the identity providers list, on the returned user flow, is empty even when providers have been manually added to the flow in the Azure Portal.
Please ensure to comply with this:
The work or school account needs to belong to one of the following
roles:
Global administrator External Identity User Flow administrator
I have a scenario, I need to write functional tests for my API(s). API uses Azure AD authentication. There are multiple roles in system and role of a user is decided on the basis of membership of different AD groups.
so for functional test I need different users with in different groups.
I created a service principals with contributor rights in subscription and added them in groups and granted following Microsoft graph Application type API permissions.
- Application.Read.All
- Directory.Read.All
Now I used these apis to complete my use case.
1- https://login.microsoftonline.com/{tenant-Id}/oauth2/token
to get the access token against service principal.
2- GET https://graph.microsoft.com/v1.0/me/memberOf
to get the list of user's groups. but i got following response with authentication token of service principal.
{
"error": {
"code": "Request_ResourceNotFound",
"message": "Resource 'xxxx471-bxxxa-45a2-b61b-18xxxxx42af88' does not exist or one of its queried reference-property objects are not present.",
"innerError": {
"request-id": "fxxxxc41-319e-xxxx-xxxx-360xxxx58077",
"date": "2020-04-13T11:41:01"
}
}
}
I also have tried this
3- https://graph.microsoft.com/v1.0/users/{princialId}/memberOf
and get the following response
"error": {
"code": "Request_ResourceNotFound",
"message": "Resource 'xxxxx-xxxx-xxxx-b61b-18421142af88' does not exist or one of its queried reference-property objects are not present.",
"innerError": {
"request-id": "fxxxxc41-319e-xxxx-xxxx-360xxxx58077",
"date": "2020-04-14T05:59:03"
}
}
}
I have used object id of app registered in azure AD. when i searched service principal using power shell using following command I found different Object_Id than which is written on AD app on azure portal
command : get-AzureADServicePrincipal
with this Object_Id I was able to get service principal's groups using beta services.
https://graph.microsoft.com/beta/servicePrincipals/{object ID}/memberOf
anybody can explain why i was not able to get the groups of service principal using v1.0 service.
Thanks
anybody can explain why i was not able to get the groups of service principal using v1.0 service.
Because the v1.0 version does not support this API GET /servicePrincipals/{id}/memberOf , it just could be availale in the Beta version currently.
You could check this doc - List servicePrincipal memberOf, select the Version with 1.0, then it will give a prompt message like below.
I have used object id of app registered in azure AD. when i searched service principal using power shell using following command I found different Object_Id than which is written on AD app on azure portal
The Object Id of the service principal is not the same with that of the App Registration, the one you got from the powershell is correct, also, you can find it in the portal in the Enterprise applications like below.
I agree that beta service was not part of V1.0 but according to V1 documentation
https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/memberOf
should work.
please visit
https://learn.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0&tabs=http
Please find documetation image here
I've got an app registration in Azure with the required permission - Directory.AccessAsUser.All (delegated) and that registration has Security Reader over all of my subscriptions.
When I GET https://graph.microsoft.com/beta/privilegedRoles/{id}/assignments with my access token (bearer auth), I get the following response:
{
error: {
code: 'UnknownError',
message: '',
innerError: {
'request-id': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
date: '2020-03-13T11:53:41'
}
}
}
The {id} in this case is the ID of the permission I want check the assignments of.
I'm using this as a reference: https://learn.microsoft.com/en-us/graph/api/privilegedrole-list-assignments?view=graph-rest-beta&tabs=http
This is a beta version API, the current endpoints of AAD roles have been disabled for your tenant for migration purpose, see this link.
When customers have the updated version rolled out to their Azure AD organization, the existing graph API will stop working. You must transition to use the Graph API for Azure resource roles. To manage Azure AD roles using that API, swap /azureResources with /aadroles in the signature and use the Directory ID for the resourceId.
So you need to use this API currently, swap /azureResources with /aadroles, test it in the Graph Explorer.
GET https://graph.microsoft.com/beta/privilegedAccess/aadRoles/resources/<tenant-id>/roleAssignments?$filter=RoleDefinitionId+eq+'RoleDefinitionId'