I've been trying to use the Azure Service Management API in order to list the Hosted Services with no success.
In the first place, I was able to set up the authentication using PowerShell as the Microsoft documentation states here: https://msdn.microsoft.com/en-us/library/azure/dn790557.aspx
My first step was to request an access token using OAuth2 making a POST request to this URL:
https://login.windows.net/<MY_TENANT_ID>/oauth2/token
and passing these parameters:
grant_type: client_credentials
client_id: <THE_CLIENT_ID_OF_THE_APP_REGISTERED_THROUGH_POWERSHELL>
client_secret: <THE_PASSWORD_OF_APP_REGISTERED_THROUGH_POWERSHELL>
resource: https://management.core.windows.net
so, I receive a valid response and an access_token included in the response. So far so good.
Then, I want to make a simple call to the Management API; I would like to list my Hosted Services (Cloud Services), so I make a GET request to this URL:
https://management.core.windows.net/<MY_SUBSCRIPTION_ID>/services/hostedservices
Including the following headers:
Authorization: Bearer <THE_ACCESS_TOKEN_RECEIVED_IN_THE_PREVIOUS_STEP>
x-ms-version: 2014-10-01 (I've also tested with different versions)
but, what I get is a 401 Unauthorized error, with the following message:
The JWT token does not contain expected audience uri 'https://management.core.windows.net/'
I also tried with a Native Application registered directly in the Azure Portal (with Permissions set to use the Service Management API) and requesting a token using the grant_type = authorization_code. I get the access_token correctly and a refresh_token, but when I try to make a request to the above URL, I get the same error message.
On a side note, I am able to use the Azure Insights API successfully; the issue above is with the Azure Service Management API.
Does anyone know what I am missing?
I faced the same problem today. Complete the resource url with '/' https://management.core.windows.net
See the mismatch between the url in your resource and the one in the error message 'https://management.core.windows.net/'
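The audience check behind that 401 can be reproduced offline. The following is an added example, not code from the question or the answer: it decodes a token's `aud` claim and compares it with the audience quoted in the error message. The helper names and the unsigned sample tokens are constructed, and the samples assume the requested `resource` string ends up as `aud`, as the error in the question implies.

```python
import base64
import json

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnosis only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part JWT")
    payload = parts[1]
    payload += "=" * (-len(payload) % 4)   # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_audience(token, expected):
    """Compare the token's aud claim with the audience the API expects."""
    aud = jwt_claims(token).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    if expected in auds:
        return "ok"
    # The comparison is an exact string match, so a trailing '/' matters.
    if any(isinstance(a, str) and a.rstrip("/") == expected.rstrip("/") for a in auds):
        return "trailing-slash mismatch"
    return "wrong audience"

def make_sample_token(aud):
    """Constructed, unsigned sample token, used only for this demonstration."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"aud": aud}), "sig"])

# Audience string taken from the 401 message in the question.
EXPECTED = "https://management.core.windows.net/"

if __name__ == "__main__":
    for resource in ("https://management.core.windows.net",
                     EXPECTED,
                     "https://graph.microsoft.com"):
        token = make_sample_token(resource)
        print(resource, "->", check_audience(token, EXPECTED))
```

Decoding without signature verification is only suitable for inspecting a token you already hold; an API must validate the signature before trusting any claim.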
I am trying to investigate file uploads to see if they are matched by File Scan policies in Microsoft Defender for Cloud Apps (aka MCAS). I can see them fine at the portal but I need to automate the process via API.
As per the documentation, I created an Azure AD application and provided the permissions. This is needed to get the access token, which is needed to make API calls.
I am getting an "Insufficient role based permissions" error when I call https://aspnet4you2.us3.portal.cloudappsecurity.com/api/v1/files/.
I get the same error if I use https://portal.cloudappsecurity.com/cas/api/v1/files/
Any idea how to solve this Insufficient permission issue?
I tried to reproduce the same in my environment and got the results below.
I registered one Azure AD application and granted API permissions as below:
Now I generated access token via Postman with below parameters:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:appID
grant_type:client_credentials
client_secret:secret
scope:05a65629-4c1b-48c1-a78b-804c4abdd4af/.default
Response:
When I used the above token to get files with both URLs, I got the same error as below:
GET https://portal.cloudappsecurity.com/cas/api/v1/files/
Authorization: Bearer <token>
GET https://mytenantname.us3.portal.cloudappsecurity.com/api/v1/files/
Authorization: Bearer <token>
With the same token, I'm able to call all other APIs like alerts, activities etc. like below:
GET https://mytenantname.us3.portal.cloudappsecurity.com/api/v1/alerts/
Authorization: Bearer <token>
Note that calling file APIs is not available in application context.
Alternatively, you can make use of Legacy Method by generating one API token like below:
Go to Defender for Cloud Apps portal -> Settings -> Security extensions -> API tokens -> Add a token
Now, enter Token name and select Generate as below:
API token will be generated successfully and copy the token to use in Postman:
When I used the above API token to call files API with both URLs, I got response successfully as below:
GET https://portal.cloudappsecurity.com/cas/api/v1/files/
Authorization: Token <token>
GET https://mytenantname.us3.portal.cloudappsecurity.com/api/v1/files/
Authorization: Token <token>
You can try the same in your environment by generating API token instead of Bearer token to call Files API.
Reference:
Defender for Cloud Apps file API “Insufficient role based permissions” by Sangho Cho
I have some troubles trying to call an Azure Function (code) with Postman.
I have already set up the Authentication / Authorization and settings.
It's working with my browser (with login page).
But when I try to use Postman, I'm getting 401 :
"You do not have permission to view this directory or page."
I also tried to use the Postman built-in (see configuration) Oauth2 to login. I can successfully get the tokens (access and refresh). But it seems that my API request to functions are not working...
Here is the final API Call: postman screenshot
The aad tenant_id starts with 8d6, the application client_id starts with 226, and the app secret ends with Av2.
Is there anything wrong ... ? It looks like Azure Functions actually handles only cookies for authentication, that's why it's working with the browser and not Postman. How can I make it work with the Authorization / Bearer header?
Thanks for your help !
The way you got the access token is not correct. Just like @Marc said, in your Postman you are not specifying a resource or scope. The Postman "Get New Access Token" tool only has the scope parameter, so you should use the v2.0 endpoint to get the access token.
Auth URL:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
Access Token URL:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Scope:
{clientId}/.default
We are testing locking down an API hosted on Azure Web Apps by using the built-in Azure Web App Authentication/Authorization with Azure Active Directory.
We are calling POST https://login.microsoftonline.com/{tenantIDhere}/oauth2/v2.0/token with the following parameters in Postman:
grant_type: password
client_id: {ID}
username: {username}@{tenenat}.onmicrosoft.com
password: {password}
scope: https://{webappname}.azurewebsites.net/.default
client_secret: {secret}
Below is the response I get:
{"token_type":"Bearer","scope":"https://{webappname}.azurewebsites.net/user_impersonation https://{webappname}.azurewebsites.net/.default","expires_in":3599,"ext_expires_in":3599,"access_token":"{TOKEN HERE}"}
So I take that token and try and access the webpage by passing the token in the header and I get the below error using POST:
https://{webappname}.azurewebsites.net/api/url
Authorization: Bearer {TOKEN HERE}
Response (401 Unauthorized)
You do not have permission to view this directory or page.
I have spent days trying everything I can find. What am I missing? As soon as I turn off the authorization requirement for the web app, I get the expected result. But using grant_type: password, I CANNOT get in! I have a feeling it's related to the scope, but I cannot find documentation on what I need here for this. Any ideas?
The user is able to manually login to the webpage and pull the data, so it is not a permission issue. It has something to do with the token I believe.
If you are using v2.0 endpoint, the scope should be {your_client_id}/.default. Replace https://{webappname}.azurewebsites.net with the client id/application id for your API app in Azure AD.
Edit:
As Wayne said, you could also set scope as {your_client_id}/User.Read to get access token.
I'm trying to develop an application that makes use of the Power BI API.
The problem is, even though I have a valid authentication token, every API endpoint I tried to access so far returns a 403 (Forbidden) HTTP status with no content in the response body.
I think the token I'm getting is valid because when I try to use the same token the next day it gives me a "Token expired" message.
I'm using a corporate Azure Active Directory account where I'm not an administrator. But I have full access to the Power BI workspaces and reports on its web interface.
I'm currently authenticating with Azure AD OAuth2 v1 but I also tried v2 with no success (I'm still using v1 because on v2 I'm not sure my scope and resource parameters are right).
Here are the requests I'm sending:
GET
https://login.microsoftonline.com/{tenant}/oauth2/authorize?
client_id=<my client id>
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%3A8080/azureLogin/authorize
&response_mode=query
get the authorization code on the redirect at localhost:8080/azureLogin/authorize then
POST https://login.microsoftonline.com/{tenant}/oauth2/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded
grant_type=authorization_code
&client_id=<my client id>
&code=<the code I just got>
&redirect_uri=http%3A%2F%2Flocalhost%3A8080/azureLogin/authorize
&client_secret=<my client secret>
As "tenant" I tried both "common" and my organization id.
But when I try to access https://api.powerbi.com/v1.0/myorg/reports with the Authorization: Bearer <token> header, I get a 403 Forbidden response.
On Azure AD I can see my user has given all permissions to this application I registered.
Am I missing something? How can I solve that?
To make the answer visible to others, I'm summarizing the answer shared in comment:
You missed the resource parameter. You are accessing Power BI, so it should be
resource: https://analysis.windows.net/powerbi/api
The resource is app ID URI of the target web API (secured resource). It may also be an external resource like https://graph.microsoft.com, https://analysis.windows.net/powerbi/api etc. This is required in one of either the authorization or token requests.
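The answers on this page give one rule per endpoint: the v1 endpoint names the target API with `resource`, in the authorize or the token request, and the v2.0 endpoint names it with `scope`. The following added example, which is not code from any of the posts, checks a token request against those rules; the function names and the sample requests are constructed from the Power BI question above.

```python
from urllib.parse import urlparse

def endpoint_version(url):
    """'v2' for .../oauth2/v2.0/{authorize,token}, otherwise 'v1'."""
    return "v2" if "/oauth2/v2.0/" in urlparse(url).path else "v1"

def check_token_request(token_url, token_params, authorize_params=None):
    """Return findings for one token request, using the rules from the answers."""
    seen = {**(authorize_params or {}), **token_params}
    findings = []
    if endpoint_version(token_url) == "v1":
        # v1: the target API is named by 'resource', in either request.
        if not seen.get("resource"):
            findings.append("v1 endpoint: 'resource' missing from authorize and token request")
    else:
        # v2.0: the target API is named by 'scope', e.g. {clientId}/.default.
        if "resource" in seen:
            findings.append("v2.0 endpoint: 'resource' is the v1 parameter, use 'scope'")
        scope = seen.get("scope", "")
        if not scope:
            findings.append("v2.0 endpoint: 'scope' missing")
        elif (token_params.get("grant_type") == "client_credentials"
              and not scope.endswith("/.default")):
            findings.append("v2.0 client_credentials: scope must end in '/.default'")
    return findings

# Constructed from the Power BI question: v1 endpoint, no 'resource' anywhere.
V1_TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"
POWERBI_AUTHORIZE = {"client_id": "<my client id>", "response_type": "code"}
POWERBI_TOKEN = {"grant_type": "authorization_code", "client_id": "<my client id>",
                 "code": "<code>", "client_secret": "<secret>"}
POWERBI_FIXED = {**POWERBI_TOKEN, "resource": "https://analysis.windows.net/powerbi/api"}

if __name__ == "__main__":
    print(check_token_request(V1_TOKEN_URL, POWERBI_TOKEN, POWERBI_AUTHORIZE))
    print(check_token_request(V1_TOKEN_URL, POWERBI_FIXED, POWERBI_AUTHORIZE))
```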
I'm having issues with using tokens to access my Azure Web API. I followed this documentation from Microsoft.
I can successfully request an access token by doing a POST request to the authorization token endpoint:
https://login.microsoftonline.com/{Tenant ID}/oauth2/token
My POST body:
client_id:( Web API client ID )
client_secret:( Web API client Secret )
grant_type:password
username:userName
password:*******
resource:sharepoint.com
I'm using POSTMAN to test my calls and when I try to access my API using that returned token from above, I get a 401 unauthorized.
It was a configuration issue inside my WebConfig file.