Error Making Azure Management Library API Call When Authenticating with Azure Active Directory


I believe you're on the right track as to why you're running into this problem.

Here's what's happening:

Essentially permission to execute Service Management API is a delegated permission and not an application permission. In other words, the API is executed in context of the user for which the token is acquired. Now you are getting this token for your application (specified by client id/secret). However your application doesn't have access to your Azure Subscription because the user record created for this application in your Azure AD is of type Service Principal. Since this Service Principal doesn't have access to your Azure Subscription, you're getting this Forbidden Error (I must say that the error is misleading because you're not using a certificate at all).

There are a few things you could do:

  1. Switch to Azure Resource Manager (ARM) API - ARM API is the next generation of Service Management API (SM API) and Azure is moving towards this direction only. It exclusively works off of an Azure AD token. If possible, make use of that to manage your Azure resources (though you need to keep in mind that as of today not all Azure resources can be managed through ARM API). The way you do it is to take your Service Principal and assign it to a particular role using the new Azure Portal. Please see this link for more details on this: https://azure.microsoft.com/en-in/documentation/articles/resource-group-create-service-principal-portal/.
  2. Use X509 Certificate - You can always use X509 Certificate based authorization to authorize your SM API requests. Please see this link for more details on that: https://msdn.microsoft.com/en-us/library/azure/ee460782.aspx#bk_cert. The downside of this approach is that the application (or whosoever has access to this certificate) will get full access to your Azure Subscription and can do everything there (including deleting resources).
  3. Acquire token for a user instead of an application - This is another approach you can take. Essentially ask your users to log in to Azure AD through your console application and acquire a token for that user. Again, please keep in mind that this user must be a Co-Admin in your Azure Subscription and will have full access to your Azure Subscription, as with SM API there's no concept of Role-based access control.

Azure Devops REST API authentication failing when using Azure Active Directory


user_impersonation means that this API can only be called with user permission. However, you get the token with client credential which only has application permission.

To get a token for a user, you can try the following code:

    import java.net.MalformedURLException;
    import java.util.concurrent.ExecutionException;
    import java.util.concurrent.ExecutorService;
    import java.util.concurrent.Executors;
    import java.util.concurrent.Future;

    import com.microsoft.aad.adal4j.AuthenticationContext;
    import com.microsoft.aad.adal4j.AuthenticationResult;

    // Authority of your tenant (placeholder: substitute your tenant id or domain)
    private static final String AUTHORITY = "https://login.microsoftonline.com/{your tenant id}/";

    public static AuthenticationResult getTokenWithPasswordForDevOps(String username, String password) {
        ExecutorService service = Executors.newFixedThreadPool(1);
        AuthenticationContext context = null;
        AuthenticationResult result = null;
        try {
            context = new AuthenticationContext(AUTHORITY, true, service);
            // 499b84ac-1321-427f-aa17-267ca6975798 is the resource id of Azure DevOps.
            // The username/password grant yields a delegated (user) token, which is
            // what the user_impersonation permission requires.
            Future<AuthenticationResult> future = context.acquireToken(
                    "499b84ac-1321-427f-aa17-267ca6975798",
                    "{your public app client id}", username, password, null);
            result = future.get();
        } catch (InterruptedException | ExecutionException | MalformedURLException e) {
            e.printStackTrace();
        } finally {
            service.shutdown();
        }
        return result;
    }

Azure API failed to authenticate the request

Azure AD Authentication DOES NOT use the management certificate authentication.

There is good documentation and a code sample on MSDN on how to resolve your current issue:
Authenticating Service Management Requests

Azure Service Management API authentication using Azure Active Directory Oauth

This isn't possible due to the Application Permissions: 0 setting for the Service Management API. The client_credentials grant type uses credentials from the application (client_id and client_secret), and since the application does not have permissions for this API the call fails.

Since the Service Management API will not allow application permissions of any kind, we must use the authorization_code grant type or some other method to obtain a user token.
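The answers above (the Forbidden error on the Service Management API, the user_impersonation permission on Azure DevOps, and the Application Permissions: 0 setting) all come down to one distinction: a token obtained with client_credentials carries no user context, while these APIs only expose delegated permissions. The following added example (not code from any of the answers) decodes a token's claims and reports whether it is a delegated or application-only token, using the Azure AD convention that delegated tokens carry an `scp` claim and application-only tokens carry `roles` (or nothing). The sample tokens are constructed and unsigned, and the decoder performs no signature check; it is a diagnostic for "why did this call return 403", not an authorization check.

```python
import base64
import json

# Resource id of Azure DevOps as quoted in the answer above; used here only as
# the expected audience of the constructed sample tokens.
DEVOPS_RESOURCE_ID = "499b84ac-1321-427f-aa17-267ca6975798"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed, UNSIGNED sample token for offline demonstration only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWT. No signature check: diagnostic use only."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, expected_audience: str) -> dict:
    """Report whether a token is delegated (user) or application-only, and list
    the reasons an API that exposes only delegated permissions would reject it."""
    claims = decode_payload(token)
    aud = claims.get("aud")
    scopes = [s for s in str(claims.get("scp", "")).split() if s]
    roles = list(claims.get("roles", []))
    if scopes:
        kind = "delegated"
    elif roles:
        kind = "application"
    else:
        kind = "application (no permissions granted)"
    problems = []
    if aud != expected_audience:
        problems.append(f"audience {aud!r} is not the target API {expected_audience!r}")
    if kind != "delegated":
        problems.append("token carries no user context (no 'scp' claim), so an API that "
                        "offers only delegated permissions such as user_impersonation "
                        "will refuse it")
    return {"kind": kind, "audience": aud, "scopes": scopes, "roles": roles,
            "subject": claims.get("upn") or claims.get("sub"), "problems": problems}


# Constructed sample tokens (not real tokens): one acquired for a signed-in user,
# one acquired with client_credentials for the application itself.
DELEGATED_SAMPLE = make_unsigned_token({
    "aud": DEVOPS_RESOURCE_ID, "tid": "00000000-0000-0000-0000-000000000001",
    "upn": "alice@contoso.example", "scp": "user_impersonation",
})
APP_ONLY_SAMPLE = make_unsigned_token({
    "aud": DEVOPS_RESOURCE_ID, "tid": "00000000-0000-0000-0000-000000000001",
    "sub": "22222222-2222-2222-2222-222222222222",
    "appid": "33333333-3333-3333-3333-333333333333",
})

if __name__ == "__main__":
    for name, tok in (("delegated", DELEGATED_SAMPLE), ("app-only", APP_ONLY_SAMPLE)):
        print(name, json.dumps(classify_token(tok, DEVOPS_RESOURCE_ID), indent=1))
```

Run against a real token, `classify_token` shows at a glance whether the token was minted for a user (an `scp` claim and a `upn`) or for the application (no `scp`, at most `roles`), which is exactly the difference between the authorization_code or username/password flows and the client_credentials flow described above.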

iOS authentication with Azure AD

Please check the authorization URL you are currently using to sign in to your application.

  • If it is something like the one below, only users from that tenant will be able to log in.
    https://login.microsoftonline.com/<tenantid>

  • If this tenant Id corresponds to one of your organizations where you manage users, you can grant admin consent to that tenant in Azure portal like below:

Go to Azure portal -> Azure Active directory -> Your application -> API permissions -> Add required permissions -> Grant admin consent.

  • Otherwise, you should either replace this with the tenant Id of that tenant or with 'common' which allows users from any tenant to sign in like this: https://login.microsoftonline.com/common/

  • If not, users from other tenants get this approval page.

  • An administrator must provide Admin Consent in the case where access is required to more sensitive resources, or at a broader scope.

  • Granting tenant-wide admin consent requires you to sign in as a Global Administrator, an Application Administrator, or a Cloud Application Administrator.
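The tenant-versus-common choice above is easy to get wrong in configuration, so here is an added example (not from the answer) that inspects an authority URL and reports who it admits: a single tenant (given as a tenant id or a domain) or any tenant via `common`. It also rejects any host other than login.microsoftonline.com, the sign-in host used throughout this page, so a mistyped authority cannot quietly redirect the sign-in elsewhere. The host allow-list and the GUID/domain classification are this example's own assumptions.

```python
import re
from urllib.parse import urlparse

# The only sign-in host that appears on this page; anything else is refused.
TRUSTED_AUTHORITY_HOSTS = {"login.microsoftonline.com"}
_GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)


def describe_authority(authority: str) -> dict:
    """Classify an Azure AD authority URL by the tenant segment of its path."""
    u = urlparse(authority)
    if u.scheme != "https" or u.hostname not in TRUSTED_AUTHORITY_HOSTS:
        raise ValueError(f"untrusted authority: {authority!r}")
    segments = [s for s in u.path.split("/") if s]
    if not segments:
        raise ValueError("authority has no tenant segment (expected /<tenantid> or /common)")
    tenant = segments[0]
    if tenant == "common":
        return {"tenant": tenant, "single_tenant": False,
                "admits": "users from any tenant (consent prompt shown to other tenants)"}
    if _GUID.match(tenant):
        form = "tenant id"
    elif "." in tenant:
        form = "tenant domain"
    else:
        raise ValueError(f"unrecognised tenant segment: {tenant!r}")
    return {"tenant": tenant, "single_tenant": True,
            "admits": f"users from the tenant identified by {form} {tenant} only"}


if __name__ == "__main__":
    # Constructed sample authorities (the tenant id is not a real tenant)
    for url in ("https://login.microsoftonline.com/common/",
                "https://login.microsoftonline.com/11111111-1111-1111-1111-111111111111",
                "https://login.microsoftonline.com/contoso.example"):
        print(url, "->", describe_authority(url))
```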

If you want to remove that admin consent screen,

Go to Azure portal -> Azure Active directory -> Enterprise Applications -> Consent and permissions -> User Consent Settings


For more detail, see the links below.

References:

Azure SSO- How to remove approval required screen after sign in - Stack Overflow

How to fix the ‘Need admin approval’ error while trying to sign in to the signature management app (codetwo.com)

Exchange Online: Apple Internet Accounts - Need admin approval | diecknet


