Error making Azure Management Library API call when authenticating with azure active directory
I believe you're on the right track as to why you're running into this problem.
Here's what's happening:
Essentially permission to execute Service Management API
is a delegated permission and not an application permission
. In other words, the API is executed in context of the user for which the token is acquired. Now you are getting this token for your application (specified by client id/secret). However your application doesn't have access to your Azure Subscription because the user record created for this application in your Azure AD is of type Service Principal
. Since this Service Principal doesn't have access to your Azure Subscription, you're getting this Forbidden Error
(I must say that the error is misleading because you're not using certificate at all).
There are a few things you could do:
- Switch to Azure Resource Manager (ARM) API - ARM API is the next generation of Service Management API (SM API) and Azure is moving towards this direction only. It exclusively works off of Azure AD token. If possible, make use of that to manage your Azure resources (though you need to keep in mind that as of today not all Azure resources can be managed through ARM API). They way you do it is take your Service Principal and assign it to a particular role using new
Azure Portal
. Please see this link for more details on this: https://azure.microsoft.com/en-in/documentation/articles/resource-group-create-service-principal-portal/. - Use X509 Certificate - You can always use X509 Certificate based authorization to authorize your SM API requests. Please see this link for more details on that: https://msdn.microsoft.com/en-us/library/azure/ee460782.aspx#bk_cert. The downside of this approach is that the application (or whosoever has access to this certificate) will get full access to your Azure Subscription and can do everything there (including deleting resources).
- Acquire token for a user instead of an application - This is another approach you can take. Essentially ask your users to login into Azure AD through your console application and acquire token for that user. Again, please keep in mind that this user must be a
Co-Admin
in your Azure Subscription and will have full access to your Azure Subscription as with SM API there's no concept ofRole-based access control
.
Azure Devops REST API authentication failing when using Azure Active Directory
user_impersonation
means that this API can only be called with user permission. However, you get the token with client credential which only has application permission.
To get a token for a user, you can try the following codes:
public static AuthenticationResult GetToeknWithPasswordForDevOps(String username, String password){
ExecutorService service = Executors.newFixedThreadPool(1);
AuthenticationContext context = null;
AuthenticationResult result = null;
try {
context = new AuthenticationContext(AUTHORITY, true, service);
Future<AuthenticationResult> future = context.acquireToken("499b84ac-1321-427f-aa17-267ca6975798", "{your publuc app client id}", username, password, null);
result = future.get();
} catch (InterruptedException e) {
e.printStackTrace();
} catch (ExecutionException e) {
e.printStackTrace();
} catch (MalformedURLException e) {
e.printStackTrace();
} finally {
service.shutdown();
}
return result;
}
Azure API failed to authenticate the request
Azure AD Authentication DOES NOT use the management certificate authentication.
There is a good documentation and code sample on MSDN on how to resolve your current issue.
Authenticating Service Management Requests
Azure Service Management API authentication using Azure Active Directory Oauth
This isn't possible due to the Application Permissions: 0 setting for the Service Management API. The client_credentials grant type uses credentials from the application (client_id and client_secret), and since the application does not have permissions for this API the call fails.
Since the Service Management API will not allow application permissions of any kind, we must use the authorization_code grant type or some other method to obtain a user token.
iOS authentication with Azure AD
Please check the authorization URL you are currently using to sign-in your application.
If it is somewhat like below, only users from that tenant will be able to log in.
https://login.microsoftonline.com/<tenantid>
If this tenant Id corresponds to one of your organizations where you manage users, you can grant admin consent to that tenant in Azure portal like below:
Go to Azure portal -> Azure Active directory -> Your application -> API permissions -> Add required permissions -> Grant admin consent.
Otherwise, you should either replace this with the tenant Id of that tenant or with 'common' which allows users from any tenant to sign in like this:
https://login.microsoftonline.com/common/
If not, users from other tenant gets this approval page.
An administrator must provide Admin Consent in the case where access is required to more sensitive resources, or at a broader scope.
Granting tenant-wide admin consent requires you to sign in as a Global Administrator, an Application Administrator, or a Cloud Application Administrator.
If you want to remove that admin consent screen,
Go to Azure portal -> Azure Active directory -> Enterprise Applications -> Consent and permissions -> User Consent Settings
To know more in detail, please find below links if they are helpful.
References:
Azure SSO- How to remove approval required screen after sign in - Stack Overflow
How to fix the ‘Need admin approval’ error while trying to sign in to the signature management app (codetwo.com)
Exchange Online: Apple Internet Accounts - Need admin approval | diecknet
Related Topics
Interesting "Params of Ref" Feature, Any Workarounds
Where and Why Use Int A=New Int
Is the C# Compiler Smart Enough to Optimize This Code
How to Confirm That Mail Has Been Delivered or Not
C# Wait for User to Finish Typing in a Text Box
Is the Size of a Form in Visual Studio Designer Limited to Screen Resolution
Xdocument: Saving Xml to File Without Bom
What Could Be Causing a System.Typeloadexception
Starting a Process with Credentials from a Windows Service
Newtonsoft JSON.Net Serialize Jobject Doesn't Ignore Nulls, Even with the Right Settings
Read from Word Document Line by Line
Is There a Reasonable Approach to "Default" Type Parameters in C# Generics