0
votes

I am trying to call an Azure ARM REST API to create a resource group. I am passing tenant_id, client_id and client_secret to get the access token, which will later be used as the authorization header. My code is like below. The application ID is the client ID of the application and the application secret is the key which is generated after selecting the time duration.

import adal
import requests

# Client-credentials flow against the tenant's authority (module-level adal API)
token_response = adal.acquire_token_with_client_credentials(
    'https://login.microsoftonline.com/' + '<tenantId>',
    '<ApplicationId>',
    '<Application Secret>'
)
access_token = token_response.get('accessToken')

# ARM endpoint for the resource group; xxxx is the subscription ID
endpoint = 'https://management.azure.com/subscriptions/xxxx/resourcegroups/resourcename?api-version=2015-01-01'

# The token is sent as a Bearer token in the Authorization header
headers = {"Authorization": 'Bearer ' + access_token}
json_output = requests.put(endpoint, headers=headers).json()
print(json_output)

But this is throwing me an error as below:

{u'error': {u'message': u"The access token is from the wrong issuer 'https://sts.windows.net/xxx/'. It must match the tenant 'https://sts.windows.net/xxx/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/xxx' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later.", u'code': u'InvalidAuthenticationTokenTenant'}}

What does this error mean, and am I passing the right credentials? If I use the credentials mentioned in the error, I get another error which says the application with the mentioned client_id was not found.

4
What is the value you're passing for "TenantId"? – Gaurav Mantri
I'm passing the string which is in OAuth 2.0 Authorization Endpoint, which is after login.windows.net – shwetha
The tenant id should either be a GUID or something like somevalue.onmicrosoft.com (essentially your Azure AD name). Is that what you're providing? – Gaurav Mantri
@Gaurav, https://manage.windowsazure.com/serco.onmicrosoft.com#Workspaces/ActiveDirectoryExtension/Directory/<Tenant ID GUID>/directoryQuickStart, this is what I'm passing. – shwetha
@DSA - Yes, a subscription will be mapped to only one active directory and you have to use the "tenant ID" of that directory which is mapped to your subscription. In my case I was trying with a directory which was not mapped to my subscription. You can change the settings and make your subscription map to the directory which you want to use. – shwetha
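The error above is ARM comparing the tenant in the token's issuer (iss) claim with the tenant the subscription is mapped to. As an added illustration (not code from the question or any answer), the check below reads the iss/tid claims of a token and compares the issuer tenant with the subscription's tenant before the ARM call is made; the tenant GUIDs and the sample token are constructed placeholders.

```python
import base64
import json

# Constructed sample values: placeholder tenant GUIDs, not real directories.
EXPECTED_TENANT = "11111111-1111-1111-1111-111111111111"  # tenant the subscription is mapped to
OTHER_TENANT = "22222222-2222-2222-2222-222222222222"     # a directory the subscription is not in


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(tenant_id: str) -> str:
    """Build an unsigned, constructed JWT carrying the claims Azure AD puts in an ARM token."""
    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "aud": "https://management.core.windows.net/",
        "iss": "https://sts.windows.net/%s/" % tenant_id,
        "tid": tenant_id,
    }
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "",  # empty signature segment
    ])


def token_claims(token: str) -> dict:
    """Read a JWT payload without verifying the signature. Acceptable only for a
    token the STS just issued to this client; a service accepting tokens must verify."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))


def issuer_tenant(token: str) -> str:
    """Tenant GUID embedded in the iss claim (https://sts.windows.net/<tenant>/)."""
    return token_claims(token)["iss"].rstrip("/").rsplit("/", 1)[-1]


def issuer_matches(token: str, subscription_tenant: str) -> bool:
    """True when the issuer tenant is the one the subscription is associated with;
    a mismatch is what ARM reports as InvalidAuthenticationTokenTenant."""
    return issuer_tenant(token).lower() == subscription_tenant.lower()
```

Running issuer_matches on the real access token with the tenant shown in the error's "It must match the tenant" text tells you, before the PUT, whether the authority URL points at the wrong directory.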

4 Answers

0
votes

As the message says you need to go against login.windows.net instead of login.microsoftonline.com:

token_response = adal.acquire_token_with_client_credentials(
    'https://login.windows.net/' + '<tenantId>',
    '<ApplicationId>',
    '<Application Secret>'
)
0
votes

It seems that there is some problem with your AD application. To authenticate Azure ARM you need an AD with a service principal. You can refer to Create Active Directory application and service principal using portal or Authenticating a service principal with Azure Resource Manager to create a new AD application. Use this info in your code and try again.

0
votes

It's the difference between common tenant and separate tenant which causes this issue.

Would you please see my answer in another thread, Azure Active Directory Authorization "The access token is from the wrong issuer"?

Hope this helps.

0
votes

In client credentials use

"https://management.core.windows.net/"

instead of https://login.microsoftonline.com/ in your code.

token_response = adal.acquire_token_with_client_credentials(
    'https://management.core.windows.net/' + '<tenantId>',
    '<ApplicationId>',
    '<Application Secret>'
)

I fixed the same problem with this.

Thanks, Bhushan