0
votes

I have a problem getting a token for my Azure application.

Here is the code:

function Get-Token
{
    # Load ADAL (Active Directory Authentication Library) as shipped with the Azure PowerShell SDK
    Import-Module "${env:ProgramFiles(x86)}\Microsoft SDKs\Azure\PowerShell\ServiceManagement\Azure\Services\Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
    Import-Module "${env:ProgramFiles(x86)}\Microsoft SDKs\Azure\PowerShell\ServiceManagement\Azure\Services\Microsoft.IdentityModel.Clients.ActiveDirectory.WindowsForms.dll"

    $clientId = "1b730954-1685-4b74-9bfd-dac224a7b894"      # well-known Azure PowerShell client id
    $redirectUri = "urn:ietf:wg:oauth:2.0:oob"
    $resourceAppIdURI = "https://ios111.azurewebsites.net/" # the web app (resource) the token is requested for

    $authority = "https://login.microsoftonline.com/common/"
    $authContext = [Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext]$authority
    # Interactive user sign-in (PromptBehavior "Auto"); returns an AuthenticationResult
    $authResult = $authContext.AcquireToken($resourceAppIdURI, $clientId, $redirectUri, "Auto")
    $authResult.CreateAuthorizationHeader()   # "Bearer <access token>"
}

I receive the following error:

Exception calling "AcquireToken" with "4" argument(s): "AADSTS65005: Invalid resource. The client has requested access to a resource which is not listed in the requested permissions in the client's application registration. Client app ID: 1b730954-1685-4b74-9bfd-dac224a7b894. Resource value from request: https://ios111.azurewebsites.net/. Resource app ID: f4c1cc8d-629a-4c7e-836a-120ff078e664. List of valid resources from app registration: .

However, if I change the $resourceAppIdURI to

$resourceAppIdURI = "https://management.core.windows.net/"

it's all OK, and I'm authorized to access my application with the received token (if I set the Authorization header value to this token), but without the roles claim which I define in the application manifest for this user and which I want to check.

If I just access my function from the browser, after the login page redirects me back to the function, there is no Authorization header specified by the browser, only an ARRAffinity cookie, and ClaimsPrincipal.Current.Claims in the function context has the correct roles claim. So it seems that in the PS case the JWT token acquired by .AcquireToken is deserialized to ClaimsPrincipal.Current without using the web app's internal logic.

Any ideas how to give the PS client permission to access my app?

Thanks!

Are you using Azure AD to secure your App via Easy Auth? - Wayne Yang
@WayneYang-MSFT Yes, actually I had to use the advanced settings to put management.core.windows.net in ALLOWED TOKEN AUDIENCES to make it work - Oleg Skripnyak
Is this the article you referred to? markscholman.com/2016/08/… - Wayne Yang
@WayneYang-MSFT No, but there the clientId seems not to be the well-known PS clientId but the appId it accesses; I've tried the same without success - Oleg Skripnyak
You can refer to that article. - Wayne Yang

2 Answers

0
votes

To get an Azure App token with the required roles, you need a ClientId and Secret, along with the required permissions set up. If admin consent is needed, you should click the 'Grant Permissions' button on the application properties in the Azure Portal.

Then, if all is set up correctly, you can get a token like this (with the roles included):

Example for the Microsoft Graph API:

# Load ADAL from the Azure PowerShell SDK
$adal = "${env:ProgramFiles(x86)}\Microsoft SDKs\Azure\PowerShell\ServiceManagement\Azure\Services\Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
[System.Reflection.Assembly]::LoadFrom($adal) | Out-Null

$TenantName = "tenant.onmicrosoft.com"
$ClientId = "d1245516-2bg3-1234-123d-7cd067ff66b4" # Your AppId (Just a sample)
$Secret = "H7dd+PejUddGhuuGYY234Xhhhjs7739iQn112317zg=" # Your App Key Secret (Just a sample)

# Client credential (app-only) flow: the token carries the application permissions
# granted to the app, not a signed-in user's identity
$AuthId = New-Object Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredential($ClientId, $Secret)
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"
$resourceAppIdURI = "https://graph.microsoft.com"
[uri]$authority = "https://login.windows.net/$TenantName/oauth2/authorize"
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
# AuthenticationResult: $Token.AccessToken is the JWT, $Token.CreateAuthorizationHeader() builds the Bearer header
$Token = $authResult = $authContext.AcquireToken($resourceAppIdURI, $AuthId)

To check the token, you can use this JWT token decoder to see if it has the required roles:

http://jwt.calebb.net/
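As an added example (not part of this answer), the same check can be done locally in PowerShell by decoding the token payload, so a live access token never has to be pasted into a third-party site. It does not verify the signature; the sample token, the 'Admin' and 'Reader' roles and the helper names are constructed for illustration.

```powershell
# Decode the payload segment of a compact JWT (header.payload.signature) to claims.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Expected 3 dot-separated JWT segments, got $($parts.Count)" }
    # Segments are base64url (RFC 7515): '-' '_' alphabet with padding stripped
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } 1 { throw 'Invalid base64url segment' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64)) | ConvertFrom-Json
}

# Report whether the token is for the expected resource and carries the required app roles.
function Test-JwtClaims {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ExpectedAudience,
        [string[]]$RequiredRoles = @()
    )
    $claims = ConvertFrom-JwtPayload -Token $Token
    # 'roles' is absent entirely when no app role has been assigned to the caller
    $roles = @($claims.roles | Where-Object { $null -ne $_ })
    [pscustomobject]@{
        Audience     = $claims.aud      # must match the resource the web app accepts (ALLOWED TOKEN AUDIENCES)
        AudienceOk   = @($claims.aud) -contains $ExpectedAudience
        Roles        = $roles
        MissingRoles = @($RequiredRoles | Where-Object { $roles -notcontains $_ })
        Expired      = [DateTimeOffset]::FromUnixTimeSeconds([int64]$claims.exp) -lt [DateTimeOffset]::UtcNow
    }
}

# Constructed sample token with a dummy header and signature so the example runs offline.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$exp     = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
$payload = @{ aud = 'https://ios111.azurewebsites.net/'; roles = @('Admin'); exp = $exp } | ConvertTo-Json -Compress
$sample  = '{0}.{1}.{2}' -f (ConvertTo-Base64Url '{"alg":"RS256","typ":"JWT"}'), (ConvertTo-Base64Url $payload), 'sig'

# AudienceOk is True, MissingRoles contains 'Reader'
Test-JwtClaims -Token $sample -ExpectedAudience 'https://ios111.azurewebsites.net/' -RequiredRoles 'Admin', 'Reader'
# With a real result: Test-JwtClaims -Token $authResult.AccessToken -ExpectedAudience $resourceAppIdURI -RequiredRoles 'Admin'
```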

0
votes

Solved!

Thanks for the help, guys!

Actually, I had to register a native Azure application, give it access to my WebApp and use this appId as the clientId in the script above. Using "1b730954-1685-4b74-9bfd-dac224a7b894" as the well-known PowerShell clientId is probably possible for standard MS apps, but there is no way you can grant PS access to your app, at least not from the Azure portal.

Here is the link https://markscholman.com/2016/08/consuming-azure-api-app-azure-ad-authentication-using-powershell/ with a step-by-step explanation, given by WayneYang-MSFT.