0 votes

I have a Web API project hosted in Azure as web app with Managed Service identity enabled (so I don't need an app registration, right?):

[screenshot of the web app's Managed service identity setting; image not available]

Now I need to obtain a token to access my API so that I can use it in POSTMAN:

az login
az account get-access-token --resource "https://mytenant.onmicrosoft.com/d3a219e0-bbbf-496b-a4a4-b9ca485c5a52"

which gives me

Get Token request returned http error: 400 and server response: {"error":"invalid_resource","error_description":"AADSTS50001: The application named https://mytenant.onmicrosoft.com/d3a219e0-bbbf-496b-a4a4-b9ca485c5a52 was not found in the tenant named xxxxxxxx-xxxx-xxxx-af31-xxxxxxxxxx. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.

I get the same error if I try to use object id 63d571cf-79bf-405d-8304-a31fb64cb953 instead of app id as part of resource uri.

What am I doing wrong?


2 Answers

1 vote

What am I doing wrong?

az account get-access-token is used to get a token to access an Azure resource. We could get more information from this document.

--resource

Azure resource endpoints. Default to Azure Resource Manager Use 'az cloud show' command for other Azure resources.

The resource should be one of the following endpoints. And the default resource is https://management.azure.com/

  "endpoints": {
    "activeDirectory": "https://login.microsoftonline.com",
    "activeDirectoryDataLakeResourceId": "https://datalake.azure.net/",
    "activeDirectoryGraphResourceId": "https://graph.windows.net/",
    "activeDirectoryResourceId": "https://management.core.windows.net/",
    "batchResourceId": "https://batch.core.windows.net/",
    "gallery": "https://gallery.azure.com/",
    "management": "https://management.core.windows.net/",
    "resourceManager": "https://management.azure.com/",
    "sqlManagement": "https://management.core.windows.net:8443/",
    "vmImageAliasDoc": "https://raw.githubusercontent.com/Azure/azure-rest-api-specs/master/arm-compute/quickstart-templates/aliases.json"
  }

Based on my understanding, the command has no relationship with your API access.

For more information about MSI and how to protect an API by using OAuth 2.0 with Azure Active Directory, please refer to this tutorial and this tutorial.

0 votes

The resource URI does not contain your Application Id or Object Id. It is a separate identifier that you can find in the App Registration's Properties under App ID URI.

And since this is an MSI-generated service principal, there is no app. I think you have to register an app in this case.
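As an added check (example code, not from either answer or from the Azure CLI): once `az account get-access-token --resource <your App ID URI>` succeeds, decode the returned token's claims and confirm that `aud` is the API's App ID URI rather than the CLI's default ARM audience, and that `tid` is your tenant, before pasting it into Postman. The App ID URI and tenant id below are placeholders, and the tokens are constructed, unsigned samples standing in for the CLI's JSON output.

```python
import base64
import json

# Placeholders (assumptions): substitute your API's App ID URI and tenant id.
API_APP_ID_URI = "api://example-api-placeholder"
TENANT_ID = "00000000-0000-0000-0000-000000000000"
ARM_RESOURCE = "https://management.azure.com/"  # the CLI's default --resource


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is not verified: this only inspects which audience (aud)
    and tenant (tid) a token was minted for before it is pasted into Postman.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_problem(token: str, app_id_uri: str, tenant_id: str):
    """Explain why the API would reject this token, or return None if it fits."""
    claims = decode_jwt_claims(token)
    if claims.get("tid") != tenant_id:
        return f"token issued for tenant {claims.get('tid')!r}, not {tenant_id!r}"
    if claims.get("aud") != app_id_uri:
        return f"token audience is {claims.get('aud')!r}; API expects {app_id_uri!r}"
    return None


def check_cli_output(az_json: str, app_id_uri: str, tenant_id: str):
    """Check the JSON that `az account get-access-token` prints."""
    return audience_problem(json.loads(az_json)["accessToken"], app_id_uri, tenant_id)


def make_unsigned_sample(claims: dict) -> str:
    """Constructed, unsigned (alg 'none') JWT used only as sample input."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


def sample_cli_output(aud: str) -> str:
    """Constructed stand-in for the CLI's output, with the given audience."""
    token = make_unsigned_sample({"aud": aud, "tid": TENANT_ID})
    return json.dumps({"accessToken": token, "tokenType": "Bearer", "tenant": TENANT_ID})


# A token with the default ARM audience versus one minted for the API itself.
ARM_TOKEN_OUTPUT = sample_cli_output(ARM_RESOURCE)
API_TOKEN_OUTPUT = sample_cli_output(API_APP_ID_URI)
```

Against a real token, `check_cli_output(subprocess.check_output(["az", "account", "get-access-token", "--resource", API_APP_ID_URI]), API_APP_ID_URI, TENANT_ID)` returns None only when the audience and tenant line up with your API.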