1 vote

I have an Azure account, and now I'm trying to get a token in a console application to manage resources (i.e. create a resource group etc.):

using System;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL: AuthenticationContext, UserPasswordCredential

// The await below requires this to run inside an async method.
string userName = "xyz@gmail.com";
string password = "XXXXXXXXX";
string directoryName = "xyzgmail.onmicrosoft.com";
string clientId = "guid-of-registered-application-xxx";
var credentials = new UserPasswordCredential(userName, password);
var authenticationContext = new AuthenticationContext("https://login.windows.net/" + directoryName);
// Token for the Azure Resource Manager / Service Management audience
var result = await authenticationContext.AcquireTokenAsync("https://management.core.windows.net/", clientId, credentials);

On the AcquireTokenAsync call I get:

Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: 'accessing_ws_metadata_exchange_failed: Accessing WS metadata exchange failed'

Can anybody help, please?

Update: this is how I tried to create a resource group under the newly created user:

using Microsoft.Rest;                                    // TokenCredentials
using Microsoft.Azure.Management.ResourceManager;        // ResourceManagementClient
using Microsoft.Azure.Management.ResourceManager.Models; // ResourceGroup

var jwtToken = result.AccessToken; // result from the AcquireTokenAsync call above
string subscriptionId = "XX-XX-XX-YY-YY-YY";
var tokenCredentials = new TokenCredentials(jwtToken);
var client = new ResourceManagementClient(tokenCredentials);
client.SubscriptionId = subscriptionId;
var rgResponse = await client.ResourceGroups.CreateOrUpdateWithHttpMessagesAsync("myresgroup77777",
    new ResourceGroup("East US"));

Here I got another exception:

'The client 'newaduser@xyzgmail.onmicrosoft.com' with object id 'aaa-aaa-aaa-aaa' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/XX-XX-XX-YY-YY-YY/resourcegroups/myresgroup77777'.'

Comments:

Do you have a link to the resource where you saw it used this way? I don't even see an overload that matches what you are doing. – Crowcoder

Did you assign a role to the user? The permission to execute the Windows Azure Service Management API is granted to the application that assumes the identity of the logged-in user. However, that user needs to be in a role that has permission to create a resource group in a subscription. Try assigning the built-in Contributor role at the subscription level to this user. – Gaurav Mantri

@GauravMantri awesome! It works! Just a minor question: can I log in via the initial user (which is the owner) instead of creating a new one? – amplifier

You should be able to do so. I tried to look up the 1st error you were getting but couldn't find anything conclusive regarding that. Let me post my comment as an answer. – Gaurav Mantri

1 Answer

0 votes

Not sure why you're getting the first error, but the second error occurs because the signed-in user does not have permission to perform the operation (as stated in the error message).

When you assign the permission to execute the Windows Azure Service Management API, it is actually assigned to the application, which assumes the identity of the signed-in user.

In order to perform the Create Resource Group operation in an Azure subscription, that user must be in a role that allows this operation to be performed. You can try assigning the built-in Contributor role at the Azure subscription level to this user.

Also, regarding using login.windows.net vs. login.microsoftonline.com, it is recommended that you use the latter. When you use login.windows.net, it gets automatically redirected to login.microsoftonline.com. Using login.microsoftonline.com will save you one redirection.
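The following console program is an added example and is not code from the question or the answer. It puts the two points of the answer together: it uses the login.microsoftonline.com authority directly, and it treats the AuthorizationFailed response as an RBAC problem to be fixed by a role assignment rather than in code. It swaps in MSAL (NuGet Microsoft.Identity.Client) with the device code flow so the user's password never passes through the application; the tenant, client id, subscription id and resource group name are placeholders copied from the question, and the app registration is assumed to be configured to allow public client flows.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;                         // MSAL: PublicClientApplicationBuilder
using Microsoft.Rest;                                    // TokenCredentials
using Microsoft.Rest.Azure;                              // CloudException
using Microsoft.Azure.Management.ResourceManager;        // ResourceManagementClient
using Microsoft.Azure.Management.ResourceManager.Models; // ResourceGroup

class Program
{
    // Placeholder values taken from the question; substitute your own.
    const string TenantId = "xyzgmail.onmicrosoft.com";
    const string ClientId = "guid-of-registered-application-xxx";
    const string SubscriptionId = "XX-XX-XX-YY-YY-YY";

    // Azure Resource Manager scope; ".default" requests the permissions the app registration already holds.
    static readonly string[] Scopes = { "https://management.azure.com/.default" };

    static async Task Main()
    {
        // 1. Acquire a token. Pointing at login.microsoftonline.com avoids the redirect that
        //    login.windows.net performs. The device code flow prints a URL and a one-time code;
        //    the user signs in there, so no password is handled by this program.
        IPublicClientApplication app = PublicClientApplicationBuilder
            .Create(ClientId)
            .WithAuthority("https://login.microsoftonline.com/" + TenantId)
            .Build();

        AuthenticationResult auth = await app
            .AcquireTokenWithDeviceCode(Scopes, deviceCode =>
            {
                Console.WriteLine(deviceCode.Message); // instructions for the user
                return Task.CompletedTask;
            })
            .ExecuteAsync();

        // 2. Call ARM with the bearer token.
        var client = new ResourceManagementClient(new TokenCredentials(auth.AccessToken))
        {
            SubscriptionId = SubscriptionId
        };

        try
        {
            ResourceGroup rg = await client.ResourceGroups.CreateOrUpdateAsync(
                "myresgroup77777", new ResourceGroup("East US"));
            Console.WriteLine("Created/updated resource group: " + rg.Id);
        }
        catch (CloudException ex) when (ex.Body?.Code == "AuthorizationFailed")
        {
            // 3. The failure from the question: the token is valid, but the signed-in principal has
            //    no role assignment granting Microsoft.Resources/subscriptions/resourcegroups/write
            //    at subscription scope. This is fixed with an RBAC role assignment, not in code.
            Console.Error.WriteLine("Authorization failed: " + ex.Body.Message);
            Console.Error.WriteLine("Assign a role (e.g. the built-in Contributor role) to the user at scope /subscriptions/" + SubscriptionId);
        }
    }
}
```

The role assignment itself is done by an Owner or User Access Administrator of the subscription, for example with the Azure CLI: az role assignment create --assignee newaduser@xyzgmail.onmicrosoft.com --role Contributor --scope /subscriptions/XX-XX-XX-YY-YY-YY (values are the placeholders from the question). Contributor at subscription scope is the broad grant the answer suggests; creating resource groups does require the write action at subscription scope, but if the user only needs to manage resources inside existing groups, scoping the assignment to those groups keeps the privilege narrower.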