0
votes

I am trying to create an application that can connect to ARM (https://management.azure.com) and retrieve some information from it. I already created one that uses Microsoft Graph (https://graph.microsoft.com) and works fine; however, now I need to get information that is only available on ARM.

I looked on the internet for the permissions required, especially on Microsoft Docs, but all the documentation I was able to find refers only to Microsoft Graph or Windows Graph.

Do you know which permissions I should request through the portal?

import java.net.MalformedURLException;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import javax.crypto.BadPaddingException;
import javax.crypto.IllegalBlockSizeException;
import javax.crypto.NoSuchPaddingException;
import javax.naming.ServiceUnavailableException;
import com.microsoft.aad.adal4j.AuthenticationContext;
import com.microsoft.aad.adal4j.AuthenticationResult;

// Acquires an access token for Azure Resource Manager with the ADAL4J
// username/password (ROPC) flow. The resource parameter selects the API the
// token is issued for, so the app registration needs a delegated permission
// for that API (not only for Microsoft Graph), and consent must be granted.
public String getAccessToken() throws MalformedURLException, InterruptedException, ExecutionException, ServiceUnavailableException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, NoSuchAlgorithmException, NoSuchPaddingException
{
    AuthenticationContext objContext;
    AuthenticationResult objToken;
    ExecutorService objService;
    Future<AuthenticationResult> objFuture;
    objService = null;
    objToken = null;
    try
    {
        objService = Executors.newFixedThreadPool(1);
        // getAuthorize() returns the authority URL, e.g. https://login.microsoftonline.com/<tenant>
        objContext = new AuthenticationContext(this.getAuthorize(), false, objService);
        // Resource identifier for ARM; the client ID is the app registration's application (client) ID.
        objFuture = objContext.acquireToken("https://management.azure.com", this.getApplicationID(), this.getUsername(), SecureText.getInstance().decode(this.getPassword()), null);
        objToken = objFuture.get();
        this.getLogger().info("Connection to Azure Resource Manager (".concat(this.getClass().getSimpleName().toLowerCase()).concat(") successfully established"));
    }
    finally
    {
        // Guard against the pool never having been created before the exception was thrown.
        if (objService != null)
        {
            objService.shutdown();
        }
    }
    if (objToken == null)
    {
        throw new ServiceUnavailableException("Authentication Service is not available");
    }
    return objToken.getAccessToken();
}

The following error is displayed:

com.microsoft.aad.adal4j.AuthenticationException: {"error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'e1b0615a-911d-4ccf-bf16-e8d0c1c2f8b5' named 'XXXXXXX'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 9731e9b7-116d-4c5e-b219-ab96e12c4300\r\nCorrelation ID: faa9a023-3237-4367-9c66-eec9b77e2805\r\nTimestamp: 2019-09-26 11:20:54Z","error":"invalid_grant"}

1 - I think it needs delegated permissions like Azure Service Management API or something similar. I'm on my phone now so can't really check the exact one. - juunas

This seems relevant with application permission instead of ARM permission. Refer to this screenshot: imgur.com/a/G4QlNqU . Go to AAD -> Enterprise applications -> search the application you created, then go to Permissions -> click the button "Grant admin consent for Microsoft" to grant your application the admin consent. - Merlin Liang

I am aware this is an application permission. What I need to know is which permissions are required for executing REST API calls to the ARM module. Currently the application has the following permissions, which I set based on the Microsoft Graph REST API documentation: AuditLog.Read.All, Directory.AccessAsUser.All, Directory.Read.All, Policy.Read.All, SecurityEvents.Read.All. Ex: for read/list users (docs.microsoft.com/en-us/graph/api/…) you have the permissions at the beginning, in the Permissions section. - delucaezequiel

However, for the REST API to the ARM module (management.azure.com) the permissions are not listed in the available documentation. Ex: for read/list tenants (docs.microsoft.com/es-es/rest/api/resources/tenants/list) you do not have the Permissions section. The error is only displayed for REST API queries to the Management module; to the Microsoft Graph one I can connect and retrieve data as expected based on the permissions listed above. - delucaezequiel

1 Answer

1
votes

I have seen a similar error in the past.

Granting the permission via:

Azure Active Directory -> App Registrations -> MyApp -> Api Permissions -> Grant Admin Consent button

helped me.

Similar posts - The user or administrator has not consented to use the application - Send an interactive authorization request for this user and resource
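As an added example (not code from the question, the answer, or adal4j), here is a small triage helper that parses the exact error body adal4j raised above, pulls out the AADSTS code, the application ID and the Trace/Correlation IDs you would quote to support, and, for AADSTS65001, tells you which delegated permission to add and consent to for the resource you requested the token for. The mapping of https://management.azure.com to the "Azure Service Management" API and its user_impersonation permission, and the remediation wording, are this example's own assumptions; the sample input is the error text quoted from the question.

```python
import json
import re

# Sample input: the error body adal4j put in AuthenticationException.getMessage() in the
# question above (quoted from the page, not constructed).
SAMPLE_ERROR = r'''{"error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'e1b0615a-911d-4ccf-bf16-e8d0c1c2f8b5' named 'XXXXXXX'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 9731e9b7-116d-4c5e-b219-ab96e12c4300\r\nCorrelation ID: faa9a023-3237-4367-9c66-eec9b77e2805\r\nTimestamp: 2019-09-26 11:20:54Z","error":"invalid_grant"}'''

CODE_RE = re.compile(r"\b(AADSTS\d+)\b")
APP_ID_RE = re.compile(r"application with ID '([0-9a-fA-F-]{36})'")
# Diagnostic lines AAD appends after the message text, one per CRLF-separated line.
FIELD_RE = re.compile(r"^(Trace ID|Correlation ID|Timestamp): (.+)$", re.MULTILINE)

# Delegated permission to look for under "API permissions" for a given v1 resource URI.
# Assumption of this example: the display name and permission name as shown in the portal.
RESOURCE_PERMISSIONS = {
    "https://management.azure.com": ("Azure Service Management", "user_impersonation"),
}


def parse_aadsts_error(raw):
    """Extract the AADSTS code, app ID and support IDs from a token-endpoint error.

    `raw` is normally the JSON body from the exception message; a bare
    error_description string (as pasted from a log) is accepted as well."""
    try:
        body = json.loads(raw)
    except ValueError:
        body = {"error": None, "error_description": raw}
    desc = body.get("error_description", "")
    code = CODE_RE.search(desc)
    app = APP_ID_RE.search(desc)
    # strip() removes the trailing "\r" that precedes each "\n" in the description.
    fields = {k.lower().replace(" ", "_"): v.strip() for k, v in FIELD_RE.findall(desc)}
    return {
        "error": body.get("error"),
        "code": code.group(1) if code else None,
        "app_id": app.group(1) if app else None,
        "trace_id": fields.get("trace_id"),
        "correlation_id": fields.get("correlation_id"),
        "timestamp": fields.get("timestamp"),
    }


def permission_for_resource(resource):
    """Map a resource URI (with or without trailing slash) to the (API, permission) to grant."""
    return RESOURCE_PERMISSIONS.get(resource.rstrip("/"))


def triage(raw, resource):
    """Turn the error into the one action to take; returns a plain-text remediation line."""
    parsed = parse_aadsts_error(raw)
    if parsed["code"] == "AADSTS65001":
        perm = permission_for_resource(resource)
        where = ("%s / %s" % perm) if perm else ("the delegated permission for %s" % resource)
        return ("app %s lacks consent for %s: add %s under API permissions and grant admin "
                "consent (or complete one interactive authorization); trace %s, correlation %s"
                % (parsed["app_id"], resource, where, parsed["trace_id"], parsed["correlation_id"]))
    return "%s (%s): not a consent problem, check the AADSTS error reference" % (
        parsed["code"], parsed["error"])


if __name__ == "__main__":
    print(triage(SAMPLE_ERROR, "https://management.azure.com"))
```

Note that the resource string passed to acquireToken is what decides which API's permission must be consented to; having the Graph scopes listed in the question granted does nothing for a token requested for management.azure.com.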