All of the examples on the microsoft azure site having to do with a client application or a service principal having access to azure apis all show the graph apis as the example. I got those to work, but what I need to do is access the azure service management apis.

If I take an auth token that works for the graph api and use it for the service management api, I get an "Authentication failed." error.

I have added the api permission for "azure service management" and the user_impersonation delegated permission type to my public client app, but the management apis still fail.

Am I going about this all wrong? I get the idea that the service management apis are authenticated a different way since there's absolutely no mention of using them anywhere in any of the auth examples.

John Hanley: Show your code and the endpoints used for authentication.
juunas: The token for Graph API won't work. You need to get a token for the Azure API by specifying the correct scope/resource.
Gaurav Mantri: If I understand correctly you're trying to execute Service Management API for a Service Principal. Is this correct?
stu: Probably? I'm not 100% on all of the security concepts yet. I need consent from an admin in tenant A so my app in tenant B can call VM/network/storage REST APIs in tenant A. As I understand it, a service principal is created in tenant A when consent is given to my tenant B app.

1 Answer

I suppose you are using the client application or a service principal to access Azure resources. If so, you are using the client credentials flow, but the user_impersonation permission of the Azure Service Management API is a delegated permission; it will not take effect in this flow.

That permission is meant to be consented to by the user who logs in to the AD App, e.g. in the auth code flow. Once the user has consented, the App will be able to act on behalf of the user to access the Azure resources. Note that the permission comes from the user, not the app. So if you want to use this flow, the user should have a role in the subscription or on the specific resources.

To access Azure resources with the client application or a service principal, you just need to assign the service principal an RBAC role in the Access control (IAM) of your subscription or specific resource; there is no need to add any API permission in Azure AD, see this link. Then the service principal will be able to access the Azure resources.

When you get the token to access the Azure resources, e.g. to call the REST APIs, the scope should be https://management.azure.com/.default, not https://graph.microsoft.com/.default. You can only get a token for one resource at a time.
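The two points in the answer (request the token for the management scope, and the token is bound to exactly one resource) can be checked locally. The following Python is an added example written for this page, not code from the question or the answer. The tenant ID, client ID, secret and subscription ID are placeholder values constructed for the example, the sample tokens are unsigned JWTs built inline purely so the audience check has something to read, and the `api-version` on the ARM request is an assumed value. Nothing here is sent over the network; the request builders only return what would be sent, and the audience check deliberately does not verify the signature (it is a diagnostic for "which resource was this token minted for?", not an authentication step).

```python
import base64
import json
import urllib.parse
from urllib.request import Request

# Placeholder identifiers, constructed for this example (not real tenants or apps).
TENANT_ID = "00000000-0000-0000-0000-000000000000"
CLIENT_ID = "11111111-1111-1111-1111-111111111111"
CLIENT_SECRET = "example-client-secret"
SUBSCRIPTION_ID = "22222222-2222-2222-2222-222222222222"

GRAPH_SCOPE = "https://graph.microsoft.com/.default"
ARM_SCOPE = "https://management.azure.com/.default"


def token_request(tenant_id, client_id, client_secret, scope):
    """Build the client-credentials request against the Azure AD v2.0 token endpoint.

    Returns (url, form_body) without sending it. A service principal gets
    a token for exactly one resource per request, selected by `scope`.
    """
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    return url, body


def arm_request(access_token, subscription_id):
    """Build (not send) an ARM call that lists resource groups with a bearer token.

    The api-version value is an assumption for this example.
    """
    url = (f"https://management.azure.com/subscriptions/{subscription_id}"
           "/resourcegroups?api-version=2021-04-01")
    return Request(url, headers={"Authorization": f"Bearer {access_token}"}, method="GET")


def _b64url_decode(segment):
    # JWT segments drop base64 padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).decode("ascii").rstrip("=")


def make_unsigned_token(claims):
    """Constructed, unsigned JWT used only to feed token_audience() offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def token_audience(jwt):
    """Read the `aud` claim of an access token WITHOUT validating the signature.

    Use this only to diagnose which resource a token was issued for; never
    use it to decide whether to trust the token.
    """
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    payload = json.loads(_b64url_decode(parts[1]))
    return payload.get("aud")


def token_fits_scope(jwt, scope):
    """True if the token's audience matches the resource named by a `/.default` scope.

    A Graph token (aud https://graph.microsoft.com) fails this check for the
    ARM scope, which is the "Authentication failed." situation in the question.
    """
    expected = scope[: -len("/.default")] if scope.endswith("/.default") else scope
    aud = token_audience(jwt)
    return isinstance(aud, str) and aud.rstrip("/") == expected.rstrip("/")


if __name__ == "__main__":
    url, body = token_request(TENANT_ID, CLIENT_ID, CLIENT_SECRET, ARM_SCOPE)
    print(url)
    print(body)
    graph_token = make_unsigned_token({"aud": "https://graph.microsoft.com", "appid": CLIENT_ID})
    arm_token = make_unsigned_token({"aud": "https://management.azure.com/", "appid": CLIENT_ID})
    print("graph token fits ARM?", token_fits_scope(graph_token, ARM_SCOPE))
    print("arm token fits ARM?", token_fits_scope(arm_token, ARM_SCOPE))
    print(arm_request("<token>", SUBSCRIPTION_ID).full_url)
```

If a real token fails `token_fits_scope(token, ARM_SCOPE)`, it was requested for the wrong resource and no amount of API-permission or RBAC work will make ARM accept it; if it passes and ARM still returns an authorization error, the remaining cause is the missing RBAC role assignment on the subscription or resource.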