Error making Azure Management Library API call when authenticating with azure active directory

by

I believe you’re on the right track as to why you’re running into this problem.

Here’s what’s happening:

Essentially permission to execute Service Management API is a delegated permission and not an application permission. In other words, the API is executed in context of the user for which the token is acquired. Now you are getting this token for your application (specified by client id/secret). However your application doesn’t have access to your Azure Subscription because the user record created for this application in your Azure AD is of type Service Principal. Since this Service Principal doesn’t have access to your Azure Subscription, you’re getting this Forbidden Error (I must say that the error is misleading because you’re not using certificate at all).

There are a few things you could do:

  1. Switch to Azure Resource Manager (ARM) API – ARM API is the next generation of Service Management API (SM API) and Azure is moving towards this direction only. It exclusively works off of Azure AD token. If possible, make use of that to manage your Azure resources (though you need to keep in mind that as of today not all Azure resources can be managed through ARM API). They way you do it is take your Service Principal and assign it to a particular role using new Azure Portal. Please see this link for more details on this: https://azure.microsoft.com/en-in/documentation/articles/resource-group-create-service-principal-portal/.
  2. Use X509 Certificate – You can always use X509 Certificate based authorization to authorize your SM API requests. Please see this link for more details on that: https://msdn.microsoft.com/en-us/library/azure/ee460782.aspx#bk_cert. The downside of this approach is that the application (or whosoever has access to this certificate) will get full access to your Azure Subscription and can do everything there (including deleting resources).
  3. Acquire token for a user instead of an application – This is another approach you can take. Essentially ask your users to login into Azure AD through your console application and acquire token for that user. Again, please keep in mind that this user must be a Co-Admin in your Azure Subscription and will have full access to your Azure Subscription as with SM API there’s no concept of Role-based access control.

More Related Contents:

  1. How to authenticate user with Azure Active Directory using OAuth 2.0?
  2. How to validate Azure AD security token?
  3. Getting the latest file modified from Azure Blob
  4. Azure Function with AD auth results in 401 Unauthorized when using Bearer tokens
  5. Azure Bot C# : Webchat Open url in same Tab of Browser, Its opening in new tab
  6. Validate a username and password against Active Directory?
  7. Dependency Injection in attributes
  8. Authorize By Group in Azure Active Directory B2C
  9. How can I make SMTP authenticated in C#
  10. Dependency injection using Azure WebJobs SDK?
  11. .NET Core Identity Server 4 Authentication VS Identity Authentication
  12. Custom Authentication in ASP.Net-Core
  13. Using WebClient or WebRequest to login to a website and access data
  14. ASP.NET Core 2.0 disable automatic challenge
  15. Recommend a C# Task Scheduling Library [closed]
  16. How to programmatically log in to a website to screenscape?
  17. ASP.NET Core disable authentication in development environment
  18. Cookie Authentication expiring too soon in ASP.NET Core
  19. ASP.NET Core 1.1 runs fine locally but when publishing to Azure says “An error occurred while starting the application.”
  20. IDX21323 OpenIdConnectProtocolValidationContext.Nonce was null, OpenIdConnectProtocolValidatedIdToken.Payload.Nonce was not null
  21. Simple token based authentication/authorization in asp.net core for Mongodb datastore
  22. cURL with user authentication in C#
  23. Azure Blob Storage | AcquireLeaseAsync, synchronously wait until lock is released
  24. What is the simplest way to run a timer-triggered Azure Function locally once?
  25. Return more info to the client using OAuth Bearer Tokens Generation and Owin in WebApi
  26. Built-in helper to parse User.Identity.Name into Domain\Username
  27. Single or Multiple Entities Per Collection in DocumentDB
  28. Authentication with Azure Active Directory – how to accept user credentials programmatically
  29. Is it possible to scale Azure app services programmatically
  30. Login to the page with HttpWebRequest

Leave a Comment