Send Events to Event Grid Topic from ADF Web activity with MSI authentication - azure-data-factory

I wish to send an event from an ADF "Web" activity to an Event Grid topic. I managed to do it by sending the "aeg-sas-key" from the Web activity, as documented here.
However, I tried to achieve the same through the ADF Web activity without using "aeg-sas-key", using Authentication set to managed identity instead.
But it gives me the error below:
{
  "error": {
    "code": "Unauthorized",
    "message": "Request has an unsupported Authorization scheme:Bearer. Authorization scheme must be SharedAccessSignature. Report 'a2af905c-e3ca-401a-be09-3f0b3c6b7d4e:8:5/20/2021 2:00:24 PM (UTC)' to our forums for assistance or raise a support ticket."
  }
}
I have added the managed identity application of ADF to the Event Grid topic with the Contributor role, but it still does not work. Am I missing something?
In short: how do I send events to an Event Grid topic from an ADF Web activity using managed identity authentication?

Not all the APIs in Azure support MSI auth; only the APIs secured by Azure AD do. Essentially, MSI auth uses the Azure AD client credential flow to get a token, then uses that token to call the API.
In this case, as mentioned in the error message, sending an event to your topic uses the aeg-sas-key to authenticate, i.e. Basic auth. It does not support Azure AD auth, which means it also cannot use MSI to authenticate.

Related

Getting error while triggering a basic http call from ‘Keycloak’ to ‘Azure ADB2C’ for token response

We are making basic HTTP calls from Keycloak to Azure AD B2C to retrieve a token as the response from AD B2C.
The current flow looks like this: a Java web application is integrated with Keycloak as an identity broker, and Keycloak is integrated with Azure AD B2C as an identity provider for user authentication, which sends the token response back to the Keycloak request.
Use case 1: We have integrated an Azure AD B2C sign-in user flow endpoint in Keycloak, which sends the sign-in requests to B2C; retrieving the token as a response from Azure B2C works fine.
Use case 2: We have a blocker in this use case. While making a basic HTTP header call from Keycloak to Azure AD B2C, we see error codes in the Keycloak logs such as 'invalid_grant', 'invalid_secret' and 'invalid_credentials' on different calls from Keycloak. On the Azure AD B2C side, we have not found any logs for the above requests from Keycloak.
Is there any workaround, or do any changes have to be made in Keycloak to handle basic HTTP calls to Azure AD B2C?
Thank you!!
For client-to-client calls, Azure AD B2C supports the client_credentials flow:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
You can send the client_id and client_secret parameters in a Basic Authentication header.

Azure DevOps service hook authentication

Currently we have a use case where we have to call an Azure Function app from Azure DevOps service hooks. We have enabled AAD authentication on the Azure Function app, but the calls from Azure DevOps are blocked with a 401 Unauthorized error. We noticed that the webhook URL accepts only basic authentication. Our Azure AD is integrated with Okta, and I am currently blocked on this. Can someone help with this?
I am afraid there is no way to achieve this at this moment.
As you know, the webhook URL only accepts basic authentication. I also created an Azure Function app; I could access it with basic authentication, but if I enable AAD authentication on that function app, I cannot access it and get a 401 Unauthorized:
Currently, we cannot change the authentication method for the service hook. You could try changing the value of the Action to take when request not authenticated drop-down to Log in with Microsoft Account instead of Azure Active Directory. You could also add your request for this feature on our UserVoice site (https://developercommunity.visualstudio.com/content/idea/post.html?space=21), which is our main forum for product suggestions.

Microsoft Azure API List All Tenants

We are a CSP partner with MS. My goal is to call the Azure API and list all the different tenants we have in our account.
I found this Azure API resource that appears to allow listing all tenants: https://learn.microsoft.com/en-us/rest/api/resources/Tenants/List
I've been able to implement the authorization code flow, and I can call MS Graph APIs successfully. However, when I try to call this API I receive this response:
{
  "error": {
    "code": "AuthenticationFailed",
    "message": "Authentication failed."
  }
}
I feel like it may be an issue with the permissions I've granted in my app registration, but I can't figure out what is needed to make it happen.
I wish there was a way to use the MS Graph API to get all of our tenants, but from my research that doesn't exist.
I think you missed the bearer token. I tested this API with Postman.
You can read this article:
Get an Azure Active Directory token using Azure Active Directory Authentication Library

Response status code does not indicate success: 401 (Unauthorized) When calling Azure Blockchain RESTApi

I am getting the above error when calling the Azure Blockchain REST API. I have checked all the permissions and I am getting the access token correctly, but when I call the API to get the applications we get the above-mentioned error.
The issue was fixed by following the steps below:
1) Go to Azure Portal -> App Service -> [Your App Service]-Api
2) Go to the Authentication/Authorization blade
Allow App Service Authentication, choose Allow anonymous requests (no action), and choose Azure Active Directory as the Authentication Provider
Click on Advanced -> Fill in the options as in the following image:
Client ID is the same as the App ID in the Azure AD Application Registration
Client Secret is the same as the API Key you generated from the Keys section in the Azure AD Application Registration
Issuer URL is https://sts.windows.net/{AZUREADTENANTID} (you can get the Azure AD tenant ID from the Azure AD Properties)
Allowed Token Audiences should have the following value:
https://{YOURBLOCKCHAINAPIURL-API.azurewebsites.net/.auth/login/aad/callback
3) Go to Azure Active Directory
Now, go to Azure AD, navigate to App Registrations and click BlockChain API (or the name you chose for your Azure AD App Registration when you configured Blockchain the first time):
Click Settings and click Reply URLs
Add the following URLs there:
Blockchain Workbench URL (it should be already there)
Blockchain API Base URL (the one that has -API in it)
Blockchain API Base URL with Callback (as indicated below, but use your own URL and add /.auth/login/aad/callback)
The getpostman.com/oauth2/callback URL will be used later to test the API using the Postman app (an app used to test APIs); please add it as is below
4) Save your settings and then go to the Manifest (next to Settings in the Blockchain API Azure AD App properties)
Set the manifest entry oauth2AllowImplicitFlow to true
Save the configuration.
That's it; now we need to test the API. You can download Postman to test the API. The configuration of Postman is a little bit long, so I would prefer that you sign up for free on this service: https://www.wintellectnow.com/Videos/Watch?videoId=blockchain-on-azure
Use code FREETRIAL to sign up. It will require a credit card but it won't be charged; use any prepaid or postpaid card. Watching this video is highly recommended, especially at minute 53, as it explains how to use the API with Postman (remember to disable the trial to prevent the card from being charged after 7 days 😊)
Here is a sample token generated using the built-in auth sample code that comes with the Azure Blockchain samples on GitHub (you can download this from here: https://github.com/Azure-Samples/blockchain/tree/master/blockchain-workbench/auth-samples/bearer-token-retrieval/static ). If you are going to test using it, you must add http://localhost to the Reply URLs above, and you have to place it on your localhost IIS.
And here is a sample from Postman which shows how the token is added to the request header:
Here is the response before the authorization token:
Once the authorization token is available, here is the response that is generated when I call the API indicated in the GET section in the image above:
Also, here are the response headers after a successful authorization:
To sum it up, the #blockchain API requires an #OAuth2 authentication token. This token isn't passed by the Swagger UI or by the application you built; you need to modify your application to authenticate to AAD OAuth2 to obtain a token from Azure AD, then use this generated token in the request header to the API in order to call the API.
One additional tip: don't select the default machine size while creating the workbench, but choose a better-performing machine such as VM Size: Standard F2s_v2 (2 vCPUs, 4 GB memory) ==> approx. 50 USD per month.
Discussion on the Microsoft Tech Community site
The original post of the author
We are currently experiencing an outage in South Central US
https://azure.microsoft.com/en-us/status/
Azure AD is also impacted.
You will want to monitor the Azure Status Page for further updates. Unfortunately we cannot do anything until the problem has been mitigated by engineering.
After the issue has been mitigated and if you are still seeing issues let us know.

How to authenticate to Azure Active Directory without user interaction?

I wish to obtain an access token without user interaction in order to automate REST API calls to Azure services (Compute, Network, etc.). In the documentation, several authentication scenarios are listed. The one that fits my use case the most is "Daemon or Server Application to Web API".
I followed the instructions to request an access token: first I registered an app in my Azure Active Directory. Then I created a key (client_secret parameter) associated with the application ID (client_id parameter). I also obtained the App ID URI (resource parameter). I used all these parameters to create a POST request to the /token endpoint of my Azure AD. However, I get the following error message:
{
  "code": "InvalidAuthenticationTokenAudience",
  "message": "The access token has been obtained from wrong audience or resource 'https://solutionsmosaixsoft.onmicrosoft.com/<APP_ID_URI>'. It should exactly match (including forward slash) with one of the allowed audiences 'https://management.core.windows.net/','https://management.azure.com/'."
}
What am I doing wrong? Am I setting the resource parameter to the wrong value?
The resource parameter tells your application which token to get (the identifier of the resource for which the access token is being requested). If you want a token to call the Azure Service Management API, set the resource to https://management.core.windows.net/ .
Edit:
If the APIs you want to call are Microsoft-provided APIs, the resource is known, for example:
Azure Service Management API: https://management.core.windows.net/
Microsoft Graph API: https://graph.microsoft.com/
If you want to call API apps which you created, you can use either the Client ID or the App ID URI of the resource Web API (find them in the Configure tab of the Azure AD application in the Azure Management portal).
You can refer to the link below for code samples:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-code-samples
You need to make a POST request to the token endpoint.
The resource parameter must be the resource URI for the API that you want to access, not yours.
Azure AD Graph API: https://graph.windows.net/
Microsoft Graph API: https://graph.microsoft.com/
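The two answers above (Basic-header client credentials for the B2C question, and the resource/audience mismatch in the daemon question) come together in this added example, which is not code from any of the posts. It builds the client-credentials POST for the Azure AD v1 /token endpoint, either with credentials in the form body or in a Basic Authorization header, and checks a returned token's aud claim against the ARM audiences quoted in the error, so a misconfigured resource parameter is caught before the call fails with InvalidAuthenticationTokenAudience. Tenant, client and token values are constructed placeholders.

```python
import base64
import json
import urllib.parse

# Audiences that Azure Resource Manager accepts, exactly as listed in the error message above.
ARM_AUDIENCES = ("https://management.core.windows.net/", "https://management.azure.com/")


def client_credentials_request(tenant, client_id, client_secret, resource, basic_auth=False):
    """Build the POST for the Azure AD v1 /token endpoint (client_credentials grant).

    basic_auth=False: client_id/client_secret go in the form body (the daemon post's approach).
    basic_auth=True:  they go in an HTTP Basic header, as the B2C answer suggests; per RFC 6749
                      each part is form-urlencoded before base64. Sending is left to the caller.
    """
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/token"
    body = {"grant_type": "client_credentials", "resource": resource}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if basic_auth:
        pair = f"{urllib.parse.quote(client_id, safe='')}:{urllib.parse.quote(client_secret, safe='')}"
        headers["Authorization"] = "Basic " + base64.b64encode(pair.encode()).decode()
    else:
        body.update({"client_id": client_id, "client_secret": client_secret})
    return {"url": url, "headers": headers, "body": urllib.parse.urlencode(body)}


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature; use only to inspect claims locally."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding stripped by JWT encoding
    return json.loads(base64.urlsafe_b64decode(payload))


def audience_ok(token, allowed=ARM_AUDIENCES):
    """True only when 'aud' matches an allowed audience exactly, trailing slash included."""
    return jwt_claims(token).get("aud") in allowed


def constructed_jwt(claims):
    """Constructed, unsigned test token (alg=none, empty signature) for offline demonstration."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


if __name__ == "__main__":
    req = client_credentials_request("contoso.onmicrosoft.com", "app-id", "secret", ARM_AUDIENCES[0])
    print(req["url"], req["body"])
    # A token minted for the app's own App ID URI is rejected by ARM, matching the question's error.
    print(audience_ok(constructed_jwt({"aud": "https://contoso.onmicrosoft.com/my-api"})))
```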