Microsoft Azure API List All Tenants - rest

We are a CSP partner with MS. My goal is to call the Azure API and list all the different tenants we have in our account.
I found this Azure API resource that appears to allow the listing of all tenants: https://learn.microsoft.com/en-us/rest/api/resources/Tenants/List
I’ve been able to implement the authorization code flow, and I can call MS Graph APIs successfully. However, when I try to call this API I receive this response:
{
"error": {
"code": "AuthenticationFailed",
"message": "Authentication failed."
}
}
I feel like it may be an issue with the permissions I've granted in my app registration, but I can't seem to figure out what is needed to make it happen.
I wish there was a way to use the MS Graph API to get all of our tenants, but from my research that doesn't exist.

I think you missed the bearer token. I tested this API with Postman.
You can read this article:
Get an Azure Active Directory token using Azure Active Directory Authentication Library
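To make the missing-header point concrete, here is an added Python example (not from the original post, the answer, or Microsoft's documentation) that builds the Tenants - List request with the bearer token in the Authorization header and walks the paginated response via nextLink. The api-version, the fake ARM transport, the tenant IDs and the exact wording of the 401 are constructed for the example; what is real is that ARM answers an unauthenticated request with 401 and a WWW-Authenticate challenge, which is the quickest place to see which authority and resource it expected the token from.

```python
import json
from typing import Any, Callable, Dict, List

# Assumed ARM endpoint and API version for Tenants - List; check the docs page for the current version.
ARM_BASE = "https://management.azure.com"
TENANTS_URL = f"{ARM_BASE}/tenants?api-version=2020-01-01"

Request = Dict[str, Any]
Response = Dict[str, Any]


def tenants_request(access_token: str) -> Request:
    """Build GET /tenants. ARM wants the token in an 'Authorization: Bearer' header, and the
    token must have been issued for the ARM audience, not for Microsoft Graph."""
    if not access_token or access_token.count(".") != 2:
        raise ValueError("access_token is missing or is not a compact JWT (header.payload.signature)")
    return {
        "method": "GET",
        "url": TENANTS_URL,
        "headers": {"Authorization": f"Bearer {access_token}", "Accept": "application/json"},
    }


def list_tenants(access_token: str, send: Callable[[Request], Response]) -> List[str]:
    """Return every tenantId, following nextLink until the last page.
    `send` is any transport taking the request dict and returning
    {"status": int, "headers": dict, "body": dict}; a real one would wrap requests/httpx."""
    req = tenants_request(access_token)
    tenant_ids: List[str] = []
    while True:
        resp = send(req)
        if resp["status"] == 401:
            err = resp["body"].get("error", {})
            # The WWW-Authenticate challenge names the authority ARM expected the token from.
            challenge = resp["headers"].get("WWW-Authenticate", "<none>")
            raise PermissionError(f"{err.get('code')}: {err.get('message')} | WWW-Authenticate: {challenge}")
        if resp["status"] != 200:
            raise RuntimeError(f"unexpected HTTP {resp['status']}: {json.dumps(resp['body'])}")
        body = resp["body"]
        tenant_ids.extend(t["tenantId"] for t in body.get("value", []))
        next_link = body.get("nextLink")
        if not next_link:
            return tenant_ids
        req = {**req, "url": next_link}  # same headers, next page


# --- constructed fake ARM transport for an offline run; not a real service response ---
_PAGE2_URL = f"{ARM_BASE}/tenants?api-version=2020-01-01&$skiptoken=page2"
_PAGES = {
    TENANTS_URL: {
        "value": [
            {"id": "/tenants/aaaa-1", "tenantId": "aaaa-1"},
            {"id": "/tenants/bbbb-2", "tenantId": "bbbb-2"},
        ],
        "nextLink": _PAGE2_URL,
    },
    _PAGE2_URL: {"value": [{"id": "/tenants/cccc-3", "tenantId": "cccc-3"}]},
}


def fake_arm(req: Request) -> Response:
    auth = req["headers"].get("Authorization", "")
    if not auth.startswith("Bearer "):
        # Shape modelled on the real 401; the exact text is constructed for this example.
        return {
            "status": 401,
            "headers": {"WWW-Authenticate": 'Bearer authorization_uri="https://login.windows.net/", error="invalid_token"'},
            "body": {"error": {"code": "AuthenticationFailed", "message": "Authentication failed."}},
        }
    return {"status": 200, "headers": {}, "body": _PAGES[req["url"]]}


if __name__ == "__main__":
    print(list_tenants("eyJ.fake.token", fake_arm))
```

Swap `fake_arm` for a function that performs the HTTP call and returns the same dict shape, and the pagination and 401 handling stay unchanged.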

Related

Send Events to Event Grid Topic from ADF Web activity with MSI authentication

I wish to send an event from an ADF "Web" activity to an Event Grid topic. I managed to do it by sending "aeg-sas-key" from the Web activity as documented here.
However, I tried to achieve the same through the ADF Web activity without using "aeg-sas-key", using managed identity authentication instead.
But it gives me the error below:
{ "error": { "code": "Unauthorized", "message": "Request has an
unsupported Authorization scheme:Bearer. Authorization scheme must be
SharedAccessSignature. Report
'a2af905c-e3ca-401a-be09-3f0b3c6b7d4e:8:5/20/2021 2:00:24 PM (UTC)' to
our forums for assistance or raise a support ticket."
I have added the managed identity of ADF to the Event Grid topic with the Contributor role, but it still does not work. Am I missing something?
In short, I need to know how to send events to an Event Grid topic from an ADF Web activity using managed identity authentication.
Not all the APIs in Azure support MSI auth; only the APIs secured by Azure AD support it. Essentially, MSI auth uses the Azure AD client credential flow to get a token, then uses the token to call the API.
In this case, as mentioned in the error message, sending an event to your topic uses aeg-sas-key to authenticate, i.e. Basic auth; it does not support Azure AD auth, which means it also cannot use MSI to authenticate.
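Since the error insists on the SharedAccessSignature scheme, the Python below, added here and not taken from the question or the answer, shows the two key-based options an Event Grid topic accepts for publishing: the raw key in an `aeg-sas-key` header, and a short-lived SAS token derived from that key in an `aeg-sas-token` header, which is what you would rather hand to a pipeline than the key itself. The topic endpoint, the key, the fixed clock and the expiry string format are constructed or assumed for the example; the signing scheme (HMAC-SHA256 with the base64-decoded key over `r=<url-encoded endpoint>&e=<url-encoded expiry>`, signature appended as `s=`) follows the documented Event Grid SAS format. `verify_sas` exists only so the result can be checked offline; it is not something Event Grid exposes.

```python
import base64
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional
from urllib.parse import parse_qs, quote

# Assumed values; a real topic endpoint looks like https://<topic>.<region>-1.eventgrid.azure.net/api/events
TOPIC_ENDPOINT = "https://example-topic.westeurope-1.eventgrid.azure.net/api/events"
API_VERSION = "2018-01-01"
EXPIRY_FMT = "%Y-%m-%dT%H:%M:%SZ"  # UTC expiry string; the exact format is an assumption for this example

# Constructed 32-byte key, base64-encoded the way the portal shows access keys. Not a real key.
TOPIC_KEY_B64 = base64.b64encode(bytes(range(32))).decode()

# Fixed clock for a reproducible offline run; taken from the timestamp in the error above.
FIXED_NOW = datetime(2021, 5, 20, 14, 0, 24, tzinfo=timezone.utc)


def _resource(endpoint: str) -> str:
    # The signed resource is the full publish URL, api-version included.
    return f"{endpoint}?api-version={API_VERSION}"


def build_sas_token(endpoint: str, key_b64: str, now: datetime,
                    valid_for: timedelta = timedelta(minutes=5)) -> str:
    """r=<resource>&e=<expiry>&s=<base64 HMAC-SHA256(key, 'r=...&e=...')>, every value URL-encoded."""
    expiry = (now + valid_for).strftime(EXPIRY_FMT)
    unsigned = f"r={quote(_resource(endpoint), safe='')}&e={quote(expiry, safe='')}"
    mac = hmac.new(base64.b64decode(key_b64), unsigned.encode(), hashlib.sha256).digest()
    return f"{unsigned}&s={quote(base64.b64encode(mac).decode(), safe='')}"


def verify_sas(token: str, endpoint: str, key_b64: str, now: datetime) -> bool:
    """Offline check: same resource, not expired, and signature recomputes (constant-time compare)."""
    if "&s=" not in token:
        return False
    unsigned = token.rpartition("&s=")[0]
    params = parse_qs(token, strict_parsing=True)
    if params.get("r", [None])[0] != _resource(endpoint):
        return False
    expiry = datetime.strptime(params["e"][0], EXPIRY_FMT).replace(tzinfo=timezone.utc)
    if expiry <= now:
        return False
    mac = hmac.new(base64.b64decode(key_b64), unsigned.encode(), hashlib.sha256).digest()
    return hmac.compare_digest(base64.b64encode(mac).decode(), params["s"][0])


def publish_headers(sas_token: Optional[str] = None, key_b64: Optional[str] = None) -> Dict[str, str]:
    """A topic publish wants exactly one of these headers. An 'Authorization: Bearer' header is
    what produced the 'scheme must be SharedAccessSignature' error quoted above."""
    if (sas_token is None) == (key_b64 is None):
        raise ValueError("pass either a SAS token or the raw key, not both or neither")
    headers = {"Content-Type": "application/json"}
    headers["aeg-sas-token" if sas_token else "aeg-sas-key"] = sas_token or key_b64
    return headers


def self_check(now: datetime = FIXED_NOW) -> Dict[str, bool]:
    """Exercise the token against the failure modes a verifier must catch."""
    token = build_sas_token(TOPIC_ENDPOINT, TOPIC_KEY_B64, now)
    tampered = token.replace("example-topic", "other-topic")
    other_key = base64.b64encode(bytes(32)).decode()
    return {
        "fresh_verifies": verify_sas(token, TOPIC_ENDPOINT, TOPIC_KEY_B64, now),
        "tampered_resource_fails": not verify_sas(tampered, TOPIC_ENDPOINT, TOPIC_KEY_B64, now),
        "expired_fails": not verify_sas(token, TOPIC_ENDPOINT, TOPIC_KEY_B64, now + timedelta(minutes=6)),
        "wrong_key_fails": not verify_sas(token, TOPIC_ENDPOINT, other_key, now),
    }


if __name__ == "__main__":
    sas = build_sas_token(TOPIC_ENDPOINT, TOPIC_KEY_B64, datetime.now(timezone.utc))
    print(publish_headers(sas_token=sas))
    print(self_check())
```

The token is bound to one publish URL and expires in minutes, so leaking it out of a pipeline log costs far less than leaking the key in `aeg-sas-key`; rotating the topic key still invalidates every token derived from it.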

How to authenticate to Azure Active Directory without user interaction?

I wish to obtain an access token without user interaction in order to automate REST API calls to Azure services (Compute, Network, etc.). In the documentation, several authentication scenarios are listed. The one that fits my use-case the most is "Daemon or Server Application to Web API".
I followed the instructions to request an access token: first I registered an App in my Azure Active Directory. Then I created a key (client_secret parameter) associated with the application ID (client_id parameter). I also obtained the App ID URI (resource parameter). I used all these parameters to create a POST request to the /token endpoint of my Azure AD. However, I get the following error message:
{
"code":"InvalidAuthenticationTokenAudience",
"message":"The access token has been obtained from wrong audience or resource 'https://solutionsmosaixsoft.onmicrosoft.com/<APP_ID_URI>'. It should exactly match (including forward slash) with one of the allowed audiences 'https://management.core.windows.net/','https://management.azure.com/'."
}
What am I doing wrong? Am I setting the resource parameter to the wrong value?
The resource parameter tells your application where to get a token (the identifier of the resource for which the access token is being requested). If you want to get a token to call the Azure Service Management API, you could set the resource to https://management.core.windows.net/ .
Edit:
If the APIs you want to call are Microsoft-provided APIs, the resource is known, for example:
Azure Service Management API: https://management.core.windows.net/
Microsoft Graph API: https://graph.microsoft.com/
If you want to call API apps which you created, you can use either the Client ID or the App ID URI of the resource Web API (find them in the Configure tab of the Azure AD application in the Azure Management portal).
You could refer to the link below for code samples:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-code-samples
You need to make a POST request to the token endpoint.
The resource parameter must be the resource URI for the API that you want to access, not yours.
Azure AD Graph API: https://graph.windows.net/
Microsoft Graph API: https://graph.microsoft.com/
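As an added example (not from either answer), the following Python builds the v1 client-credentials token request with the `resource` parameter and then checks the `aud` claim of the returned token against the audiences the error message lists. The same check applies to the first question on this page, where a token that works against Graph is sent to ARM and comes back AuthenticationFailed. The token below is constructed and unsigned, and the claim decoder does no signature verification: it is for diagnosing a wrong `resource`, not for trusting a token.

```python
import base64
import json
import time
from typing import Dict, Iterable
from urllib.parse import urlencode

# v1 endpoint used in the question; {tenant} is a placeholder.
TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/token"

# The audiences ARM accepts, exactly as the error message lists them (trailing slash included).
ARM_AUDIENCES = ("https://management.core.windows.net/", "https://management.azure.com/")
GRAPH_AUDIENCE = "https://graph.microsoft.com/"


def client_credentials_body(client_id: str, client_secret: str, resource: str) -> str:
    """Form body for the Daemon -> Web API (client credentials) grant. `resource` identifies
    the API being called, not the caller's own App ID URI."""
    return urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    })


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_claims(access_token: str) -> Dict[str, object]:
    """Read the payload of a compact JWT. No signature check: inspection only, never authorization."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(access_token: str, allowed: Iterable[str]) -> bool:
    """ARM compares `aud` as an exact string, so 'https://management.azure.com' without the slash fails."""
    return decode_claims(access_token).get("aud") in tuple(allowed)


def explain_audience(access_token: str, allowed: Iterable[str]) -> str:
    aud = decode_claims(access_token).get("aud")
    if aud in tuple(allowed):
        return f"ok: aud={aud}"
    return f"wrong resource: token aud={aud!r}; request it again with resource set to one of {list(allowed)}"


def constructed_token(aud: str) -> str:
    """Unsigned JWT standing in for what /token returns. Constructed for this example only."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    now = int(time.time())
    claims = {"aud": aud, "iss": "https://sts.windows.net/{tenant}/", "iat": now, "exp": now + 3600}
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."  # empty signature segment


if __name__ == "__main__":
    print("POST", TOKEN_URL, client_credentials_body("<client_id>", "<client_secret>", ARM_AUDIENCES[0]))
    # What the question did: resource = the app's own App ID URI, so ARM rejects the token's audience.
    print(explain_audience(constructed_token("https://solutionsmosaixsoft.onmicrosoft.com/<APP_ID_URI>"), ARM_AUDIENCES))
    print(explain_audience(constructed_token(GRAPH_AUDIENCE), ARM_AUDIENCES))
    print(explain_audience(constructed_token(ARM_AUDIENCES[0]), ARM_AUDIENCES))
```

Run `decode_claims` on the token you actually received before retrying the call: if `aud` is your own App ID URI or the Graph URI, the fix is the `resource` value in the token request, not the permissions on the app registration.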

GSuite : Client is unauthorized to retrieve access tokens using this method

Hi, I'm trying to develop an app for GSuite admins which enables them to migrate their Google Drive data to another cloud service. But in the process of authentication I'm getting the below error.
{
"error": "unauthorized_client",
"error_description": "Client is unauthorized to retrieve access tokens using this method."
}
Below are the APIs that are enabled in the developer console.
1. Admin SDK
2. Contacts API
3. Gmail API
4. Calendar API
5. Drive API
Please guide me if I have done anything wrong in creating the app.
The main thing I missed here was authorizing my service account client ID with the GSuite admin.
And I had been trying to generate an access_token for an expired domain of mine.
After clearing all these I succeeded in generating the token and getting user data.
This solution worked for me. I hope it works for you too.
Thank you community.

Reading Sharepoint user profiles in Office365 using REST API on behalf of an application - Error 500

I am trying to read SharePoint user profiles using the REST API on the userprofiles.peoplemanager service.
We defined an application in Azure AD, with the "SharePoint: read user profiles" permission both for the application and on behalf of a user.
When I request the service on behalf of a user (for example getpropertiesfor(#v) with any user identifier passed as a parameter), everything works fine.
When I execute the exact same request on behalf of the application, I get an HTTP 500 error.
Am I doing something wrong?
What am I supposed to be allowed to execute on behalf of an application with the Azure AD permission "SharePoint: read user profiles"?

OneDrive REST API

Please let me know what is the authentication method we should use when working with OneDrive REST APIs.
Is it Azure AD using the URL https://login.windows.net/common/oauth2/authorize?
Or the https://login.live.com/oauth20_authorize.srf?
I'm trying to make a simple call to the new OneDrive REST API (I'm using Azure AD, but not sure if this is the correct Authentication method).
I'm using Postman rest client to send the request.
I have registered my application in Azure AD and given it full permissions to 'Office 365 SharePoint Online'.
I can successfully get an authorization token using the clientId generated in Azure AD.
However, when I attempt to list files using the following request with the access token, I get the following error.
Could you please let me know what could be the issue?
RESOURCE HTTP GET:
URL: https://-my.sharepoint.com/personal//_api/Files
HEADER: Authorization: Bearer
Response:
3001000;reason="There has been an error authenticating the request.";category="invalid_client"
If you mean the public free version of OneDrive, then you should take a look at the OneDrive API documentation, which uses the Live SDK.
If you are using OneDrive for Business, then you should use the SharePoint 2013 APIs. For SharePoint Online, this question (and its answer) on SharePoint StackExchange might be helpful. Or, if you are looking for the new and in-preview Office 365 APIs, you might find this page interesting.
A blog post with full walkthrough and code how to authenticate to SharePoint Online with Azure ACS.
Check out the new v1.0 O365 APIs that describe the OneDrive for Business and other O365 service APIs, including authentication.