Authenticating a Xamarin Android app using Azure Active Directory fails with 401 Unauthorzed

Question

I am trying to Authenticate a Xamarin Android app using Azure Active Directory by following article here: https://blog.xamarin.com/authenticate-xamarin-mobile-apps-using-azure-active-directory/

1. I have registered a native application with AAD; note that i havent given it any additional permissions beyond creating it.

2. Then i use the below code to authenticate the APP with AAD

button.Click += async (sender, args) =>
            {
                var authContext = new AuthenticationContext(commonAuthority);
                if (authContext.TokenCache.Count > 0)
                    authContext = new AuthenticationContext(authContext.TokenCache.ReadItems().GetEnumerator().Current.Authority);
                authResult = await authContext.AcquireTokenAsync(graphResourceUri, clientId, returnUri, new PlatformParameters(this));

                SetContentView(Resource.Layout.Main);


                doGET("https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/OPSLABRG/providers/Microsoft.Compute/virtualMachines/LABVM?api-version=2015-08-01", authResult.AccessToken);

            };

private string doGET(string URI, String token)
        {
            Uri uri = new Uri(String.Format(URI));

            // Create the request
            var httpWebRequest = (HttpWebRequest)WebRequest.Create(uri);
            httpWebRequest.Headers.Add(HttpRequestHeader.Authorization, "Bearer " + token);
            httpWebRequest.ContentType = "application/json";
            httpWebRequest.Method = "GET";

            // Get the response
            HttpWebResponse httpResponse = null;
            try
            {
                httpResponse = (HttpWebResponse)httpWebRequest.GetResponse();
            }
            catch (Exception ex)
            {
                Toast.MakeText(this, "Error from : " + uri + ": " + ex.Message, ToastLength.Long).Show(); 
                return null;
            }

        }

This seems to be getting a token when using a Work account. Using a valid hotmail account throws error A Bad Request was received.

However the main problem is when i try to retrieve VM details using REST. the REST GET method fails with 401 Unauthorized error even when using the Work account.

I am not sure if the code is lacking something or if i need to give some additional permissions for the App. This needs to be able to support authenticating users from other tenants to get VM details.

Any guidance is appreciated.

Answer 1

According to your description, I checked this issue on my side. As Shawn Tabrizi mentioned that you need to assign the delegated permission for accessing ARM Rest API. Here is my code snippet, you could refer to it:

var context = new AuthenticationContext($"https://login.windows.net/{tenantId}");
result = await context.AcquireTokenAsync(
    "https://management.azure.com/"
    , clientId, new Uri("{redirectUrl}"), platformParameter);

I would recommend you using Fiddler or Postman to simulate the request against ARM with the access_token to narrow this issue. If any errors, you could check the detailed response for troubleshooting the cause.

Here is my test for retrieving the basic information of my Azure VM:

Additionally, you could leverage jwt.io for decoding your access_token and check the related properties (e.g. aud, iss, etc.) as follows to narrow this issue.

Answer 2

note that i havent given it any additional permissions beyond creating it.

This is the problem here.

In order for you to call the Azure Management API https://management.azure.com/, you must first register your application to have permissions to call this API.

You can do that as a part of your app registration like so:

Only at that point, will your app be authorized to call ARM, and your calls should start to work.