Reputation: 1833
I have an Azure account, and now I'm trying to get a token in a console application to manage resources (i.e. create a resource group etc.):
// Requires: using Microsoft.IdentityModel.Clients.ActiveDirectory; (ADAL)
string userName = "[email protected]";
string password = "XXXXXXXXX";
string directoryName = "xyzgmail.onmicrosoft.com";
string clientId = "guid-of-registered-application-xxx";
// Username/password (resource owner) credentials for the directory user
var credentials = new UserPasswordCredential(userName, password);
var authenticationContext = new AuthenticationContext("https://login.windows.net/" + directoryName);
// Request a token for the Azure Service Management API
var result = await authenticationContext.AcquireTokenAsync("https://management.core.windows.net/", clientId, credentials);
On the AcquireTokenAsync call I get
Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException: 'accessing_ws_metadata_exchange_failed: Accessing WS metadata exchange failed'
Can anybody help, please?
Update: how I tried to create a resource group under the newly created user:
// Requires: using Microsoft.Rest; using Microsoft.Azure.Management.ResourceManager;
//           using Microsoft.Azure.Management.ResourceManager.Models;
var jwtToken = result.AccessToken;
string subscriptionId = "XX-XX-XX-YY-YY-YY";
// Wrap the bearer token so the management client sends it on each request
var tokenCredentials = new TokenCredentials(jwtToken);
var client = new ResourceManagementClient(tokenCredentials);
client.SubscriptionId = subscriptionId;
var rgResponse = await client.ResourceGroups.CreateOrUpdateWithHttpMessagesAsync("myresgroup77777",
    new ResourceGroup("East US"));
Here I got another exception:
'The client '[email protected]' with object id 'aaa-aaa-aaa-aaa' does not have authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' over scope '/subscriptions/XX-XX-XX-YY-YY-YY/resourcegroups/myresgroup77777'.'
Upvotes: 1
Views: 331
Reputation: 136366
Not sure why you're getting the first error, but the second error is because the signed-in user does not have permission to perform the operation (as mentioned in the error message).
When you assign the permission to execute Windows Azure Service Management API, it is actually assigned to the application, which assumes the identity of the signed-in user.
In order to perform the Create Resource Group operation in an Azure Subscription, that user must be in a role that allows this operation to be performed. You can try assigning the built-in Contributor role at the Azure Subscription level to this user.
Also, regarding using login.windows.net vs. login.microsoftonline.com, it is recommended that you use the latter. When you use login.windows.net, it gets automatically redirected to login.microsoftonline.com. Using login.microsoftonline.com will save you one redirection.
Upvotes: 0
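Added example (not part of the original question or answer, and not Microsoft's code): a small diagnostic that relates the access token to the authorization error quoted in the question, showing that the token is a delegated one and that the principal ARM refused is the signed-in user. The sample token and the address user@example.invalid are constructed; the function names are hypothetical, and the claim names (aud, oid, scp) are those commonly seen in Azure AD delegated access tokens.

```python
import base64
import json
import re

# Audiences accepted by Azure Resource Manager (the question requests the first one).
ARM_AUDIENCES = {"https://management.core.windows.net/", "https://management.azure.com/"}
ERROR_RE = re.compile(
    r"The client '(?P<client>[^']+)' with object id '(?P<object_id>[^']+)' does not have "
    r"authorization to perform action '(?P<action>[^']+)' over scope '(?P<scope>[^']+)'")

def decode_claims(jwt):
    """Return the JWT payload as a dict. No signature check: for diagnosis only."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore stripped base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def diagnose(jwt, error_message):
    """Relate the token's identity to the principal that ARM refused."""
    claims = decode_claims(jwt)
    match = ERROR_RE.search(error_message)
    if match is None:
        raise ValueError("not an ARM authorization failure message")
    denied = match.groupdict()
    return {
        "audience_is_arm": claims.get("aud") in ARM_AUDIENCES,
        "delegated": "scp" in claims,  # scp present: the app acts as the signed-in user
        "same_principal": claims.get("oid") == denied["object_id"],
        "missing_action": denied["action"],
        "denied_scope": denied["scope"],
        # Scope at which the answer suggests assigning a role to the user
        "subscription_scope": "/".join(denied["scope"].split("/")[:3]),
    }

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: an unsigned token and the error text in the shape shown in the question.
SAMPLE_JWT = ".".join([_b64({"alg": "none"}), _b64({
    "aud": "https://management.core.windows.net/", "oid": "aaa-aaa-aaa-aaa",
    "upn": "user@example.invalid", "scp": "user_impersonation"}), ""])
SAMPLE_ERROR = ("The client 'user@example.invalid' with object id 'aaa-aaa-aaa-aaa' does not have "
                "authorization to perform action 'Microsoft.Resources/subscriptions/resourcegroups/write' "
                "over scope '/subscriptions/XX-XX-XX-YY-YY-YY/resourcegroups/myresgroup77777'.")

if __name__ == "__main__":
    for key, value in diagnose(SAMPLE_JWT, SAMPLE_ERROR).items():
        print(f"{key}: {value}")
```

When audience_is_arm, delegated and same_principal are all true, authentication worked and the remaining gap is a role assignment for that user covering missing_action at or above denied_scope.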