How can I allow a service account to access my REST API when using Roles-based Authorization in Azure?

Question

Summary: I have a REST API that I use for functional testing. I only allow people or groups in a specific "Tester" role to hit the API. I want to trigger this functional testing during an Azure DevOps Release Pipeline automatically, but I can't figure out how to authorize the machine account to hit the API.

Details:

I have this API secured with [Authorize(Roles = "Tester")]

    [Route("quotas/developers")]
    [HttpGet]
    [Authorize(Roles = "Tester")]
    [SwaggerResponse(HttpStatusCode.OK, "Successful operation", Type = typeof(DeveloperQuota[]))]
    public async Task<List<DeveloperQuota>> GetDeveloperQuota([FromUri]string developerUpn)

To set this up, I have an Enterprise Application registered in Azure Active Directory. In the manifest, I declare the role.

And then in the Enterprise Application I add some users and groups which are assigned the role "Tester."

This works fine for running my functional tests by hand. I run the tests, it pops up an oauth dialog for me to enter my credentials, it grabs my Bearer token from the successful auth request then passes it along to the APIs.

    private string GetActiveDirectoryToken()
    {
        string authority = this.configuration.ActiveDirectoryAuthority;
        string resource = this.configuration.ActiveDirectoryAudience;
        string keyVaultUri = this.configuration.KeyVaultUri;

        IKeyVaultAdapterFactory keyVaultAdapterFactory = new KeyVaultAdapterFactory();
        var keyVaultAdapter = keyVaultAdapterFactory.CreateInstance(KeyVaultServicePrincipal.PowerShellAppId);

        SecureString clientIdSecure = keyVaultAdapter.GetAzureKeyVaultSecretSecure(keyVaultUri, "GasCallbackRegistrationClientID", null).Result;
        SecureString redirectUriSecure = keyVaultAdapter.GetAzureKeyVaultSecretSecure(keyVaultUri, "GasCallbackRegistrationClientIDRedirectUri", null).Result;

        var authContext = new AuthenticationContext(authority);
        var result = authContext.AcquireTokenAsync(
            resource,
            SecureStringUtilities.DecryptSecureString(clientIdSecure),
            new Uri(SecureStringUtilities.DecryptSecureString(redirectUriSecure)),
            new PlatformParameters(PromptBehavior.Auto)).Result;

        return result.AccessToken;
    }

Of course, if I'm running this during automation, there will be nothing to fill in the dialog with creds, nor do I want to be storing a copy of these creds, especially since these creds roll on a schedule which are maintained elsewhere.

My thought was that I could create an Azure Service Principal, associate a cert with the service principal, install the cert on my deployment machine, login as the Service Principal if the cert was available, and then put that Service Principal in the "Tester" role. The problem is I can't add a Service Principal as a user in the Enterprise Application. It only appears to allow me to add "Users and groups." I similarly can't add a service principal to a group.

Any thoughts on how I can authorize my deployment box to hit these APIs?

Answer 1

Roles published for applications are treated as application permissions and not assignable to other apps via the "Users and Groups" assignment screen.

To assign the app permissions to a client app, go to the client app's registration page, click on Api Permissions and then Add a Permission. Select the My Api tab, search for your application that published the app roles and you'd see the app role listed in the list below. Select that, save and then grant admin consent.