Reputation: 4151
I have an ASP.NET Core app that I'm writing and would like to be able to manage WVD resources. The problem I'm having is that the Bearer token I'm getting from MSAL is giving me a 401 when I try to GET https://rdweb.wvd.microsoft.com/api/feeddiscovery/webfeeddiscovery.aspx
I thought maybe I needed to add an API permission to my app in Azure, but I've already added https://management.azure.com/user_impersonation
And I can't seem to locate anything that suggests it might work for WVD.
Maybe I'm way off track though.
I've tried looking at the source: https://github.com/Azure/RDS-Templates/tree/master/wvd-templates/wvd-management-ux/deploy
But it's been compiled and minified, so that's proving to be difficult.
Any help getting a valid token to call the WVD REST API would be greatly appreciated.
Getting the token (full code, minus the Microsoft.Identity.Web setup):
using System;
using System.Net.Http;
using System.Net.Http.Headers;

// Acquire a token on behalf of the signed-in user for the WVD scope as it was copied from the portal
var token = await TokenAcquisition.GetAccessTokenOnBehalfOfUserAsync(new[] { "https://mrs-Prod.ame.gbl/mrs-RDInfra-prod/user_impersonation" });
// Send the token as a Bearer header to the RDWeb endpoints
var httpClient = new HttpClient();
httpClient.BaseAddress = new Uri("https://rdweb.wvd.microsoft.com/");
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
var result = await httpClient.GetAsync("api/hubdiscovery/eventhubdiscovery.aspx");
result = await httpClient.GetAsync("api/feeddiscovery/webfeeddiscovery.aspx");
This method is from the Microsoft.Identity.Web project.
Upvotes: 0
Views: 1549
Reputation: 4151
Omg, I just figured it out by comparing the token I got from the Microsoft RDWeb application:
From the RDWeb app: "aud": "https://mrs-prod.ame.gbl/mrs-RDInfra-prod"
From my app: "aud": "https://mrs-Prod.ame.gbl/mrs-RDInfra-prod"
Yes, I was using an uppercase P in mrs-Prod, and the Microsoft app was using a lowercase p in mrs-prod.
I'm flabbergasted, angry and excited all at the same time.
For the record, I copied my value directly from Azure in my app's API permissions screen.
Upvotes: 0
Reputation: 42123
The https://management.azure.com permission is for the Azure Service Management API; in your case, it is not correct.
Please navigate to the AD App in the portal -> API permissions -> APIs my organization uses -> search by Windows Virtual Desktop, find it and click it.
If you want the management tool to make Windows Virtual Desktop management calls on behalf of the user who's signed into the tool, choose Delegated permissions -> user_impersonation, and complete the steps as in the screenshot. You can also let the user consent to the permission himself without clicking the Grant admin consent button; it depends on you.
Then the permission appears like below.
For more details, see this Tutorial: Deploy a management tool and this step.
Update:
Try using the PowerShell cmdlet New-RdsRoleAssignment to add the user account to the RDS Owner role; make sure you have installed the Microsoft.RDInfra.RDPowerShell module first, refer to this link.
Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"
Get-RdsTenant
New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -SignInName "[email protected]" -TenantName "joywvd"
Then I run the Get-RdsTenant command again, use Fiddler to capture the request, get the token, and decode it at https://jwt.io/; it appears like below.
The aud and scp should be the same as in your token (you can also decode your token to check). Then I use Postman to call https://rdweb.wvd.microsoft.com/api/feeddiscovery/webfeeddiscovery.aspx, and it works.
Upvotes: 1
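As an added example (not code from the question or either answer), the check below does offline what the self-answer and the jwt.io step above do by hand: it decodes a token's payload and compares aud and scp against the values the RDWeb token carries, flagging a case-only audience mismatch like mrs-Prod versus mrs-prod. The sample token is constructed and unsigned; the expected audience string is the one quoted in the self-answer.

```python
import base64
import json

# Audience the WVD broker expects, exactly as seen in the RDWeb client's token.
EXPECTED_AUD = "https://mrs-prod.ame.gbl/mrs-RDInfra-prod"
EXPECTED_SCOPE = "user_impersonation"


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url JWT segment, restoring the stripped padding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims without verifying the signature.
    Signature validation is the resource server's job; this only inspects
    which audience and scopes the token actually carries."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def check_token_audience(token: str, expected_aud: str = EXPECTED_AUD,
                         expected_scope: str = EXPECTED_SCOPE) -> dict:
    """Compare aud/scp with what the endpoint expects. aud is matched
    case-sensitively, because that is how the 401 in the question arose."""
    claims = decode_jwt_claims(token)
    aud = claims.get("aud", "")
    scopes = claims.get("scp", "").split()
    aud_ok = aud == expected_aud
    return {
        "aud": aud,
        "aud_ok": aud_ok,
        # Same resource name, different letter case: the exact failure above.
        "aud_case_only_mismatch": (not aud_ok) and aud.lower() == expected_aud.lower(),
        "scope_ok": expected_scope in scopes,
    }


def _make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned JWT so the example runs offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample: the token the question's app received (uppercase P).
SAMPLE_BAD_TOKEN = _make_unsigned_jwt({
    "aud": "https://mrs-Prod.ame.gbl/mrs-RDInfra-prod",
    "scp": "user_impersonation",
})
```

Run `check_token_audience(SAMPLE_BAD_TOKEN)` to see aud_ok False with aud_case_only_mismatch True, which points straight at the scope string rather than at permissions or role assignments.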