Brandon Cross

Reputation: 3

Can you use a Graph API auth token with AzureRM?

The goal of my project is to be able to access a user's subscriptions via AzureRM. This application will be used in a Default Directory Only - Single Tenant for building out infrastructure and is being built as a C# Forms application.

I've run into issues with figuring out how to log in a user to get the auth token to be able to pass through the Authorization header of the GET call. All I currently get is a 401 - Unauthorized.

What I'm curious about is whether I need to be trying to log in my user using AzureRM (if that is possible) or if a login through Graph API is fine and I have an issue elsewhere that I need to be looking into.

Upvotes: 0

Views: 359

Answers (1)

anon

How to get the access (auth) token using the AzureRM

By creating an Active Directory application and service principal and using a ClientID and ClientSecret, you may retrieve the AccessToken. For how to get the auth token by creating the AD application, Client Id, Client Secret and Service Principal, follow this [documentation](https://stefanstranger.github.io/2016/10/21/UsingtheAzureARMRESTAPIGetAccessToken/) for clear steps, given by Stefan Stranger.


how to login a user to get the auth token to be able to pass through the authorization header of the GET call.

There are 2 ways to pass the tokens: through the HTTP Authorization header, and via the addition of a URL query parameter "token=tokenvalue".

Here you're using the Authorization header way!

You can request the Microsoft identity platform for an OAuth 2.0 access token. The security principal—a user, group, or service principal—running the application is verified by Azure AD. If authentication is successful, Azure AD sends the access token back to the application, which can use it to authorize requests.


All I currently get is a 401 - Unauthorized.

There are two kinds of access token issued by Azure AD.

  1. delegated token - used to delegate the user to operate on the user's resources.

  2. application token - There is no user context (current user) in this token, because it is typically used to perform operations on resources owned by the whole organization. In order to access the resource as "me," which requires the user context, we shouldn't use this token.

To operate on the resources using the application token, we need to specify the user using the users collection, like the code below:

using Microsoft.Graph;

// An application token carries no user context, so the target user must be
// named explicitly (object ID or UPN) in the users collection.
string userId = "";
var user = await graphServiceClient.Users[userId].Request().GetAsync();

We must grant the "User.Read.All" or "Directory.Read.All" application permission in order to read the users resource from Azure Active Directory. Please make sure you have given enough permission by checking the permissions in the Azure portal. After changing the permission, you can verify these permissions by decoding the token on a JWT decoding site.


whether I need to be trying to login my user using AzureRM (if that is possible) or if a login through Graph API is fine

If your resource is "https://graph.microsoft.com/" then your authority should be "https://login.windows.net/common/oauth2/v2.0/token", or the same authority but with "common" swapped for your Azure AD tenant ID.

Steps for authorizing the auth token. Here are the steps that I've done so far:

  1. Azure Active Directory B2C Portal
  2. An Azure AD web app registered with OpenID will have the required permissions; check the link provided by Microsoft.
  3. The web app will be in trusted mode if logged in with admin credentials, which lets it manage users (Create, Modify operations).
  4. Use the InvitationManager part of MS Graph to send the invitation; the received code can be redeemed from the OpenIdConnect authentication notifications.

Note: You should update your application manifest by adding Microsoft Graph as a resource and requesting the necessary permissions.

Upvotes: 2
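The question's 401 is the classic symptom of sending a token issued for one audience (Microsoft Graph) to a different resource (Azure Resource Manager). The following Python is an added illustration, not code from the question or the answer above: it builds the client-credentials token request for the ARM audience, and shows how to inspect a token's claims offline to tell a Graph token from an ARM token and a delegated token from an application token before putting it in the Authorization header. The tenant/client/secret values and the two sample tokens are constructed; Azure AD never issues unsigned tokens, they only exist here so the inspection helpers run without a network.

```python
"""Added example (not from the original question or answer): request a token for
the right audience, and inspect a token's claims to explain an ARM 401."""
import base64
import json
from urllib.parse import urlencode

ARM_RESOURCE = "https://management.azure.com"
GRAPH_RESOURCE = "https://graph.microsoft.com"
# Public ARM endpoint that lists the subscriptions the caller can see.
SUBSCRIPTIONS_URL = "https://management.azure.com/subscriptions?api-version=2020-01-01"


def token_request(tenant_id: str, client_id: str, client_secret: str,
                  resource: str = ARM_RESOURCE) -> tuple[str, str]:
    """Return (url, form body) for an OAuth 2.0 client-credentials request on the
    v2.0 endpoint. The audience of the token is chosen by the scope value
    '<resource>/.default' (the older v1 endpoint uses a 'resource=' parameter)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": f"{resource}/.default",
    })
    return url, body


def authorization_header(access_token: str) -> dict[str, str]:
    """The header ARM authenticates with."""
    return {"Authorization": f"Bearer {access_token}"}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Decode a JWT payload for inspection only. This does NOT verify the
    signature; use it to see what you were issued, never to trust a token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_kind(token: str) -> str:
    """Delegated (user) tokens carry 'scp', the consented scopes; application
    (client-credentials) tokens have no user context and no 'scp' claim."""
    return "delegated" if "scp" in decode_jwt_claims(token) else "application"


def token_fits_resource(token: str, resource: str) -> bool:
    """True when the token's audience is the resource about to be called. v1 ARM
    tokens use 'https://management.azure.com/' (trailing slash), v2 tokens omit
    it, so compare without the slash."""
    aud = decode_jwt_claims(token).get("aud", "")
    return aud.rstrip("/") == resource.rstrip("/")


def explain_401(token: str, resource: str = ARM_RESOURCE) -> str:
    """Most likely reason the resource answered 401 for this token."""
    if not token_fits_resource(token, resource):
        aud = decode_jwt_claims(token).get("aud")
        return f"audience mismatch: token is for {aud!r}, request goes to {resource!r}"
    return "audience ok; check that the token has not expired (exp) and came from your tenant (tid)"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: dict) -> str:
    """Constructed alg=none JWT for the offline samples below (Azure AD never
    issues these; they only exercise the inspection helpers)."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."


# Constructed samples: a Graph sign-in token and an ARM client-credentials token.
GRAPH_USER_TOKEN = make_unsigned_token({
    "aud": GRAPH_RESOURCE, "tid": "00000000-0000-0000-0000-000000000000",
    "scp": "User.Read", "upn": "someone@contoso.example",
})
ARM_APP_TOKEN = make_unsigned_token({
    "aud": ARM_RESOURCE + "/", "tid": "00000000-0000-0000-0000-000000000000",
    "appid": "11111111-1111-1111-1111-111111111111",
})

if __name__ == "__main__":
    url, body = token_request("tenant-id", "client-id", "client-secret")
    print("POST", url)
    print(body)
    for name, tok in [("Graph user token", GRAPH_USER_TOKEN), ("ARM app token", ARM_APP_TOKEN)]:
        print(f"{name}: kind={token_kind(tok)}, fits ARM={token_fits_resource(tok, ARM_RESOURCE)}")
        print("   ", explain_401(tok))
    print("GET", SUBSCRIPTIONS_URL, "with", authorization_header(ARM_APP_TOKEN))
```

Run it against a real token by replacing the samples with the access_token string you actually send; a Graph sign-in token will report an audience mismatch for ARM, which is exactly the condition that produces the 401. Once the audience is right, an empty subscriptions list (rather than a 401) means the service principal has no RBAC role assignment on any subscription yet.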
