
I am trying to create an application that can connect to ARM (https://management.azure.com) and retrieve some information from it. I already created one that uses Microsoft Graph (https://graph.microsoft.com) and works fine, however now I need to get information that is only available on ARM.

I looked up on the internet the permissions required, especially on Microsoft Docs, however all the documentation that I was able to find refers only to Microsoft Graph or Windows Graph.

Do you know which permissions I should request through the portal?

// Acquires an access token for Azure Resource Manager with ADAL4J using the
// username/password (resource owner password credentials) grant.
public String getAccessToken() throws MalformedURLException, InterruptedException, ExecutionException, ServiceUnavailableException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, NoSuchAlgorithmException, NoSuchPaddingException
{
    AuthenticationContext objContext;
    AuthenticationResult objToken;
    ExecutorService objService;
    Future<AuthenticationResult> objFuture;
    objService = null;
    objToken = null;
    try
    {
        // ADAL4J runs the token request on the supplied executor.
        objService = Executors.newFixedThreadPool(1);
        objContext = new AuthenticationContext(this.getAuthorize(), false, objService);
        // Resource identifier for ARM; the credential is decrypted just before use.
        objFuture = objContext.acquireToken("https://management.azure.com", this.getApplicationID(), this.getUsername(), SecureText.getInstance().decode(this.getPassword()), null);
        objToken = objFuture.get();
        this.getLogger().info("Connection to Azure Resource Manager via ".concat(this.getClass().getSimpleName().toLowerCase()).concat(" successfully established"));
    }
    finally
    {
        // Guard against a failure before the executor was created.
        if (objService != null)
        {
            objService.shutdown();
        }
    }
    if (objToken == null)
    {
        throw new ServiceUnavailableException("Authentication Service is not available");
    }
    return objToken.getAccessToken();
}

The following error is displayed:

com.microsoft.aad.adal4j.AuthenticationException: {"error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'e1b0615a-911d-4ccf-bf16-e8d0c1c2f8b5' named 'XXXXXXX'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 9731e9b7-116d-4c5e-b219-ab96e12c4300\r\nCorrelation ID: faa9a023-3237-4367-9c66-eec9b77e2805\r\nTimestamp: 2019-09-26 11:20:54Z","error":"invalid_grant"}

Daniel Mann
delucaezequiel
  • I think it needs delegated permissions to like Azure Service Management API or something similar. I'm on my phone now so can't really check the exact one. – juunas Sep 26 '19 at 13:55
  • This seems relevant with application permission instead of ARM permission. Refer to this screenshot: https://imgur.com/a/G4QlNqU . Go AAD->Enterprise applications->search the application you created then go->Permission->Click the button **Grant admin consent for microsoft** to grant your application the admin consent. – Mengdi Liang Sep 27 '19 at 15:28
  • I am aware this is an application permission. What I need to know is which permissions are required for executing the REST API to the ARM module. Currently the application has the following permissions, which I set based on the Microsoft Graph REST API documentation: AuditLog.Read.All Directory.AccessAsUser.All Directory.Read.All Policy.Read.All SecurityEvents.Read.All. Ex: For read/list users https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=http you have the permissions at the beginning in the Permissions section. – delucaezequiel Sep 30 '19 at 10:08
  • However, for the REST API to the ARM module (https://management.azure.com) the permissions are not listed in the available documentation. Ex: For read/list tenants https://learn.microsoft.com/es-es/rest/api/resources/tenants/list you do not have the permissions section. The error is only displayed for REST API queries to the Management module; to the Microsoft Graph one I can connect and retrieve data as expected based on the permissions listed above. – delucaezequiel Sep 30 '19 at 10:08
  • @delucaezequiel - were you able to figure out `how to add permissions to azure ad app for azure management api` ? – rahulaga-msft Dec 11 '22 at 04:26
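The question's code asks Azure AD for a token with the resource `https://management.azure.com`, and the AADSTS65001 response says no consent exists for that resource. The added example below is not from the question or from ADAL4J; it shows the v2.0 client-credentials request for the same resource (scope `https://management.azure.com/.default`, which for ARM needs no API permission because authorization is decided by RBAC role assignments) and a parser that pulls the AADSTS code out of an error body such as the one quoted above. Environment variable names and the hint table are assumptions of this example; only the standard library is used, and the network call runs only under `__main__`.

```python
"""Request an app-only token for Azure Resource Manager and interpret AAD errors.

Added example, not code from the original question.  Standard library only; the
tenant, client id and client secret are read from environment variables (names
are assumptions) and the network call only happens under __main__.
"""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

# ARM's resource identifier.  On the v2.0 endpoint the scope is the resource
# URI plus "/.default", which asks for every permission already granted to the
# application.  For ARM that is the right scope for app-only access: what the
# token may do is then decided by RBAC role assignments, not by API permissions.
ARM_RESOURCE = "https://management.azure.com"
ARM_SCOPE = ARM_RESOURCE + "/.default"

# Remediation hints keyed by AADSTS code (hypothetical table for this example,
# built from the error text on the page and the documented meaning of 65001).
AADSTS_HINTS = {
    "AADSTS65001": "Consent is missing for this resource. For a delegated "
                   "(user) flow grant admin consent for the Azure Service "
                   "Management API permission; for app-only access use the "
                   "client-credentials flow and assign an RBAC role instead.",
}


def build_token_request(tenant_id, client_id, client_secret, scope=ARM_SCOPE):
    """Return (url, form-encoded body) for the client-credentials grant."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    })
    return url, body


def parse_aadsts_error(error_json):
    """Extract (oauth_error, aadsts_code, hint) from an AAD error body.

    The code is the token before the first ':' of error_description,
    e.g. 'AADSTS65001'; unknown codes get a generic hint.
    """
    data = json.loads(error_json)
    description = data.get("error_description", "")
    code = description.split(":", 1)[0].strip() if description.startswith("AADSTS") else None
    hint = AADSTS_HINTS.get(code, "Look the code up in the AADSTS error reference.")
    return data.get("error"), code, hint


def acquire_arm_token(tenant_id, client_id, client_secret):
    """POST the client-credentials request and return the access token string."""
    url, body = build_token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)["access_token"]
    except urllib.error.HTTPError as exc:
        oauth_error, code, hint = parse_aadsts_error(exc.read().decode())
        raise RuntimeError(f"{oauth_error} ({code}): {hint}") from exc


# Constructed sample: the error body quoted in the question, with a
# placeholder application id and the trace/correlation ids trimmed.
SAMPLE_ERROR = (
    '{"error_description":"AADSTS65001: The user or administrator has not '
    'consented to use the application with ID \'00000000-0000-0000-0000-000000000000\' '
    'named \'XXXXXXX\'. Send an interactive authorization request for this user '
    'and resource.\\r\\nTrace ID: placeholder","error":"invalid_grant"}'
)

if __name__ == "__main__":
    print(parse_aadsts_error(SAMPLE_ERROR))
    names = ("AZ_TENANT_ID", "AZ_CLIENT_ID", "AZ_CLIENT_SECRET")
    if all(os.environ.get(n) for n in names):
        token = acquire_arm_token(*(os.environ[n] for n in names))
        print("token length:", len(token))
```

Run with the three environment variables set to a real tenant, app id and secret to obtain a token; without them the script only demonstrates the error parsing on the constructed sample. The v2.0 endpoint is used here because the ADAL4J call in the question targets the v1.0 resource form of the same identifier.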

2 Answers


I have seen a similar error in the past.

Granting the permission via:

Azure Active Directory -> App Registrations -> MyApp -> Api Permissions -> Grant Admin Consent button

helped me.

Similar posts - The user or administrator has not consented to use the application - Send an interactive authorization request for this user and resource

Ajay Sainy

I have been trying to find a more efficient way to grant permissions for the Azure Resource Management API.

To access the ARM API, I usually assign roles to the service principal directly, just as you would a user.

For example, to grant the app access to read all in a subscription, do this:

  1. Go to the subscription in Azure: https://portal.azure.com/#view/Microsoft_Azure_Billing/SubscriptionsBlade

  2. Select the subscription that you wish to read with the API

  3. In the left menu, click on "Access control (IAM)"

  4. Go to "Role assignments" and click Add > Add Role Assignment at the top

  5. For "Role", select "Reader"

  6. For "Members" - search for your app by name

  7. Finally, click "Review + Assign" - this will grant the app permissions to "Read" all the subscription data
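The seven portal steps above amount to one role-assignment PUT against ARM. The added example below is not code from the answer or from Microsoft; it builds that request for the built-in Reader role on a subscription (or any narrower scope, such as a resource group, for least privilege) and lists what a principal already holds so the grant can be verified. Standard library only; the bearer token is expected in the ARM_TOKEN environment variable, an assumption of this example, and network calls run only under `__main__`.

```python
"""Assign the built-in Reader role to a service principal over the ARM REST API.

Added example, not code from the answer above.  It reproduces the portal steps
(Access control (IAM) > Add role assignment) as a single PUT and checks the
result with a filtered GET.  Standard library only; ARM_TOKEN and the ids read
under __main__ are assumptions of this example.
"""
import json
import os
import urllib.parse
import urllib.request
import uuid

ARM = "https://management.azure.com"
API_VERSION = "2022-04-01"  # Microsoft.Authorization/roleAssignments API version

# Well-known id of the built-in "Reader" role definition (same in every tenant).
READER_ROLE_ID = "acdd72a7-3385-48ef-bd42-f606fba81ae7"


def subscription_scope(subscription_id):
    return f"/subscriptions/{subscription_id}"


def resource_group_scope(subscription_id, resource_group):
    """Narrower scope: prefer this over the whole subscription where it suffices."""
    return f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"


def build_role_assignment(scope, principal_id, role_definition_id=READER_ROLE_ID,
                          assignment_id=None):
    """Return (url, body) for PUT {scope}/providers/Microsoft.Authorization/roleAssignments/{id}.

    The assignment name is a fresh GUID.  principalType=ServicePrincipal lets ARM
    accept a principal that was created moments ago and has not replicated yet.
    The role definition is referenced under the subscription part of the scope.
    """
    assignment_id = assignment_id or str(uuid.uuid4())
    sub_prefix = "/".join(scope.split("/")[:3])  # "/subscriptions/<id>"
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments/"
           f"{assignment_id}?api-version={API_VERSION}")
    body = {
        "properties": {
            "roleDefinitionId": f"{sub_prefix}/providers/Microsoft.Authorization/"
                                f"roleDefinitions/{role_definition_id}",
            "principalId": principal_id,
            "principalType": "ServicePrincipal",
        }
    }
    return url, body


def build_assignment_query(scope, principal_id):
    """URL listing every role assignment held by one principal at or above scope."""
    query = urllib.parse.urlencode({
        "api-version": API_VERSION,
        "$filter": f"principalId eq '{principal_id}'",
    })
    return f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments?{query}"


def arm_call(method, url, token, body=None):
    """Send one authenticated ARM request and return the decoded JSON reply."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholders: the caller supplies real ids through the environment.
    token = os.environ["ARM_TOKEN"]
    scope = subscription_scope(os.environ["AZ_SUBSCRIPTION_ID"])
    principal = os.environ["AZ_SP_OBJECT_ID"]  # object id of the app's service principal
    url, body = build_role_assignment(scope, principal)
    print(json.dumps(arm_call("PUT", url, token, body), indent=2))
    held = arm_call("GET", build_assignment_query(scope, principal), token)
    for item in held.get("value", []):
        print(item["properties"]["roleDefinitionId"], "@", item["properties"]["scope"])
```

The token used for the PUT must belong to an identity that can write role assignments at that scope (Owner or User Access Administrator); the Reader assignment it creates is what lets the application's own app-only token read the subscription afterwards. Note that the `principalId` is the object id of the enterprise application (service principal), not the application (client) id.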