
I have an Azure App Service which is authenticated using Azure AD EasyAuth.

[Screenshots: "Configured AppService with AD", 1 and 2]

I am trying to send a request from another App Service using C# and MSAL.NET (Microsoft.Identity.Client).

The authentication code looks like this:

using System;
using Microsoft.Identity.Client;

var app = ConfidentialClientApplicationBuilder
    .Create(config.ClientId) // The Client ID in the App Registration connected to the App Service
    .WithClientSecret(config.ClientSecret)
    .WithAuthority(new Uri(config.Authority)) // https://login.microsoftonline.com/tenant.onmicrosoft.com/v2.0
    .WithTenantId(config.TenantId) // Tenant Id Guid
    .Build();

// Used Scopes: ["https://graph.microsoft.com/.default"]
var credentials = await app.AcquireTokenForClient(config.Scopes)
    .ExecuteAsync(cancellationToken);

I get a bearer token successfully, but when I try to call the App Service with the token injected into the headers I get a 401 and "You do not have permission to view this directory or page." :(

Update 1:

I tried @Jim Xu's answer and it's still giving me a 401. It returns a `www-authenticate` header with the following value:

[Screenshot: www-authenticate value]

The resource id is the same as the ClientId in the App Reg.

Update 2 - Solution

So to summarize the fix:

  1. The requested scopes when calling AcquireTokenForClient should include {Application ID Uri}/.default
  2. In EasyAuth configuration, the Allowed Token Audiences needs to be set to the Application ID Uri as well
Ayman

1 Answer

If you want to call the Azure API app which enables easy auth, please refer to the following steps:

  1. Get the Application ID URI of the AD application you use to enable easy auth

a. In the Azure portal menu, select Azure Active Directory or search for and select Azure Active Directory from any page.

b. Select App registrations > Owned applications > View all applications in this directory. Select your web app name, and then select Overview.

  2. Code:
using System;
using Microsoft.Identity.Client;

var app = ConfidentialClientApplicationBuilder
    .Create(config.ClientId) // The Client ID in the App Registration connected to the App Service
    .WithClientSecret(config.ClientSecret)
    .WithAuthority(new Uri(config.Authority)) // https://login.microsoftonline.com/tenant.onmicrosoft.com/v2.0
    .WithTenantId(config.TenantId) // Tenant Id Guid
    .Build();

// Used Scopes: ["{Application ID URI}/.default"]
// AcquireTokenForClient takes a collection of scopes, not a single string
var credentials = await app.AcquireTokenForClient(new[] { "{Application ID URI}/.default" })
    .ExecuteAsync(cancellationToken);

For more details, please refer to here.

Jim Xu
  • It's still giving me a 401. I updated my question with the result. Do I need to add a specific scope in the App Reg? – Ayman Feb 24 '21 at 14:19
  • @Ayman Is it that you use the same application to protect your web API and require a token to call the API? – Jim Xu Feb 25 '21 at 01:32
  • Sorry, didn't understand your comment. – Ayman Feb 25 '21 at 01:46
  • @Ayman I want to know if you registered a new Azure AD application to get an AD token to call your web API. – Jim Xu Feb 25 '21 at 01:47
  • I created a new `App Registration` and connected it to the `App Service`, but still the same. – Ayman Feb 25 '21 at 10:14
  • @Ayman According to my understanding, you create a new Azure AD application to configure easy auth. Meanwhile, you also use the application to get the token and call the web API. Right? – Jim Xu Feb 25 '21 at 11:57
  • Correct. The same app registration is used to configure easy auth and also used to get the token to call the web API. – Ayman Feb 25 '21 at 11:58
  • @Ayman Could you please provide a screenshot of how you configure easy auth? – Jim Xu Feb 26 '21 at 01:32
  • Updated the screenshots. – Ayman Feb 26 '21 at 01:38
  • @Ayman Please update the issuer as `https://sts.windows.net//` and add the app ID URL in Allowed Token Audiences. – Jim Xu Feb 26 '21 at 01:56
  • Yes, that worked. So to summarize my issue, I needed to set the `scope` and the `Allowed Token Audiences` to the Application ID Uri. – Ayman Feb 26 '21 at 02:14
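As an added example, not code from the question or from Jim Xu's answer, the following C# program applies the fix summarized above end to end: it requests the token with the `{Application ID URI}/.default` scope, checks the token's `aud` claim against the audiences EasyAuth is configured to allow before sending it, and surfaces the `WWW-Authenticate` challenge if the App Service still answers 401. Every identifier in it (`ClientId`, `ClientSecret`, `TenantId`, `ApplicationIdUri`, `ApiBaseUrl`, the `/api/values` path) is a placeholder, and the `ReadAudience` helper is an assumed diagnostic that only decodes the payload and does not verify the signature.

```csharp
// Added example (not from the question or answer): call an EasyAuth-protected
// App Service with a client-credentials token whose audience matches the
// "Allowed Token Audiences" setting. All values below are placeholders.
using System;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class EasyAuthClient
{
    // Assumed placeholders: replace with the values from your App Registration.
    private const string ClientId = "<client-id-guid>";
    private const string ClientSecret = "<client-secret>";
    private const string TenantId = "<tenant-id-guid>";
    // Application ID URI of the registration that protects the API (e.g. api://<client-id-guid>).
    // The same value must be listed under "Allowed Token Audiences" in EasyAuth.
    private const string ApplicationIdUri = "api://<client-id-guid>";
    private const string ApiBaseUrl = "https://<your-app-service>.azurewebsites.net";

    // Audiences EasyAuth is configured to accept; mirrors the portal setting.
    private static readonly string[] AllowedAudiences = { ApplicationIdUri, ClientId };

    public static async Task Main() => Console.WriteLine(await CallApiAsync());

    public static async Task<string> CallApiAsync()
    {
        var app = ConfidentialClientApplicationBuilder
            .Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithAuthority(new Uri($"https://login.microsoftonline.com/{TenantId}"))
            .Build();

        // Requesting "https://graph.microsoft.com/.default" here would produce a token
        // whose `aud` is Microsoft Graph, which EasyAuth rejects with 401.
        var result = await app.AcquireTokenForClient(new[] { $"{ApplicationIdUri}/.default" })
            .ExecuteAsync();

        // Fail fast if the token's audience is not one EasyAuth will accept.
        var aud = ReadAudience(result.AccessToken);
        if (Array.IndexOf(AllowedAudiences, aud) < 0)
            throw new InvalidOperationException(
                $"Token audience '{aud}' is not in Allowed Token Audiences; expected '{ApplicationIdUri}'.");

        using var http = new HttpClient { BaseAddress = new Uri(ApiBaseUrl) };
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", result.AccessToken);

        using var response = await http.GetAsync("/api/values"); // assumed endpoint
        if (response.StatusCode == HttpStatusCode.Unauthorized)
        {
            // EasyAuth names the expected resource in WWW-Authenticate; surface it for diagnosis.
            var challenge = response.Headers.WwwAuthenticate.ToString();
            throw new UnauthorizedAccessException($"401 from EasyAuth. WWW-Authenticate: {challenge}");
        }
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }

    // Assumed diagnostic helper: decodes the JWT payload (no signature check) and returns `aud`.
    public static string ReadAudience(string jwt)
    {
        var parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("Not a compact JWT");
        var payload = parts[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(payload)));
        var audElem = doc.RootElement.GetProperty("aud");
        // `aud` may be a string or an array; take the first entry in the array case.
        return audElem.ValueKind == JsonValueKind.Array ? audElem[0].GetString()! : audElem.GetString()!;
    }
}
```

Swapping the scope back to `https://graph.microsoft.com/.default` makes `ReadAudience` return `https://graph.microsoft.com`, which is the mismatch behind the original 401: EasyAuth only accepts a bearer token whose `aud` is listed in Allowed Token Audiences, so the audience check catches the misconfiguration before a request is ever sent.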