3

I am trying to use managed identity of Azure function to access AAD protected web app, which requires a custom flow instead of using different clients. So the first step is to obtain an access token:

from azure.identity import DefaultAzureCredential

credential = DefaultAzureCredential()
scope = "https://graph.microsoft.com/.default"
token = credential.get_token(scope)  # AccessToken object; the raw JWT string is token.token

I am able to get a token successfully.

Then access the AAD protected web app:

import requests

uri = "https://my-web-app-1.azurewebsites.net/"
headers = {
    'Authorization': 'Bearer ' + token.token  # token from the get_token call above
}
api_response = requests.get(uri, headers=headers)

However, this step returns error:

{"code":401,"message":"IDX10511: Signature validation failed. Keys tried: '[PII is hidden]'. \nkid: '[PII is hidden]'. \nExceptions caught:\n '[PII is hidden]'.\ntoken: '[PII is hidden]'."}

So I suspect I used the wrong scope to get the token, and I am confused about which scope to use here.

------context-----

I have an Azure Function for which system identity has been enabled, and which has been enabled to access my web app my-web-app-1.azurewebsites.net/. The web app my-web-app-1.azurewebsites.net/ is AAD protected.

Here are the API permissions under my AAD application, which I used for the web app authentication. The mistake here is that I set API permissions for the web app instead of the Azure Function, which in any case has no way to set them (because Functions have a system identity instead of an AAD application where API permissions can be set).

[screenshot: API permissions of the AAD application]

derek

1 Answer

5

Try to set scope as {your-api-client-id}/.default to get access token. Replace your-api-client-id with the client id/application id for your API app in Azure AD.

[screenshot: app registration showing the application (client) id]

unknown
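As an added example (not code from the question or the answer), the following script puts the answer's advice into practice and also explains the question's failure mode: it builds the `{client-id}/.default` scope, and before sending a token to the web app it inspects the token's `aud` claim to confirm the token was actually minted for that API rather than for Microsoft Graph. A token issued for Graph carries Graph's audience, so an app that validates tokens for its own client id will reject it. `API_CLIENT_ID` and `API_URI` are placeholders, the network call assumes `azure-identity` and `requests` are installed and a managed identity is available, and the sample tokens at the bottom are constructed, unsigned JWTs used only to exercise the claim checks offline.

```python
import base64
import json
import time

# Placeholders: replace with the application (client) id of the AAD app
# registration that protects the web app, and the web app's URL.
API_CLIENT_ID = "00000000-0000-0000-0000-000000000000"
API_URI = "https://my-web-app-1.azurewebsites.net/"


def api_scope(client_id: str) -> str:
    """Scope requesting the API's own default permissions, as the answer suggests."""
    return f"{client_id}/.default"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Read a JWT payload WITHOUT verifying the signature.
    Diagnostic only: it shows which audience the token was issued for."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(token: str, client_id: str) -> bool:
    """True if the token's aud names the API identified by client_id.
    Assumption: Azure AD may express the audience either as the bare
    client id or as the api://<client id> application ID URI."""
    aud = decode_claims(token).get("aud")
    return aud in (client_id, f"api://{client_id}")


def bearer_headers(token: str) -> dict:
    return {"Authorization": "Bearer " + token}


def call_protected_app(uri: str, client_id: str):
    """Acquire a token for the API scope with the managed identity and call the app.
    Imports are local so the rest of this module runs offline."""
    from azure.identity import DefaultAzureCredential  # assumption: azure-identity installed
    import requests  # assumption: requests installed

    token = DefaultAzureCredential().get_token(api_scope(client_id)).token
    if not audience_matches(token, client_id):
        aud = decode_claims(token).get("aud")
        raise RuntimeError(f"token audience is {aud!r}, expected {client_id!r}")
    return requests.get(uri, headers=bearer_headers(token))


# ---- constructed sample tokens for offline demonstration only ----
def build_unsigned_sample_jwt(aud: str) -> str:
    """Build an alg=none JWT with the given audience. This is NOT a valid
    Azure AD token; it exists only to exercise decode_claims/audience_matches."""
    def enc(d: dict) -> str:
        raw = json.dumps(d, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

    header = {"alg": "none", "typ": "JWT"}
    payload = {
        "aud": aud,
        "iss": "https://sts.windows.net/example-tenant/",  # constructed issuer
        "exp": int(time.time()) + 3600,
    }
    return f"{enc(header)}.{enc(payload)}."


GRAPH_TOKEN = build_unsigned_sample_jwt("https://graph.microsoft.com")  # what the question's scope yields
API_TOKEN = build_unsigned_sample_jwt(API_CLIENT_ID)                    # what the answer's scope yields

if __name__ == "__main__":
    print("Graph-scoped token accepted by the API?", audience_matches(GRAPH_TOKEN, API_CLIENT_ID))  # False
    print("API-scoped token accepted by the API?  ", audience_matches(API_TOKEN, API_CLIENT_ID))    # True
    # call_protected_app(API_URI, API_CLIENT_ID)  # requires a managed identity and network access
```

The audience check is a client-side sanity check, not a substitute for the server validating the signature and claims; its value here is that it turns the opaque IDX10511 response into a clear "wrong audience" message before the request ever leaves the Function.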
  • What are the rules to pick which scope to use generally? I am always confused about which to pick. Like in my case, why can't I pick `https://graph.microsoft.com/.default`? – derek Mar 01 '21 at 04:30
  • @derek When calling the Microsoft Graph API, you should use the `https://graph.microsoft.com/.default` scope. The scope is always the URL of your permission (navigate to Azure AD -> your app -> API permissions), and this [article](https://dev.to/425show/just-what-is-the-default-scope-in-the-microsoft-identity-platform-azure-ad-2o4d) shows you more details about the "/.default" scope. – unknown Mar 01 '21 at 06:09
  • I guess my real question is where to find the correct resource id or scope? For example, when I need a token from blob service, I need `credential.get_token(https://storage.azure.com/.default)`. Can I use `credential.get_token(https://graph.microsoft.com/.default)` here? – derek Mar 01 '21 at 23:56
  • If you mean whether there are relevant official documents about all scopes, it seems there are no clear instructions. You could refer to this [article](https://www.shawntabrizi.com/aad/common-microsoft-resources-azure-active-directory/), which lists the common Microsoft resources. – unknown Mar 02 '21 at 01:22
  • About the example, obviously `https://storage.azure.com/.default` is correct, see [Azure Storage resource ID](https://learn.microsoft.com/en-us/azure/storage/common/storage-auth-aad-app?tabs=dotnet#azure-storage-resource-id). Or find it in the portal, https://i.stack.imgur.com/4zSxQ.png – unknown Mar 02 '21 at 01:29