
I'm trying to read user properties from ms graph inside an Azure function. For authentication I used the DefaultAzureCredential class from Azure.Identity.

Access with Shared Token Cache Credential locally and Managed Identity Credential in Azure is no prob! I wanted to use the Visual Studio Code Credential, but I get an "Authorization_RequestDenied! Insufficient privileges to complete the operation" error message when I call the graph API.

The problem seems to be the access token I received with the VS Code Credential. The user account is the same one I used with the Shared Token Cache Credential.

Any ideas? Thank you.

Code:

using System;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;
using Microsoft.Graph;

// Tenant used by VisualStudioCodeCredential comes from an environment variable.
DefaultAzureCredentialOptions options = new DefaultAzureCredentialOptions();
options.VisualStudioCodeTenantId = Environment.GetEnvironmentVariable("Debug_VisualStudioCodeTenantId");

var credential = new DefaultAzureCredential(options);

// Request a Graph token for every scope the client is already consented for (.default).
AccessToken token = credential.GetToken(
    new TokenRequestContext(new[] { "https://graph.microsoft.com/.default" }));

string accessToken = token.Token;

// Attach the raw bearer token to each Graph request.
var graphServiceClient = new GraphServiceClient(
    new DelegateAuthenticationProvider((requestMessage) =>
    {
        requestMessage.Headers.Authorization =
            new AuthenticationHeaderValue("bearer", accessToken);
        return Task.CompletedTask;
    }));

var users = await graphServiceClient.Users.Request().GetAsync(); // throws the forbidden exception

Exception: "Code: Authorization_RequestDenied\r\nMessage: Insufficient privileges to complete the operation.\r\nInner error:\r\n\tAdditionalData:\r\n\tdate: 2021-04-20T08:02:23\r\n\trequest-id: ...\r\n\tclient-request-id: ...\r\nClientRequestId: ...\r\n"

Jonas
  • Can you inspect the token at e.g. https://jwt.ms? Ensure from there that the token contains all the things it should, like the "scp" claim should contain the needed scopes. – juunas Apr 20 '21 at 08:21
  • I am new to token-based authentication, so I am not sure what a token should contain. The scp tag contains "email Mail.ReadWrite Mail.Send openid profile Tasks.ReadWrite". Could the problem be that I need to register VS Code in Azure or something like that? – Jonas Apr 20 '21 at 08:37
  • Looks like it could be missing a needed scope. The issue is that the service principal that VS Code is using (its app registration) does not require that. This is the general issue with using these credentials locally :\ You might need to try a different credential type or use client credential authentication (secret / certificate). – juunas Apr 20 '21 at 08:48
  • What a pity. But thank you for your help. – Jonas Apr 20 '21 at 09:02
  • I guess you could also try `https://graph.microsoft.com/User.Read.All` as the scope instead of the .default. That might end in an error though :\ – juunas Apr 20 '21 at 09:08
  • Yes, as @juunas said try adding User.Read.All. You don't have this [required permission](https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=http#permissions) in your token and I think that's the issue. – Shiva Keshav Varma Apr 20 '21 at 09:19
  • When I do that I get this exception message: "VisualStudioCodeCredential authentication failed: AADSTS65002: Consent between first party application '...' and first party resource '...' must be configured via preauthorization - applications owned and operated by Microsoft must get approval from the API owner before requesting tokens for that API." – Jonas Apr 20 '21 at 09:25

1 Answer


After inspecting the token returned by VS Code, it seems to be missing a required delegated permission/scope. The docs say one of these is required to list users:

User.ReadBasic.All, User.Read.All, User.ReadWrite.All, Directory.Read.All, Directory.ReadWrite.All, Directory.AccessAsUser.All

Since the service principal that VS Code is using does not require any of these, it won't work. After trying to explicitly get the token with the required scope, it doesn't seem to work either.

So the VS Code credential currently just doesn't seem to work for this purpose. You'll need a different credential or perhaps use the client secret/certificate credential with your own app registration.

juunas
  • Thanks for your extensive help. For local debugging, Shared Token Cache Credential works as an alternative. It's a pity that the Visual Studio Credential doesn't work. – Jonas Apr 20 '21 at 11:04
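The check juunas suggests (inspect the token and compare its scp claim with the permissions the answer lists for listing users) can be done locally instead of pasting a token into a website. The following Python is an added example and not part of the thread: the sample token is constructed and unsigned, the claim names scp and roles are the standard Azure AD ones, and the decoder intentionally skips signature verification because this is a diagnostic, not an authentication step.

```python
import base64
import json

# Delegated permissions the answer lists as sufficient for GET /users.
USER_LIST_SCOPES = {
    "User.ReadBasic.All", "User.Read.All", "User.ReadWrite.All",
    "Directory.Read.All", "Directory.ReadWrite.All", "Directory.AccessAsUser.All",
}

def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT without verifying the signature.
    Diagnostic only: it shows what the token carries, not whether it is genuine."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))

def granted_permissions(claims: dict) -> set:
    """Delegated tokens carry space-separated scopes in 'scp';
    app-only (client credential) tokens carry a list in 'roles'."""
    return set(claims.get("scp", "").split()) | set(claims.get("roles", []))

def diagnose_user_list(token: str) -> dict:
    claims = decode_claims(token)
    granted = granted_permissions(claims)
    return {
        "audience": claims.get("aud"),
        "granted": sorted(granted),
        "sufficient": bool(granted & USER_LIST_SCOPES),
    }

def make_unsigned_jwt(payload: dict) -> str:
    # Constructed demo token with an empty signature segment; a real Azure AD
    # token is signed, and the check above says nothing about that signature.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(payload)}."

# Constructed sample mirroring the scp claim reported in the question's comments.
VSCODE_LIKE_TOKEN = make_unsigned_jwt({
    "aud": "https://graph.microsoft.com",
    "scp": "email Mail.ReadWrite Mail.Send openid profile Tasks.ReadWrite",
})

if __name__ == "__main__":
    print(json.dumps(diagnose_user_list(VSCODE_LIKE_TOKEN), indent=2))
```

Running it on the sample reports sufficient: false, which is the same condition behind the Authorization_RequestDenied response in the question.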