
I have a multi-tenant daemon app in Azure that has no problem authenticating to Microsoft Graph APIs, but doesn't have permissions to access the Azure Resource Graph API; specifically the Compute endpoints to list virtual machines.

Is it possible to allow the app to access Azure Resource Graph as a daemon application?

Ideally I don't want to have to use delegated permissions as it complicates things for an app that needs to run as a daemon.

Walking through the auth flow manually I get this error

 "The client '<client id>' with object id '<object id>' does not have authorization to perform action 'Microsoft.Compute/virtualMachines/read' over scope '/subscriptions/<subscription>' or the scope is invalid. If access was recently granted, please refresh your credentials."

Are there any permissions I can specifically add to enable this access from the app? Or is this just not possible with a daemon app?

RG5

1 Answer


The API endpoint which you are using is not a Graph API endpoint; you need to grant Azure Service Management API permissions instead of MS Graph permissions, and then you need to set the scope to: https://management.azure.com/user_impersonation

The permissions have to be granted to Azure Service Management in the Azure portal. The API for listing the VMs:

GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Compute/virtualMachines/{vmName}?api-version=2022-08-01

Reference document: https://learn.microsoft.com/en-us/rest/api/compute/virtual-machines/get?tabs=HTTP#code-try-0

Hope this helps.

Mehtab Siddique
  • Thanks for the reply. I was hoping to avoid user impersonation if possible. Do you know if I can use impersonation with the daemon app service account that is created during registration rather than impersonating the end user though for this access? – RG5 Oct 04 '22 at 13:33
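The 403 quoted in the question is an Azure RBAC decision at subscription scope, separate from the app-registration API permission the answer describes, so the service principal also needs a role assignment there (Reader covers `*/read`) and its token must be issued for the ARM audience rather than for Graph. The Python below is an added example, not code from either poster: it builds the app-only client-credentials token request (which uses the resource's `/.default` scope), the list-VMs URL, and two offline diagnostics run over constructed samples; the list endpoint path is an assumption and the api-version is copied from the answer.

```python
import base64
import json
import re
from urllib.parse import urlencode

ARM = "https://management.azure.com"

def client_credentials_body(client_id: str, client_secret: str) -> str:
    """Form body for the v2.0 token endpoint, client credentials grant.
    A daemon asks for the resource's '/.default' scope, which carries the
    application permissions granted to it; 'user_impersonation' is a
    delegated scope and only applies when a user signs in."""
    return urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret, "scope": f"{ARM}/.default"})

def list_vms_url(subscription_id: str) -> str:
    """ARM endpoint listing every VM in a subscription (path assumed; api-version from the answer)."""
    return (f"{ARM}/subscriptions/{subscription_id}"
            "/providers/Microsoft.Compute/virtualMachines?api-version=2022-08-01")

def token_audience(access_token: str) -> str:
    """Return the 'aud' claim of a JWT WITHOUT verifying it (diagnostic only;
    ARM validates the signature). A token minted for Graph is rejected by ARM
    even when the service principal holds the right role."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))["aud"]

def parse_authorization_failed(body: str) -> dict:
    """Pull action and scope out of an ARM 403 AuthorizationFailed body.
    That error is an Azure RBAC decision, so the fix is a role assignment
    (Reader covers '*/read') for the service principal at that scope or above."""
    err = json.loads(body).get("error", {})
    if err.get("code") != "AuthorizationFailed":
        return {}
    m = re.search(r"perform action '([^']+)' over scope '([^']+)'", err.get("message", ""))
    return {"action": m.group(1), "scope": m.group(2)} if m else {}

# Constructed samples: an unsigned token whose payload names ARM as audience,
# and a 403 body wrapping the message quoted in the question.
SAMPLE_TOKEN = "eyJhbGciOiJub25lIn0." + base64.urlsafe_b64encode(
    json.dumps({"aud": ARM, "appid": "<client id>"}).encode()).rstrip(b"=").decode() + "."
SAMPLE_403 = json.dumps({"error": {"code": "AuthorizationFailed", "message":
    "The client '<client id>' with object id '<object id>' does not have authorization "
    "to perform action 'Microsoft.Compute/virtualMachines/read' over scope "
    "'/subscriptions/<subscription>' or the scope is invalid. "
    "If access was recently granted, please refresh your credentials."}})

if __name__ == "__main__":
    print(token_audience(SAMPLE_TOKEN), parse_authorization_failed(SAMPLE_403))
```

If `token_audience` on a real token returns the Graph audience, the fix is on the token request side; if it returns the ARM audience and the call still fails with `AuthorizationFailed`, the fix is a role assignment for the service principal on the scope the parser reports.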