Getting this error "The received access token is not valid: at least one of the claims 'puid' or 'altsecid' or 'oid' should be present. If you are accessing as application please make sure service principal is properly" when trying to use the getBatch API

sid 5 Reputation points
2024-11-14T11:07:21.47+00:00

I am getting this error when trying to query the getBatch API to pull the metrics of my VMs in the resource group of my Subscription as per the documentation here: https://learn.microsoft.com/en-us/azure/azure-monitor/essentials/migrate-to-batch-api?tabs=individual-response

{"error":{"code":"InvalidAuthenticationToken","message":"The received access token is not valid: at least one of the claims 'puid' or 'altsecid' or 'oid' should be present. If you are accessing as application please make sure service principal is properly created in the tenant."}

The App is already part of the tenant and has the built-in "Reader" role on the subscription. I created it via "App registrations".

I even gave the App "Owner" and "Monitoring Reader" roles but it still doesn't work. Any idea what could be the problem?


2 answers

  1. James Hamil 27,221 Reputation points Microsoft Employee Moderator
    2024-11-14T21:51:45.4133333+00:00

    Hi @sid, please check the following for me and let me know the results:

    1. Make sure that the App registration (not just the app) has the correct permissions to access the resources in your subscription. You can check this by going to the "Access control (IAM)" tab in the subscription and verifying that the App registration has the "Reader" role assigned.
    2. Check if the App registration has the correct permissions to access the Azure Monitor API. You can do this by going to the "API permissions" tab in the App registration and verifying that the App registration has the "Azure Monitor" API permission.
    3. Make sure that the access token you are using is valid and has the correct permissions. You can try to regenerate the access token and use the new token to query the getBatch API.
    4. If you are still facing issues, you can try to create a new service principal and assign the required permissions to it. You can then use the new service principal to query the getBatch API.

    Please let me know if this helps.

    Best,

    James


  2. James Hamil 27,221 Reputation points Microsoft Employee Moderator
    2025-01-15T22:47:26.47+00:00

    Hi @sid, thank you for confirming your answer. I'll bring your feedback to the product group. Since you can't verify your own answer, I'll repost it here for others to reference. Please mark "Accept Answer."

    "I found that I need to enable the resource provider microsoft.insights at the subscription level which seems to have solved the problem and I get the metrics from the getBatch API endpoint but I am not 100% sure if this was the real problem."

    Please let me know if you have any questions and I can help you further.

    Best,

    James
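
An added example, not part of the original thread and not Microsoft's code: a local check for step 3 of the first answer that decodes an access token's payload and reports whether any of the identity claims named in the error message (`puid`, `altsecid`, `oid`) is present. The helper names and the sample tokens are constructed for illustration, and the signature is deliberately not verified, so the output is for diagnosis only.

```python
import base64
import json

# Claims the error message on this page says must be present (at least one).
IDENTITY_CLAIMS = ("puid", "altsecid", "oid")


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_token(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying its signature (diagnosis only)."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected header.payload.signature")
    try:
        claims = json.loads(b64url_decode(parts[1]))
    except ValueError as exc:  # covers bad base64, bad UTF-8 and bad JSON
        raise ValueError(f"payload is not base64url-encoded JSON: {exc}") from exc
    if not isinstance(claims, dict):
        raise ValueError("payload is not a JSON object")
    present = [c for c in IDENTITY_CLAIMS if claims.get(c)]
    return {
        "identity_claims": present,
        "missing_identity_claim": not present,
        # Shown so they can be compared with the tenant and app being used.
        "aud": claims.get("aud"),
        "tid": claims.get("tid"),
        "appid": claims.get("appid") or claims.get("azp"),
    }


def make_sample_token(claims: dict) -> str:
    # Constructed, unsigned sample token used only to exercise inspect_token.
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    # Constructed claim values; run this locally, a real token is a bearer credential.
    sample = make_sample_token({"aud": "https://example.invalid", "tid": "tenant-placeholder",
                                "appid": "app-placeholder"})
    print(inspect_token(sample))  # no oid/puid/altsecid in this sample
```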
