acquire a token of app registration with MI , via powershell Rest in an azure function app

Question

acquire a token of app registration with MI , via powershell Rest in an azure function app

Guy Levi 5 Microsoft Employee

Hello,

I am trying to acquire a token from an app registration. Since this app registration has API permissions I want to use, I need to do it with managed identity.

To achieve this, I created a function app where I published the following code.
the client is the App registration client id ( should it be something else ?)

Also not sure if the scope is the correct way to write it .

param($Request, $TriggerMetadata)

# Set the client ID of the App Registration that the managed identity is federated to
$clientId = "3f13273c-3fab-4887-94ec-e9c29b543dc1"

# Set the scope for the token (usually the App ID URI of the target API)
$scope = "api://AzureADTokenExchange/.default"

# Request the token from Azure Instance Metadata Service (IMDS)
try {
    $response = Invoke-RestMethod -Method GET -Headers @{Metadata="true"} -Uri "http://169.254.169.254/metadata/identity/oauth2/token?client_id=$clientId&resource=$scope&api-version=2018-02-01"
    
    # Extract the token
    $accessToken = $response

    # Return the token in the HTTP response
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode = 200
        Body = @{
            access_token = $accessToken
        } | ConvertTo-Json -Depth 3
    })
} catch {
    # Handle error and return the error response
    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
        StatusCode = 500
        Body = @("Error retrieving token: $($_.Exception.Message)")
    })
}

As you can see in the attached screen shot it is being published properly.

I also have a federated identity based on the managed identity I created on the app registration, and that same identity is in the Azure function.

However, when I try to get the response to see if it has the token, the response is constantly empty. I believe there is an issue with how I am trying to acquire the token with the invoke request , in the code.

# Define the function URL

az account set --subscription "51828c2e-c358-414d-9739-e799a65b0fdf"


$functionKey = az functionapp function keys list --name R2D-Kusto-AzureFunctionPs --resource-group kusto-r2d-resources --function-name gettokenfunction --query "default" --output tsv | Out-String


$functionKey = $functionKey.Trim()

$functionUrl = "https://r2d-kusto-azurefunctionps.azurewebsites.net/api/gettokenfunction?code=$functionKey"

# Call the function
$response = Invoke-RestMethod -Uri $functionUrl -Method GET

# Extract and display the token
$token = $response
Write-Output "Access Token: $token"

Write-Output "Access Token: $token"

Invoke-RestMethod : The remote server returned an error: (500) Internal Server Error.

At line:14 char:13

$response = Invoke-RestMethod -Uri $functionUrl -Method GET
```
        ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
```
- CategoryInfo : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-RestMethod], WebException
- FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeRestMethodCommand

Access Token: @{access_token=}

Could someone please help me understand what might be wrong and how to get the token from the app registration?

Praveen Kumar Gudipudi 1,880 Reputation points Moderator

2025-05-21T21:12:29.26+00:00
Guy Levi,

Here's a breakdown of what you could check and adjust based on your provided code:

Client ID: Ensure that the $clientId variable actually holds the Application (client) ID of your app registration. If your managed identity is configured correctly, you might not need to specify the client ID, as the managed identity should be able to authenticate itself automatically.

Resource/Scope: Your $scope is set to api://AzureADTokenExchange/.default, which is typically the correct format for scope. However, you should double-check this value. If you are calling a specific API, make sure that the scope matches that API's Application ID URI followed by /.default. For example, if your API's Application ID URI is api://your-api-id, then use api://your-api-id/.default.

Invoke-RestMethod: The URL you've used for acquiring the token seems correct as you're hitting the Azure Instance Metadata Service (IMDS). Make sure your function app's Managed Identity has permissions to access the resource identified by your $scope.

Function URL: When calling your function with Invoke-RestMethod, ensure that $functionKey is correctly retrieved and that the function's HTTP trigger is correctly set up to accept the requests.

Debugging: Since you're getting a 500 Internal Server Error, consider adding more detailed error logging in your catch block to capture additional exception messages that could help diagnose the issue better. Please check above suggested steps and let us know with an update.
Guy Levi 5 Reputation points Microsoft Employee

2025-05-22T12:17:30.1833333+00:00
I get the following error , I think it is since the endpoint 169.254.169.254 is not usable for Azure function , anything else I should use to get the token ?

Connection refused (169.254.169.254:80)
Praveen Kumar Gudipudi 1,880 Reputation points Moderator

2025-05-23T20:11:20.6433333+00:00

Guy Levi,,

According to How to use managed identities for Azure resources on an Azure VM to acquire an access token, 169.254.169.254 is a special IP address where the managed identity endpoint is hosted.

Please refer above documentation and let us know with an update.
Praveen Kumar Gudipudi 1,880 Reputation points Moderator

2025-05-26T19:44:45.5066667+00:00

Guy Levi,

Following up to see if you have chance to check my previous response and please let us know with an update to assist you further on this.
Praveen Kumar Gudipudi 1,880 Reputation points Moderator

2025-05-27T22:12:32.9533333+00:00

Guy Levi,

We haven't heard back from you yet, and I wanted to ensure everything is on track and see if there's anything more, we can assist you with.
Anonymous

2025-05-27T22:32:13.5266667+00:00

I've been hitting a similar issue. Have a multi-tenant app with a managed identity federated credential.

This might be way off so far but the closest I've seemed to have gotten was this:

Connect-AzAccount -Identity -AccountId "###"

$accessToken = (Get-AzAccessToken).Token

$response = Invoke-RestMethod -Method POST -ContentType "application/x-www-form-urlencoded" -Uri "http://login.microsoftonline.com/{tenantid}/oauth2/v2.0//token?client_id=$clientId&scope=$scope&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=$accesstoken&grant_type=client_credentials"

However, the response I get is the microsoft login page, and an error message saying:

strServiceExceptionMessage":"AADSTS900561: The endpoint only accepts POST, OPTIONS requests. Received a GET request."

But the request is clearly marked as a post, so not sure whats up.

I also tried using:

Connect-AzAccount -ServicePrincipal -TenantId "###" -ApplicationId "###" -FederatedToken $accessToken

But error I get on that says:

Connect-AzAccount : Authentication failed against tenant "###". User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId ###'.

Could not find tenant id for provided tenant domain '###'

1 answer

Your answer

Praveen Kumar Gudipudi 1,880 Reputation points Moderator

2025-05-21T21:12:29.26+00:00

Guy Levi,

Here's a breakdown of what you could check and adjust based on your provided code:

Client ID: Ensure that the $clientId variable actually holds the Application (client) ID of your app registration. If your managed identity is configured correctly, you might not need to specify the client ID, as the managed identity should be able to authenticate itself automatically.

Resource/Scope: Your $scope is set to api://AzureADTokenExchange/.default, which is typically the correct format for scope. However, you should double-check this value. If you are calling a specific API, make sure that the scope matches that API's Application ID URI followed by /.default. For example, if your API's Application ID URI is api://your-api-id, then use api://your-api-id/.default.

Invoke-RestMethod: The URL you've used for acquiring the token seems correct as you're hitting the Azure Instance Metadata Service (IMDS). Make sure your function app's Managed Identity has permissions to access the resource identified by your $scope.

Function URL: When calling your function with Invoke-RestMethod, ensure that $functionKey is correctly retrieved and that the function's HTTP trigger is correctly set up to accept the requests.

Debugging: Since you're getting a 500 Internal Server Error, consider adding more detailed error logging in your catch block to capture additional exception messages that could help diagnose the issue better. Please check above suggested steps and let us know with an update.
Guy Levi 5 Reputation points Microsoft Employee

2025-05-22T12:17:30.1833333+00:00

I get the following error , I think it is since the endpoint 169.254.169.254 is not usable for Azure function , anything else I should use to get the token ?

Connection refused (169.254.169.254:80)
Praveen Kumar Gudipudi 1,880 Reputation points Moderator

2025-05-23T20:11:20.6433333+00:00

Guy Levi,,

According to How to use managed identities for Azure resources on an Azure VM to acquire an access token, 169.254.169.254 is a special IP address where the managed identity endpoint is hosted.

Please refer above documentation and let us know with an update.
Praveen Kumar Gudipudi 1,880 Reputation points Moderator

2025-05-26T19:44:45.5066667+00:00

Guy Levi,

Following up to see if you have chance to check my previous response and please let us know with an update to assist you further on this.
Praveen Kumar Gudipudi 1,880 Reputation points Moderator

2025-05-27T22:12:32.9533333+00:00

Guy Levi,

We haven't heard back from you yet, and I wanted to ensure everything is on track and see if there's anything more, we can assist you with.
Anonymous

2025-05-27T22:32:13.5266667+00:00

I've been hitting a similar issue. Have a multi-tenant app with a managed identity federated credential.

This might be way off so far but the closest I've seemed to have gotten was this:

Connect-AzAccount -Identity -AccountId "###"

$accessToken = (Get-AzAccessToken).Token

$response = Invoke-RestMethod -Method POST -ContentType "application/x-www-form-urlencoded" -Uri "http://login.microsoftonline.com/{tenantid}/oauth2/v2.0//token?client_id=$clientId&scope=$scope&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=$accesstoken&grant_type=client_credentials"

However, the response I get is the microsoft login page, and an error message saying:

strServiceExceptionMessage":"AADSTS900561: The endpoint only accepts POST, OPTIONS requests. Received a GET request."

But the request is clearly marked as a post, so not sure whats up.

I also tried using:

Connect-AzAccount -ServicePrincipal -TenantId "###" -ApplicationId "###" -FederatedToken $accessToken

But error I get on that says:

Connect-AzAccount : Authentication failed against tenant "###". User interaction is required. This may be due to the conditional access policy settings such as multi-factor authentication (MFA). If you need to access subscriptions in that tenant, please rerun 'Connect-AzAccount' with additional parameter '-TenantId ###'.

Could not find tenant id for provided tenant domain '###'

Answer 1

Hi Guy Levi,

I tried to run your code in Azure function App and got 500 Internal Server error as below:

[ "Error retrieving token: An attempt was made to access a socket in a way forbidden by its access permissions. (169.254.169.254:443)" ]

In PowerShell Azure Functions, calling http://169.254.169.254 for managed identity can fail if the function App attempts to route the call via HTTPS instead of HTTP or applies a proxy, even on public network access.

An attempt was made to access a socket in a way forbidden by its access permissions. (169.254.169.254:443)

This error indicates something is redirecting the request to port 443 (HTTPS), even though the Invoke request is using HTTP.

Hence as a workaround, you can use below PowerShell code with Az modules to generate access token in Function App using Managed Identity.

run.ps1:


param($Request, $TriggerMetadata)

 

 Connect-AzAccount -Identity | Out-Null

 

$scope = "api://b2b532c5XXb537-d507914e592a" //APP ID or Client ID of App registration

 

try {

    $tokenResponse = Get-AzAccessToken -ResourceUrl $scope

 

    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{

        StatusCode = 200

        Body = @{

            access_token = $tokenResponse.Token

        } | ConvertTo-Json -Depth 3

    })

}

catch {

    Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{

        StatusCode = 500

        Body = @("Error retrieving token: $($_.Exception.Message)")

    })

}

requirements.ps1:

@{

	'Az.Accounts' = '2.12.1'

}

profile.ps1:


Import-Module Az.Accounts

`I have assigned below API permission to the Function App's managed identity:

Able to generate the access token as below:

Hope it helps!

Please do not forget to click "Accept the answer” and Yes wherever the information provided helps you, this can be beneficial to other community members.

User's image

If you have any other questions or still running into more issues, let me know in the "comments" and I would be happy to help you.

Anonymous

2025-05-30T06:04:24.7+00:00

Guy Levi, Just checking in to see if the provided answer helped. If it did, please click "Accept the answer” and Yes for the answer . So it can benefit other community members reading this thread. If you have any further queries, do let us know.
Anonymous

2025-06-03T11:10:06.16+00:00

Guy Levi, We still have not heard back from you. Please click "Accept the answer” and Yes for the answer. So, it can benefit other community members reading this thread. If you have any further queries, do let us know.

Share via

acquire a token of app registration with MI , via powershell Rest in an azure function app

1 answer

Your answer