When using DefaultAzureCredential through NodeJS SDK to send an email through the EmailClient I get a Denied By Resource Provider

Question

When using DefaultAzureCredential through NodeJS SDK to send an email through the EmailClient I get a Denied By Resource Provider

Ryan Zielke 5

When using DefaultAzureCredential through NodeJS SDK to send an email through the EmailClient I get a Denied By Resource Provider. The Azure Function is created. It doesn't tell me what resource provider is denying and I have a global admin and contributor role set for Communication Service

ajkuma 28,036 Reputation points Microsoft Employee Moderator

2023-03-23T19:01:23.7333333+00:00

@Ryan Zielke ,

Just checking in to see if you had got a chance to see the previous response.
If the answer helped (pointed you in the right direction) > please click Accept Answer
Or please share the requested/more info to help you better.

2 answers

Your answer

ajkuma 28,036 Reputation points Microsoft Employee Moderator

2023-03-23T19:01:23.7333333+00:00

@Ryan Zielke ,

Just checking in to see if you had got a chance to see the previous response.
If the answer helped (pointed you in the right direction) > please click Accept Answer
Or please share the requested/more info to help you better.

Answer 1

ajkuma 28,036 Microsoft Employee Moderator

@Ryan Zielke ,

I believe you’re referring to the steps outlined in this doc
Azure Communication Email client library for JavaScript - please do confirm.

As mentioned in the doc - You can also authenticate with Azure Active Directory using the Azure Identity library. To use the DefaultAzureCredential provider shown below, or other credential providers provided with the Azure SDK, please install the @azure/identity package:

npm install @azure/identity

Bash: npm install @azure/identity


const { DefaultAzureCredential } = require("@azure/identity");

 

// DefaultAzureCredential expects the following three environment variables:

// - AZURE_TENANT_ID: The tenant ID in Azure Active Directory

// - AZURE_CLIENT_ID: The application (client) ID registered in the AAD tenant

// - AZURE_CLIENT_SECRET: The client secret for the registered application

const credential = new DefaultAzureCredential();

I understand you have already verified admin and contributor roles, if you haven’t checked, you may try to check the Azure portal to see if there are any other restrictions or policies that are preventing the user from accessing the resource.

Also, ensure Registration Provider (RP)** is registered.

--Azure Portal >> Select the subscription you want to use to register a resource provider >> under Settings select Resource providers.

--To register a resource provider, select the resource provider and then select Register

Resource providers for Azure services

Kindly let us know how it goes, I'll follow-up with you further.

Ryan Zielke 5 Reputation points

2023-03-24T21:52:46.64+00:00

Thank you, I still get the error. What resource provider needs to be set? I have set a lot of them and it doesn't seem to help. I get the following error:

invalid_resource: AADSTS500011: The resource principal named https://****.communication.azure.com/ was not found in the tenant named Microsoft Services. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant. Trace ID: #### Correlation ID: #### Timestamp: 2023-03-24 21:51:23Z. (https://login.microsoftonline.com/error?code=500011)
ajkuma 28,036 Reputation points Microsoft Employee Moderator

2023-03-27T21:03:30.5533333+00:00

Apologies for the delay from over the weekend. I'm checking on this and will get back to you shortly.
ajkuma 28,036 Reputation points Microsoft Employee Moderator

2023-03-29T13:16:49.2866667+00:00
For a deeper investigation into this we would need your subscription ID and ACS resource details, which are PII, so we’ll have to follow-up offline, please let me know.

In the interim, please checkout these:

Typically, the error message indicates that the authentication request is sent to the wrong Azure AD. If you haven’t done, just to isolate, you may verify if the error message’s tenant ID is the same as your tenant ID.

To know your tenant ID, you may login Azure Active Directory Admin center and click “Properties” (left side navigation).

Ensure there is no typo/incorrect name for the scope for access, as that sometimes display such error message.

Review if it’s delegated permissions as outlined in this discussion thread Update | Azure Communication Services (ACS)| SDK versions
https://github.com/Azure/Communication#sdks

Answer 2

Trung Phạm 5

I am having the same issue, I tried this link: https://learn.microsoft.com/en-us/azure/communication-services/concepts/authentication#azure-ad-authentication and got credentials but it did not work for me.

Trung Phạm 5 Reputation points

2023-09-22T11:17:20.9+00:00

anyway i fixed it by using ClientSecretCredential
ajkuma 28,036 Reputation points Microsoft Employee Moderator

2023-09-25T13:01:11.27+00:00

Thanks for the follow-up and sharing the solution that worked for you.

Dhaakad Cinema 0

I'm having the same issue, here is my code

const credential = new DefaultAzureCredential();
const emailClient = new EmailClient('https://<endpoint-name>.communication.azure.com/', credential);
const mailFromDomain = process.env.AZURE_EMAIL_FROM_DOMAIN;

async function sendEmail() {      

    console.log('azureService:sendEmail: sending email ');     
	const message = {
		senderAddress: mailFromDomain,         
		content: {
			subject: "This is the subject",            
			html: `<!DOCTYPE html> <html lang="en"> <head>     <meta charset="UTF-8">     <title>Hello</title> </head> <body> <h1>Hello from localhost</h1> </body> </html>`,
		},         
		recipients: {
			to: [{                     
				address: "testEmail",                     
				displayName: "test",                 
				}],
        },     
	};      
	try{         
		const poller = await emailClient.beginSend(message);         
		const response = await poller.pollUntilDone();
		console.log('azureService:sendEmail: response ', response);     
	}catch (e){         
		console.error('azureService:sendEmail: ',e);     
	}  
}

sendEmail();

and resource providers communicationImage

 {
  "name": "RestError",
  "code": "Denied",
  "statusCode": 401,
  "request": {
    "url": "https://emailcommunicationdhaakad.india.communication.azure.com/emails:send?api-version=2023-03-31",
    "headers": {
      "content-type": "application/json",
      "accept": "application/json",
      "accept-encoding": "gzip,deflate",
      "user-agent": "azsdk-js-communication-email/1.0.0 core-rest-pipeline/1.12.0 Node/v18.12.1 OS/(x64-Windows_NT-10.0.19045)",
 "x-ms-client-request-id": "e4eceb1a-cfe4-459b-b5fc-9706595e7469",
      "authorization": "REDACTED",
      "content-length": "367"
    },
    "method": "POST",
    "timeout": 0,
    "disableKeepAlive": false,
    "streamResponseStatusCodes": {},
    "withCredentials": false,
    "requestId": "e4eceb1a-cfe4-459b-b5fc-9706595e7469",
    "allowInsecureConnection": false,
    "enableBrowserStreams": false
  },
  "details": {
    "date": "Sat, 28 Oct 2023 07:47:08 GMT",
    "content-type": "application/json",
    "transfer-encoding": "chunked",
    "connection": "keep-alive",
    "x-azure-ref": "20231028T074706Z-x1xb7wwpxx2798nk46swn1gsy000000000u000000000f25f",
    "x-cache": "CONFIG_NOCACHE",
    "error": {
      "code": "Denied",
      "message": "Denied by the resource provider."
    }
  },
  "message": "Denied by the resource provider."
}

any help is appriciated

Share via

When using DefaultAzureCredential through NodeJS SDK to send an email through the EmailClient I get a Denied By Resource Provider

2 answers

Your answer