Rest API flow Authentication on management.azure.com scope

Question

Rest API flow Authentication on management.azure.com scope

Andrea Romano 0

Hi at all, I have a problem about authentication on production environment. In development environment I have a multi-tenant application with azure management delegate permission. I am able to get token at endpoint https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize with my client id and scope like "openid https://management.azure.com//.default". After this I'am able to refresh the token using endpoint https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token with clientid, clientsecret, grant_type e refresh_token parameters In the development enviroment this flow works perfectly and I can access to azure subscription of the tenant. The same flow in production enviroment doesn't works because when I try to refresh the token with a tenant, I receive the error:

{"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID '****' named '*****'. Send an interactive authorization request for this user and resource. Trace ID: 63164622-725f-4cb7-ba1b-1f4027bca600 Correlation ID: 385204d6-8243-4f23-b2aa-3c85132d0409 Timestamp: 2024-01-31 16:11:20Z","error_codes":[65001],"timestamp":"2024-01-31 16:11:20Z","trace_id":"63164622-725f-4cb7-ba1b-1f4027bca600","correlation_id":"385204d6-8243-4f23-b2aa-3c85132d0409","suberror":"consent_required"}

The permission is correctly granted by administrator: User's image

I don't understand what I miss. Thanks for help, I have added correlationID Andrea

Navya 19,795 Reputation points Microsoft External Staff Moderator

2024-02-01T13:26:59.82+00:00

Hi @Andrea Romano

Thank you for posting this in Microsoft Q&A.

AADSTS65001: The user or administrator has not consented to use the application. This error usually occurs when you missed granting admin consent to the added scope while retrieving access token.You are passing scope as https://management.azure.com//.default . The .default scope is used to refer generically to a resource service (API) in a request, without identifying specific permissions. If consent is necessary, using .default signals that consent should be prompted for all required permissions listed in the application registration (for all APIs in the list).

Make sure that every API listed in your application has been approved by an admin.

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya
Andrea Romano 0 Reputation points

2024-02-01T14:21:37.2+00:00

As you can see above, I have the "Windows Azure Service Management API" delegated permission approved by an admin.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Navya 19,795 Reputation points Microsoft External Staff Moderator

2024-02-05T10:47:09.12+00:00

@Andrea Romano
Yes, I can see "Windows Azure Service Management API" delegated permission approved by an admin.
If possible, could you please share the API request used to obtain an access token and a refresh token? This will help me understand the issue better and provide a more accurate solution.
Andrea Romano 0 Reputation points

2024-02-05T13:21:38.0066667+00:00

Hi, below I try to explain our flow. I call this url to take the authorization code https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=xxxxx&response_type=code&redirect_uri=https://xxxxx/v3.0/webhooks/partnercenter/refreshtokenv2&code_challenge=xxxx&code_challenge_method=S256&response_mode=query&scope=openid%20https://azure.management.com//.default&state=xyz With the response of this call I used the authorization code to do this call:

obviously with the correct values. Now I can stored both access_token and refresh_token returned by it. Everything works well, after this I try to refresh the token with a specific tenant-id, but I received the error in the first post.

The scope in the screenshot is wrong! The correct is "https://management.azure.com//.default" but nothing change. I don't understand what I miss, because in the sandbox environment I am able to get secure score about a subscription of a tenant. The application that I used is a multi-tenant app, that we also used with PartnerCenter REST Api and SDK. If you have a private contact/email I can send to you every call also with sensible data and a more detailed explaination.
Andrea Romano 0 Reputation points

2024-02-07T08:15:05.15+00:00

Good morning, I would want to add more details, because it isn't clear. The objective of this should be to read the secure score about a subscription in the tenant directory. The tenant isn't in the our active directory, but it is a tenant inside our Partner Center with an active GDAP with roles to manage his subscriptions/user/order and with an active delegation relationship. Indeed through the Partner Center we can enter in the azure of the tenant and see his subscriptions, but I cannot access to his subscriptions via rest api, because I don't understand how to make the authentication and/or how give access to my azure app

1 answer

Your answer

Navya 19,795 Reputation points Microsoft External Staff Moderator

2024-02-01T13:26:59.82+00:00

Hi @Andrea Romano

Thank you for posting this in Microsoft Q&A.

AADSTS65001: The user or administrator has not consented to use the application. This error usually occurs when you missed granting admin consent to the added scope while retrieving access token.You are passing scope as https://management.azure.com//.default . The .default scope is used to refer generically to a resource service (API) in a request, without identifying specific permissions. If consent is necessary, using .default signals that consent should be prompted for all required permissions listed in the application registration (for all APIs in the list).

Make sure that every API listed in your application has been approved by an admin.

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya
Andrea Romano 0 Reputation points

2024-02-01T14:21:37.2+00:00

As you can see above, I have the "Windows Azure Service Management API" delegated permission approved by an admin.
Deleted

This comment has been deleted due to a violation of our Code of Conduct. The comment was manually reported or identified through automated detection before action was taken. Please refer to our Code of Conduct for more information.
Navya 19,795 Reputation points Microsoft External Staff Moderator

2024-02-05T10:47:09.12+00:00

@Andrea Romano
Yes, I can see "Windows Azure Service Management API" delegated permission approved by an admin.
If possible, could you please share the API request used to obtain an access token and a refresh token? This will help me understand the issue better and provide a more accurate solution.
Andrea Romano 0 Reputation points

2024-02-05T13:21:38.0066667+00:00

Hi, below I try to explain our flow. I call this url to take the authorization code https://login.microsoftonline.com/organizations/oauth2/v2.0/authorize?client_id=xxxxx&response_type=code&redirect_uri=https://xxxxx/v3.0/webhooks/partnercenter/refreshtokenv2&code_challenge=xxxx&code_challenge_method=S256&response_mode=query&scope=openid%20https://azure.management.com//.default&state=xyz With the response of this call I used the authorization code to do this call:

obviously with the correct values. Now I can stored both access_token and refresh_token returned by it. Everything works well, after this I try to refresh the token with a specific tenant-id, but I received the error in the first post.

The scope in the screenshot is wrong! The correct is "https://management.azure.com//.default" but nothing change. I don't understand what I miss, because in the sandbox environment I am able to get secure score about a subscription of a tenant. The application that I used is a multi-tenant app, that we also used with PartnerCenter REST Api and SDK. If you have a private contact/email I can send to you every call also with sensible data and a more detailed explaination.
Andrea Romano 0 Reputation points

2024-02-07T08:15:05.15+00:00

Good morning, I would want to add more details, because it isn't clear. The objective of this should be to read the secure score about a subscription in the tenant directory. The tenant isn't in the our active directory, but it is a tenant inside our Partner Center with an active GDAP with roles to manage his subscriptions/user/order and with an active delegation relationship. Indeed through the Partner Center we can enter in the azure of the tenant and see his subscriptions, but I cannot access to his subscriptions via rest api, because I don't understand how to make the authentication and/or how give access to my azure app

Answer 1

Navya 19,795 Microsoft External Staff Moderator

Hi @Andrea Romano

As per your explanation I understand you are able to get access token and refresh token, but while refresh the token you got the error AADSTS65001.

While requesting an access token and a refresh token, you pass the scope as openid offline_access, but to obtain a refresh token, you pass the scope as https://management.azure.com//.default, which causes an error.

The refresh token should use the scope that was used in the authorization code flow (to get access token and refresh token). To fix the error, make sure to include the scope of openID offline Access in the refresh token request.

User's image

And I noticed another thing in the snips that you provided. You are using https://login.microsoftonline.com/organizations/oauth2/v2.0/token endpoint to obtain the access token and refresh token. While obtain refresh token you are using specific tenant https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token endpoint. The parameter values used in the authorization flow should also be passed in the refresh token.

To more about refresh token : https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow#refresh-the-access-token

Hope this helps. Do let us know if you any further queries.

Thanks, Navya.

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

Andrea Romano 0 Reputation points

2024-02-12T08:38:17.0666667+00:00

Hi Navya, I have tried what you say. If I try to get the token with tenant I receive another error message:

AADSTS90099: The application '---------' (Partner Center Web App) has not been authorized in the tenant '293604a4-99f4-4c9f-9273-c7daa0dddaec'. Applications must be authorized to access the customer tenant before partner delegated administrators can use them.

I have also tried to consent the application on the tenant with: https://login.microsoftonline.com/293604a4-99f4-4c9f-9273-c7daa0dddaec/adminconsent?client_id=**xxxxxxxx**

error=access_denied> error_description=AADSTS650052> The app is trying to access a service "fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd"(Microsoft Partner Center) that your organization "-------" lacks a service principal for. Contact your IT Admin to review the configuration of your service subscriptions or consent to the application in order to create the required service principal. > Trace ID f8c2823c-f0c0-443b-bd9f-8f2188517400 > Correlation ID 6382ded0-216f-44bd-ba89-17e81c92286f > error_uri=https%3a%2f%2flogin.microsoftonline.com%2ferror%3fcode%3d650052&> admin_consent=True

It is very strange because my application works every day with PartnerCenter on the tenants that give us GDAP and delegation. What does this error mean? Thanks
Navya 19,795 Reputation points Microsoft External Staff Moderator

2024-02-14T14:03:51.12+00:00
Andrea Romano

This error "AADSTS650052: The app is trying to access a service "fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd"(Microsoft Partner Center) that your organization "-------" lacks a service principal for" usually occurs if the Service Principal is missing for the Azure AD Application created.

Could you confirm if you have created a service principal? If not, create one for Microsoft Partner Center. In an administrator PowerShell window, run the following commands.

Install-Module Connect-AzureAD New-AzureADServicePrincipal -DisplayName "Microsoft Partner Center" -AppId fa3d9a0c-3fb0-42cc-9193-47c7ecd2edbd

https://learn.microsoft.com/en-us/partner-center/developer/secure-sample-application#create-a-partner-center-service-principal
Andrea Romano 0 Reputation points

2024-02-16T14:31:50.9766667+00:00

Thanks for the support Navya. I have opened a support ticket directly on azure platform, because I have found some customers where our flow works correctly and other customers not. It seems that the problem would not be our login, but there are some problem with delegation or gdap roles ... For now I would close this thread, because the problem is scaled up.

Share via

Rest API flow Authentication on management.azure.com scope

1 answer

Your answer