Service principal access to IoT Central API

BlackUnicorn 26 Reputation points
2020-12-18T18:19:52.943+00:00

Hello

I'm trying to use service principal to use IoT Central API.

I registered application that I successfully added as user with Administrator role in IoT Central using https://learn.microsoft.com/en-us/rest/api/iotcentral/users/set#add-or-update-a-service-principal-user

I used CLI to get bearer token using
az login --service-principal --username "{applicationId}" --password "{applicationSecret}" --tenant "{tenatId}"
az account get-access-token --resource https://apps.azureiotcentral.com

I than tried to use the token to call IoTC API, specifically this endpoint: https://learn.microsoft.com/en-us/rest/api/iotcentral/roles/list
I received 403 AccessDenied "You do not have permission to perform this operation." The same request is working ok when I use token that I created using my user credentials.

I'm not sure what I'm missing here. Should I perform some additional actions to allow service principal to accesss the api? I tried adding the application contributor role to the resource group where IoTC is placed but it didn't change anything.

I would appreciate it if someone could point me in the right direction.

Thank you.

Azure IoT Central
Azure IoT Central
An Azure hosted internet of things (IoT) application platform.
342 questions
{count} votes

Accepted answer
  1. Johnson Yang 166 Reputation points Microsoft Employee
    2020-12-23T17:30:37.037+00:00

    @BlackUnicorn , I checked the API documents it does not describe very clearly that they need the object id not application id when you create service principal user from public API.

    You can find your application's object id from Azure Portal -> Azure Active Directory -> Enterprise applications -> your app
    50840-image.png

    so created service principal user like [tenant id]-[object id], another requirement to ensure your application can access the IoT Central public API, you should ensure from Azure Portal -> Azure Active Directory -> App registrations -> your app -> API Permissions, had following permissions added.
    50941-image.png

    After you added permission for Microsoft IoT Central, you should also click 50850-image.png

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. Sander van de Velde 28,236 Reputation points MVP
    2020-12-19T15:59:24.807+00:00

    It feels like you are mixing two different security patterns.

    The IoT Central API makes use of API keys declared inside IoT Central. These keys are related to groups of users in IoT Central.

    49569-image.png

    The keys generated here can be used in the Rest calls, even with C#. See also this blog.

    There is an excellent MS Learn module available which explains it all