question

devarae-2861 asked jkotes commented

Trying to access Azure Service with AD from Desktop C# application

Hello!

We are developing an App Service that is set up with Authentication/Authorization turned on, and anonymous requests are set to "Login with Azure Active Directory" (Express configured using an existing App). The application is built in Visual Studio and published to Azure.

The App Service uses AAD to log in web users, and that all works as desired.
But the App Service also exposes an API (for example: https://appserviceurl/api/ControllerName/SampleAPICall ). We would like a different desktop application (C#) to be able to call that API via HttpWebRequest or similar.

We are currently attempting to use PublicClientApplicationBuilder, providing the client id/tenant id/etc. for the AAD to gain an AccessToken.

    using System.Linq;
    using Microsoft.Identity.Client;

    // Public client: a desktop app cannot keep a secret, so it uses the interactive flow.
    var app = PublicClientApplicationBuilder.Create(clientId)
        .WithTenantId(tenantId)
        .WithRedirectUri(requestURIString)
        .Build();

    var accounts = await app.GetAccountsAsync();

    AuthenticationResult result;
    try
    {
        // Try the MSAL token cache first; no UI is shown if a usable token exists.
        result = await app.AcquireTokenSilent(scopes, accounts.FirstOrDefault()).ExecuteAsync();
    }
    catch (MsalUiRequiredException)
    {
        // Fall back to the login dialog for the requested scopes.
        result = await app.AcquireTokenInteractive(scopes)
            .WithParentActivityOrWindow(parent)
            .ExecuteAsync();
    }

We are then passing the resulting AccessToken to the HttpWebRequest:

    // The token goes in the Authorization header as "Bearer <token>",
    // not in a header named "Bearer".
    request.Headers.Add("Authorization", "Bearer " + result.AccessToken);

Running this, we get a popup dialog prompting the desktop user to log in to Microsoft, and the result returns with an AccessToken.

But when we attempt to send the request with the Bearer/Token, it returns a 401 error. We're not sure if there's some missing setup on the Azure AD side, or whether what we're trying here is actually possible. Any suggestions are welcome! Or if this question is addressed elsewhere please redirect us there.

Thanks in advance!

azure-active-directory

1 Answer

soumi-MSFT answered jkotes commented

@devarae-2861, the error 401 is Unauthorized. This error is returned by the API when a request is sent but the request doesn't contain proper permissions for the API to validate and authorize the access.

In your case, the API that is exposed through AAD should have some permissions listed on it. Now when you are requesting a token from AAD, these permissions should be asked for from AAD, and AAD would issue an access token with these permissions listed in it, either under the scp parameter or the roles parameter [this depends on whether you are using delegated permissions (user permissions) or application permissions].

Once you have the permissions listed in your token and you send the token as bearer to the API, the API would be able to grant you access after validating and authorizing the permissions from the access token.

Hope this helps.

Do let us know if this helps, and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer if the above response helped in answering your query.

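As an added illustration of the answer's point (example code, not from the original post or from Microsoft): a small C# diagnostic that decodes the access token payload to confirm the aud and scp claims before sending it, and builds the request with a correctly formed Authorization header. The api:// value, the URL and the sample token are constructed placeholders.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text;
using System.Text.Json;

static class TokenCheck
{
    // Base64url (RFC 4648 section 5): no padding, '-' and '_' instead of '+' and '/'.
    static byte[] Base64UrlDecode(string s)
    {
        string b64 = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(b64.PadRight(b64.Length + (4 - b64.Length % 4) % 4, '='));
    }

    static string Base64UrlEncode(byte[] b) =>
        Convert.ToBase64String(b).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    // Reads the unverified payload. aud must identify the API (Application ID URI or client id),
    // and scp (delegated) or roles (application) must carry the permission the API checks.
    // Diagnostic only: the API validates the signature and claims itself.
    public static (string Aud, string Scp, string Roles) Inspect(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3) throw new FormatException("not a compact JWS");
        using var doc = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        var root = doc.RootElement;
        string Get(string n) => root.TryGetProperty(n, out var v) ? v.ToString() : "";
        return (Get("aud"), Get("scp"), Get("roles"));
    }

    // The token travels as "Authorization: Bearer <token>", not in a header named "Bearer".
    public static HttpRequestMessage Build(Uri uri, string token)
    {
        var req = new HttpRequestMessage(HttpMethod.Get, uri);
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        return req;
    }

    static void Main()
    {
        // Constructed, unsigned sample token; "<api-app-id>" is a placeholder, not a real id.
        string hdr = Base64UrlEncode(Encoding.UTF8.GetBytes("{\"alg\":\"none\",\"typ\":\"JWT\"}"));
        string pl = Base64UrlEncode(Encoding.UTF8.GetBytes(
            "{\"aud\":\"api://<api-app-id>\",\"scp\":\"user_impersonation\"}"));
        var (aud, scp, _) = Inspect($"{hdr}.{pl}.");
        if (aud != "api://<api-app-id>" || !scp.Split(' ').Contains("user_impersonation"))
            Console.WriteLine("token was not issued for this API with this scope: expect a 401");
        var req = Build(new Uri("https://appserviceurl/api/ControllerName/SampleAPICall"), $"{hdr}.{pl}.");
        Console.WriteLine($"aud={aud} scp={scp} header={req.Headers.Authorization}");
    }
}
```

A real token's aud and scp values come from the API's app registration; if aud names a different application than the one the App Service's authentication is configured for, the App Service will reject the request with 401 regardless of the scope.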

Thanks! Here's some additional info. Apologies for not including it in the original post:

We do have a "user_impersonation" API Permission set for the Azure AD App registration we are using. Currently the Application Id Uri is the auto-generated "api://" one, so the string I am currently passing as the scope in the code above is "api://<generated string>/user_impersonation"

Should we be using a different permission? Or perhaps we are missing some other step on the API Permissions setup?

Is it an issue that the actual URL we are trying to reach in the http request (example: https://appserviceurl/api/ControllerName/SampleAPICall) is not the same as the Application Id Uri here?


@devarae-2861, thank you for sharing the details. I apologize for the delay in my response.

It would be great if we can connect on a Screenshare, so that I can take a look at the configuration once.

Do share the following details on azcommunity[at]microsoft[dot]com

  • Tenant ID/Tenant Name:

  • Subscription ID

For both the API and the other app registration using this api:

  • Application ID:

  • Application Name:

Do share the following details on that email shared above, and also do not forget to mention this thread's link so that it helps me find it sooner. In the meantime I am also trying to look for more details on this and will keep you posted.

I sent the details via email as requested. Thank you!
