Hello @sakuraime,
Thanks for your query. I was able to repro your issue locally, but with a different error message:
Initially, for the command below, I was passing the ObjectID instead of the ApplicationID in the client_id parameter:
```powershell
PS C:\windows\system32> $response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&client_id=OBJECTIDRETRIEVEDFROMAZUREPORTALVM&resource=https://management.azure.com/' -Method GET -Headers @{Metadata="true"}
Invoke-WebRequest : {"error":"invalid_request","error_description":"Identity not found"}
At line:1 char:13
+ $response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/i ...
+             ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (System.Net.HttpWebRequest:HttpWebRequest) [Invoke-WebRequest], WebException
    + FullyQualifiedErrorId : WebCmdletWebResponseException,Microsoft.PowerShell.Commands.InvokeWebRequestCommand
```
This will be the complete working command:
```powershell
PS C:\windows\system32> $response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&client_id=PASSTHEAPPLICATIONID&resource=https://management.azure.com/' -Method GET -Headers @{Metadata="true"}
PS C:\windows\system32> $response

StatusCode        : 200
StatusDescription : OK
Content           : {"access_token":"TOKENVALU}
RawContent        : HTTP/1.1 200 OK
                    Content-Length: 1715
                    Content-Type: application/json; charset=utf-8
                    Date: Fri, 26 Feb 2021 18:49:16 GMT
                    Server: IMDS/150.870.65.489
Forms             : {}
Headers           : {[Content-Length, 1715], [Content-Type, application/json; charset=utf-8], [Date, Fri, 26 Feb 2021 18:49:16 GMT], [Server, IMDS/150.870.65.489]}
Images            : {}
InputFields       : {}
Links             : {}
ParsedHtml        : System.__ComObject
RawContentLength  : 1715
```
How to get the ApplicationID:
1) Get-AzureRmADServicePrincipal -DisplayName "managedidentity"
   The above command will display the list of all IDs.
2) Get the ObjectID of the VM from the Azure Portal (VMName -> Settings -> Identity).
3) From the output, search for the ObjectID copied from the portal.
4) Grab the ApplicationID.
5) Try to run the whole command on one single line.
Pass that ApplicationID to the Invoke-WebRequest command. It should work.
Screenshots from my Azure VM of the successful and unsuccessful attempts:
The additional references below should help you troubleshoot further:
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/qs-configure-powershell-windows-vm
https://learn.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/tutorial-windows-vm-ua-arm
If the above information helps, kindly "Accept the Answer and Upvote".
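As an added example (not the answer's own code, nor Microsoft's), the procedure above in script form: resolve the application (client) ID from the object ID shown in the portal, request the IMDS token, and confirm from the token's claims that it was issued to that identity before using it. It goes slightly beyond the answer in that the request function accepts any one of the three identity selectors the IMDS identity endpoint documents (client_id, object_id, mi_res_id). It assumes it runs on the Azure VM itself with no HTTP proxy in the path to 169.254.169.254, that the Az module (Get-AzADServicePrincipal) is installed and signed in for the lookup step, and the object ID in it is a placeholder, not a real identity.

```powershell
# Added example, not the answer's or Microsoft's code. Assumptions: runs on the VM,
# no proxy between the VM and IMDS, Az module available for the lookup step,
# and the object ID below is a placeholder to replace with VM -> Identity -> Object ID.

$ImdsTokenEndpoint = 'http://169.254.169.254/metadata/identity/oauth2/token'
$ImdsApiVersion    = '2018-02-01'

function Get-ImdsToken {
    # Requests a token from IMDS. With no selector the system-assigned identity is used;
    # otherwise pass exactly one of -ClientId, -ObjectId or -MiResId.
    param(
        [Parameter(Mandatory)][string]$Resource,
        [string]$ClientId,   # application (client) ID of the user-assigned identity
        [string]$ObjectId,   # principal (object) ID of the user-assigned identity
        [string]$MiResId     # ARM resource ID of the user-assigned identity
    )
    $selectorCount = @(@($ClientId, $ObjectId, $MiResId) | Where-Object { $_ }).Count
    if ($selectorCount -gt 1) { throw 'Pass only one of -ClientId, -ObjectId, -MiResId' }

    $query = @("api-version=$ImdsApiVersion",
               "resource=$([uri]::EscapeDataString($Resource))")
    if ($ClientId) { $query += "client_id=$ClientId" }
    if ($ObjectId) { $query += "object_id=$ObjectId" }
    if ($MiResId)  { $query += "mi_res_id=$([uri]::EscapeDataString($MiResId))" }
    $uri = "$ImdsTokenEndpoint?$($query -join '&')"

    try {
        # The Metadata: true header is mandatory (a request simply forwarded by a
        # vulnerable web app will not carry it); -UseBasicParsing keeps Windows
        # PowerShell 5.1 from loading the Internet Explorer HTML parser.
        $resp = Invoke-WebRequest -Uri $uri -Method GET -Headers @{ Metadata = 'true' } -UseBasicParsing
        return ($resp.Content | ConvertFrom-Json)
    }
    catch {
        # On PS 5.1 the JSON error body, e.g. {"error":"invalid_request",
        # "error_description":"Identity not found"}, is in ErrorDetails.
        $body = if ($_.ErrorDetails) { $_.ErrorDetails.Message } else { $_.Exception.Message }
        throw "IMDS token request failed: $body"
    }
}

function Get-JwtClaims {
    # Decodes the JWT payload (no signature check) so the caller can inspect its claims.
    param([Parameter(Mandatory)][string]$Token)
    $payload = $Token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return ($json | ConvertFrom-Json)
}

# 1. Resolve the application (client) ID from the object ID shown in the portal.
$objectId = '00000000-0000-0000-0000-000000000000'        # placeholder, not a real identity
$sp       = Get-AzADServicePrincipal -ObjectId $objectId   # Az equivalent of Get-AzureRmADServicePrincipal
$clientId = $sp.AppId                                      # property is ApplicationId on older Az.Resources

# 2. Request the token with client_id, as the answer above does.
$tok = Get-ImdsToken -Resource 'https://management.azure.com/' -ClientId $clientId

# 3. Confirm the token really belongs to that identity before using it against ARM.
$claims = Get-JwtClaims -Token $tok.access_token
if ($claims.appid -ne $clientId) {
    throw "Token was issued to appid $($claims.appid), expected $clientId"
}
"Token for $($claims.appid) expires at $([DateTimeOffset]::FromUnixTimeSeconds([long]$tok.expires_on))"
```

If the lookup in step 1 is not possible on the VM (no Az module or no signed-in account), the same function can be called with -ObjectId $objectId instead, which sends the portal value as object_id rather than client_id; the "Identity not found" error in the answer comes from putting the object ID into client_id.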