SamuelSantos-1106 asked SamuelSantos-1106 commented

Can't create service principals (use Graph API) through Java SDK

Hello,

I am having trouble using the Graph API through Java SDK in my java application.

I have an Azure Active Directory Application (created through the App Registrations section in the portal), and I am authenticating my requests with its client id and tenant id, and a secret key.
I believe the problem is not on the client side authentication because I have been using the SDK to make other types of requests with no issues for a long time.

Right now, I am trying to create and manage Service Principals through the SDK but all the requests return forbidden errors.

Code that I'm running:

 import com.microsoft.azure.AzureEnvironment;
 import com.microsoft.azure.credentials.ApplicationTokenCredentials;
 import com.microsoft.azure.credentials.AzureTokenCredentials;
 import com.microsoft.azure.management.Azure;
 import com.microsoft.azure.management.graphrbac.ServicePrincipal;
 import com.microsoft.rest.LogLevel;

 // App-only (client credentials) authentication with the app registration's client id, tenant id and secret
 AzureTokenCredentials credentials = new ApplicationTokenCredentials(clientId, tenantId, secretKey, AzureEnvironment.AZURE);

 Azure azure = Azure.configure()
         .withLogLevel(LogLevel.BODY)
         .authenticate(credentials)
         .withSubscription(subscriptionId);

 // Registers a new application and creates a service principal for it (a Graph RBAC call)
 ServicePrincipal sp = azure.accessManagement()
     .servicePrincipals()
     .define("testserviceprincipal")
     .withNewApplication("https://***********/")
     .create();


Response:

 Method threw 'com.microsoft.azure.management.graphrbac.GraphErrorException' exception.
 Status code 403, {
     "odata.error":{
         "code":"Authorization_RequestDenied",
         "message":{
             "lang":"en",
             "value":"Insufficient privileges to complete the operation."
         },
         "requestId":"42011287-9d20-4128-b6a2-3b07497427ff",
         "date":"2021-10-14T17:07:35"
     }
 }

I found this topic and gave a lot of different permissions to my AD App (printscreen below), but the 403 errors remained.

140598-image.png


Am I missing something?
Thanks in advance!


azure-active-directory

sikumars answered SamuelSantos-1106 commented

Hello @SamuelSantos-1106,

Thanks for reaching out.

It seems the acquired token was issued with the audience "Azure Active Directory Graph" https://graph.windows.net, but you had configured the above API permissions, which are part of "Microsoft Graph" https://graph.microsoft.com/, not "Azure Active Directory Graph"; hence HTTP 403 Authorization_RequestDenied is expected.

You can decode and verify the AAD access_token at https://jwt.ms; for a working scenario, you should see something like the below when you decode the token:

141824-image.png

To fix the issue, either assign the "Azure Active Directory Graph" API permission to the App OR use tokenAudience https://graph.microsoft.com/ in your code as explained here.

Note: Azure Active Directory Graph will be deprecated in June 2022. We recommend using Microsoft Graph APIs for your application.

Therefore, when you use the Azure SDK that is built on the MSAL library instead of the ADAL library for the client to get a token to call Microsoft Graph, the above API permissions should work.

ADAL example for Azure SDK module: https://docs.microsoft.com/en-us/javascript/api/overview/azure/activedirectory?view=azure-node-latest#client-package
ServicePrincipal interface : https://docs.microsoft.com/en-us/javascript/api/@azure/graph/serviceprincipal?view=azure-node-latest

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.




Thank you!
Migrating to the new version of the SDK (MSAL) fixed it for me!

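The token inspection described in sikumars' answer, as an added example that is not part of this thread: it decodes the payload of an Azure AD access token the same way https://jwt.ms does (the signature is not verified, so this is only for inspecting a token you already hold) and reports whether the aud claim is the Azure AD Graph or the Microsoft Graph audience and which application roles the token carries. The sample tokens, tenant id, client id and role names are constructed here and are not real Azure AD values.

```python
import base64
import json

# The two audiences named in the thread: legacy Azure AD Graph and Microsoft Graph.
AAD_GRAPH_AUDIENCE = "https://graph.windows.net"
MS_GRAPH_AUDIENCE = "https://graph.microsoft.com"


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, as used in compact JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is NOT checked: like jwt.ms, this only inspects a token you
    obtained yourself. Never use this to decide whether to trust a token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_audience(token: str, expected_audience: str = MS_GRAPH_AUDIENCE) -> dict:
    """Explain whether the token's audience matches the Graph API being called."""
    claims = decode_claims(token)
    aud = claims.get("aud", "")
    # Azure AD may emit the audience with or without a trailing slash.
    normalized = aud.rstrip("/")
    expected = expected_audience.rstrip("/")
    result = {
        "aud": aud,
        "matches_expected": normalized == expected,
        # App-only permissions granted to the app registration show up in 'roles'.
        "roles": list(claims.get("roles", [])),
        "hint": None,
    }
    if not result["matches_expected"]:
        if normalized == AAD_GRAPH_AUDIENCE:
            result["hint"] = ("token was issued for Azure AD Graph; permissions granted under "
                              "Microsoft Graph do not apply, so 403 Authorization_RequestDenied is expected")
        else:
            result["hint"] = f"token audience {aud!r} does not match {expected_audience!r}"
    elif not result["roles"]:
        result["hint"] = "audience is correct but the token carries no application roles (check admin consent)"
    return result


def make_sample_token(aud: str, roles: list) -> str:
    """Build an unsigned sample token for demonstration (constructed, not issued by Azure AD)."""
    header = {"typ": "JWT", "alg": "none"}
    payload = {
        "aud": aud,
        "iss": "https://sts.windows.net/<tenant-id>/",  # placeholder tenant
        "appid": "<client-id>",                         # placeholder client id
        "roles": roles,
    }
    # Empty third segment: there is no signature on this constructed token.
    return ".".join([
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(json.dumps(payload).encode()),
        "",
    ])


if __name__ == "__main__":
    # Token like the one the question's SDK call obtained (Azure AD Graph audience).
    print(diagnose_audience(make_sample_token(AAD_GRAPH_AUDIENCE, [])))
    # Token for Microsoft Graph with a constructed application role.
    print(diagnose_audience(make_sample_token(MS_GRAPH_AUDIENCE + "/", ["Example.ReadWrite.All"])))
```

Run against a real token copied from the SDK's BODY-level logging, the first thing to look at is the aud claim: if it reads https://graph.windows.net while the permissions were granted under Microsoft Graph, that alone explains the 403 regardless of how many permissions were added.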
ShwetaChoudhary-8869 answered

Thank you for reaching out.

The error you are getting tells you that the token you are using does not have enough privileges. Check the token you have generated to ensure it has the necessary scopes to create service principals.
Follow the documentation here to see how to generate tokens.

