Accessing Graph API from Synapse Workspace using the workspace managed identity.

Paul Hernandez
Hi everyone,
I am trying to access the Graph API from a Synapse Workspace Pipeline using the managed identity of the workspace but I still miss some pieces.
We have an AAD group with "Directory Reader" role assigned and we added the MI of the workspace to this group.
Now I'm using a Web Activity to call the Graph API as follows:
I got the following error:
{
"errorCode": "2108",
"message": "{\"error\":{\"code\":\"InvalidAuthenticationToken\",\"message\":\"Access token validation failure. Invalid audience.\",\"innerError\":{\"date\":\"2022-02-07T15:08:06\",\"request-id\":\"7ce4d1ab-d378-48d8-aa3d-d39a658f68c2\",\"client-request-id\":\"7ce4d1ab-d378-48d8-aa3d-d39a658f68c2\"}}}",
"failureType": "UserError",
"target": "Get Users",
"details": []
}
I think I don't need any token since I'm using the MI, but I don't know exactly what's wrong, whether I am still missing permissions or I need a token anyway.
Any comment will be appreciated.
Hi @CarlZhao-MSFT ,
thanks for your reply.
I want to list members of certain AAD groups.
I'm trying to get the token but all examples I've found use a service principal with a secret.
I want to use the managed identity of the Synapse workspace instead. We already added it to an AAD group with "Read.Directory" permission.
I also found some examples on how to use the MI of a web app and other services but not synapse or data factory.
This is a screenshot of my latest attempt to get a token:
I'm not sure if the grant type is correct (I'm just using it because it is required). Also, the Resource could be different.
This is the error:
Any help will be appreciated.
Yes, the client credential flow requires a client secret, please grant a client secret to your web app, or you can use a certificate.
Can I avoid using a secret?
I successfully created a REST Linked Server and authenticated using managed identity. The connection succeeded. Would it be possible to use this linked service to access the api?
Have you tried it? I think this will report an error.
Yes, it is not working
This is an expected error, you just need to change the Resource to: https://graph.microsoft.com/.
Hi @Paul Hernandez
You just need to change the Resource to: https://graph.microsoft.com/.
Oh yeah!
That's made it possible:
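Added example, not part of the thread: a small diagnostic for the "Invalid audience" error above, which decodes a token's `aud` claim without verifying the signature and checks that it targets Microsoft Graph. The function names and the sample tokens are constructed for illustration, and `https://management.azure.com/` is only an assumed stand-in for a wrong Resource value, since the thread does not show which one was used.

```python
import base64
import json

# Audience values seen in tokens issued for Microsoft Graph:
# the resource URI or Graph's well-known application ID.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url JWT segment, restoring the stripped padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(token: str) -> dict:
    """Return the JWT payload WITHOUT verifying the signature (diagnostics only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def audience_problem(token: str, accepted=GRAPH_AUDIENCES):
    """Return None if the token targets Graph, else a message naming the mismatch."""
    aud = token_claims(token).get("aud")
    if aud is None:
        return "token has no 'aud' claim"
    values = aud if isinstance(aud, list) else [aud]
    # Compare case-insensitively and ignore a trailing slash on the resource URI.
    normalized = {str(v).rstrip("/").lower() for v in values}
    if normalized & accepted:
        return None
    return f"aud={aud!r} is not Microsoft Graph; request the token for https://graph.microsoft.com/"


def make_sample_token(aud: str) -> str:
    """Build an unsigned, constructed token for the demo; not a real credential."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'aud': aud, 'appid': 'constructed'})}.sig"


if __name__ == "__main__":
    # Assumed wrong resource first, then the Resource value from the accepted answer.
    for resource in ("https://management.azure.com/", "https://graph.microsoft.com/"):
        print(resource, "->", audience_problem(make_sample_token(resource)) or "OK")
```

Use it only to inspect a token you already hold while debugging; it does not validate the token and must not be used as an authorization check.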