Accesing Graph API from Synapse Workspce using the workspace managed identity.

Question

Accesing Graph API from Synapse Workspce using the workspace managed identity.

Paul Hernandez 591 Microsoft Employee

Hi everyone ,

I am trying to access the Graph API from a Synapse Workspace Pipeline using the managed identity of the workspace but I still miss some pieces.

We have an AAD group with "Directory Reader" role assigned and we added the MI of the workspace to this group.

Now I'm using a Web Activity to call the Graph API as follows:

I got the following error:

{

"errorCode": "2108",  
"message": "{\"error\":{\"code\":\"InvalidAuthenticationToken\",\"message\":\"Access token validation failure. Invalid audience.\",\"innerError\":{\"date\":\"2022-02-07T15:08:06\",\"request-id\":\"7ce4d1ab-d378-48d8-aa3d-d39a658f68c2\",\"client-request-id\":\"7ce4d1ab-d378-48d8-aa3d-d39a658f68c2\"}}}",  
"failureType": "UserError",  
"target": "Get Users",  
"details": []

}

I think I don't need any token since I'm using the MI, but I don't know exactly what's wrong, whether I am still missing permissions or I need a token anyway.

Any comment will be appreciated.

CarlZhao-MSFT 31,816 Reputation points

2022-02-08T06:07:35.36+00:00

You need a token of course, whenever you try to call the graph api you need to have a token, which api are you calling?
Paul Hernandez 591 Reputation points Microsoft Employee

2022-02-08T07:29:08.11+00:00
Hi @CarlZhao-MSFT ,

thanks for your reply.

I want to list members of certain AAD groups.

I'm trying to get the token but all examples I've found use a service principal with secret.

I want to use the managed identity of the synapse workspace instead. We already added it to a AAD group with "Read.Directory" permission.

I also found some examples on how to use the MI of a web app and other services but not synapse or data factory.

This is a screenshot of my latest attempt to get a token:

I'm not sure if the grant type is correct (I'm just using it because is required). Also, the Resource could be different.

This is the error:

{ "errorCode": "2108", "message": "{\"error\":\"invalid_client\",\"error_description\":\"AADSTS7000216: 'client_assertion', 'client_secret' or 'request' is required for the 'client_credentials' grant type.\\r\\nTrace ID: .... ` `",\"error_uri\":\"https://login.microsoftonline.com/error?code=7000216\"}", "failureType": "UserError", "target": "Get Access Token", "details": [] }

Any help will be appreciated.
CarlZhao-MSFT 31,816 Reputation points

2022-02-08T07:54:51.74+00:00

Yes, the client credential flow requires a client secret, please grant a client secret to your web app, or you can use a certificate.
Paul Hernandez 591 Reputation points Microsoft Employee

2022-02-08T09:05:39.237+00:00

Can I avoid using a secret?

I successfully created a REST Linked Server and authenticate using managed identity. The connection succeded. Would it be possible to use this linked service to access the api?
CarlZhao-MSFT 31,816 Reputation points

2022-02-08T09:12:23.123+00:00

Have you tried it? I think this will report error.
Paul Hernandez 591 Reputation points Microsoft Employee

2022-02-08T09:18:16.547+00:00

Yes, it is not working

The HttpStatusCode 401 indicates failure.
Request URL: https://graph.microsoft.com/v1.0/me/transitiveMemberOf/microsoft.graph.group?$count=true
Response payload:{"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience."
CarlZhao-MSFT 31,816 Reputation points

2022-02-08T09:23:21.423+00:00

This is an expected error, you just need to change the Resource to: https://graph.microsoft.com/.

CarlZhao-MSFT 31,816 Reputation points

2022-02-08T06:07:35.36+00:00

You need a token of course, whenever you try to call the graph api you need to have a token, which api are you calling?
Paul Hernandez 591 Reputation points Microsoft Employee

2022-02-08T07:29:08.11+00:00

Hi @CarlZhao-MSFT ,

thanks for your reply.

I want to list members of certain AAD groups.

I'm trying to get the token but all examples I've found use a service principal with secret.

I want to use the managed identity of the synapse workspace instead. We already added it to a AAD group with "Read.Directory" permission.

I also found some examples on how to use the MI of a web app and other services but not synapse or data factory.

This is a screenshot of my latest attempt to get a token:

I'm not sure if the grant type is correct (I'm just using it because is required). Also, the Resource could be different.

This is the error:

{ "errorCode": "2108", "message": "{\"error\":\"invalid_client\",\"error_description\":\"AADSTS7000216: 'client_assertion', 'client_secret' or 'request' is required for the 'client_credentials' grant type.\\r\\nTrace ID: .... ` `",\"error_uri\":\"https://login.microsoftonline.com/error?code=7000216\"}", "failureType": "UserError", "target": "Get Access Token", "details": [] }

Any help will be appreciated.
CarlZhao-MSFT 31,816 Reputation points

2022-02-08T07:54:51.74+00:00

Yes, the client credential flow requires a client secret, please grant a client secret to your web app, or you can use a certificate.
Paul Hernandez 591 Reputation points Microsoft Employee

2022-02-08T09:05:39.237+00:00

Can I avoid using a secret?

I successfully created a REST Linked Server and authenticate using managed identity. The connection succeded. Would it be possible to use this linked service to access the api?
CarlZhao-MSFT 31,816 Reputation points

2022-02-08T09:12:23.123+00:00

Have you tried it? I think this will report error.
Paul Hernandez 591 Reputation points Microsoft Employee

2022-02-08T09:18:16.547+00:00

Yes, it is not working

The HttpStatusCode 401 indicates failure.
Request URL: https://graph.microsoft.com/v1.0/me/transitiveMemberOf/microsoft.graph.group?$count=true
Response payload:{"error":{"code":"InvalidAuthenticationToken","message":"Access token validation failure. Invalid audience."
CarlZhao-MSFT 31,816 Reputation points

2022-02-08T09:23:21.423+00:00

This is an expected error, you just need to change the Resource to: https://graph.microsoft.com/.

Answer 1

CarlZhao-MSFT 31,816

Hi @Paul Hernandez

You just need to change the Resource to: https://graph.microsoft.com/.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Paul Hernandez 591 Reputation points Microsoft Employee

2022-02-08T09:49:07.62+00:00

Oh yeah!

That's made it possible:

Accesing Graph API from Synapse Workspce using the workspace managed identity.

0 additional answers

Activity