Azure REST API - authentication error

Carlo Cecco 41 Reputation points
2022-07-05T12:12:09.093+00:00

Hi there.

After creating an App in my account in Azure Active Directory, I create a client secret and call using Postman:

https://login.microsoftonline.com/{my-tenant}/oauth2/v2.0/token

I receive the token and use it as Authorization calling (Postman)

https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/WEB/providers/Microsoft.Compute/virtualMachines/LP-vm1?api-version=2022-03-01&%24expand=instanceView

This call returns a "Authentication failed" error. What's wrong?

Azure Virtual Machines
Azure Virtual Machines
An Azure service that is used to provision Windows and Linux virtual machines.
6,807 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
18,636 questions
{count} votes

Accepted answer
  1. JamesTran-MSFT 36,046 Reputation points Microsoft Employee
    2022-07-20T21:45:22.72+00:00

    @Carlo Cecco
    Thank you for following up on this and I apologize for the delayed response!

    When it comes to the Request ID and Correlation ID that you shared, I wasn't able to find any logs from our end. However, to make sure you have everything set up correctly, and since you already have everything created/ downloaded in order to use Postman, can you reference my walk-through below and make sure you have the same or similar values.

    #The majority of these values can be found on your Azure AD App Registration  
    Tenant ID  
    Client ID  
    Client Secret Value  
    

    222835-image.png

    #You'll be using `https://management.azure.com/.default` as the scope in order to get the AAD Token  
    Scope: https://management.azure.com/.default  
    Grant Type: client_credentials  
      
    #To get the AAD Token, you'll be using the `/oauth2/token` endpoint  
    POST https://login.microsoftonline.com/{tenantId}/oauth2/token  
    

    222825-image.png

    #Once you have the Access Token, you'll copy and paste it into your Virtual Machines - Instance View HTTP Request.  
    #Optionally you can verify the Access Token at https://jwt.ms/  
    #For more info - https://learn.microsoft.com/en-us/rest/api/compute/virtual-machines/instance-view?tabs=HTTP  
    Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsI......  
    

    222846-image.png

    #From your initial HTTP Request it looks like you're trying to get the instance view, so you should be able to use the below GET request  
    #For more info - https://learn.microsoft.com/en-us/rest/api/compute/virtual-machines/instance-view?tabs=HTTP  
    https://management.azure.com/subscriptions/{{subscriptionId}}/resourceGroups/VirtualMachines/providers/Microsoft.Compute/virtualMachines/testVM/instanceview?api-version=2022-03-01  
    

    222881-image.png

    Troubleshooting:
    The client '...' with object id '...' does not have authorization to perform action 'Microsoft.Resources/subscriptions/WEB/Microsoft.Compute/LP-vm1/read' over scope '/subscriptions/.../WEB/providers/Microsoft.Compute/virtualMachines' or the scope is invalid

    WWW-Authenticate: Bearer authorization_uri="https://login.windows.net/...ce11a3", error="invalid_token", error_description="Could not find identity for access token." x-ms-failure-cause: gateway

    From the full error message that you shared, it looks like you might've been using https://login.windows.net/ as the scope, which could be the issue. However, if you're still running into the same error message after using https://management.azure.com/.default scope, please let me know.

    You can also walk through the Azure REST APIs with Postman (2021) blog post, which details steps on how to get started with Postman to hopefully help resolve the authorization portion of your error message.

    I hope this helps!

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.

    1 person found this answer helpful.

1 additional answer

Sort by: Most helpful
  1. JamesTran-MSFT 36,046 Reputation points Microsoft Employee
    2022-07-06T23:33:53.337+00:00

    @Carlo Cecco
    Thank you for following up on this!

    Error Message:
    The client '...' with object id '...' does not have authorization to perform action 'Microsoft.Resources/subscriptions/WEB/Microsoft.Compute/LP-vm1/read' over scope '/subscriptions/.../WEB/providers/Microsoft.Compute/virtualMachines' or the scope is invalid

    From your error message, and based off the Virtual Machines - Get documentation, it looks like you'll need to add the user_impersonation API permisson to your app. If you're still running into the same issue, you'll have to make sure that the user you're logged in with/impersonating has the correct RBAC (read) permissions under the /subscriptions/.../WEB/providers/Microsoft.Compute/virtualMachines scope.
    218317-image.png

    If you have any other questions, please let me know.
    Thank you for your time and patience throughout this issue.