OAuth Client Credentials Token gets "AuthorizationFailed" response

Manjunath G 1 Reputation point
2022-08-20T11:11:39.747+00:00

I want to create APIM subscriptions through the REST API, and was able to do it successfully by following this doc: <https://learn.microsoft.com/en-us/rest/api/apimanagement/current-ga/subscription>.

For authentication I am generating a bearer token using the ROPC grant type (my username & password). Everything works fine with this flow.

But I don't want to configure my username & password in an application to get a bearer token; instead I followed the Client-Credentials grant type (get token by client id & secret). I am able to generate a token, but when I use that token to create a subscription in APIM, I am getting an exception:
The client '0*****-*****-***e' with object id '0*****-*****-***e' does not have authorization to perform action 'Microsoft.ApiManagement/service/subscriptions/write'

Is it possible to add an AAD application inside APIM Access Control (IAM) to grant permission?
Or is there any other way to do this, or is ROPC the only way?

Can someone please help.

Microsoft Security | Microsoft Entra | Microsoft Entra ID

2 answers

  1. Akshay Kaushik 18,026 Reputation points Microsoft Employee Moderator
    2022-08-26T08:10:12.12+00:00

    Hello @Manjunath-2530,

    Ask: To add AAD application in APIM Access control to grant permission/roles.

    Solution: This could be achieved by creating a group via application SPN.

    Steps:

    • Grab the application SPN by navigating to AAD -> Apps, select the app and copy the object ID.

    • Create a Group and add SPN as a member. (The app will be reflected in the Group)

    • On the APIM IAM blade, select the role to be assigned to the application.

    • Add the Group created for application in Step 2.

    Please "Accept the answer" and rate your experience if the information helped you. This will help us and others in the community as well.

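To help choose the role in the IAM step with least privilege, this added example (not code from the thread or from Microsoft) parses the AuthorizationFailed message quoted in the question and lists which role definitions would grant the denied action. The role entries are abbreviated, constructed samples in the `permissions`/`actions`/`notActions` shape of Azure role definitions, and the custom role name is hypothetical.

```python
import re
from fnmatch import fnmatchcase

# Pattern for the AuthorizationFailed text; the scope suffix is optional
# because the message quoted in the question does not include one.
DENIED = re.compile(
    r"client '(?P<client>[^']+)' with object id '(?P<oid>[^']+)' does not have "
    r"authorization to perform action '(?P<action>[^']+)'"
    r"(?: over scope '(?P<scope>[^']+)')?")

# Error text exactly as quoted (with masked IDs) in the question.
SAMPLE_MESSAGE = (
    "The client '0*****-*****-***e' with object id '0*****-*****-***e' does not "
    "have authorization to perform action "
    "'Microsoft.ApiManagement/service/subscriptions/write'")

# Constructed, abbreviated role definitions (assumption: fetch the real ones
# from your tenant before deciding; the last role is a hypothetical custom role).
SAMPLE_ROLES = [
    {"roleName": "Reader", "permissions": [{"actions": ["*/read"]}]},
    {"roleName": "API Management Service Reader Role", "permissions": [
        {"actions": ["Microsoft.ApiManagement/service/*/read"],
         "notActions": ["Microsoft.ApiManagement/service/users/keys/read"]}]},
    {"roleName": "API Management Service Contributor", "permissions": [
        {"actions": ["Microsoft.ApiManagement/service/*"]}]},
    {"roleName": "APIM Subscription Writer (hypothetical)", "permissions": [
        {"actions": ["Microsoft.ApiManagement/service/subscriptions/read",
                     "Microsoft.ApiManagement/service/subscriptions/write"]}]},
]

def parse_denial(message):
    """Return client, oid, action and scope (None if absent) from the error."""
    m = DENIED.search(message)
    if m is None:
        raise ValueError("not an AuthorizationFailed message")
    return m.groupdict()

def _matches(action, patterns):
    # RBAC action strings compare case-insensitively; '*' is a wildcard.
    return any(fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_grants(role, action):
    """True if a permission block allows the action and notActions does not exclude it."""
    return any(_matches(action, p.get("actions", []))
               and not _matches(action, p.get("notActions", []))
               for p in role["permissions"])

def candidate_roles(message, roles):
    """Return (principal object id, names of roles that would grant the denied action)."""
    denied = parse_denial(message)
    return denied["oid"], [r["roleName"] for r in roles
                           if role_grants(r, denied["action"])]
```

The object id returned is the principal that needs the role assignment; of the candidate roles, the one with the narrowest action list is the least-privilege choice.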

  2. JimmySalian-2011 45,371 Reputation points Volunteer Moderator
    2022-08-21T10:57:06.167+00:00

    Hi,

    Thank you for asking this question on the Microsoft Q&A Platform.

    It seems some permissions and access issue is causing this. I can think of assigning additional permissions and comparing against your current account.

    api-management-role-based-access-control

    ==
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

