Azure AD App - Accessing WEB API

  • Question

  • Hi Team ,

    I have created a web API on Azure and then created an Azure AD app to provide authentication and authorization to clients.

    I have two apps created as per the process mentioned here:

    https://blogs.msdn.microsoft.com/microsoft_azure_simplified/2015/03/22/getting-started-using-azure-active-directory-aad-for-authenticating-automated-clients-c/

    I started seeing issues when I try to fetch the access token using the given Azure AD app. I saw the issue to be inconsistent: it seems to work for one app but not another.

    using System;
    using System.Configuration;
    using System.Threading.Tasks;
    using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL

    public static class ServicePrincipal
    {
        // Authority is the full login URL, e.g. https://login.microsoftonline.com/<tenant>
        static string authority = ConfigurationManager.AppSettings["ida:Tenant"];
        // Client ID and secret of the calling (client) app registration
        static string clientId = ConfigurationManager.AppSettings["ida:ClientId"];
        static string clientSecret = ConfigurationManager.AppSettings["ida:Password"];
        // Resource is the App ID URI of the target web API; it has to be one of the
        // API app's identifierUris (or its application ID) or the token request fails
        static string resource = ConfigurationManager.AppSettings["ida:Audience"];

        public static Task<AuthenticationResult> GetS2SAccessTokenForProdMSA()
        {
            return GetS2SAccessToken(authority, resource, clientId, clientSecret);
        }

        // Client-credentials (app-only) flow: no user is involved, the secret authenticates the app
        static async Task<AuthenticationResult> GetS2SAccessToken(string authority, string resource, string clientId, string clientSecret)
        {
            var clientCredential = new ClientCredential(clientId, clientSecret);
            // second argument false = validateAuthority disabled
            AuthenticationContext context = new AuthenticationContext(new Uri(authority).AbsoluteUri, false);
            var authenticationResult = await context.AcquireTokenAsync(resource, clientCredential);
            return authenticationResult;
        }
    }

    // Blocking on .Result can deadlock under an ASP.NET or UI synchronization context; awaiting is preferable
    string token = ServicePrincipal.GetS2SAccessTokenForProdMSA().Result.AccessToken;

    The above code gave the following error:

    The application named not found in tenant.. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant

    On more investigation I found that the one of the apps which was working was created from the old Azure classic portal and the other from the new portal.

    The difference was in the manifest: the app from the old classic portal had this in identifierUris

    "identifierUris": [
        "https://mod324352.onmicrosoft.com/DemoYammerEFAPI"
      ],

    But the app created using the new Azure portal seems to have the following:

     "identifierUris": [
        "https://MOD324352.onmicrosoft.com/64799e80-07e5-4cec-9716-59baf8a894fc"
      ],

    So then I manually updated it to match the audience.

    "identifierUris": [
        "https://MOD324352.onmicrosoft.com/YammerAPIClientNewPortal"
      ],

    The questions I have are:

    1) Is this behavior by design (why is it different in the classic and new portal), and is the only way to update the identifierUris through the manifest file?

    2) Who can create an Azure AD app (is it only the subscription admin, or even a contributor)? The article below doesn't specify this.

    https://t.co/uktRPxhCxf

    Further, I am also trying to execute the PowerShell below; do we again need an admin role, or can I have some custom RBAC role for this with the minimum rights possible?

     For this, you should have the Azure AD module for PowerShell installed as described earlier. Run the following commands to get the Object ID:

    •     Connect-MsolService

     (Enter AD username and password as before)

    •     Get-MsolServicePrincipal -AppPrincipalId '<Client ID>'

    Regards

    Abhishek 

    Thursday, December 1, 2016 4:23 PM
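The failure described in the post comes down to the client requesting a token for an audience (ida:Audience) that is not one of the identifierUris Azure AD knows for the API's service principal. The following script is an added diagnostic example, not part of the original post or the linked blog; it builds on the Connect-MsolService / Get-MsolServicePrincipal steps quoted above and compares the configured audience with the identifiers that the MSOnline module reports for the service principal. The parameters $ApiAppClientId (the application ID of the API app, not the calling client) and $ConfiguredAudience (the value used for ida:Audience) are assumptions supplied by the reader.

```powershell
# Added diagnostic example (not from the original post). Assumes the MSOnline
# module is installed and the caller can read service principals in the tenant.
param(
    # Application ID of the web API app registration whose identifierUris we inspect (assumed input)
    [Parameter(Mandatory = $true)] [string] $ApiAppClientId,
    # The audience value the client passes as 'resource' (ida:Audience) (assumed input)
    [Parameter(Mandatory = $true)] [string] $ConfiguredAudience
)

Connect-MsolService   # prompts for Azure AD credentials, as in the quoted steps

$sp = Get-MsolServicePrincipal -AppPrincipalId $ApiAppClientId
if (-not $sp) {
    # No service principal means the app has not been installed/consented in this tenant,
    # which is the condition the error text in the post describes.
    Write-Error "No service principal for app $ApiAppClientId in this tenant."
    exit 1
}

Write-Host "DisplayName:           $($sp.DisplayName)"
Write-Host "ObjectId:              $($sp.ObjectId)"
Write-Host "ServicePrincipalNames:"
$sp.ServicePrincipalNames | ForEach-Object { Write-Host "  $_" }

# The App ID URIs (identifierUris) surface in ServicePrincipalNames. Check for an
# exact match first, then a case-insensitive one, because the post shows the same
# tenant name appearing as 'mod324352' and 'MOD324352' in the two portals.
$exact = $sp.ServicePrincipalNames | Where-Object { $_ -ceq $ConfiguredAudience }
$loose = $sp.ServicePrincipalNames | Where-Object { $_ -ieq $ConfiguredAudience }

if ($exact) {
    Write-Host "OK: '$ConfiguredAudience' is an exact identifier of this service principal."
    exit 0
}
elseif ($loose) {
    Write-Warning "'$ConfiguredAudience' matches only ignoring case ('$loose'); align the casing in ida:Audience or the identifierUris."
    exit 2
}
else {
    Write-Warning "'$ConfiguredAudience' is not among the service principal's identifiers; update ida:Audience or the app's identifierUris so they agree."
    exit 3
}
```

Run it once per app registration (the one created in the classic portal and the one created in the new portal) with the same ConfiguredAudience; the one that reports an exact match is the one the token request succeeds against, and the exit code makes the check usable from a deployment pipeline. Reading service principals with Get-MsolServicePrincipal needs only a directory role that can read the directory, which is a narrower privilege than the one required to create or modify app registrations.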

All replies

  • Hello,

    We are checking on the query and would get back to you soon on this.

    I apologize for the inconvenience and appreciate your time and patience in this matter.

    Regards,

    Vijisankar

    Friday, December 2, 2016 10:56 AM
  • Thanks, appreciate a response at the soonest possible.
    Friday, December 2, 2016 1:40 PM