Does Azure MSI support accessing Graph API?

  • Question

  • I have a VM created in Azure with MSI (Managed Service Identity) enabled and I also grant the contributor role of my subscription to the VM, so from this VM, I am able to call "localhost:50342" to get the access token and then use Azure Resource Manager API (endpoint: management.azure.com) to access Azure resources. Now when I tried to use the same way to access Azure Graph API (endpoint: graph.microsoft.com), I kept getting "[code] => Authorization_RequestDenied [value] => Insufficient privileges to complete the operation". So how am I able to grant permissions to the VM to access Azure Graph API when MSI is enabled? Thank you very much!
    Monday, November 13, 2017 3:24 PM

All replies

  • Microsoft Graph API is just a REST API endpoint where, once you have an access token, you can use that access token to perform tasks. Typically, users have an Application within Azure AD that has the Microsoft Graph API as a required resource. If MSI does not do this type of process, then you will need to request an access token from an Application that has this resource, or create your own HTTP request to retrieve an access token with Graph API permissions from an existing AAD Application.
    You may refer to this link - https://developer.microsoft.com/en-us/graph/docs/concepts/auth_overview 
    Monday, November 13, 2017 9:27 PM
  • @vijisankar, thank you for your reply. The idea here is, we don't want to register a new application and, based on this application, obtain the access token for the Resource API or Graph API; we'd like to just use MSI to get the access token. I just found out that when enabling MSI, Azure automatically created an application for the VM. I think if we grant the Graph API permission to this application, from the VM we should be able to access Graph API. I am waiting for our global admin to grant the permissions to prove this. Thanks.
    Monday, November 13, 2017 10:31 PM
  • There doesn't seem to be a way to grant permissions to the application which is created by Azure for MSI. Our global admin didn't see the options in the Azure portal to allow him to do so. So I am stuck here. Does anyone know if it's possible to use MSI to access Graph API? Please help, thanks much!
    Tuesday, November 14, 2017 4:04 PM
  • This scenario, for using MSI to authenticate to the Graph API, is not documented or tested yet.  It is a scenario we want to show how to do in the future. Stay updated @ Azure roadmap - https://azure.microsoft.com/en-us/roadmap/?category=security-identity and Azure updates - https://azure.microsoft.com/en-us/updates/ 

    Tuesday, November 21, 2017 4:53 AM
    Moderator
  • Monday, March 26, 2018 7:04 PM
  • Hi. I'm stuck with the same problem, too.

    I tried the last suggested solution but I'm getting the following error:

    New-AzureADServiceAppRoleAssignment : Error occurred while executing NewServicePrincipalAppRoleAssignment
    Code: Request_BadRequest
    Message: One or more properties are invalid.
    RequestId: e965cf55-4cce-49bb-ad3c-0d37f90c8e56
    DateTimeStamp: Mon, 20 May 2019 16:31:23 GMT
    HttpStatusCode: BadRequest
    HttpStatusDescription: Bad Request
    HttpResponseStatus: Completed

    Both the ObjectId for the MSI app and the Graph API should be correct. I'll paste the script that I'm trying to execute.

    # Microsoft Graph service principal (well-known AppId)
    $graph = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
    # Service principal that Azure created for the VM's MSI
    $web = Get-AzureADServicePrincipal -SearchString "{My_App_Name}"
    # Assign the Graph app role (by its GUID) to the MSI service principal
    New-AzureADServiceAppRoleAssignment -ObjectId $web.ObjectId -Id "b528084d-ad10-4598-8b93-929746b4d7d6" -PrincipalId $web.ObjectId -ResourceId $graph.ObjectId
    Tuesday, May 21, 2019 7:27 AM
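The same assignment as an added example (not code from the thread), written defensively: the Graph app role is looked up by its permission name and checked to be an application permission rather than a hard-coded GUID, and the MSI principal must resolve to exactly one object. It assumes the AzureAD PowerShell module with Connect-AzureAD already run as a Global Admin; `{My_App_Name}` and `Directory.Read.All` are placeholder values.

```powershell
# Added example: grant a Microsoft Graph application permission to the service
# principal Azure created for a VM's MSI. Assumes the AzureAD module and an
# existing Connect-AzureAD session with Global Admin rights.
param(
    [string]$MsiName   = "{My_App_Name}",      # placeholder: MSI service principal display name
    [string]$RoleValue = "Directory.Read.All"  # placeholder: Graph application permission to grant
)

# Microsoft Graph's well-known AppId (same value used in the thread).
$graph = Get-AzureADServicePrincipal -Filter "AppId eq '00000003-0000-0000-c000-000000000000'"
if (-not $graph) { throw "Microsoft Graph service principal not found in this tenant." }

# Resolve the MSI principal by exact display name. A -SearchString that matched
# several principals would leave $web holding an array, not one object.
$web = @(Get-AzureADServicePrincipal -Filter "DisplayName eq '$MsiName'")
if ($web.Count -eq 0) { throw "No service principal named '$MsiName'." }
if ($web.Count -gt 1) { throw "'$MsiName' matches $($web.Count) principals; look it up by -ObjectId instead." }
$web = $web[0]

# Pick the app role by name and require an *application* permission. Delegated
# scopes are listed under Oauth2Permissions and cannot be assigned to a principal.
$role = $graph.AppRoles | Where-Object {
    $_.Value -eq $RoleValue -and $_.AllowedMemberTypes -contains "Application"
}
if (-not $role) { throw "'$RoleValue' is not an application permission exposed by Microsoft Graph." }

# Make the script safe to re-run: skip if this principal already holds the role on Graph.
$existing = Get-AzureADServiceAppRoleAssignment -ObjectId $graph.ObjectId -All $true |
    Where-Object { $_.PrincipalId -eq $web.ObjectId -and $_.Id -eq $role.Id }
if ($existing) {
    Write-Host "$RoleValue is already assigned to $MsiName."
    return
}

# -ObjectId and -PrincipalId are both the MSI principal; -ResourceId is Graph;
# -Id is the app role GUID resolved above.
New-AzureADServiceAppRoleAssignment -ObjectId $web.ObjectId -PrincipalId $web.ObjectId `
    -ResourceId $graph.ObjectId -Id $role.Id

Write-Host "Granted $RoleValue ($($role.Id)) to $MsiName."
Write-Host "Tokens the VM requests from the MSI endpoint for https://graph.microsoft.com will carry it in the 'roles' claim; tokens already issued keep their old claims until they expire."
```

Decoding the `roles` claim of a freshly requested MSI token is the quickest way to confirm the assignment took effect before retrying the Graph call.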