
I have a Web API project hosted in Azure as a web app with Managed Service Identity enabled (so I don't need an app registration, right?):


Now I need to obtain a token to access my API so that I can use it in POSTMAN:

az login
az account get-access-token --resource "https://mytenant.onmicrosoft.com/d3a219e0-bbbf-496b-a4a4-b9ca485c5a52"

which gives me

Get Token request returned http error: 400 and server response: {"error":"invalid_resource","error_description":"AADSTS50001: The application named https://mytenant.onmicrosoft.com/d3a219e0-bbbf-496b-a4a4-b9ca485c5a52 was not found in the tenant named xxxxxxxx-xxxx-xxxx-af31-xxxxxxxxxx. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.

I get the same error if I try to use object id 63d571cf-79bf-405d-8304-a31fb64cb953 instead of app id as part of resource uri.

What am I doing wrong?

UserControl

2 Answers


What am I doing wrong?

az account get-access-token is used to get a token to access an Azure resource. We could get more information from this document.

--resource

Azure resource endpoints. Default to Azure Resource Manager Use 'az cloud show' command for other Azure resources.

The resource should be one of the following endpoints, and the default resource is https://management.azure.com/

 "endpoints": {
    "activeDirectory": "https://login.microsoftonline.com",
    "activeDirectoryDataLakeResourceId": "https://datalake.azure.net/",
    "activeDirectoryGraphResourceId": "https://graph.windows.net/",
    "activeDirectoryResourceId": "https://management.core.windows.net/",
    "batchResourceId": "https://batch.core.windows.net/",
    "gallery": "https://gallery.azure.com/",
    "management": "https://management.core.windows.net/",
    "resourceManager": "https://management.azure.com/",
    "sqlManagement": "https://management.core.windows.net:8443/",
    "vmImageAliasDoc": "https://raw.githubusercontent.com/Azure/azure-rest-api-specs/master/arm-compute/quickstart-templates/aliases.json"
  }

Based on my understanding, the command has no relationship with your API access.

For more information about MSI and how to protect an API by using OAuth 2.0 with Azure Active Directory, please refer to this tutorial and this tutorial.

Tom Sun - MSFT
  • I don't really get it. `az account get-access-token` does not work if I provide `https://login.microsoftonline.com` from the list of endpoints but perfectly works with `https://database.windows.net/`, which is not on the list (I remember I used such tokens to access a SQL database by passing them to `SqlConnection.AccessToken`). Why is getting a token to access my API somehow different? – UserControl Aug 16 '18 at 08:09
  • az account get-access-token is used to get the token to access the `Azure resource` (Azure resource endpoint) and Azure resources that are protected by the Azure identity server. If you use JWT.IO to check the token then you could know the `token audience`. If you want to access your custom API, your audience should be your identity server if you have one. Also it depends on the way you protect your Web API. – Tom Sun - MSFT Aug 16 '18 at 08:27
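The audience check Tom Sun suggests doing on JWT.IO can be done locally before a token is pasted into Postman. The following is an added example, not code from the answer or from the az CLI: it decodes a JWT payload (signature not verified; this is inspection, the API still does full validation) and checks whether `aud` names the App ID URI from the question. Since real Azure AD tokens cannot be minted offline, it builds constructed, unsigned sample tokens with placeholder `tid`/`appid` values.

```python
import base64
import json


def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.

    The signature is NOT verified: this is an inspection aid for the person
    about to use the token, not a substitute for the API's own validation.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWS: header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(token: str, accepted_audiences: set) -> bool:
    """True if the token's 'aud' claim names an audience the API accepts."""
    aud = decode_jwt_claims(token).get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return any(a in accepted_audiences for a in auds)


def make_unsigned_sample_token(claims: dict) -> str:
    """Build a constructed, unsigned sample JWT (real Azure AD tokens are RS256-signed)."""
    def enc(obj):
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# App ID URI from the question; the API should accept only tokens issued for it.
API_AUDIENCES = {"https://mytenant.onmicrosoft.com/d3a219e0-bbbf-496b-a4a4-b9ca485c5a52"}

# Constructed claims: what `az account get-access-token` returns by default
# (an Azure Resource Manager token) versus a token issued for the API itself.
PLACEHOLDER_TID = "00000000-0000-0000-0000-000000000000"
ARM_TOKEN = make_unsigned_sample_token(
    {"aud": "https://management.azure.com/", "tid": PLACEHOLDER_TID, "appid": "constructed"})
API_TOKEN = make_unsigned_sample_token(
    {"aud": next(iter(API_AUDIENCES)), "tid": PLACEHOLDER_TID, "appid": "constructed"})

if __name__ == "__main__":
    for name, tok in (("ARM token", ARM_TOKEN), ("API token", API_TOKEN)):
        claims = decode_jwt_claims(tok)
        print(name, "aud =", claims["aud"], "| accepted by API:", audience_matches(tok, API_AUDIENCES))
```

Run it against a real token by replacing the constructed samples with the `accessToken` value from `az account get-access-token`; a token whose `aud` is `https://management.azure.com/` will be rejected by an API expecting its own App ID URI no matter how valid the signature is.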

The resource URI does not contain your Application Id nor Object Id. It is a separate identifier that you can find from the App Registration's Properties under App ID URI.

And since this is an MSI-generated service principal, there is no app. I think you have to register an app in this case.

juunas
    I have no App Registration for my web app. I thought one of the benefits of MSI was that you don't need to add app registrations (it's like extra friction). My understanding is any user added to the app on the Enterprise application blade can access the app if he has a token. Am I missing something here? Can I get an App ID URI for an MSI *without* creating the app registration? – UserControl Aug 15 '18 at 19:10
  • Ahh, I read your question too quickly. Since there is no app registration, another app cannot acquire a token for it. You need to register the app in this case. – juunas Aug 15 '18 at 19:11
  • thanks, I guess I get the point. However, I then don't understand what "Users and groups" is supposed to do for an enterprise application. – UserControl Aug 15 '18 at 19:18
  • Ahh, well you can control user access to an app via the service principal. Though I guess it just doesn't really make sense to use that with the MSI principal. – juunas Aug 15 '18 at 19:19