When attempting to get an access token for a custom AD Application, using az account get-access-token --resource '<APP ID Uri>', I receive the following error:

AADSTS65001: The user or administrator has not consented to use the application with ID '04b07795-8ddb-461a-bbee-02f9e1bf7b46' named 'Microsoft Azure CLI'. Send an interactive authorization request for this user and resource.

04b07795-8ddb-461a-bbee-02f9e1bf7b46 is not my application id, and my application has had administrator consent granted. I've tried putting this id in an interactive login request with no change in behavior.

get-access-token works fine when the resource is a defined MS endpoint like https://database.windows.net or https://vault.azure.net/.

My goal is to have Azure App Services with Managed Service Identity authenticating to each other with short-lived AD bearer tokens. Each service has a configured audience that corresponds to the AD App.

Andy Hohorst
  • Not sure what the command is for the cmd line, but in PowerShell it is 'New-AzureRmRoleAssignment -ObjectId -Scope '/subscriptions/ -RoleDefinitionName contributor'. Basically it's telling you to give the object contributor rights. I haven't figured out how to create a new application without having to perform this step and haven't seen any documentation requiring it either. That's what works though. –  Dec 07 '18 at 20:08
  • I get a null reference from this - Object reference not set to an instance of an object. – Andy Hohorst Dec 11 '18 at 19:57
  • I finally found what I was looking for. If you go into your subscription and open the IAM blade choose your , then under "Manage" choose "Properties". There is the "ObjectID" you are referencing. If that does not match the <04b07795-8ddb-461a-bbee-02f9e1bf7b46> id you aren't using the correct application to log in. –  Dec 11 '18 at 20:31
  • That 04b id is Azure CLI. I don't know how to change it, is the problem. – Andy Hohorst Dec 13 '18 at 12:33
  • You don't change it. That is the objectID for the AD application and needs to be granted contributor role. –  Dec 13 '18 at 15:58
  • This sounds like the issue at [[BUG] Unable to get MSI token from local Visual Studio](https://github.com/Azure/azure-sdk-for-net/issues/6172). – tbrownaw Jul 02 '19 at 18:42

Running az account get-access-token --resource '<APP ID Uri>' from the local CLI, you are trying to get a token for '<APP ID Uri>' using Azure CLI, whose client ID is exactly 04b07795-8ddb-461a-bbee-02f9e1bf7b46.

To handle this you could go to: Azure Active Directory → App registrations → {your app} → Expose an API → Add client application with:

ID: 04b07795-8ddb-461a-bbee-02f9e1bf7b46

Authorized scopes: check '<APP ID Uri>'

To make sure you have the right ID, you could run az account get-access-token, paste the token into jwt.io and find the value of "appid".

Documentation reference: Application IDs for commonly used Microsoft applications

Bartosz Pelikan
  • That really helped me out. I was kind of in a similar situation, except my issue was with the PowerShell Azure ID: 1950a258-227b-4e31-a9cf-717495945fc2. That being said, I applied your solution and it worked great :) – Sage Pourpre Jun 21 '20 at 19:03
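Added example, not code from the answer above: the "appid" check the answer describes doing on jwt.io, done locally. It decodes the token payload without verifying the signature (inspection only, never an authorization decision), reports whether the calling client is Azure CLI or Azure PowerShell using the two client IDs quoted in this thread, and checks that "aud" matches the App ID URI you asked for. The sample token is constructed inline with no signature; the audience value is a placeholder.

```python
import base64
import json

# First-party client IDs quoted in this thread.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
AZURE_POWERSHELL_APP_ID = "1950a258-227b-4e31-a9cf-717495945fc2"
KNOWN_CLIENTS = {
    AZURE_CLI_APP_ID: "Microsoft Azure CLI",
    AZURE_POWERSHELL_APP_ID: "Azure PowerShell",
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the
    signature. Equivalent to pasting the token into jwt.io: fine for
    finding out which client requested it, useless for trusting it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS: expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def identify_client(token: str, expected_audience: str) -> dict:
    """Summarise who requested the token and whether it is for the
    resource we asked for (the App ID URI passed to --resource)."""
    claims = decode_claims(token)
    appid = claims.get("appid")
    return {
        "appid": appid,
        "client": KNOWN_CLIENTS.get(appid, "other/unknown"),
        "audience_matches": claims.get("aud") == expected_audience,
    }


def make_unsigned_token(claims: dict) -> str:
    # Constructed sample only: alg=none with an empty signature segment,
    # so the example runs offline without a real token.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    # Placeholder audience standing in for your '<APP ID Uri>'.
    sample = make_unsigned_token({"aud": "api://my-app-placeholder", "appid": AZURE_CLI_APP_ID})
    print(identify_client(sample, "api://my-app-placeholder"))
```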
I can reproduce your issue with --resource '<APP ID Uri>' if I log in to the CLI with a user account.

If I login with a service principal, it works fine.

You could try to log in to the Azure CLI with a service principal; refer to this link.

Joy Wang
  • This is a very helpful workaround, thank you. I am still hoping to find a way to allow users to receive access tokens as themselves, since part of the reason we're doing this is to avoid passing around login credentials. – Andy Hohorst Dec 10 '18 at 13:00
  • Maybe I missed a detail, but if you are using an AD application, you should be using a service principal, not a user account. –  Dec 11 '18 at 20:21
  • I'm trying to develop locally, and I cannot get the Azure CLI to pull the access token for an AD application for my user login in my local web application. I did log in as a service principal though and was able to pull the token while debugging locally. I'm not sure why it doesn't work for user accounts which have been granted default access to the AD application. – McFrank Mar 21 '19 at 17:45