Calling management.azure.com API fails due to authentication

Question

I have a WEB API application working via Azure active directory.

I can get the information of all the user in active directory like this:

var app = ConfidentialClientApplicationBuilder.CreateWithApplicationOptions(_applicationOptions).Build();
string[] scopes = { "https://graph.microsoft.com/.default" };

AuthenticationResult result = null;
try
{
    result = await app.AcquireTokenForClient(scopes).ExecuteAsync();
}
catch (MsalServiceException ex)
{
    // Case when ex.Message contains:
    // AADSTS70011 Invalid scope. The scope has to be of the form "https://resourceUrl/.default"
    // Mitigation: change the scope to be as expected
}

// use the default permissions assigned from within the Azure AD app registration portal
HttpClient client = new HttpClient();
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
HttpResponseMessage response = await client.GetAsync("https://graph.microsoft.com/v1.0/users");
string content = await response.Content.ReadAsStringAsync();

But if I try to get tenants calling

https://management.azure.com/tenants?api-version=2019-06-01

I receive AuthenticationFailed error.

I guess this is because my AccessToken doesn't have the necessary scopes.

How can I fix it?

score 1 · Accepted Answer · answered Sep 30 '19 at 19:02

1

You are getting an access token for MS Graph API, not Azure Management API.

Use the following scope:

https://management.core.windows.net/.default

Docs: https://learn.microsoft.com/en-us/rest/api/azure/#authorization-code-grant-interactive-clients

answered Sep 30 '19 at 19:02

juunas

54,244
13
113
149

Calling management.azure.com API fails due to authentication

1 Answers1