
I have an aspnetcore app that I'm writing and would like to be able to manage WVD resources. The problem I'm having is that the Bearer token I'm getting from Msal is giving me a 401 when I try to

GET https://rdweb.wvd.microsoft.com/api/feeddiscovery/webfeeddiscovery.aspx

I thought maybe I needed to add an API permission to my app in azure, but I've already added:

https://management.azure.com/user_impersonation

And I can't seem to locate anything that suggests it might work for WVD.

Maybe I'm way off track though.

I've tried looking at the source:

https://github.com/Azure/RDS-Templates/tree/master/wvd-templates/wvd-management-ux/deploy

But it's been compiled and minified, so that's proving to be difficult.

Any help getting a valid token to call the WVD Rest API would be greatly appreciated.

Getting the token:

Full Code (minus the Microsoft.Identity.Web stuff)

// Acquire a token on behalf of the signed-in user for the WVD resource scope
var token = await TokenAcquisition.GetAccessTokenOnBehalfOfUserAsync(
    new[] { "https://mrs-Prod.ame.gbl/mrs-RDInfra-prod/user_impersonation" });

// Call the RDWeb discovery endpoints, presenting the token as a Bearer credential
var httpClient = new HttpClient();
httpClient.BaseAddress = new Uri("https://rdweb.wvd.microsoft.com/");
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
var result = await httpClient.GetAsync("api/hubdiscovery/eventhubdiscovery.aspx");
result = await httpClient.GetAsync("api/feeddiscovery/webfeeddiscovery.aspx");

This method is from the Microsoft.Identity.Web project.

Wjdavis5
  • Just an update, Microsoft.Identity.Web is now a NuGet package. We encourage its usage to keep your library updated and with bugs fixed. [Microsoft.Identity.Web wiki](https://github.com/AzureAD/microsoft-identity-web/wiki) – Tiago B Jul 08 '20 at 20:01

2 Answers


The https://management.azure.com scope is for the Azure Service Management API; in your case, it is not correct.

Please navigate to the AD App in the portal -> API permissions -> APIs my organization uses -> search by Windows Virtual Desktop, find it and click.

[screenshot]

If you want the management tool to make Windows Virtual Desktop management calls on behalf of the user who's signed into the tool, choose Delegated permissions -> user_impersonation and complete the steps as in the screenshot. You can also let the user consent to the permission himself without clicking the Grant admin consent button; it depends on you.

[screenshot]

Then the permission appears like below.

[screenshot]

For more details, see this Tutorial: Deploy a management tool and this step.

Update:

Try using the PowerShell cmdlet New-RdsRoleAssignment to add your user account to the RDS Owner role; make sure you have installed the Microsoft.RDInfra.RDPowerShell module first, refer to this link.

Add-RdsAccount -DeploymentUrl "https://rdbroker.wvd.microsoft.com"
Get-RdsTenant
New-RdsRoleAssignment -RoleDefinitionName "RDS Owner" -SignInName "xxxx@xxxx.onmicrosoft.com" -TenantName "joywvd"

Then I run the Get-RdsTenant command again, use Fiddler to capture the request, take the token and decode it at https://jwt.io/; it appears like below.

[screenshot]

The aud and scp should be the same as in your token; you can also decode your token to check. Then I use Postman to call https://rdweb.wvd.microsoft.com/api/feeddiscovery/webfeeddiscovery.aspx, and it works.

[screenshot]

Joy Wang
  • Thanks for that. I've added that to the app, but I'm still getting a 401 even when I have that scope. When I use the same account to load the rdweb portal everything populates fine, so we know the user is good. – Wjdavis5 Jan 01 '20 at 14:34
  • @Wjdavis5 Could you provide the code about getting the token? – Joy Wang Jan 01 '20 at 14:57
  • updated the question. I've also looked at the tutorial you linked, but with the code being minified it's difficult to follow. Thanks again for the help – Wjdavis5 Jan 01 '20 at 19:19
  • @Wjdavis5 I think we don't need the `Constants.ScopeUserRead`, `User.Read` is for Microsoft Graph, just use `(new[] {Constants.WVD })` to have a try. – Joy Wang Jan 02 '20 at 01:51
  • I have tried it both with and without that scope and still get a 401. Also I wanted to add that I have tried doing other things, such as listing VMs in my account with this same code (different scope of course) and have that working fine. So I know the code to get a token is correct. – Wjdavis5 Jan 02 '20 at 13:48
  • @Wjdavis5 Did you consent the permission? – Joy Wang Jan 02 '20 at 14:07
  • hm - If I didn't, wouldn't it prompt me for consent every time I log into the application? I want to say yes but I can't think of a way to verify what consent I've given. – Wjdavis5 Jan 02 '20 at 14:47
  • @Wjdavis5 Not every time, just the first time when you login. You can click the Grant admin consent button in the portal to make sure the permission has been consented. Then when the user login, it will not prompt him to consent again. – Joy Wang Jan 02 '20 at 14:59
  • either way, I've provided admin consent in the azure portal. will test again when I get home. – Wjdavis5 Jan 02 '20 at 18:48
  • same result, 401 when calling /api/feeddiscovery/webfeeddiscovery.aspx – Wjdavis5 Jan 03 '20 at 02:08
  • @Wjdavis5 Did you add your user account as a `RDS Owner`? You could check my update. – Joy Wang Jan 03 '20 at 06:55
  • The user account has all required permissions, we know this b/c the default MSFT RDWebclient page works for us. – Wjdavis5 Jan 03 '20 at 14:41
  • just wanted to say thank you again for working with me on this. I really do appreciate it. – Wjdavis5 Jan 05 '20 at 00:05

Omg I just figured it out by comparing the token I got from the msft rdweb application:

From the RDWeb App: "aud": "https://mrs-prod.ame.gbl/mrs-RDInfra-prod",

From my App: "aud": "https://mrs-Prod.ame.gbl/mrs-RDInfra-prod",

.... Yes, I was using an uppercase P in mrs-Prod, and the MSFT app was using a lowercase p in mrs-prod.

I'm flabbergasted, angry and excited all at the same time.

For the record I copied my value directly from Azure in my apps api permissions screen.

Wjdavis5
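A token inspection check, added here as an example and not part of either answer: it decodes a JWT payload without verifying the signature (the same inspection jwt.io does), compares aud and scp with the values the RDWeb endpoint accepted in the first answer, and reports a case-only audience difference like the mrs-Prod/mrs-prod one separately so it is not missed by eye. The EXPECTED_* constants and the make_unsigned_token helper are assumptions made so the check runs offline on constructed tokens.

```python
import base64
import json

# Resource identifier the RDWeb feed endpoint accepted in the question's
# working token; the requested scope is this value plus "/user_impersonation".
EXPECTED_AUD = "https://mrs-prod.ame.gbl/mrs-RDInfra-prod"
EXPECTED_SCP = "user_impersonation"


def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token):
    """Return the payload claims of a compact JWT without checking the signature.
    Inspection only (what jwt.io shows); never use this to authorize a request."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(_b64url_decode(parts[1]))


def check_audience(token, expected_aud=EXPECTED_AUD, expected_scp=EXPECTED_SCP):
    """Compare the token's aud and scp with what the API expects.
    Returns a list of problems (empty when the token matches). The aud check is
    exact, so a difference only in letter case is called out separately."""
    claims = decode_claims(token)
    problems = []
    aud = claims.get("aud", "")
    if aud != expected_aud:
        kind = "aud differs only in letter case" if aud.lower() == expected_aud.lower() else "aud mismatch"
        problems.append(f"{kind}: got {aud!r}, expected {expected_aud!r}")
    scopes = claims.get("scp", "").split()
    if expected_scp not in scopes:
        problems.append(f"scp {scopes!r} does not include {expected_scp!r}")
    return problems


def make_unsigned_token(claims):
    """Build a constructed, unsigned test token (alg none, empty signature)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


if __name__ == "__main__":
    # Constructed sample carrying the uppercase P from the question's scope string.
    sample = make_unsigned_token({"aud": "https://mrs-Prod.ame.gbl/mrs-RDInfra-prod",
                                  "scp": "user_impersonation"})
    for problem in check_audience(sample):
        print(problem)
```

To check a real token, paste its string into decode_claims or check_audience; the payload is only base64url-encoded, so no secret is needed to read it.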