
To automate maintenance of an Azure Digital Twins instance, we require service-to-service API access so that we can use Azure middle-tier options to run as daemon apps (e.g. Logic App or Function).

However, the Azure Digital Twins 'preview' API (resource id: 0b07f429-9f4b-4714-9392-cc5e8e80c8b0) does not support Application Permissions when registering the application in Azure Active Directory (only Delegated Permissions). However, the related Microsoft Graph API (resource id: 00000003-0000-0000-c000-000000000000) supports both permission types.

Is there any way currently to authenticate for access to the Azure Digital Twins API without the need for a signed-in AAD account (i.e. using 'client_credentials' grant type)?

2 Answers


To use client credential flow, you need the Application permission. If there is just Delegated Permission defined in the API, you could just access the API with a signed-in user account, e.g. authorization code flow.

In your case, the option is On-Behalf-Of flow.

  1. The user authenticates with the middle-tier application with the authorization code flow or another login flow

  2. An OAuth 2.0 On-Behalf-Of token is acquired during authentication

  3. The acquired token is then used to authenticate with or call APIs that are further downstream using the On-Behalf-Of flow

For more details, check this doc - Call Digital Twins from a middle-tier web API.

Joy Wang
  • Thank you for the reply, but this provides a known workaround not an answer to my question. The Daemon app runs unattended on a trigger, and has no interaction with a human user. Therefore, the user cannot authenticate at the time of execution. – Chris Lowndes Feb 22 '20 at 04:58
  • @ChrisLowndes If so, you can't call the api. The api was designed to expose just a delegated permission, you must use the user to authenticate. – Joy Wang Feb 24 '20 at 01:19
  • You actually can, I have a demo running at our office that requires no human logon. I created it a while ago, and it revolves around a service principal. Let me know if you still need this. – Matthijs van der Veer Mar 12 '20 at 12:57
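The On-Behalf-Of exchange that the answer above describes, written out as an added example (this is not code from the answer or from the Microsoft doc it links). It assumes a middle-tier web API registered in Azure AD with a client secret, that the front end calls this API with the user's access token, and that the preview Digital Twins resource id quoted in the question is the downstream resource; MSAL.NET (Microsoft.Identity.Client) does the exchange. The point the asker raises is visible in the signature: without an incoming user token there is no assertion to exchange, so this flow cannot serve an unattended daemon.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example, not code from the answer: a middle-tier web API exchanging the
// caller's user token for a Digital Twins (preview API) token with the OAuth 2.0
// On-Behalf-Of flow. Assumes the API has the delegated Digital Twins permission
// granted and holds its own client secret.
public static class DigitalTwinsObo
{
    // ".default" on the preview API's resource id (value taken from the question);
    // it asks for every delegated permission already consented for this app.
    private const string DigitalTwinsScope = "0b07f429-9f4b-4714-9392-cc5e8e80c8b0/.default";

    public static async Task<string> GetDownstreamTokenAsync(
        string tenantId, string clientId, string clientSecret, string incomingUserToken)
    {
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();

        // The bearer token the user presented to this API becomes the assertion.
        // A daemon triggered by a timer or queue has no such token, which is why
        // OBO does not remove the need for a signed-in user.
        var assertion = new UserAssertion(incomingUserToken);

        AuthenticationResult result = await app
            .AcquireTokenOnBehalfOf(new[] { DigitalTwinsScope }, assertion)
            .ExecuteAsync();

        // The returned token is still scoped to the user's delegated permissions,
        // so the API can never do more against Digital Twins than the user could.
        return result.AccessToken;
    }
}
```

The returned access token is attached as a bearer token to the downstream Digital Twins request; MSAL caches it per user assertion, so repeated calls for the same signed-in user do not hit the token endpoint each time.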
  1. First you need to add a new role (RBAC) on the Azure Digital Twins instance for the console application that is registered in Azure AD.

  2. Create a client secret for the console app.

     using System;
     using System.Net.Http;
     using Azure.Core.Pipeline;
     using Azure.DigitalTwins.Core;
     using Azure.Identity;

     // Shared HttpClient; the snippet used httpClient without declaring it.
     private static readonly HttpClient httpClient = new HttpClient();

     private static DigitalTwinsClient GetDigitalTwinsClient(string tenantId, string clientId, string clientSecret, string adtEndpoint)
     {
         // DefaultAzureCredential's EnvironmentCredential reads these three variables
         // and performs the client_credentials grant for the app (no signed-in user).
         Environment.SetEnvironmentVariable("AZURE_CLIENT_SECRET", clientSecret);
         Environment.SetEnvironmentVariable("AZURE_CLIENT_ID", clientId);
         Environment.SetEnvironmentVariable("AZURE_TENANT_ID", tenantId);

         var tokenCredential = new DefaultAzureCredential();

         var client = new DigitalTwinsClient(
             new Uri(adtEndpoint),
             tokenCredential,
             new DigitalTwinsClientOptions { Transport = new HttpClientTransport(httpClient) });

         return client;
     }
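A complete unattended console app following the two steps above, as an added example rather than the answer's own code. It uses the Azure.DigitalTwins.Core SDK and Azure.Identity, and assumes that the app registration's service principal already holds a Digital Twins data-plane role on the instance (step 1) and that the four ADT_* environment variable names are placeholders chosen here. Instead of writing the secret into the process environment for DefaultAzureCredential to discover, it passes the credentials to ClientSecretCredential directly, which is the client_credentials grant the question asks for; it also separates the two failures an operator will meet, no token issued at all versus a token issued for an app with no role on the instance.

```csharp
using System;
using System.Threading.Tasks;
using Azure;
using Azure.DigitalTwins.Core;
using Azure.Identity;

// Added example, not code from the answer above. Daemon-style access to an
// Azure Digital Twins instance using only the app registration's credentials.
// Assumptions: the service principal has an Azure Digital Twins data-plane role
// on the instance, and the ADT_* variable names are placeholders for this example.
public static class DaemonDigitalTwins
{
    public static DigitalTwinsClient CreateClient()
    {
        string tenantId     = Require("ADT_TENANT_ID");
        string clientId     = Require("ADT_CLIENT_ID");
        string clientSecret = Require("ADT_CLIENT_SECRET");
        string endpoint     = Require("ADT_ENDPOINT"); // https://<instance>.api.<region>.digitaltwins.azure.net

        // ClientSecretCredential requests an app-only token from Azure AD with the
        // client_credentials grant; no user, no delegated scope, no browser.
        var credential = new ClientSecretCredential(tenantId, clientId, clientSecret);
        return new DigitalTwinsClient(new Uri(endpoint), credential);
    }

    // Counts the twins the service principal can see. A 403 here means Azure AD
    // issued the token but the RBAC assignment on the instance is missing or has
    // not propagated yet; an AuthenticationFailedException means no token at all.
    public static async Task<int> CountTwinsAsync(DigitalTwinsClient client)
    {
        try
        {
            int count = 0;
            await foreach (BasicDigitalTwin twin in
                client.QueryAsync<BasicDigitalTwin>("SELECT * FROM digitaltwins"))
            {
                Console.WriteLine($"{twin.Id} ({twin.Metadata.ModelId})");
                count++;
            }
            return count;
        }
        catch (RequestFailedException ex) when (ex.Status == 403)
        {
            Console.Error.WriteLine(
                "Authenticated as the app, but it holds no data-plane role on this instance.");
            throw;
        }
        catch (AuthenticationFailedException ex)
        {
            // Wrong tenant or client id, or an expired/rotated secret.
            Console.Error.WriteLine($"Token request failed: {ex.Message}");
            throw;
        }
    }

    private static string Require(string name) =>
        Environment.GetEnvironmentVariable(name)
        ?? throw new InvalidOperationException($"Environment variable {name} is not set.");

    public static async Task Main()
    {
        int n = await CountTwinsAsync(CreateClient());
        Console.WriteLine($"{n} twin(s) visible without any user signing in.");
    }
}
```

Step 1 is what makes this work: the Azure.DigitalTwins.Core SDK authorises against role assignments on the instance (built-in roles "Azure Digital Twins Data Reader" for queries and "Azure Digital Twins Data Owner" for writes), not against Azure AD application permissions on the preview API, so the limitation in the question does not apply to it. With the Azure CLI IoT extension the assignment is one command of the form `az dt role-assignment create --dt-name <instance> --assignee <app-id> --role "Azure Digital Twins Data Reader"`; grant the reader role unless the daemon has to write. Keep the secret in a Key Vault or the host's secret store rather than in source, and prefer a managed identity (ManagedIdentityCredential or DefaultAzureCredential) when the daemon runs on Azure, which removes the secret entirely.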