What I want to do: use the Azure REST API from a custom tool.
What I did: I created an app registration named CDTester and a secret for it in my default directory. Then I went to the subscription and added the role Contributor to CDTester.
I got a config object cfg loaded from user-secrets with the application id and secret of CDTester and with the tenant id of my default directory.
Now I try to authenticate like this:

```csharp
using Microsoft.Identity.Client;

// Client-credentials flow: the app authenticates as itself with its secret.
var app = ConfidentialClientApplicationBuilder
    .Create(cfg.ApplicationId)
    .WithTenantId(cfg.LoginTenantId)
    .WithClientSecret(cfg.ApplicationSecret)
    .Build();

// Request a token for the resource named in the scope (this is the call that fails).
var authResult = await app
    .AcquireTokenForClient(new[] { "https://management.azure.net/.default" })
    .ExecuteAsync();
```
The `.ExecuteAsync` call fails with:

> AADSTS500011: The resource principal named https://management.azure.net was not found in the tenant named . This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You might have sent your authentication request to the wrong tenant.
As a (weak) alternative, I added the Azure Service Management delegated permission to CDTester, gave Admin Consent, and switched the code to:

```csharp
using Microsoft.Identity.Client;

// Interactive (delegated) flow: a user signs in and the token carries that user's permissions.
var app = PublicClientApplicationBuilder
    .Create(cfg.ApplicationId)
    .WithTenantId(cfg.LoginTenantId)
    .WithDefaultRedirectUri()
    .Build();

// Opens the browser for sign-in; the error now appears there instead of in the exception.
var authResult = await app
    .AcquireTokenInteractive(new[] { "https://management.azure.net/user_impersonation" })
    .ExecuteAsync();
```
ran it, logged in with my own user (who's of course global administrator) and got the same message, this time in the browser right after login.
Changing the scope to "https://management.azure.net/.default" in this flow doesn't change anything either.
So, obviously somehow I need to "install the resource principal https://management.azure.net" into my tenant - but for the life of me, I cannot find how.
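For comparison, here is an added example (not the poster's code) of the same client-credentials flow addressed to the resource identifier that Azure Resource Manager actually uses, `https://management.azure.com/.default`, followed by one authenticated ARM call so the RBAC assignment can be checked separately from the token. It assumes the same three values the post loads into `cfg`, read here from environment variables whose names are made up for the example.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class ArmClientCredentialsSample
{
    // ARM's resource identifier is https://management.azure.com/; the ".default" scope
    // requests whatever the service principal has already been granted (here, via RBAC).
    private const string ArmScope = "https://management.azure.com/.default";

    public static async Task<string> AcquireArmTokenAsync(string appId, string tenantId, string secret)
    {
        var app = ConfidentialClientApplicationBuilder
            .Create(appId)
            .WithTenantId(tenantId)          // tenant that holds the app registration
            .WithClientSecret(secret)
            .Build();

        AuthenticationResult result = await app
            .AcquireTokenForClient(new[] { ArmScope })
            .ExecuteAsync();
        return result.AccessToken;
    }

    // Lists the subscriptions visible to the service principal. A 401 means the token itself
    // is rejected; a 403 or an empty list means the token is fine but RBAC is not in effect.
    public static async Task<string> ListSubscriptionsAsync(string accessToken)
    {
        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", accessToken);
        using var resp = await http.GetAsync(
            "https://management.azure.com/subscriptions?api-version=2020-01-01");
        resp.EnsureSuccessStatusCode();
        return await resp.Content.ReadAsStringAsync();
    }

    public static async Task Main()
    {
        // Constructed variable names standing in for cfg.ApplicationId etc.
        string appId    = Environment.GetEnvironmentVariable("CDTESTER_APP_ID");
        string tenantId = Environment.GetEnvironmentVariable("CDTESTER_TENANT_ID");
        string secret   = Environment.GetEnvironmentVariable("CDTESTER_SECRET");

        string token = await AcquireArmTokenAsync(appId, tenantId, secret);
        Console.WriteLine(await ListSubscriptionsAsync(token));
    }
}
```

Contributor on the whole subscription is far more than a token-listing check needs; once the call works, scope the role assignment down to the resource group or resource the tool actually manages.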