
I need to consume the Azure Consumption APIs from a PHP project, but I'm completely messed up with scopes.

Steps I followed:

  1. Registered an application and got the application ID.
  2. Created a client secret.
  3. curl -X POST -d 'grant_type=client_credentials&client_id=86abe145-****-****-****-*******&client_secret=Ymm7Q~xp_****************&resource=https%3A%2F%2Fmanagement.azure.com%2F' https://login.microsoftonline.com/09c409ff-*****-******-******-fa0/oauth2/token

and it returned an access token with an expiry. But when I call an API to get the price sheet or usage details data, it gives me

{"error":{"code":"AuthorizationFailed","message":"The client 'cd1bfd00-561d-****-af29-*********' with object id 'cd1bfd00-561d-4d84-af29-********' does not have authorization to perform action 'Microsoft.Consumption/usageDetails/read' over scope '/subscriptions/*******-f489-47e8-****-*********' or the scope is invalid. If access was recently granted, please refresh your credentials."}}

What value do I need to pass in {scope}? I created a scope named hub-app in the registered application, with admin and user consent, and passed it as well: api://<client-id>/hub-app. But nothing is working. Please help if somebody has used the Consumption API.

Thanks!

Sourabh Bhutani

1 Answer

It looks like you have simply created an application in your Azure AD and did not assign any Azure RBAC roles to it. This is why you're getting this error.

To fix this, please assign either Billing Reader or Reader role to your application at the subscription level. Please see this link for assigning role using Azure Portal: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=current.

Gaurav Mantri
  • Hello @Gaurav. Thank you so much for the reply. I followed what you suggested and gave Contributor permission to my app, and checked with a refresh as well. But I'm still facing the same issue. Any idea what I'm missing now? – Sourabh Bhutani Nov 11 '21 at 12:28
  • Should I add an entry under Expose an API, or a permission, in the app which I registered? I only created the app, then the secret value, and created the token via curl. – Sourabh Bhutani Nov 11 '21 at 12:59
  • Please do 2 things: 1) Under API permissions for your application, you need to add the `Azure Service Management` API, and 2) The scope for which you need to get the token should be that of the Azure ARM API, which I believe is `https://management.azure.com/.default`. HTH. – Gaurav Mantri Nov 11 '21 at 13:07
  • Thanks @Gaurav for the reply. In my app I gave permission to the Service Management APIs and picked delegated with user_impersonation. After this I tried `https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=&response_type=code&redirect_uri=http://localhost/myapp/&response_mode=query&scope=openid%20offline_access%20https%3A%2F%2Fmanagement.azure.com%2F.default&state=12345` to get an auth_code for the scope, then an access_token by auth code, but it's returning an issue. – Sourabh Bhutani Nov 12 '21 at 11:34
  • When I'm trying to get the auth_code it's giving `Sorry, but we're having trouble signing you in. AADSTS700016: Application with identifier 'client-id' was not found in the directory ''. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.` I have created the app in one directory but it's using the 2nd directory. It's strange to me. I'm logged in to one directory. What did I miss? Please help. – Sourabh Bhutani Nov 12 '21 at 11:38
  • Instead of using `common` here `https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=&response_type=code&redirect_uri=http://localhost/myapp/&response_mode=query&scope=openid%20offline_access%20https%3A%2F%2Fmanagement.azure.com%2F.default&state=12345`, can you use your tenant ID? – Gaurav Mantri Nov 12 '21 at 11:49
  • Great help. I think I am almost done. I got the auth code and I'm passing it for a token at `https://login.microsoftonline.com/tenant-id/oauth2/v2.0/token`, but it's returning `The request body must contain the following parameter: grant_type.` I have passed all values in the body as x-www-form-urlencoded. What's wrong now? Thank you so much for your replies and help. – Sourabh Bhutani Nov 12 '21 at 12:34
  • Please share the actual request you are sending. – Gaurav Mantri Nov 12 '21 at 12:51
  • Here is the Postman request [url](https://ibb.co/ZT8ZjGv). Let me know if you need anything. And what is the auth-code expiry time? Any idea, Gaurav? – Sourabh Bhutani Nov 12 '21 at 13:01
  • Just wondering if you URL-encoded the parameters? Auth codes are generally short-lived (about 10 minutes). The auth code expiry time denotes when your auth code will expire. – Gaurav Mantri Nov 12 '21 at 13:24
  • No, all values are in the body. Nothing in the header params. – Sourabh Bhutani Nov 12 '21 at 13:40
  • After fixing the grant_type issue, now I'm getting `"AADSTS9002326: Cross-origin token redemption is permitted only for the 'Single-Page Application' client-type`, and I tried with both the Web and the Mobile and Desktop application platforms with the redirect URI. Any solution? – Sourabh Bhutani Nov 16 '21 at 13:54
  • Hey @Gaurav, I fixed the issue. I was facing the issue because I was calling the API in Postman; I tried it in the application and it gave me the result. Thanks for your help. – Sourabh Bhutani Nov 16 '21 at 14:18
  • @SourabhBhutani: Thanks for confirming the solution. Could you please accept the solution provided by Gaurav? This would help other community members who are facing a similar issue. – Madhuraj Vadde Nov 25 '21 at 14:52
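The flow the answer and comments converge on (client credentials against the tenant-specific v2.0 token endpoint with scope `https://management.azure.com/.default`, then a Consumption API call that fails with `AuthorizationFailed` until the service principal has an RBAC role on the subscription) as an added example in Python. This is not the asker's PHP code nor anything from the answer; the tenant, client, secret and subscription values are placeholders, the `api-version` is an assumption to check against current Consumption API docs, and the HTTP calls are injectable so the offline `demo()` can exercise the logic without touching Azure. It also adds the check a practitioner wants here: decoding the token's `aud` claim to confirm it was minted for ARM rather than for the app's own `api://<client-id>/...` scope.

```python
"""Added example (not from the original post): client-credentials token for
ARM, audience check, Consumption usageDetails call, and error diagnosis."""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

ARM_RESOURCE = "https://management.azure.com"
# v2.0 scope for ARM is the resource URI plus "/.default".  A scope such as
# api://<client-id>/hub-app is the app's OWN exposed API; a token for it has
# the wrong audience and ARM rejects it.
ARM_SCOPE = ARM_RESOURCE + "/.default"


def token_request(tenant_id: str, client_id: str, client_secret: str):
    """Return (url, form_body) for a client_credentials token request.
    Use the tenant ID, not 'common', for a single-tenant registration."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",  # the parameter the thread was missing
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": ARM_SCOPE,
    })
    return url, body


def token_audience(access_token: str) -> str:
    """Read the 'aud' claim from a JWT payload (no signature check; this is
    client-side inspection only, ARM does the real validation)."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("aud", "")


def audience_is_arm(access_token: str) -> bool:
    """True when the token was issued for ARM (with or without trailing '/')."""
    return token_audience(access_token).rstrip("/") == ARM_RESOURCE


def usage_details_url(subscription_id: str, api_version: str = "2021-10-01") -> str:
    """Consumption usage details at subscription scope (api_version assumed)."""
    return (f"{ARM_RESOURCE}/subscriptions/{subscription_id}/providers/"
            f"Microsoft.Consumption/usageDetails?api-version={api_version}")


def diagnose(status: int, body: dict) -> str:
    """Map an ARM response to the fix a practitioner needs."""
    code = body.get("error", {}).get("code", "")
    if status == 401:
        return "token rejected: check the aud claim is ARM and the token is not expired"
    if status == 403 and code == "AuthorizationFailed":
        return ("no RBAC assignment: grant the app's service principal Billing Reader "
                "or Reader on the subscription named in the error message")
    if status >= 400:
        return f"HTTP {status}: {code}"
    return "ok"


def http_post_form(url: str, body: str):
    req = urllib.request.Request(url, data=body.encode(), method="POST")
    with urllib.request.urlopen(req) as r:
        return r.status, json.loads(r.read())


def http_get_bearer(url: str, token: str):
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req) as r:
            return r.status, json.loads(r.read())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


def fetch_usage(tenant_id, client_id, client_secret, subscription_id,
                post=http_post_form, get=http_get_bearer):
    """Whole flow; returns (data_or_None, diagnosis)."""
    url, body = token_request(tenant_id, client_id, client_secret)
    status, tok = post(url, body)
    if status != 200 or "access_token" not in tok:
        return None, f"token endpoint: {tok.get('error', status)}"
    token = tok["access_token"]
    if not audience_is_arm(token):
        return None, f"wrong audience {token_audience(token)!r}; request {ARM_SCOPE}"
    status, data = get(usage_details_url(subscription_id), token)
    return (data if status == 200 else None), diagnose(status, data)


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned token for offline demonstration only."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return enc(b'{"alg":"none"}') + "." + enc(json.dumps(claims).encode()) + "."


def demo():
    """Offline run with fake endpoints: an ARM-audience token is issued, then
    ARM answers with the AuthorizationFailed body quoted in the question."""
    denied = {"error": {"code": "AuthorizationFailed",
                        "message": "does not have authorization to perform action "
                                   "'Microsoft.Consumption/usageDetails/read'"}}
    fake_post = lambda url, body: (200, {"access_token": make_unsigned_jwt({"aud": ARM_RESOURCE + "/"})})
    fake_get = lambda url, token: (403, denied)
    return fetch_usage("<tenant-id>", "<client-id>", "<client-secret>", "<subscription-id>",
                       post=fake_post, get=fake_get)


if __name__ == "__main__":
    print(demo())
```

Swap the real `http_post_form`/`http_get_bearer` in by calling `fetch_usage` without the `post`/`get` arguments. Note that "Contributor" on the subscription also satisfies the `usageDetails/read` action, but it is far more than a billing reader needs; Billing Reader is the least-privilege choice from the answer.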