
I am developing an Azure Function which needs to connect to Microsoft Dataverse via managed identity. During local development I have added my Azure account in Visual Studio and selected it for Azure Function authentication. I'm using the below code to get an access token:

var vsCred = new VisualStudioCredential();
var tok = await vsCred.GetTokenAsync(
new TokenRequestContext(new[] { "CLIENT ID of managed identity" }),default
);

But I am getting this error:

System.Private.CoreLib: Exception while executing function: ManagedIdentityTestFxn. System.Private.CoreLib: Process "C:\Program Files\Microsoft Visual Studio\2022\Professional\Common7\IDE\CommonExtensions\Microsoft\Asal\TokenService\Microsoft.Asal.TokenService.exe" has failed with unexpected error: TS003: Error, TS004: Unable to get access token. 'AADSTS65001: The user or administrator has not consented to use the application with ID '' named 'VS with native MSA'. Send an interactive authorization request for this user and resource.

[Screenshots: Azure AD permissions]

I tried giving admin consent but am still facing the same issue.

1 Answer


Instead of using VisualStudioCredential, you can use DefaultAzureCredential to get an access token like below:

using System;
using Azure.Core;
using Azure.Identity;
using Azure.Security.KeyVault.Secrets;

string userAssignedClientId = "<your managed identity client Id>";
var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions { ManagedIdentityClientId = userAssignedClientId });
var accessToken = credential.GetToken(new TokenRequestContext(new[] { "https://vault.azure.net" }));
// To print the token, you can convert it to string
String accessTokenString = accessToken.Token.ToString();

// You can use the credential object directly with the Key Vault client.
var client = new SecretClient(new Uri("https://myvault.vault.azure.net"), credential);

Alternatively, you can run the below PowerShell script in the Kudu console of your function app:

$resourceURI ="https://admin.services.crm.dynamics.com"  
$client_id = "dd8770dc-cbae-43f0-a36d-e27XXXXX"  
$tokenAuthURI = $env:IDENTITY_ENDPOINT + "?resource=$resourceURI&client_id=$client_id&api-version=2019-08-01"  
$tokenResponse = Invoke-RestMethod -Method Get -Headers @{"X-IDENTITY-HEADER"="$env:IDENTITY_HEADER"} -Uri $tokenAuthURI  
$accessToken = $tokenResponse.access_token 

I tried to reproduce the same in my environment with the PowerShell script and got the results like below:

I have a function app where I added managed identity like this:


Go to the Kudu console in the function app. Open the Kudu console by selecting Advanced Tools in your function app:


Now I selected PowerShell and ran the script like below:

$resourceURI ="https://admin.services.crm.dynamics.com"  
$client_id = "dd8770dc-cbae-43f0-a36d-e27XXXXX"  
$tokenAuthURI = $env:IDENTITY_ENDPOINT + "?resource=$resourceURI&client_id=$client_id&api-version=2019-08-01"  
$tokenResponse = Invoke-RestMethod -Method Get -Headers @{"X-IDENTITY-HEADER"="$env:IDENTITY_HEADER"} -Uri $tokenAuthURI  
$accessToken = $tokenResponse.access_token


When I ran the $accessToken I got the token successfully like below:


Reference:

Use managed identities on a virtual machine to acquire access token - Azure AD - Microsoft Entra | Microsoft Learn

Imran
Thanks Imran for your response. I'm having an issue with Visual Studio authentication for local development. When I set my account in the Azure Function authentication setting in Visual Studio and try to get a token using either VisualStudioCredential or DefaultAzureCredential, it gives me an error. Although it's working fine with Azure CLI or setting the ExcludeInteractiveBrowserCredential option to false. – Ashish Gupta Feb 18 '23 at 18:22
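An added example, not code from the question, the answer or the comment: a C# sketch that requests a Dataverse token through DefaultAzureCredential and uses it for a Web API WhoAmI call, with the Visual Studio credential excluded so that local runs fall through to Azure CLI (the path the comment reports as working). The environment URL, the class and method names, and the premise that the identity is registered as an application user in the Dataverse environment are assumptions.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Azure.Core;
using Azure.Identity;

public static class DataverseTokenExample
{
    // Assumption: placeholder Dataverse environment URL; replace with your own.
    private const string DataverseUrl = "https://<your-org>.crm.dynamics.com";
    // Placeholder: client ID of the user-assigned managed identity.
    private const string ManagedIdentityClientId = "<your managed identity client Id>";

    private static readonly HttpClient Http = new HttpClient();

    public static async Task<string> WhoAmIAsync()
    {
        var credential = new DefaultAzureCredential(new DefaultAzureCredentialOptions
        {
            // Used when the code runs in Azure with the identity attached.
            ManagedIdentityClientId = ManagedIdentityClientId,
            // Skip the Visual Studio token service locally so the chain
            // continues to AzureCliCredential (requires a prior `az login`).
            ExcludeVisualStudioCredential = true
        });

        // The scope names the target resource plus "/.default";
        // the managed identity's client ID is not a scope.
        AccessToken token = await credential.GetTokenAsync(
            new TokenRequestContext(new[] { $"{DataverseUrl}/.default" }), default);

        using var request = new HttpRequestMessage(
            HttpMethod.Get, $"{DataverseUrl}/api/data/v9.2/WhoAmI");
        // The token goes only into the Authorization header; it is never logged.
        request.Headers.Authorization =
            new AuthenticationHeaderValue("Bearer", token.Token);
        request.Headers.Accept.Add(
            new MediaTypeWithQualityHeaderValue("application/json"));

        using HttpResponseMessage response = await Http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        // JSON body containing UserId, BusinessUnitId and OrganizationId.
        return await response.Content.ReadAsStringAsync();
    }
}
```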