
I'm attempting to gain an access token in PowerShell, to access my Function App which requires Azure AD authentication.

I am running the following commands:

```powershell
Connect-AzAccount -Subscription <subscriptionID> -TenantId <tenantID>
Get-AzAccessToken -ResourceUrl "<resourceURL>"
```

The result is the following error: Get-AzAccessToken : SharedTokenCacheCredential authentication unavailable. Token acquisition failed for user <username>. Ensure that you have authenticated with a developer tool that supports Azure single sign on.

I am able to access the same app via my web browser, and via Postman, but am struggling with PowerShell.

My function app is configured to return a 302 redirect for unauthenticated requests, as shown in the screenshot below.

Function App Authentication configuration

Mike
  • See following : https://learn.microsoft.com/en-us/dotnet/api/overview/azure/identity-readme?force_isolation=true&view=azure-dotnet#examples – jdweng Mar 31 '23 at 13:44
  • Thanks @jdweng. That's some useful background, although I'm not sure it addresses my particular issue...? (Correct me if I'm wrong.) – Mike Mar 31 '23 at 14:28
  • You have a credential issue. There are multiple types of credentials. See : https://www.c-sharpcorner.com/article/defaultazureidentity-and-its-various-credential-types3/?force_isolation=true – jdweng Mar 31 '23 at 17:27

1 Answer


As detailed in this blog by @vishnugillela, here is one of the methods which we use to get an access token from managed identity login with Azure AD for an Azure function app resource.

Instead of using Get-AzAccessToken, I used the Invoke-WebRequest PowerShell command to retrieve the function app resource access token.

I tried the below PS script in my environment by providing my function app resource URL as shown and it successfully generated the access token.

```powershell
$Uri = 'https://myfunctionapp.azurewebsites.net'

$res = Invoke-WebRequest -Uri $Uri -Method GET -Headers @{Metadata="true"} -UseBasicParsing
$content = $res.Content | ConvertFrom-Json
$generatedaccessToken = $content.access_token
$generatedaccessToken
```


Alternatively, you can use PowerShell functions to generate the access token for a particular Azure resource as given in the above referenced article. I also tried the same in my environment by making a few modifications and it worked as expected.

```powershell
function Get-AccToken {
    # Uses the context created by Connect-AzAccount
    $con = Get-AzContext
    $profile = [Microsoft.Azure.Commands.Common.Authentication.Abstractions.AzureRmProfileProvider]::Instance.Profile
    $profileClient = New-Object -TypeName Microsoft.Azure.Commands.ResourceManager.Common.RMProfileClient -ArgumentList ($profile)
    # Acquire a token for the tenant of the current subscription
    $tokenretrieve = $profileClient.AcquireAccessToken($con.Subscription.TenantId)
    # Return the same variable that was assigned above
    return $tokenretrieve.AccessToken
}
$subscriptionid = "subscriptionID"
# Send the token as a bearer token in the Authorization header
$authHeader = @{
    'Content-Type'  = 'application/json'
    'Authorization' = 'Bearer ' + (Get-AccToken)
}
$url = "https://myfunctionapp.azurewebsites.net"
$response = Invoke-RestMethod -Method Get -Headers $authHeader -Uri $url
$response
```


Jahnavi
  • Thanks @Jahnavi for taking the time to look at my question. Unfortunately, neither of the approaches you have suggested are working for me. Attempting the first method, my `$res.Content` is html format, not json, so `ConvertFrom-Json` fails. – Mike Apr 03 '23 at 12:54
  • In the second method, I am able to get a token successfully, but `Invoke-RestMethod` is telling me `You do not have permission to view this directory or page.` I have added a screenshot of my authentication settings in case that is helpful. – Mike Apr 03 '23 at 13:00
  • Have you enabled the system identity for the function app? @Mike – Jahnavi Apr 03 '23 at 13:10
  • If enabled, go to Azure role assignments and you need to give owner role to authenticate and get access token via PowerShell. You can check this [image](https://i.imgur.com/Pn1y61B.png). – Jahnavi Apr 03 '23 at 13:12
  • What is the error from convertfrom-json command? – Jahnavi Apr 03 '23 at 13:13
  • The error is `ConvertFrom-Json: Conversion from JSON failed with error: Unexpected character encountered while parsing value: <. Path '', line 0, position 0.`, which isn't surprising as it's trying to parse html as json. Yes, System assigned identity is enabled. What scope were you thinking of assigning Owner over? – Mike Apr 03 '23 at 13:28
  • Can you go through these links? [Github](https://github.com/PowerShell/PowerShell/issues/3284), [SO](https://stackoverflow.com/questions/70860338/invoke-webrequest-content-convertfrom-json-conversion-from-json-failed-with-err) – Jahnavi Apr 03 '23 at 14:38
  • Skip giving `convertfrom-json` and try what it is giving! – Jahnavi Apr 03 '23 at 14:38
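
An added example, not part of the original answer or its comments: a token can be acquired successfully and still be rejected by the app, so it helps to decode the JWT payload locally and compare its `aud`, `iss`, `tid` and `exp` claims with what the Function App's authentication settings expect. The function names, the sample token and the `api://<function-app-client-id>` audience are assumptions made up for illustration; pass the bearer token string you actually send in the `Authorization` header in place of `$sample`.

```powershell
# Decoding is not validation: the signature is never checked here.
function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {          # restore the padding that base64url strips
        2 { $s += '==' }
        3 { $s += '=' }
        1 { throw 'Invalid base64url length.' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWT (expected header.payload.signature).' }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Test-TokenAudience {
    param([Parameter(Mandatory)][string]$Token, [Parameter(Mandatory)][string[]]$AllowedAudience)
    $c = Get-JwtClaims -Token $Token
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$c.exp)
    [pscustomobject]@{
        Audience      = $c.aud
        Issuer        = $c.iss
        TenantId      = $c.tid
        ExpiresUtc    = $expires.UtcDateTime
        Expired       = $expires -lt [DateTimeOffset]::UtcNow
        AudienceMatch = $AllowedAudience -contains $c.aud
    }
}

# Constructed, unsigned sample token with placeholder values so the script runs offline.
function ConvertTo-Base64Url([string]$Text) {
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$payload = @{
    aud = 'https://management.core.windows.net/'
    iss = 'https://sts.windows.net/00000000-0000-0000-0000-000000000000/'
    tid = '00000000-0000-0000-0000-000000000000'
    exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
} | ConvertTo-Json -Compress
$sample = '{0}.{1}.{2}' -f (ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'), (ConvertTo-Base64Url $payload), 'sig'

# Hypothetical allowed audience; use the value configured for your own app registration.
Test-TokenAudience -Token $sample -AllowedAudience 'api://<function-app-client-id>'
```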