
I am trying to create an application that can connect to ARM (https://management.azure.com) and retrieve some information from it. I already created one that uses Microsoft Graph (https://graph.microsoft.com) and works fine; however, now I need to get information that is only available on ARM.

I looked on the internet for the permissions required, especially on Microsoft Docs; however, all the documentation that I was able to find refers only to Microsoft Graph or Windows Graph.

Do you know which permissions I should request through the portal?

```java
public String getAccessToken() throws MalformedURLException, InterruptedException, ExecutionException, ServiceUnavailableException, InvalidKeyException, IllegalBlockSizeException, BadPaddingException, NoSuchAlgorithmException, NoSuchPaddingException
{
    AuthenticationContext objContext;
    AuthenticationResult objToken;
    ExecutorService objService;
    Future<AuthenticationResult> objFuture;
    objService = null;
    objToken = null;
    try
    {
        objService = Executors.newFixedThreadPool(1);
        objContext = new AuthenticationContext(this.getAuthorize(), false, objService);
        // Username/password grant against the ARM resource; no interactive prompt is shown.
        objFuture = objContext.acquireToken("https://management.azure.com", this.getApplicationID(), this.getUsername(), SecureText.getInstance().decode(this.getPassword()), null);
        // get() throws ExecutionException wrapping the AuthenticationException on failure.
        objToken = objFuture.get();
        this.getLogger().info("Connection to Azure Resource Manager ".concat(this.getClass().getSimpleName().toLowerCase()).concat(" successfully established"));
    }
    finally
    {
        // Guard against a NullPointerException if the executor was never created.
        if (objService != null)
        {
            objService.shutdown();
        }
    }
    if (objToken == null)
    {
        throw new ServiceUnavailableException("Authentication Service is not available");
    }
    return objToken.getAccessToken();
}
```

The following error is displayed:

com.microsoft.aad.adal4j.AuthenticationException: {"error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'e1b0615a-911d-4ccf-bf16-e8d0c1c2f8b5' named 'XXXXXXX'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 9731e9b7-116d-4c5e-b219-ab96e12c4300\r\nCorrelation ID: faa9a023-3237-4367-9c66-eec9b77e2805\r\nTimestamp: 2019-09-26 11:20:54Z","error":"invalid_grant"}

Daniel Mann
delucaezequiel
  • I think it needs delegated permissions to, like, Azure Service Management API or something similar. I'm on my phone now so can't really check the exact one. – juunas Sep 26 '19 at 13:55
  • This seems relevant to application permission instead of ARM permission. Refer to this screenshot: https://imgur.com/a/G4QlNqU . Go AAD->Enterprise applications->search the application you created then go->Permission->Click the button **Grant admin consent for microsoft** to grant your application the admin consent. – Mengdi Liang Sep 27 '19 at 15:28
  • I am aware this is an application permission. What I need to know is which permissions are required for executing REST API calls to the ARM module. Currently the application has the following permissions, which I set based on the Microsoft Graph REST API documentation: AuditLog.Read.All, Directory.AccessAsUser.All, Directory.Read.All, Policy.Read.All, SecurityEvents.Read.All. Ex: for read/list users https://docs.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=http you have the permissions at the beginning, in the Permissions section. – delucaezequiel Sep 30 '19 at 10:08
  • However, for the REST API to the ARM module (https://management.azure.com) the permissions are not listed in the available documentation. Ex: for read/list tenants https://docs.microsoft.com/es-es/rest/api/resources/tenants/list you do not have the permissions section. The error is only displayed for REST API queries to the Management module; to the Microsoft Graph one I can connect and retrieve data as expected based on the permissions listed above. – delucaezequiel Sep 30 '19 at 10:08

1 Answer

I have seen a similar error in the past.

Granting the permission via:

Azure Active Directory -> App Registrations -> MyApp -> Api Permissions -> Grant Admin Consent button

helped me.

Similar posts - The user or administrator has not consented to use the application - Send an interactive authorization request for this user and resource

Ajay Sainy
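For the error shown in the question, this added example (not code from any of the posts above) parses the AAD error message and extracts what an operator needs to act on it: the AADSTS code, the application ID, and the trace and correlation IDs. The class name `AadErrorTriage` and its methods are hypothetical; the sample message is the one quoted in the question.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class AadErrorTriage {  // hypothetical helper, not part of ADAL4J
    private static final Pattern ERROR = Pattern.compile("\"error\"\\s*:\\s*\"([^\"]+)\"");
    private static final Pattern CODE = Pattern.compile("AADSTS(\\d+)");
    private static final Pattern APP_ID = Pattern.compile("application with ID '([^']+)'");
    // Values end at a JSON-escaped "\r\n", a real line break, or the closing quote.
    private static final Pattern FIELD =
        Pattern.compile("(Trace ID|Correlation ID|Timestamp): ([^\\\\\"\\r\\n]+)");

    static String first(Pattern p, String s) {
        Matcher m = p.matcher(s);
        return m.find() ? m.group(1) : null;
    }

    /** Pulls the fields an operator needs out of an AAD token-endpoint error message. */
    static Map<String, String> triage(String message) {
        Map<String, String> out = new LinkedHashMap<>();
        out.put("error", first(ERROR, message));
        String code = first(CODE, message);
        out.put("code", code == null ? null : "AADSTS" + code);
        out.put("appId", first(APP_ID, message));
        Matcher m = FIELD.matcher(message);
        while (m.find()) {
            out.put(m.group(1), m.group(2).trim());
        }
        // AADSTS65001 means consent is missing for the requested resource; repeating
        // the same non-interactive request cannot succeed until consent is granted.
        out.put("consentRequired", String.valueOf("65001".equals(code)));
        return out;
    }

    public static void main(String[] args) {
        // The error text from the question, as carried in the exception message.
        String msg = "{\"error_description\":\"AADSTS65001: The user or administrator has not "
            + "consented to use the application with ID 'e1b0615a-911d-4ccf-bf16-e8d0c1c2f8b5' "
            + "named 'XXXXXXX'. Send an interactive authorization request for this user and "
            + "resource.\\r\\nTrace ID: 9731e9b7-116d-4c5e-b219-ab96e12c4300\\r\\n"
            + "Correlation ID: faa9a023-3237-4367-9c66-eec9b77e2805\\r\\n"
            + "Timestamp: 2019-09-26 11:20:54Z\",\"error\":\"invalid_grant\"}";
        triage(msg).forEach((k, v) -> System.out.println(k + " = " + v));
    }
}
```

In the question's method, the message would come from the cause of the `ExecutionException` thrown by `objFuture.get()`.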