
Azure usage details API shows "Authentication failed" after sign in with azure active directory v1 connection


I completely followed this link https://learn.microsoft.com/en-us/azure/bot-service/bot-builder-authentication?view=azure-bot-service-4.0&tabs=aadv1%2Ccsharp%2Cbot-oauth and created an Azure AD app registration and used Azure Active Directory v1 for my web app bot.

After sign in, I can view the token, but with that token I cannot access the Azure APIs; Postman shows the response below:

{
    "error": {
        "code": "AuthenticationFailed",
        "message": "Authentication failed."
    }
}

I called the Azure API below:

https://management.azure.com/subscriptions/${subscriptionId}/providers/Microsoft.Consumption/usageDetails?api-version=2018-10-01

In my app registration in Azure AD, I have given these permissions to access the Azure API:

[screenshots of the app registration's API permissions not available]

In my Web App Bot -> Settings -> OAuth Connection Settings, I selected:

ClientId -> My application client id
ClientSecret -> My application client secret
GrantType -> I do not know what to give, so I just typed "authorization_code" (if this is wrong, where do I need to find my grantType?)
LoginURL -> https://login.microsoftonline.com
TenantId -> common (to allow any user)
ResourceURL -> https://graph.microsoft.com/
Scopes -> I just left this blank

Why am I not able to access the Azure API with that token?

Any help? Thanks.


Solution

  • An access token issued by Azure AD will always be for a specific resource. Which service a token is intended for is identified in the token's "audience" (in the aud claim). When using the v1 endpoint, the resource for which an app requests an access token is identified in the resource parameter of the authorization request. In the v2 endpoint, the resource is identified as part of the scope parameter.

    In your case, the resource you've configured your bot to get a token for is Microsoft Graph (https://graph.microsoft.com), but then you're trying to use the resulting token to call the Azure Management API. The first thing the Azure Management API does is check if the access token it received is actually intended for it. If the audience does not match, it will immediately respond with an error.

    Instead of trying to get a token for Microsoft Graph, you need to configure your bot to get a token for the Azure Management API. You should use https://management.azure.com, which is the resource URI for the Azure Management API, instead of https://graph.microsoft.com which is the resource URI for Microsoft Graph.
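To make the audience mismatch concrete, here is an added example (not part of the original answer or of the Bot Framework) that inspects the aud claim of a token the way the resource server does in its first check. The two tokens are constructed, unsigned samples; a real resource server verifies the signature and issuer before it trusts any claim, so this is only a client-side pre-flight check.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_jwt(claims: dict) -> str:
    """Build a JWT-shaped string for demonstration only (no signature).
    Real Azure AD tokens are signed; never accept unsigned tokens server-side."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def decode_claims(token: str) -> dict:
    """Decode the payload segment of a JWT without verifying it."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def _norm(uri: str) -> str:
    # Assumption: compare resource URIs case-insensitively and ignore a
    # trailing slash, since both forms appear in practice.
    return uri.rstrip("/").lower()


def audience_matches(token: str, expected_resource: str) -> bool:
    """True if the token's aud claim names expected_resource (aud may be a list)."""
    aud = decode_claims(token).get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    return any(_norm(a) == _norm(expected_resource) for a in aud)


# Constructed samples: the bot in the question was configured with the Graph
# resource URI, so its token carries a Graph audience.
GRAPH_TOKEN = make_sample_jwt({"aud": "https://graph.microsoft.com", "tid": "example-tenant"})
ARM_TOKEN = make_sample_jwt({"aud": "https://management.azure.com/", "tid": "example-tenant"})

ARM_RESOURCE = "https://management.azure.com"

if __name__ == "__main__":
    # The Graph token fails the ARM audience check; the ARM token passes it.
    print("graph token usable for ARM:", audience_matches(GRAPH_TOKEN, ARM_RESOURCE))
    print("ARM token usable for ARM:  ", audience_matches(ARM_TOKEN, ARM_RESOURCE))
```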