Search code examples
azureoauth-2.0azure-active-directoryazure-api-managementazure-authentication

Microsoft Azure OAuth Client Credentials Token gets "AuthorizationFailed" response

I want create APIM subscriptions through rest api, And was able to do it successfully by following this Microsoft doc, https://learn.microsoft.com/en-us/rest/api/apimanagement/current-ga/subscription.

And for Authentication I am generating a bearer token using ROPC grant type(My UserName & Password). Everything works fine with this flow.

But i dont want to configure my username & password in a application to get a bearer token, instead i followed Client-Credentials grant type(get token by client id & secret), i am able to generate token, but when i use that token to create subscription in APIM, i am getting a exception The client '0--e' with object id '0--e' does not have authorization to perform action 'Microsoft.ApiManagement/service/subscriptions/write'

Is it possible to add a AAD application inside APIM AccessControl(IAM) to grant permission. Or is this any other way to do this? or ROPC is the only way?

Can someone please help.

Solution

  • Yes, you can grant permission to AAD application (service principal) in APIM Access Control (IAM) by assigning it API Management Service Contributor role.

    I tried to reproduce the same in my environment and got the below results:

    I have generated one access token using Client-Credentials grant type like below:

    enter image description here

    When I used the above token to create APIM subscription with below query, I got the same error:

    PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ApiManagement/service/apimService1/subscriptions/testsub?api-version=2021-12-01

{
  "properties": {
    "ownerId": "/subscriptions/subid/resourceGroups/rgname/providers/Microsoft.ApiManagement/service/servicename/users/xxxxxxxxxxx",
    "scope": "/subscriptions/subid/resourceGroups/rgname/providers/Microsoft.ApiManagement/service/servicename/products/xxxxxxxxxxx",
    "displayName": "testsub"
  }
}

    Response:

    enter image description here

    To resolve the error, you need to grant API Management Service Contributor role for that application like below:

    Go to Azure Portal -> APIM Services -> Your APIM -> Access control (IAM) -> Add role assignment

    enter image description here

    After granting the above role, I generated the access token again and ran the same query as below:

    PUT https://management.azure.com/subscriptions/subid/resourceGroups/rg1/providers/Microsoft.ApiManagement/service/apimService1/subscriptions/testsub?api-version=2021-12-01

    Response:

    enter image description here

    When I checked the Portal, APIM subscription got created successfully like below:

    enter image description here

    Reference:

    How to use Role-Based Access Control in Azure API Management | Microsoft Docs