client_credentials authentication with Azure ID: Application is not assigned to a role
I'm trying to use Azure AD for a App-to-App authentication (grant_type: client_credentials) for calling a Rest API.
To avoid implementation issue I firstly tried with Postman with the following configuration, and got the error " Application {clientID} is not assigned to a role for the application {clientID}":
On Azure the App Registration seems to be properly configured, with a custom scope in "API permissions" and the same scope listen in "Expose an API".
What should I have to add in order to be able to call that API? Please note that the same API works properly using IdentityServer4 with client_credentials grand type.
Thanks in advance
The answer from Rukmini is not entirely correct. In the answer provided, a Delegated permissions is assigned as API permission, and the token request is with a client_credentials flow. For client_credentials flow authentication, an Application permissions is required, not Delegated.
The issue can be fixed by keeping the "Assignment Required" on YES for security reasons (you may want to decide who, user/group or service principal, can access your application), and creating an Application permission on your App Registration.
Specifically:
- Create an App Role for the app registration with users/groups and Applications (if you need to have both Delegated and Application permissions, otherwise Application is sufficient")
- Create an API in "Expose an API" (if you need Delegated permissions for your users) with another Value
- Edit the manifest to have matching values between the ID of the app role and the scope, and between the scope name and App Role value (only if you want to have both the Delegated and the Application permissions with the same value)
- In API Permissions, Add a permission for your application using Application permissions and grant admin consent
That way, you can keep the Assignment required on YES and use both client_credential and other flows. For other flows, you need to add also the Delegated permissions.
- How to set up a Low Disk Space alert with the new Azure Monitor agent to trigger when a specific disk drive is low on free space?
- Azure Cosmos DB - Understanding Partition Key
- Get the permissions of users with respect to the repositories via the API of ADO
- Azure graph api to search groups whose displayName contains a specific term
- Azure Functions with VS Code and Python: ModuleNotFoundError: No module named 'azure.storage'
- Azure APIM - VNET injection vs inbound private endpoint, what is a difference?
- My mern project is not running in azure web app
- Split multiple tables from a single sheet in excel using data flows
- How to reduce your outbound ip address list for azure web app to add ip address to Flexible PostregSQL server firewall
- Not able to send localized push notification from Azure Notification Hub after migrating to FCMv1 from FCM Legacy API
- Production slot not using Production as ASPNETCORE_ENVIRONMENT variable
- Azure monitor open telemetry python package raising exception when python app deployed on Azure
- Azure Document Intelligence - RequestFailedException: 'Resource not found Status: 404 (Not Found)
- Parameterize runOnStartup in function.json
- Trouble Passing Boolean Values in Azure Data Factory JSON Template
- Managed Identity for Cosmos DB: "Local Authorization is disabled. Use an AAD token to authorize all requests"
- SFTP connectivity via Jsch fails with "Auth fail for methods 'publickey'"
- How can I add email recipients to a Graph API request programmatically?
- Getting an UnsupportedClassVersionError after updating Java 17 to Java 21
- Issue during update azure vmss trough rest api using curl
- How can I define compile time constants in bicep configuration language?
- How to redact Indian Aadhaar Number, Brazilian CPF number or any other such PII using azure language service
- Timezone error creating SQL instance in Azure using Terraform
- Does Azure's EntraID support dynamic custom claims?
- Can't provide NuGet package source credentials to Azure Function
- How can I use Terraform to run a script to initialise the database on a newly-created Azure mssql_virtual_machine?
- Creating External table in Azure SQL Database using ADLS2 Datasource
- Issue uploading files to S3 from Django in Docker
- Azure DevOps pipeline continues to run despite removing schedule
- Azure Active Directory App service Principal create new client secret