Search code examples
azureazure-active-directoryazure-entra-id

management.azure.com/providers/Microsoft.Capacity/reservationOrders PassthroughTokenValidationFailed Error

I'm trying to list reservation orders for a dummy customer on microsoft azure portal sandbox. The customer has already an azure plan and a reserved instance subscription. I was able to consent the application with which I try to access GET: https://management.azure.com/providers/Microsoft.Capacity/reservationOrders?api-version={{api_version}} All of the relevant permissions are granted to the application accessing my tenant's directory.

I'm also able to get an authentication token. But when I request the URL in the title, I get the following error:

{
    "error": {
        "code": "PassthroughTokenValidationFailed",
        "message": "Token validation failed. A passthrough token was detected without proper resource provider context - request correlation identifier 'correlation id'"
    }
}

Any ideas about this kind of error ? I did not find any relevant resources neither on microsoft forums nor here.

I tried to get a token from my customer azure AD. Which I did. I expected the token to work properly. But it didn't. Getting "PassthroughTokenValidationFailed" when prompting a GET api from Microsoft.Capacity

Solution

  • The error "PassthroughTokenValidationFailed" usually occurs due to passthrough sign-ins that is if the user does not have the access to the tenant. Refer this MsDoc.

    I created an Azure AD application and granted API permissions:

    enter image description here

    I tried to login with the user account that exists in the tenant:

    enter image description here

    Generated access token via Postman by using below parameters:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
grant_type:authorization_code
scope:https://management.azure.com/user_impersonation
code:code
redirect_uri:https://jwt.ms
client_secret:ClientSecret

    enter image description here

    Make sure to decode the access token and check the below:

    enter image description here

    If still the issue persists, check the below:

    • Assign reader role to the user you are using to sign-in.
    • Or assign reader role to the service principal.
    • Make use of other user account to generate the token and call the API.