Azure / BillingCodeSamples


401 unauthorized #6

Open magaal opened 9 years ago

magaal commented 9 years ago

Hi - following the documentation, I may be missing something, but I keep getting 401 unauthorized errors. My config is below and I can't seem to find anything glaring about what I'm missing:

<configuration>
  <appSettings>
    <add key="ADALServiceURL" value="https://login.microsoftonline.com"/>   <!-- Service root URL for ADAL authentication service WITH NO TRAILING SLASH! -->
    <add key="ADALRedirectURL" value="http://yerpderp/"/>                   <!-- Redirect URL for ADAL authentication service MUST MATCH YOUR AAD APP CONFIGURATION! -->
    <add key="ARMBillingServiceURL" value="https://management.azure.com"/>  <!-- Service root URL for ARM/Billing service WITH NO TRAILING SLASH! -->
    <add key="TenantDomain" value="REMOVED.onmicrosoft.com"/>               <!-- DNS name for your Azure AD tenant -->
    <add key="SubscriptionID" value="REMOVED"/>                             <!-- GUID of Azure Subscription that is trusting AAD tenant specified above -->
    <add key="ClientId" value="REMOVED"/>                                   <!-- GUID for AAD application configured as Native Client App in AAD tenant specified above -->
  </appSettings>
</configuration>

Console output:

Calling Usage service...
The remote server returned an error: (401) Unauthorized.

rposbo commented 9 years ago

Did you get this working? I'm stuck at the same point and I'm sure I've put in the correct info.

magaal commented 9 years ago

No, still outstanding.

Robin2009 commented 9 years ago

OK, I'm facing the same 401 problem. I don't know how to fix it, and I'm pretty sure I set the right configuration, as I followed the instructions.

Robin2009 commented 9 years ago

Btw, I just couldn't find the required "AAD tenant domain name" in my settings page. For my sample I simply used the string I copied from the AAD page, shown as the default domain. I don't know if that matters.

moinak3 commented 9 years ago

Folks, I'd like to try and get you unblocked with these auth issues.

These are some common auth issues that I have found for these samples:

1) The logged-in user for the app is a guest in the tenant - the user cannot be a guest in the tenant in which the Azure sub resides.

2) Logged-in user needs to be added to the READER, OWNER or CONTRIBUTOR role for the scope of the Azure subscription. This can be done in the Azure preview portal (portal.azure.com).

3) App not correctly configured - the app that is accessing the Usage and RC APIs needs to be allowed access to the Azure Service management API, and if you are trying out the multi-tenant app, the app needs to be configured to be "multi-tenant" in the app configuration page.

As for the comment on the AAD tenant domain, an easy way to get this would be to log in to the Azure Management Portal (manage.windowsazure.com) and look at the URL:

https://manage.windowsazure.com/@moinak3live.onmicrosoft.com?hashseg=Workspaces/ActiveDirectoryExtension/directory

moinak3live.onmicrosoft.com is the AAD tenant domain name that you should use. This should be the tenant under which the Azure sub is created, for which you are trying to request usage.

Please let me know how else I can help here.

BryanLa commented 9 years ago

@magaal @rposbo @Robin2009 - The value you enter for SubscriptionID must be a subscription that is associated with the Azure AD tenant you specify for the TenantDomain value. Can you verify and let me know if that is the issue? It's not enough to just specify a valid subscription ID; it must also be associated with (trusting) the specified Azure AD tenant for authentication.

If you enter a valid SubscriptionID that is not associated with the Azure AD tenant you specify for TenantDomain, you will receive a "The remote server returned an error: (401) Unauthorized." response. You can verify this in the Azure portal by logging in with a service admin/co-admin account for the given subscription, and navigating to the Settings/Subscriptions page:

https://manage.windowsazure.com/MyTenant.onmicrosoft.com#Workspaces/AdminTasks/SubscriptionMapping

You should see the GUID for the subscription under the "Subscription ID" column, and the DNS name for your Azure AD tenant under the "Directory" column (shown as Friendly-Name (DNS-Name)).

As @moinak3 mentioned, because the Billing APIs are implemented under the Azure Resource Manager (ARM), they are also secured by the Role Based Access Control (RBAC) feature it uses. See the bottom of the readme for more details. Basically, the credentials you use for authentication (when prompted) must either be an admin/co-admin on the subscription (which gives the credentials automatic membership in the RBAC "Subscription admins" group), or the credentials must be specifically added to the Owner, Contributor, or Reader RBAC group. If not, you will get a "The remote server returned an error: (403) Forbidden" response. You will also get a 403/Forbidden if you authenticate with credentials from a directory other than the one you specified for the app registration.

Hope this helps.
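The 401/403 causes described in the replies above can be told apart by comparing the access token's claims with the tenant named in the service's 401 challenge. The following is an added example, not part of the original thread or the sample's code; the `triage` and helper names are hypothetical, the GUIDs are constructed placeholders, and the `authorization_uri` shape of the `WWW-Authenticate` header is an assumption about the challenge returned by the ARM endpoint.

```python
import base64, json, re

# Audiences ARM tokens commonly carry (assumption of this example; trailing slash stripped).
ARM_AUDIENCES = {"https://management.azure.com", "https://management.core.windows.net"}

def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature (diagnostics only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)          # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def challenge_tenant(www_authenticate):
    """Tenant named in authorization_uri="https://<host>/<tenant>" of a Bearer challenge."""
    m = re.search(r'authorization_uri="https://[^/"]+/([^/"]+)', www_authenticate or "")
    return m.group(1).lower() if m else None

def triage(status, www_authenticate, token):
    """Map a failed call to the causes discussed in the thread."""
    claims = jwt_claims(token)
    tid = str(claims.get("tid", "")).lower()
    aud = str(claims.get("aud", "")).rstrip("/").lower()
    trusted = challenge_tenant(www_authenticate)
    if status == 401:
        if trusted and tid != trusted:
            return "tenant-mismatch"      # SubscriptionID does not trust TenantDomain
        if aud not in ARM_AUDIENCES:
            return "wrong-audience"       # app not granted the management API
        return "other-401"
    if status == 403:
        return "rbac-or-directory"        # no Owner/Contributor/Reader role, or other directory
    return "not-auth"

def make_unsigned_token(claims):
    """Build a constructed, unsigned sample token for the demo below."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc(claims), "sig"])

# Constructed sample data: placeholder GUIDs, not values from the thread.
TOKEN = make_unsigned_token({"tid": "11111111-1111-1111-1111-111111111111",
                             "aud": "https://management.azure.com/"})
CHALLENGE = ('Bearer authorization_uri="https://login.windows.net/'
             '22222222-2222-2222-2222-222222222222", error="invalid_token"')

if __name__ == "__main__":
    print(triage(401, CHALLENGE, TOKEN))   # tenant-mismatch
```

The decoded claims are read for troubleshooting only; the signature is not checked, so nothing here should be used to make an authorization decision.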

Robin2009 commented 9 years ago

@BryanLa, thanks for your reply. I ran this demo against my own account and that works fine. But for the account (owned by an EA account) provided by my client it returns a 401 error. I can view the detailed usage reports for all the subscriptions associated with this account on ea.azure by logging in with it. So my question is, is this usage API available to EA accounts?

BryanLa commented 9 years ago

Hi @Robin2009 - AFAIK, the Usage API supports queries for all offer types, including EA, but I've asked @moinak3 to confirm. Regarding the 401 error, can you confirm that the subscription you are specifying for SubscriptionID in your app.config is configured to trust the Azure AD tenant you specified for TenantDomain, in the Azure management portal? I don't believe the 401 is related to support (or lack of) for EA offer types.

For more details on the relationship between the Azure subscription and Azure AD, please see "How Azure subscriptions are associated with Azure AD". Basically, in order to access the Usage data for a particular subscription, the APIs require that your credentials are authenticated by the Azure AD tenant which the subscription has designated. If this is not the issue, please let me know and I will follow up with engineering.

Regarding the ea.azure.com portal, apologies, but I'm not sure how the authentication/authorization is designed to work, and how they are securing access to each subscription.

Robin2009 commented 9 years ago

Hi @Byronr, may I send you an email?

Robin2009 commented 9 years ago

@Byronr, I guess I know the reason for persistently getting 401, though I don't have the AA or SA account. I read the article referred to as "How Azure subscriptions are associated with Azure AD" and found this: "but a subscription trusts only one directory". Also, in your reply you suggested I check whether the subscriptionId configured in my app.config trusts the tenantAD to which this sample is going to be added. I believe this tenantAD is definitely not trusted by this subscription, therefore it always returns a 401 error.

Thanks @Byronr, thanks for sharing.

BryanLa commented 9 years ago

Hi @Robin2009 - you're welcome, and good luck w/everything. Let us know if you need help w/anything else.

Bryan

tinhnv01210 commented 9 years ago

Hello there, Thanks for sharing. I'm following and I can connect to the RateCard API using the GetOAuthTokenFromAAD() method.

I'm confused about whether I can authenticate with this API by using a management certificate which was uploaded to the Azure portal. When I try to use it, the (401) Unauthorized error occurs.

Thanks in advance, Tinh.

BryanLa commented 9 years ago

Hi @tinhnv01210 - I don't have experience with using a certificate for authentication, but here are a few articles you can check out, mostly from the perspective of needing to use certificates with a daemon/service client. The last 2 are specifically related to Azure Resource Manager authentication:

- Build service and daemon apps in Office 365
- Authenticating to Azure Resource Manager using AAD and Certificates
- Developer’s guide to auth with Azure Resource Manager API

Hope this helps.