Azure / azure-powershell

Microsoft Azure PowerShell

get-azaccesstoken -resourceURL "https://graph.microsoft.com/" error 400 - unauthorized #19880

Open fluffydice opened 2 years ago

fluffydice commented 2 years ago

Description

Following doc here - https://learn.microsoft.com/en-us/powershell/module/az.accounts/get-azaccesstoken?view=azps-9.0.0#example-3-get-the-access-token-for-microsoft-graph-endpoint.

Command used as a GA account within the tenant: get-azaccesstoken -resourceURL "https://graph.microsoft.com/"

Error returned: Get-AzAccessToken: ManagedIdentityCredential authentication failed: Service request failed.

Status: 400 (Bad Request) Content: Headers: X-Powered-By: REDACTED ETag: W/"7e-AtyJbQt9VqLG5RxtNN/7cqAVKqA" Date: Thu, 20 Oct 2022 09:26:24 GMT Connection: keep-alive Keep-Alive: REDACTED Content-Type: application/json; charset=utf-8 Content-Length: 126 See the troubleshooting guide for more information. https://aka.ms/azsdk/net/identity/managedidentitycredential/troubleshoot

The doc seems to conflict with the best-practice MS Graph approach, i.e. using a new AAD app registration with MS Graph API permissions.

dingmeng-xue commented 2 years ago

@fluffydice, Get-AzAccessToken is used for token redemption. It is not only for MSI but also supports other auth approaches. But the user needs to ensure the account has enough permission to redeem it.

ghost commented 1 year ago

Hi, we're sending this friendly reminder because we haven't heard back from you in a while. We need more information about this issue to help address it. Please be sure to give us your input within the next 7 days. If we don't hear back from you within 14 days of this comment the issue will be automatically closed. Thank you!

fluffydice commented 1 year ago

@fluffydice, Get-AzAccessToken is used for token redemption. It is not only for MSI but also supports other auth approaches. But the user needs to ensure the account has enough permission to redeem it.

I am trying to use a service principal to obtain an MS Graph access token. What permissions are required, and which resource are these scoped to? Docs advise using a dedicated app registration to manage Graph API resources, but this cmdlet can be used with the https://graph.microsoft.com URI, which is a little confusing.

Thanks

dingmeng-xue commented 1 year ago

@fluffydice, the OAuth2 protocol used by MS has 2 steps. The first step is to log in to Azure using a user account or service account to get a refresh token. The second step is to redeem an access token for a specific endpoint based on the refresh token.

For your case,

  1. You need to log in to Azure using Connect-AzAccount -ServicePrincipal ....... Once it has succeeded, the refresh token is fetched.
  2. When you call Get-AzAccessToken to redeem an access token, the parameter https://graph.microsoft.com is used to identify the MS Graph service. The resource identifier is not always identical to the service endpoint.

Permissions are a separate topic. If your script is using a service principal, you need to grant application permissions to the app you created. For example, you allow your app to access the MS Graph API.

Please reference:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent

fluffydice commented 1 year ago

@fluffydice, the OAuth2 protocol used by MS has 2 steps. The first step is to log in to Azure using a user account or service account to get a refresh token. The second step is to redeem an access token for a specific endpoint based on the refresh token.

For your case,

  1. You need to log in to Azure using Connect-AzAccount -ServicePrincipal ....... Once it has succeeded, the refresh token is fetched.
  2. When you call Get-AzAccessToken to redeem an access token, the parameter https://graph.microsoft.com is used to identify the MS Graph service. The resource identifier is not always identical to the service endpoint.

Permissions are a separate topic. If your script is using a service principal, you need to grant application permissions to the app you created. For example, you allow your app to access the MS Graph API.

Please reference:
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent

Thanks for the advice. I have tried what you have described and I am still struggling to identify how the Graph API scopes are being applied, as I am seeing that even without any permissions applied to the SPN, I am still able to make changes to an AAD group membership, i.e. add/remove a device object from a group. My requirement is to use automation (AzDO agent using an application SPN) and the Graph API to make changes to AAD group membership (plus other stuff). Simple setup so far; I have two AAD groups: 1 - Write-access-group with the SPN set as owner, 2 - read-only-group with the SPN not an owner.

I have a service principal created with no Graph API permissions with admin consent, i.e. groupmember.readwrite.all.

What I am finding is that I can still make changes to group 1 but not group 2. If no Graph API permissions are scoped to the SPN, how is it able to make changes to group 1?

Thanks

fluffydice commented 1 year ago

Hi again,

Just to add a bit more detail to help progress my issue.

I have followed both step 1 and step 2 above. I just don't understand how, in the service principal Azure context, I am able to read/write to AAD groups using Microsoft Graph. I have inspected the bearer token returned from the get-azaccesstoken -resourceurl 'https://graph.microsoft.com' cmdlet call and what is interesting is that I don't see any 'scp' claims. This is the same whether or not I add MS Graph permissions to the SPN.

I just need clarification on what is happening here, please.
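An added example (not from this issue or the Az module) that decodes the token Get-AzAccessToken returns for the Graph resource and shows the claims that govern Graph authorization. It assumes an existing Az context from Connect-AzAccount -ServicePrincipal and an Az version (such as the 9.x referenced above) where the Token property is a plain string; app-only tokens carry application permissions in the roles claim, while scp only appears in delegated user tokens, so an empty scp by itself does not indicate a missing grant.

```powershell
# Added example: inspect the Graph access token from the current Az context.
# Assumes Connect-AzAccount -ServicePrincipal has already succeeded and that
# Get-AzAccessToken returns .Token as a plain string (Az 9.x behaviour).

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Value is not a JWT (expected header.payload.signature)' }
    # JWT segments are base64url without padding: restore the standard alphabet and padding.
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

$token  = (Get-AzAccessToken -ResourceUrl 'https://graph.microsoft.com/').Token
$claims = ConvertFrom-JwtPayload -Token $token

[pscustomobject]@{
    # Audience must be Graph: either the URL or Graph's well-known app id.
    Audience   = $claims.aud
    AppId      = $claims.appid
    Tenant     = $claims.tid
    # Service-principal (app-only) tokens list application permissions in 'roles'.
    Roles      = @($claims.roles) -join ', '
    # 'scp' holds delegated permissions and is absent from app-only tokens.
    Scopes     = $claims.scp
    ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
}

$graphAudiences = @('https://graph.microsoft.com', '00000003-0000-0000-c000-000000000000')
if ($graphAudiences -notcontains $claims.aud.TrimEnd('/')) {
    throw "Token audience '$($claims.aud)' is not Microsoft Graph; check the -ResourceUrl value."
}

# Fail fast in automation when the token lacks the role the script depends on,
# instead of discovering it through a 403 (or, worse, through ownership side-channels).
if (@($claims.roles) -notcontains 'GroupMember.ReadWrite.All') {
    Write-Warning 'Token carries no GroupMember.ReadWrite.All application role; grant it on the app registration and admin-consent it.'
}
```

Comparing the Roles output before and after granting and consenting the permission makes the effect of the app registration change visible without calling Graph at all.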

dingmeng-xue commented 1 year ago

@fluffydice, you can find my email address in my profile. Could you email me the decoded token? You can decode the token via https://jwt.ms/

fluffydice commented 1 year ago

@fluffydice, you can find my email address in my profile. Could you email me the decoded token? You can decode the token via https://jwt.ms/

Yes of course. I have been using that resource already to decode the token.

fluffydice commented 1 year ago

Sent over a ma

@fluffydice, you can find my email address in my profile. Could you email me the decoded token? You can decode the token via https://jwt.ms/

Yes of course. I have been using that resource already to decode the token.

Sent over the info to your mail. Can you please let me know if you have received it?

Thanks

fluffydice commented 1 year ago

@and-digital-gc