
I’m trying to remove a certificate from a service account.
I’m doing this with Microsoft.Graph (5.14.0) using a service principal account that is Global Administrator and has the necessary Graph permissions.
This master account authenticates via a certificate.

I followed the C# examples like MicrosoftIdentityPlatformProofTokenGenerator here:

I systematically get an "Access Token missing or malformed" error, indicating that the problem must surely come from the proof field.

using Microsoft.Graph;
using Microsoft.Graph.Models.ODataErrors;

// key is the KeyCredential to remove, proof is the signed proof JWT built beforehand
var requestBody = new Microsoft.Graph.ServicePrincipals.Item.RemoveKey.RemoveKeyPostRequestBody
{
    KeyId = key.KeyId,
    Proof = proof
};

try
{
    // POST /servicePrincipals/{id}/removeKey
    await graphClient.ServicePrincipals[sp.Id].RemoveKey.PostAsync(requestBody);
}
catch (ODataError err)
{
    // Graph returns the failure reason in the OData error body
    var message = err.Error?.Message;
}

From what I understood:

  • We create the proof with the object id of the application associated with the service principal that makes the call (I also tried with the id of the SP).
  • We use the certificate of the service principal to generate a proof token (I use the same certificate as the one with which I authenticate, and I also tried with the one I want to delete and the identity of the SP, but nothing).
  • Or use the Microsoft Graph id as audience (it’s not very clear, but I tried with the AAD Graph API as well):
    • 00000002-0000-0000-c000-000000000000 AAD Graph API
    • 00000003-0000-0000-c000-000000000000 Microsoft Graph API
  • I send the pfx file (private and public key) to generate the proof.

What am I doing wrong?

Thanks in advance

2 Answers


  1. Chosen as BEST ANSWER

    Thanks a lot for your answer!

    With your example it seems to me that my token is not correctly created.

    I generate the JWT using the example provided in the documentation: https://learn.microsoft.com/en-us/graph/application-rollkey-prooftoken?tabs=csharp

    1. Application/ServicePrincipal

    When I read your example, you POST with Postman on /applications/{id}/removeKey, but the C# Graph API...

    await graphClient.ServicePrincipals[sp.Id].RemoveKey.PostAsync(requestBody);
    

    ...removes a KeyCredential of a servicePrincipal, i.e. /servicePrincipals/{id}/removeKey

    2. JWT contents

    The M$ example doesn't talk about the roles to be specified in the token or the possibility of putting https://graph.microsoft.com in aud.

    When trying this I still get the same error. My payload:

    {
      "aud": "https://graph.microsoft.com",
      "iss": "f8d5d85a-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
      "roles": [
        "Application.ReadWrite.OwnedBy"
      ],
      "exp": 1687525224,
      "nbf": 1687524624,
      "iat": 1687524626
    }
    

    To illustrate the context further:

    • SP_1 (objectID f8d5d85a-...) is a ServicePrincipal (of APP_1), is Global Administrator in my Azure AD and has all Graph API access with consents
    • SP_1 creates an application APP_2 with linked SP SP_2

    Workflow

    • Log on with SP_1 via Graph (ok)
    • SP_1 loads SP_2 information
    • SP_1 removeKey in KeyCredentials of SP_2

    Tests: the proof JWT sent in the POST is generated with:

    • token of login (SP_1) --> KO

    • aud=https://graph.microsoft.com
    • iss={id SP_1} --> KO

    • aud=https://graph.microsoft.com
    • iss={id SP_1}
    • certificate= pfx SP_1 --> KO

    • aud=https://graph.microsoft.com
    • iss={id SP_1}
    • certificate= pfx to delete --> KO

    • aud=https://graph.microsoft.com
    • iss={id SP_2}
    • certificate= pfx to delete --> KO

    -> I also tested with aud=00000003-0000-0000-c000-000000000000 and 00000002-0000-0000-c000-000000000000

    -> I tested with and without roles

    -> All Graph API authorizations were created in APP_1 and APP_2

    :'(


  2. I generated the access token and when I tried to removeKey, I got the error below:

    The error "Access Token missing or malformed" usually occurs if you are passing an invalid access token to perform the action or the aud is not matching the accessed resource.

    To resolve the error, check the below:

    • Check if the = padding character is present in the JWT header or payload, if yes then remove it in order to avoid the Authentication_MissingOrMalformed error.

    Make sure to grant Admin consent for the Application.ReadWrite.OwnedBy like below:

    Decode the token and make sure that the aud is 00000003-0000-0000-c000-000000000000 or https://graph.microsoft.com and the required roles are present:


    var graphClient = new GraphServiceClient(requestAdapter);
    
    var requestBody = new Microsoft.Graph.ServicePrincipals.Item.RemoveKey.RemoveKeyPostRequestBody
    {
        KeyId = Guid.Parse("f0b0b335-1d71-4883-8f98-567911bfdca6"),
        Proof = "eyJ0eXAiOiJ...",
    };
    await graphClient.ServicePrincipals["{servicePrincipal-id}"].RemoveKey.PostAsync(requestBody);
    

    In the above code, replace servicePrincipal-id with the value below:

    Make sure the access token is not expired, or test in Postman using the same token.

    After the above changes, I am able to removeKey successfully via Postman like below:

    POST https://graph.microsoft.com/v1.0/servicePrincipals/{id}/removeKey
    Content-Type: application/json
    
    {
        "keyId": "KeyID",
        "proof":"Token."
    }
    
