Question 104096 in Azure Question posted in
The official documentation to get you started can be found here.

how to pass correct scope to app registration to query the azure management service

I am new to azure and
I am trying a simple thing but not able to figure out how to set the correct scopes for a service principal.
I want to start and stop a ML compute using rest API. In order to do so, I would need the right token.

below are the steps I have taken :

  • create a service principal
  • created a Oauth query to get the access token

but I get error that

  {
     "error": {
         "code": "InvalidAuthenticationTokenAudience",
         "message": "The access token has been obtained for wrong audience or resource 'api://{<!-- -->{id}}'. It should exactly match with one of the allowed audiences 'https://management.core.windows.net/','https://management.core.windows.net','https://management.azure.com/','https://management.azure.com'."
     }
 }

Now, I am not able to figure out this concept. I have 2 doubts :

  1. how to set this scope at the service principal end (in the portal), I dont see any such option and also I am not able to find the documentation.
  2. how this access works? even if I give some resource level owner access to a service principal, then do I still have to provide access at scope option of app registration?

Please help in coming out of this issue.

Tags:

2

Answers


  1. Chosen as BEST ANSWER
    0

    I figured it out. I selected the option under API permission of a service principal -> https://management.azure.com/user_impersonation

    After selecting this, I was able to get the token which was needed to work with management.azure.com but I was not able to figure it out how to find this for a service principal.

    I must say that I find azure very confusing. I am not able to find the documents and even if I find it, they seem difficult to me.

    Probably, after some months of struggle I will find it easy.


  2. 0

    Note that: To start/stop a ML compute instance https://management.azure.com/ scope is required not
    api://ClientId.

    I tried to reproduce the same in my environment and got the results like below:

    I created an Azure AD Application and added API permission:

    enter image description here

    Make sure to grant Admin consent to the Api Permission. As user_impersonation is a delegated permission, you should make use of Authorization Grant Flow or Implicit Flow to generate the token.

    I generated the Authorization code by using below parameters:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?
&client_id=ClientID
&response_type=code
&redirect_uri=RedirectUri
&response_mode=query
&scope=https://management.azure.com/user_impersonation
&state=12345

    enter image description here

    I generated the access token by using below parameters:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/token

client_id:ClientID
client_secret:ClientSecret
scope:https://management.azure.com/user_impersonation
grant_type:authorization_code
redirect_uri:RedirectUri
code:code

    enter image description here

    Otherwise, you can also make use of Implicit Grant Flow by running the query like below:

    https://login.microsoftonline.com/TenantID/oauth2/v2.0/authorize?client_id=ClientID&response_type=token&redirect_uri=RedirectUri&scope=https://management.azure.com/user_impersonation&response_mode=fragment&state=12345&nonce=678910

    Access token will be generated redirecting to your redirect Uri like below:

    enter image description here

    Any of the above ways will generate the access token with the aud https://management.azure.com which will allow to start/stop the ML compute instance.

    References:

    Compute – Start – REST API Azure Machine Learning

    Compute – Stop – REST API Azure Machine Learning

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search