how to create access_token to access ARM API for a user and not the service principal
I need to secure my ML endpoints in azure based on user credentials and user accesses.
Right now, we are authorising based on service principal account but now we want to test for each user.
I can see the documentation for REST API to get the access_token to make Rest API requests to ARM (azure resource manager) for a service principal account but not for any azure user.
So any pointers on whether this can be achieved or not?
so, basically what I am trying to do is this :
- when a user tries to access the endpoint, its his credentials which needs to be validated whether he can access the API or not,
- so what I see it that any number of users can be added to a workspace but not all user might have access to the scoring endpoint request.
- in that case, only allowed user should be able to make the request and other users should be denied.
To generate access token based on user credentials, you can make use of ROPC flow.
While calling API with that token, validation will be done depending on Azure user's roles or permissions.
I tried to reproduce the same in my environment and got below results:
I created one Azure AD application and granted consent to API permissions like below:
I got the access token successfully via Postman using user credentials with parameters like below:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:44xxxx450-xxxx-4be1-axxb-e7xxxxxxxx
grant_type:password
scope:https://management.azure.com/.default
username:sricontri@tenant.onmicrosoft.com
password:xxxxxxxxx
Response:
Using the above access token, user can make Rest API requests to Azure Resource Manager successfully like below:
//To fetch list of resource groups present in the subscription
GET https://management.azure.com/subscriptions/<subscriptionID>/resourceGroups?api-version=2021-04-01
Response:
Please note that, the above user has Contributor role on the subscription that allowed user to make the request.
Now, I generated token for different Azure user via Postman in the same way as below:
POST https://login.microsoftonline.com/<tenantID>/oauth2/v2.0/token
client_id:44xxxx450-xxxx-4be1-axxb-e7xxxxxxxx
grant_type:password
scope:https://management.azure.com/.default
username:sridemo@tenant.onmicrosoft.com
password:xxxxxxxxx
Response:
When the user included above token to make the same request, access is denied with 403 Forbidden error like below:
GET https://management.azure.com/subscriptions/<subscriptionID>/resourceGroups?api-version=2021-04-01
Response:
Please note that, the above user doesn't have required roles or permissions to access Azure resources that denied the request.
- VM has reported a failure when processing extension AzureDiskEncryption
- How to pass secrets downloaded from Azure KeyVault as parameters to an Azure Function?
- Trigger / queue build policy pipeline on ADO PR with Azure CLI
- Azure AD B2C Password Reset
- Batch create mailbox folders with GRAPH API (from Graph Explorer)
- Azure Web App on Linux: "Error: Container didn't respond to HTTP pings on port: 8080" - when using: "start": "pm2 start server.js"
- How can I apply name=value tags to service principals in Azure?
- Visual Studio Code: Could not find $web blob container for storage account
- Error when registering data factory integration runtime on windows VM
- Retrieve list of repositories and their tag versions in one call
- Getting Error while running Azure DevOps Pipeline "Error: building account: could not acquire access token to parse claims: clientCredentialsToken
- Create Resource Group with Azure Management C# API
- Azure LDAP Authentication Connection Refused On Cloud Server or Other Desktops
- Create a gpu nodepool on azure with a student account
- How to set redirect URLs to b2clogin.com for Azure Active Directory B2C in React JS application
- Cannot connect to SQL Server from logic app
- How to Resolve Errors When Running Python Jobs in Azure App Service WebJobs
- How do I open Kudu console in Azure functions consumption plan?
- Azure AutoML Image Classification Job
- Onedrive GRAPH API - 403 when getting user's OneDrive
- Azure Government Get incidents returns 401 Forbidden
- Delta Table Partitioning - why only for tables bigger than 1 TB
- How to check if an Azure storage queue has messages
- Azure WAF exclusion, what's the difference between RequestArgNames and RequestArgValues?
- How to order results of a query by the results of an aggregate function in ComosDb?
- Azure routing between different subscriptions - force one, common outbound IP and share Site-to-site (IPSec) defined in Virtual network gateway
- Bot Framework Python SDK ErrorResponseException: Operation returned an invalid status code 'Unauthorized'
- Azure DevOps - Create a work item from incoming email
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?