Cannot get AAD auth token in Logic Apps
My Azure Logic App attempts to make an authenticated HTTP call to another API, but it fails to get an access token.
api, Application ID2222-2222-2222-2222: The app registration for the API.logic, Application ID3333-3333-3333-3333: An app registration for the Logic App.- In
logic, I have created a client secretsecretValue. - In
logic, I have added Application permissionaccess_as_applicationinapi, and inapi, I have granted this permission.
In Logic App, I use these values:
- Authentication type: Active Directory OAuth
- Authority: (blank)
- Tenant:
1111-1111-1111-1111 - Audience:
2222-2222-2222-2222 - Client ID:
3333-3333-3333-3333 - Credential Type: Secret
- Secret:
secretValue
But I get:
The audience '2222-2222-2222-2222' is invalid
Documentation is not clear on the format to use for Audience, so I have tried:
2222-2222-2222-2222api://2222-2222-2222-2222api://2222-2222-2222-2222/.defaultapi://2222-2222-2222-2222/access_as_application
But none of them gives me a token.
In my case, I created two app registrations named API app and LogicApp in Azure AD tenant.
In API app, I configured App ID URI and created one App role named access_as_application as below:
Now, I added this permission in LogicApp and granted admin consent to it like this:
In my Azure Logic App workspace, I ran below HTTP request and got access token successfully in response:
Method: POST
URI: https://login.microsoftonline.com/tenant_id/oauth2/v2.0/token
Headers: Content-Type: application/x-www-form-urlencoded
Body:
client_id="LogicAppId"
&client_secret="LogicAppSecret"
&scope=api://ApiAppId/.default
&grant_type=client_credentials
Output:
When I decoded this token by pasting it in jwt.ms, I got aud and roles claims as below:
- Retrieve all Users from all Groups?
- Cannot get AAD auth token in Logic Apps
- Using Azure Entra Id I cant see `Office 365 Exchange Online` under `APIs my organization uses`
- New tenant b2clogin URL returns error with "removed or changed"
- Azure Entra ID tokens endpoint issues an expired token
- Azure AD B2C password expiration
- Trouble when creating PowerBI report via JavaScript Client Library
- Azure Active Directory Enterprise App OpenID and User Provisioning (SCIM)
- How to select specific app registration based on tenant ID in ASP.NET Core MVC with Microsoft Identity Platform?
- Airflow ERROR - Error authorizing OAuth access token: Invalid JSON Web Key Set. [The request to sign in was denied.]
- Systematic Way to Identify Through Azure UI Required "App Registration" API Permission
- How does Delegated OnlineMeetingRecording.Read.All work?
- How to enable SAML as authentication provider in MS Entra?
- Get domain\username from microsoft graph
- Unable to Add User to Resource Group: Authorization_RequestDenied Error
- Login with Microsoft External Account -Issue when the user cancels the consent prompt during authentication
- Invalid argument error when adding Required Reviewer via Azure DevOps API
- Use Azure AD authentication but manage roles in database in .NET 6
- React Native MSAL - SSO does not work from Native to Web - iOS
- Microsoft: Unable to resolve Configuration with the provided Issuer
- Microsoft Graph filter for onPremisesExtensionAttributes
- Get users from Microsoft Entra by API without Graph
- What are the differences between Service Principal and App Registration?
- Unable to restore a deleted user with graph API
- How can I pass custom claims delivered via assertion into claims returned of access token?
- Custom Azure AD role for full access to Microsoft Cloud App Security
- Getting Redirect URI Mismatch error in Azure AD b2C
- Unable to acquire a token in IAuthDelgate of the microsoft information protection sdk
- Azure AD B2C IEF custom sign-up policy grab query parameters
- Cypress does not log in by cy.setCookie() in AzureDevOps project