Generate a Token for Testing FunctionApp Protected by Entra
This question got me most of the way there. I successfully generate a token, but get a 403.
Function app (FA) serves an API that is consumed by 1 WebApps ApplicationId.
All identites are authorized.
I would like to test without the webapp, preferrably with postman.
My guess is I am not generating the client credential correctly: ClientId: Is this the FA that is serving? Client Secret: Has to be the FA that is serving the API, Object Id: Which Object FA or WA (although I got a token without including) Scope: {FA clientid}/.default Auth endpoint, Token endpoint.
Is ClientCredentials the correct GrantType. I cannot use Password because tenant requires 2-Factor Open to Implicit or AuthCode, but I could not figure out the right parameters for them.
Created an Azure Function app and added identity provider as Microsoft:
Now I edited the Identity provider and allowed requests from specific client application:
In the application and API will be exposed:
In the Microsoft Entra ID application, I granted API permissions like below:
And generated access token for client application:
scope : ClientID/.default
I got the same error:
The 403 error usually occurs if the access token does not have required permissions to perform the action.
To resolve the error, make sure to pass scope as api://ClientAppID/.default not ClientAppID/.default
- And also make sure to include Allowed token audiences in Azure function app as
api://ClientAppIDand save like below:
Now regenerate the access token by passing scope as api://ClientAppID/.default:
GET https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id : ClientID
client_secret : Secret
scope : api://xxx/.default
grant_type : client_credentials
I am able to successfully access the function API:
GET https://rukfapp.azurewebsites.net/api/HttpTrigger2
If you are making use of two different applications, one for identity provider and one more as client application then make sure to either grant API permissions to client application from the identity provider app OR configure client app as allowed audience in identity provider.
- VM has reported a failure when processing extension AzureDiskEncryption
- How to pass secrets downloaded from Azure KeyVault as parameters to an Azure Function?
- Trigger / queue build policy pipeline on ADO PR with Azure CLI
- Azure AD B2C Password Reset
- Batch create mailbox folders with GRAPH API (from Graph Explorer)
- Azure Web App on Linux: "Error: Container didn't respond to HTTP pings on port: 8080" - when using: "start": "pm2 start server.js"
- How can I apply name=value tags to service principals in Azure?
- Visual Studio Code: Could not find $web blob container for storage account
- Error when registering data factory integration runtime on windows VM
- Retrieve list of repositories and their tag versions in one call
- Getting Error while running Azure DevOps Pipeline "Error: building account: could not acquire access token to parse claims: clientCredentialsToken
- Create Resource Group with Azure Management C# API
- Azure LDAP Authentication Connection Refused On Cloud Server or Other Desktops
- Create a gpu nodepool on azure with a student account
- How to set redirect URLs to b2clogin.com for Azure Active Directory B2C in React JS application
- Cannot connect to SQL Server from logic app
- How to Resolve Errors When Running Python Jobs in Azure App Service WebJobs
- How do I open Kudu console in Azure functions consumption plan?
- Azure AutoML Image Classification Job
- Onedrive GRAPH API - 403 when getting user's OneDrive
- Azure Government Get incidents returns 401 Forbidden
- Delta Table Partitioning - why only for tables bigger than 1 TB
- How to check if an Azure storage queue has messages
- Azure WAF exclusion, what's the difference between RequestArgNames and RequestArgValues?
- How to order results of a query by the results of an aggregate function in ComosDb?
- Azure routing between different subscriptions - force one, common outbound IP and share Site-to-site (IPSec) defined in Virtual network gateway
- Bot Framework Python SDK ErrorResponseException: Operation returned an invalid status code 'Unauthorized'
- Azure DevOps - Create a work item from incoming email
- Error: "OrganizationFromTenantGuidNotFound" (even with Microsoft 365 subscription)
- How do I fix SerializationNotSupportedParentType and ThrowNotSupportedException_ConstructorContainsNullParameterNames exception in System.Text.Json?