https://login.microsoftonline.com/tenant_id/oauth2/v2.0/authorize?
client_id=aad_client_id
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=api://aad_client_id_which_exposed_api/permission_name
&state=12345
Then using the code in the url to generate access token. You can decode the access token and see it contains the scp
claim which value is the API permission you exposed and consented.
Finally you can call your API
=============================================
If the answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Best Regards,
TinyWang
Thanks guys. Im still getting different error with different apps i.e. if i run in a browser, Postman or via Visual Studio.
To start with i will go over the steps i took from an existing Active Directory subscription.
App Registration:
Application (client) id: ABC123
Object ID:
Directory (tenant) ID: DEF456
Supported Account Types: My organisation only
Client credentials: 0 certificate, 1 secret
Redirect URIs: 2 web (0 for rest)
Application ID URI: https://ourDomain.onmicrosoft.com/ABC123
Managed applicaton: Takes me to another page
Authentication:
I see Web with 2 URLs (might be for 2 different local PCs as both are local URLs)
Front-channel logout URL: localhost URL
Implicit grant and hybrid flows.
Access Tokens is the only one checked
Supported Accounts: Single Tenant
Enable mobile and desktop flows: No
Certificates and Secrets
One listed value is marked with ZZ******** with a secret which is 0987654321 (just for this purpose)
API Permissions
Microsoft Graph
My API listed with
Type: delegated,
Admin consent: Yes
Status: Granted for "directory name"
Expose an API
Application ID URI: https://ourDomain.onmicrosoft.com/ABC123 (seems to be the Client id from above)
Scopes
https://ourDomain.onmicrosoft.com/ABC123/NameOfScope
Who can consent: Admins only
State: Enabled
So i think thats how its set up at present.
When i converted this code replacing the values to mine
https://login.microsoftonline.com/tenant_id/oauth2/v2.0/authorize?
client_id=aad_client_id
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=api://aad_client_id_which_exposed_api/permission_name
&state=12345
I got the error
User account 'myname@ourdomain.com' from identity provider 'https://sts.windows.net/MMMUUU/' does not exist in tenant 'Some directory name' and cannot access the application 'ABC123'(NameOfAPI) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
At this stage I thought I may have done something wrong as I felt using a client key and secret was what my application would use or I provide to external companies to use my app?? In my Visual Studio project i have the same code but tweaked the Json file settings to below
"AzureAd": {
"Instance": "https://login.microsoftonline.com/",
"ClientId": "ABC123",
"TenantId": "DEF456",
"Scopes": "https://ourdoman.onmicrosoft.com/ABC123"
The above gives the exact same error as before.
I couldnt get the example working from Postman as i wasnt sure where to get all the token values (grant_type, assertion, requestedtoken_use)
Have i missed something? Or done something wrong?
Thanks
And I added API permission and consent admin consent.
The app I exposed API is the same as the one I added API permission, so I only have one Azure AD app here.
And using the request I mentioned to get auth code:
Using the copy the code value and generate access token:
POST: https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
Content-Type: application/x-www-form-urlencoded
client
id=azuread
app_id&scope=api://xxxx/tiny.read &code=OAAA... &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F &grant_type=authorization_code&client_secret=JqQX2PNo9bpM0uEihUPzyrh
And copy the access token to generate in jwt.io
to decode it and see if the token contained a scp claim which value is your exposed API value.
891Reputation points
May 1, 2023, 4:40 PM
Can you please double check your Application ID URI it should generally be something like api://<client-id> instead of https://ourdomain.onmicrosoft.com/ABC123 and also double check that you are using the right tenant ID.
@Boris Von Dahle I was thinking the same earlier, but when i go into App Registrations and then Expose an API when i click to Edit it automatically has the domain filled in and i dont have any choice to change it as far as i can tell. Unless i have to take different steps?
@Tiny Wang-MSFT I still dont know how you generated the "code" value? All of the rest of settings seem to be ok
Im going over the advice above to see if i can resolve
@Mr Edge Hi, using auth code flow requires us to generate a code
first, and we need to edit this request then copy and paste into the browser. Next it will ask you to enter user name and password, after sign in successfully, it will redirect to the URL you specified, and you can see the url now, it will contain the code. Sign in request is like this, you can also find it in my answer above.
https://login.microsoftonline.com/tenant_id/oauth2/v2.0/authorize? client_id=aad_client_id &response_type=code &redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F &response_mode=query &scope=api://aad_client_id_which_exposed_api/permission_name &state=12345
@Tiny Wang-MSFT Hi when i run the URL above (replacing it with my values) i am prompted to login. I login with an account and received the message "The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.".
I wanted to use client credentials to access the API and not an account?
Also i have removed all additional code i added originally (just in case this is making any difference)