Issue
I have tried two different APIs from different articles as shown below.
API 1
This API is working and the token is getting generated.
Then in the next part of the API I am using the generated token to fetch data:
But it is giving the following error, as shown in the screenshot also.
{
"error": {
"code": "AuthorizationFailed",
"message": "The client '**************' with object id '**************' does not have authorization to perform action 'Microsoft.Web/sites/read' over scope '/subscriptions/**************' or the scope is invalid. If access was recently granted, please refresh your credentials."
}
}
API 2
But with this API, even the token is not getting generated, and it gives the following error:
{
"error": "invalid_request",
"error_description": "AADSTS901002: The 'resource' request parameter is not supported. Trace ID: ************ Correlation ID: ************ Timestamp: 2023-12-28 07:17:52Z",
"error_codes": [
901002
],
"timestamp": "2023-12-28 07:17:52Z",
"trace_id": "************",
"correlation_id": "************"
}
I searched but couldn't find the solution. I want to fetch data from Azure Active Directory via REST API. But that doesn't seem to be working.
Solution
I created an Azure AD application and granted API permissions like below:
I generated access token using below parameters:
https://login.microsoftonline.com/TenantID/oauth2/token
client_id:ClientID
client_secret:ClientSecret
resource:https://management.azure.com
grant_type:client_credentials
Using the above generated access token, I tried to call the API and got the same error:
GET https://management.azure.com/subscriptions/xxxx/providers/Microsoft.Web/sites?api-version=2016-08-01
The error usually occurs if the Azure AD application doesn't have required permissions/roles to access the API.
To resolve the error, make sure to assign Reader
role to the Azure AD application like below:
Go to Azure Portal -> Subscriptions -> Select your subscription -> Access control (IAM) -> Add -> Add role assignment -> Select Reader -> Select members -> Review and assign
Now generate the token again and you will be able to call the API successfully:
As I do not have any sites in my environment, I am getting empty results.
To generate access token to call the Microsoft Graph API, pass https://graph.microsoft.com
as resource.
https://login.microsoftonline.com/TenantID/oauth2/token
client_id:ClientID
client_secret:ClientSecret
resource:https://graph.microsoft.com
grant_type:client_credentials
- As you are using the v1 endpoint to generate the access token, the resource must be https://management.azure.com and https://graph.microsoft.com respectively.
- If you use the v2 endpoint to generate the access token, then you must pass the scope as https://management.azure.com/.default and https://graph.microsoft.com/.default respectively.
Answered By - Rukmini Answer Checked By - Candace Johnson (WPSolving Volunteer)
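As an added example (not code from the question or the answer above), a small Python helper that builds the v1 and v2 client-credentials token requests with the right parameter name (`resource` vs `scope=<audience>/.default`), reads a token's `aud` claim so the caller can see whether it was minted for the API it is about to call, and maps the two error bodies from the question to the misconfiguration behind each. The tenant/client values, the sample token and the sample responses are constructed placeholders, not real credentials or captured traffic.

```python
import base64
import json
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"

def token_request(tenant_id, client_id, client_secret, audience, endpoint="v1"):
    """Build (url, form_body) for a client_credentials token request.
    v1 takes the bare audience as 'resource'; v2 takes '<audience>/.default' as 'scope'."""
    form = {"client_id": client_id, "client_secret": client_secret,
            "grant_type": "client_credentials"}
    if endpoint == "v1":
        url = f"{AUTHORITY}/{tenant_id}/oauth2/token"
        form["resource"] = audience
    elif endpoint == "v2":
        url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
        form["scope"] = audience.rstrip("/") + "/.default"
    else:
        raise ValueError("endpoint must be 'v1' or 'v2'")
    return url, urlencode(form)

def token_audience(access_token):
    """Read the 'aud' claim of a JWT payload. No signature check: the API verifies
    the token; this only lets the caller spot a token minted for the wrong API."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload)).get("aud")

def diagnose(response_body):
    """Map the two error bodies from the question to the misconfiguration behind them."""
    body = json.loads(response_body)
    err = body.get("error")
    if isinstance(err, dict) and err.get("code") == "AuthorizationFailed":
        return "missing RBAC role: assign Reader (or similar) on the subscription scope"
    if err == "invalid_request" and "AADSTS901002" in body.get("error_description", ""):
        return "wrong parameter for endpoint: 'resource' is v1-only, v2 wants scope=<audience>/.default"
    return "unrecognised error"

# Constructed samples (not a real token or real responses) mirroring the question's errors.
def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

SAMPLE_TOKEN = ".".join([_b64url({"alg": "RS256", "typ": "JWT"}),
                         _b64url({"aud": "https://management.azure.com", "appid": "constructed"}),
                         "constructed-signature"])
SAMPLE_RBAC_ERROR = json.dumps({"error": {"code": "AuthorizationFailed",
                                          "message": "The client does not have authorization..."}})
SAMPLE_V2_ERROR = json.dumps({"error": "invalid_request",
                              "error_description": "AADSTS901002: The 'resource' request parameter is not supported."})
```

Send the returned form body as `application/x-www-form-urlencoded` in a POST to the returned URL; the `aud` check is a local sanity check only and never replaces the resource server's own validation.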