I'm wondering whether it's possible to reuse an access token or ID token after logging in to Azure AD. My application asks for Azure AD credentials and I want to reuse those to push telemetry data to an Azure Monitor Data Collection Endpoint.
I can't imagine it's not possible, because both working authentications below authenticate to the same App Registration (App ID).
[Works] Requesting an access token for 'https://monitor.azure.com/' (interactive) and pushing logs to the Data Collection Endpoint, but this is where I want a silent login.
Add-Type -AssemblyName System.Web   # [System.Web.HttpUtility] is not loaded by default on Windows PowerShell 5.1
$appId          = "<application (client) ID GUID>"
$tenantId       = "<tenant ID GUID>"
$appSecret      = "<client secret>"
$DcrImmutableId = "<DCR immutable ID>"
$DceURI         = "<data collection endpoint logs ingestion URI>"
$Table          = "<custom table / stream name>"
$log_entry      = @()   # placeholder: one or more records matching the table schema
## Obtain a bearer token used to authenticate against the data collection endpoint
# Client-credentials flow: the resulting token has audience https://monitor.azure.com, which is what the DCE checks
$scope   = [System.Web.HttpUtility]::UrlEncode("https://monitor.azure.com/.default")
$secret  = [System.Web.HttpUtility]::UrlEncode($appSecret)   # secrets often contain characters that must be form-encoded
$body    = "client_id=$appId&scope=$scope&client_secret=$secret&grant_type=client_credentials"
$headers = @{ "Content-Type" = "application/x-www-form-urlencoded" }
$uri     = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$bearerToken = (Invoke-RestMethod -Uri $uri -Method "Post" -Body $body -Headers $headers).access_token
## Upload the records (the ingestion API expects a JSON array of records)
$body    = $log_entry | ConvertTo-Json
$headers = @{ "Authorization" = "Bearer $bearerToken"; "Content-Type" = "application/json" }
$uri     = "$DceURI/dataCollectionRules/$DcrImmutableId/streams/Custom-$Table" + "?api-version=2021-11-01-preview"
$uploadResponse = Invoke-RestMethod -Uri $uri -Method "Post" -Body $body -Headers $headers
[Works] Requesting a token using Get-MsalToken to connect to MgGraph (interactive). This is the token I want to re-use.
# Requires the MSAL.PS module (Install-Module MSAL.PS)
$appId    = "<application (client) ID GUID>"
$tenantId = "<tenant ID GUID>"
# Interactive (browser) sign-in; MSAL.PS caches the account and tokens it receives
Get-MsalToken -ClientId $appId -TenantId $tenantId -Scopes ".default" -Interactive
[Doesn't Work] Authenticate with scope "https://monitor.azure.com/.default"
$appId    = "<application (client) ID GUID>"
$tenantId = "<tenant ID GUID>"
# Same interactive flow, but asking for a token whose audience is the Azure Monitor ingestion API
Get-MsalToken -ClientId $appId -TenantId $tenantId -Scopes "https://monitor.azure.com/.default" -Interactive
[Doesn't Work] Using the AccessToken from the 'Get-MsalToken' command to upload the logs
$appId          = "<application (client) ID GUID>"
$tenantId       = "<tenant ID GUID>"
$DcrImmutableId = "<DCR immutable ID>"
$DceURI         = "<data collection endpoint logs ingestion URI>"
$Table          = "<custom table / stream name>"
$log_entry      = @()   # placeholder: one or more records matching the table schema
# Access token from the interactive sign-in above (scope ".default", not the monitor.azure.com scope)
$bearerToken = (Get-MsalToken -ClientId $appId -TenantId $tenantId -Scopes ".default" -Interactive).AccessToken
$body    = $log_entry | ConvertTo-Json
$headers = @{ "Authorization" = "Bearer $bearerToken"; "Content-Type" = "application/json" }
$uri     = "$DceURI/dataCollectionRules/$DcrImmutableId/streams/Custom-$Table" + "?api-version=2021-11-01-preview"
$uploadResponse = Invoke-RestMethod -Uri $uri -Method "Post" -Body $body -Headers $headers
[Doesn't Work] Using the IdToken from the 'Get-MsalToken' command to upload the logs
$appId          = "<application (client) ID GUID>"
$tenantId       = "<tenant ID GUID>"
$DcrImmutableId = "<DCR immutable ID>"
$DceURI         = "<data collection endpoint logs ingestion URI>"
$Table          = "<custom table / stream name>"
$log_entry      = @()   # placeholder: one or more records matching the table schema
# ID token from the interactive sign-in (an OpenID Connect token issued to the client application itself)
$bearerToken = (Get-MsalToken -ClientId $appId -TenantId $tenantId -Scopes ".default" -Interactive).IdToken
$body    = $log_entry | ConvertTo-Json
$headers = @{ "Authorization" = "Bearer $bearerToken"; "Content-Type" = "application/json" }
$uri     = "$DceURI/dataCollectionRules/$DcrImmutableId/streams/Custom-$Table" + "?api-version=2021-11-01-preview"
$uploadResponse = Invoke-RestMethod -Uri $uri -Method "Post" -Body $body -Headers $headers
I tried to reproduce the same in my environment and got the results like below:
As you are trying to reuse the token used for authenticating to the Azure AD application and use it for pushing telemetry data to an Azure Monitor Data Collection Endpoint, the access token must contain two scopes (Graph and Monitor) to achieve it.
I created an Azure AD application and granted API permissions like below:
Make sure to generate two tokens separately, one for authenticating to the application and the other for accessing Azure Monitor data.
To authenticate to the application, I am using the scope (ex: https://graph.microsoft.com) like below:
To push telemetry data to an Azure Monitor Data Collection Endpoint, I generated another token with the scope https://api.loganalytics.io like below:
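The reason the "[Doesn't Work]" variants in the question fail is the audience binding of a bearer token: every Azure AD access token carries an aud claim naming the one resource it was issued for, and the Logs Ingestion endpoint only accepts tokens whose audience is https://monitor.azure.com. A token obtained for Microsoft Graph, or the client's own ".default", has a different aud and is rejected even though the same app registration requested it; an ID token is issued to the client application and is not a resource credential at all. The following added example (written for this page, not code from the question, the answer or any Microsoft sample) builds two constructed, unsigned sample tokens, decodes their payloads and checks the audience the way the endpoint does. The last function shows the pattern that does give a silent second token: after one interactive sign-in, MSAL.PS holds a refresh token in its cache and Get-MsalToken -Silent can redeem it for a token with the monitor.azure.com audience. That function needs the MSAL.PS module and network access, so it is defined but not called; the assumption that -Silent picks the single cached account is labelled in the code.

```powershell
# Added example: inspect the 'aud' claim of an access token and check it against the
# resource you are about to call. Sample tokens below are CONSTRUCTED and unsigned
# ("alg":"none") so the script runs offline; never accept such a token in real code.

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Value)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Value)
    $s = $Value.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) { 2 { $s += '==' } 3 { $s += '=' } }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function Get-JwtPayload {
    # Decodes the middle segment of a JWT WITHOUT validating the signature.
    # Use it for inspection only; the resource server is what validates the token.
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a JWT: expected 3 segments, got $($parts.Count)" }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Test-TokenAudience {
    # $true when the token is unexpired and its 'aud' claim names one of the accepted resources.
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string[]]$AcceptedAudiences
    )
    $claims = Get-JwtPayload -Token $Token
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    if ($claims.exp -and [int64]$claims.exp -le $now) { return $false }
    foreach ($aud in @($claims.aud)) {          # 'aud' may be a string or an array
        if ($AcceptedAudiences -contains $aud.TrimEnd('/')) { return $true }
    }
    return $false
}

function New-SampleJwt {
    # Builds an UNSIGNED sample token so the audience check can be demonstrated offline.
    param([Parameter(Mandatory)][hashtable]$Claims)
    $header  = ConvertTo-Base64Url -Value '{"alg":"none","typ":"JWT"}'
    $payload = ConvertTo-Base64Url -Value ($Claims | ConvertTo-Json -Compress)
    '{0}.{1}.' -f $header, $payload
}

function Get-MonitorTokenFromCachedSignIn {
    # After one interactive Get-MsalToken for this ClientId, MSAL.PS caches a refresh token;
    # -Silent redeems it for an access token with the ingestion audience and shows no prompt.
    # Assumption: exactly one account is cached, so -Silent needs no -LoginHint.
    # Requires the MSAL.PS module and network access, so this is defined but not called here.
    param([Parameter(Mandatory)][string]$ClientId, [Parameter(Mandatory)][string]$TenantId)
    (Get-MsalToken -ClientId $ClientId -TenantId $TenantId -Scopes 'https://monitor.azure.com/.default' -Silent).AccessToken
}

# Constructed samples: what a Graph-audience token and an ingestion-audience token look like
$exp          = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
$graphToken   = New-SampleJwt -Claims @{ aud = 'https://graph.microsoft.com'; scp = 'User.Read'; exp = $exp }
$monitorToken = New-SampleJwt -Claims @{ aud = 'https://monitor.azure.com'; exp = $exp }
$expiredToken = New-SampleJwt -Claims @{ aud = 'https://monitor.azure.com'; exp = ($exp - 7200) }

$dceAudience = @('https://monitor.azure.com')
"Graph-audience token accepted by the DCE:   $(Test-TokenAudience -Token $graphToken   -AcceptedAudiences $dceAudience)"
"Monitor-audience token accepted by the DCE: $(Test-TokenAudience -Token $monitorToken -AcceptedAudiences $dceAudience)"
"Expired monitor token accepted by the DCE:  $(Test-TokenAudience -Token $expiredToken -AcceptedAudiences $dceAudience)"
"aud claim of the Graph token: $((Get-JwtPayload -Token $graphToken).aud)"
```

Two caveats when switching from the client-credentials call in the question to a token obtained on behalf of the signed-in user: the principal changes, so the Monitoring Metrics Publisher role on the data collection rule must be assigned to whoever's token is presented (the user, not only the app registration), and the app must be registered as a public client for the interactive and silent flows to be allowed. Also keep the decode-only helper above out of any trust decision; the ingestion endpoint validates the signature, and a client should only ever use payload decoding to pick the right cached token.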