Can't create service principals (use Graph API) through Java SDK

Samuel Santos 26 Reputation points
2021-10-14T17:39:15.373+00:00

Hello,

I am having trouble using the Graph API through the Java SDK in my Java application.

I have an Azure Active Directory Application (created through the App Registrations section in the portal), and I am authenticating my requests with its client ID and tenant ID, and a secret key.
I believe the problem is not on the client side authentication because I have been using the SDK to make other types of requests with no issues for a long time.

Right now, I am trying to create and manage Service Principals through the SDK but all the requests return forbidden errors.

Code that I'm running:

import com.microsoft.azure.AzureEnvironment;
import com.microsoft.azure.credentials.ApplicationTokenCredentials;
import com.microsoft.azure.credentials.AzureTokenCredentials;
import com.microsoft.azure.management.Azure;
import com.microsoft.azure.management.graphrbac.ServicePrincipal;
import com.microsoft.rest.LogLevel;

// Client-credentials (app-only) authentication with the app registration's
// client ID, tenant ID and client secret
AzureTokenCredentials credentials = new ApplicationTokenCredentials(clientId, tenantId, secretKey, AzureEnvironment.AZURE);

Azure azure = Azure.configure()
        .withLogLevel(LogLevel.BODY)   // log full request and response bodies
        .authenticate(credentials)
        .withSubscription(subscriptionId);

// Create a new application and a service principal for it
ServicePrincipal sp = azure.accessManagement()
        .servicePrincipals()
        .define("testserviceprincipal")
        .withNewApplication("https://***********/")
        .create();

Response:

Method threw 'com.microsoft.azure.management.graphrbac.GraphErrorException' exception.  
Status code 403, {  
	"odata.error":{  
		"code":"Authorization_RequestDenied",  
		"message":{  
			"lang":"en",  
			"value":"Insufficient privileges to complete the operation."  
		},  
		"requestId":"42011287-9d20-4128-b6a2-3b07497427ff",  
		"date":"2021-10-14T17:07:35"  
	}  
}  

I found this topic and gave a lot of different permissions to my AD App (screenshot below), but the 403 errors remained.

(attached screenshot: 140598-image.png)

Am I missing something?
Thanks in advance!

Microsoft Entra ID

Accepted answer
  1. Siva-kumar-selvaraj 15,546 Reputation points
    2021-10-19T17:01:38.767+00:00

    Hello @Samuel Santos ,

    Thanks for reaching out.

    It seems the acquired token was issued with the audience "Azure Active Directory Graph" (https://graph.windows.net), but the API permissions you configured above are part of "Microsoft Graph" (https://graph.microsoft.com/), not "Azure Active Directory Graph"; hence the HTTP 403 Authorization_RequestDenied is expected.

    You can decode and verify the AAD access_token at https://jwt.ms; for a working scenario you should see something like the following when you decode the token:

    (attached screenshot: 141824-image.png)

    To fix the issue, either assign the "Azure Active Directory Graph" API permission to the App, or use https://graph.microsoft.com/ as the tokenAudience in your code, as explained here.

    Note: Azure Active Directory Graph will be deprecated in June 2022. We recommend using Microsoft Graph APIs for your application.

    Therefore, when you use an Azure SDK that is built on the MSAL library instead of the ADAL library for the client to get a token to call Microsoft Graph, the above API permissions should work.

    ADAL example for Azure SDK module: https://learn.microsoft.com/en-us/javascript/api/overview/azure/activedirectory?view=azure-node-latest#client-package
    ServicePrincipal interface : https://learn.microsoft.com/en-us/javascript/api/@azure/graph/serviceprincipal?view=azure-node-latest

    Hope this helps.

    ------
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
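The accepted answer's diagnosis comes down to two claims in the access token: `aud` (which API the token is for) and `roles` (which app-only permissions were granted and consented). The script below is an added example, not code from the thread or from Microsoft; it performs the same inspection as pasting the token into https://jwt.ms, offline and without verifying the signature, and flags the mismatch the answer describes. It assumes the well-known application IDs of Microsoft Graph (00000003-0000-0000-c000-000000000000) and Azure AD Graph (00000002-0000-0000-c000-000000000000), and that POST /servicePrincipals on Microsoft Graph needs the app permission Application.ReadWrite.All or Application.ReadWrite.OwnedBy; the tokens it decodes are constructed sample data.

```python
"""Decode an Entra ID / Azure AD access token (no signature check, like jwt.ms)
and explain why Microsoft Graph would answer 403 Authorization_RequestDenied."""
import base64
import json

# Audience values for the two APIs: the URL forms quoted in the thread plus the
# well-known application IDs (assumed here, not stated in the thread).
MS_GRAPH_AUDIENCES = {"https://graph.microsoft.com", "https://graph.microsoft.com/",
                      "00000003-0000-0000-c000-000000000000"}
AAD_GRAPH_AUDIENCES = {"https://graph.windows.net", "https://graph.windows.net/",
                       "00000002-0000-0000-c000-000000000000"}

# App-only (client credentials) permissions that allow POST /servicePrincipals on
# Microsoft Graph. Assumption taken from the Graph permission reference.
SP_CREATE_ROLES = {"Application.ReadWrite.All", "Application.ReadWrite.OwnedBy"}


def _b64url_decode(segment: str) -> bytes:
    """base64url as used in JWS: no padding on the wire, so restore it."""
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT.
    The signature is NOT verified: this is a diagnostic, never an authorization decision."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected 3 dot-separated parts)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose(token: str, required_roles=SP_CREATE_ROLES) -> dict:
    """Report audience and app-role problems that would produce a 403 on Graph."""
    claims = decode_claims(token)
    aud = claims.get("aud", "")
    roles = set(claims.get("roles", []))
    result = {"aud": aud, "roles": sorted(roles), "problems": []}
    if aud in AAD_GRAPH_AUDIENCES:
        result["problems"].append(
            "token audience is Azure AD Graph (graph.windows.net); Microsoft Graph "
            "permissions on the app registration do not apply to it")
    elif aud not in MS_GRAPH_AUDIENCES:
        result["problems"].append(f"unexpected audience {aud!r}")
    if not roles & required_roles:
        result["problems"].append(
            "no app role that allows creating service principals "
            f"(need one of {sorted(required_roles)}); check admin consent")
    result["ok"] = not result["problems"]
    return result


def _fake_token(payload: dict) -> str:
    """Build an unsigned JWT-shaped string for offline demonstration.
    Constructed sample data; real tokens are signed by the identity service."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{seg({'alg': 'none', 'typ': 'JWT'})}.{seg(payload)}.sig"


# Constructed tokens reproducing the thread's situation:
# 1) legacy SDK / ADAL asked for an Azure AD Graph token -> 403 on Microsoft Graph
LEGACY_TOKEN = _fake_token({"aud": "https://graph.windows.net", "tid": "tenant",
                            "appid": "app", "roles": ["Application.ReadWrite.All"]})
# 2) token issued for Microsoft Graph with a suitable app role
GOOD_TOKEN = _fake_token({"aud": "https://graph.microsoft.com", "tid": "tenant",
                          "appid": "app", "roles": ["Application.ReadWrite.All"]})
# 3) right audience, but only a read permission was granted
READONLY_TOKEN = _fake_token({"aud": "00000003-0000-0000-c000-000000000000",
                              "roles": ["Directory.Read.All"]})

if __name__ == "__main__":
    for name, tok in [("legacy", LEGACY_TOKEN), ("good", GOOD_TOKEN), ("readonly", READONLY_TOKEN)]:
        print(name, json.dumps(diagnose(tok), indent=2))
```

Run it against a real token by replacing the constructed ones with the value the SDK sends in the Authorization header (LogLevel.BODY in the question's code logs it). A wrong `aud` means the token request, not the app registration, is the thing to fix; a right `aud` with an empty or insufficient `roles` claim points at missing admin consent.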


1 additional answer

  1. Shweta Choudhary 601 Reputation points Microsoft Employee
    2021-10-19T15:23:46.787+00:00

    Thank you for reaching out.

    The error you are getting indicates that the token you are using does not have enough privileges. Check the token you have generated to ensure it has the necessary scopes to create service principals.
    Follow the documentation here to see how to generate tokens.
