How to create Azure AD app using service principal credentials with Microsoft Graph API using GO SDK

Akhlesh, Verma 1 Reputation point
2021-12-24T09:22:36.213+00:00

I am getting a 403 error with the code below:
Error I am getting:
"error": "graphrbac.ApplicationsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code=\"Unknown\" Message=\"Unknown service error\" Details=[{\"odata.error\":{\"code\":\"Authorization_RequestDenied\",\"date\":\"2021-12-23T11:41:23\",\"message\":{\"lang\":\"en\",\"value\":\"Insufficient privileges to complete the operation.\"},\"requestId\":\"f192ac37-8b05-4a81-a582-13f0f5ca3594\"}}]"

I am initializing the AppClient using the code below and calling the Create() function to create the app.

import (
    "github.com/Azure/azure-sdk-for-go/services/graphrbac/1.6/graphrbac"
    "github.com/Azure/go-autorest/autorest/azure/auth"
)

func getApplicationsClient(clientID, clientSecret, tenantID string) (graphrbac.ApplicationsClient, error) {
    appClient := graphrbac.NewApplicationsClient(tenantID)
    credConfig := auth.NewClientCredentialsConfig(clientID, clientSecret, tenantID)
    //credConfig.Resource = azure.PublicCloud.ResourceIdentifiers.Graph
    credConfig.Resource = "https://graph.microsoft.com"
    authorizer, err := credConfig.Authorizer()
    if err != nil {
        return appClient, err
    }
    appClient.Authorizer = authorizer
    return appClient, nil
}

Also, below are the API permissions for the Microsoft Graph API.
160285-api-permission.png


5 answers

  1. Siva-kumar-selvaraj 15,551 Reputation points
    2021-12-29T15:38:50.217+00:00

    Hello @Akhlesh, Verma ,

    Thanks for reaching out.

    As per the request id and timestamp ("requestId":"f192ac37-8b05-4a81-a582-13f0f5ca3594" & date:"2021-12-23T11:41:23"), I see that the token was still created with the Azure AD Graph audience "https://graph.windows.net/" rather than the Microsoft Graph audience "https://graph.microsoft.com/", which results in the HttpStatusCode:403:Authorization RequestDenied error.

    161186-image.png

    As a result, I'd like to request that you revisit and decode your code to ensure that the audience (aka resource) is set to Microsoft Graph: https://graph.microsoft.com/. Additionally, you may check the audience by decoding access token from https://jwt.ms.

    Based on my research, I believe you should develop an AuthenticationProvider object as explained in the articles below, which authenticates requests to Microsoft Graph. See "select a Microsoft Graph authentication provider" for an example of how to obtain an authentication provider.

    msgraph-sdk-go: https://github.com/microsoftgraph/msgraph-sdk-go
    sdk-go-core: https://github.com/microsoftgraph/msgraph-sdk-go-core
    msgraph-beta-sdk-go: https://github.com/microsoftgraph/msgraph-beta-sdk-go

    -----
    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

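    The answer above hinges on one check: the "aud" claim of the access token must name Microsoft Graph, not Azure AD Graph. The following is an added example, not code from the question, the answer or any Microsoft SDK, that performs that check locally the way jwt.ms does in the browser: it splits the compact JWT, base64url-decodes the payload and compares "aud" against the expected audience. Assumptions: the token is inspected without signature verification (you minted it yourself a moment ago), the well-known application IDs 00000003-0000-0000-c000-000000000000 (Microsoft Graph) and 00000002-0000-0000-c000-000000000000 (Azure AD Graph) are accepted as the v2.0-endpoint spelling of the same audiences, and the token in main() is constructed for the demo.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Audiences Azure AD puts in the "aud" claim for the two Graph APIs.
// v1.0 tokens carry the resource URI; v2.0 tokens carry the service's
// well-known application ID instead, so both spellings are accepted.
var audienceAliases = map[string][]string{
	"https://graph.microsoft.com": {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"},
	"https://graph.windows.net":   {"https://graph.windows.net", "00000002-0000-0000-c000-000000000000"},
}

const MicrosoftGraphAudience = "https://graph.microsoft.com"

// TokenAudiences returns the "aud" claim of a compact JWT. The signature is
// deliberately NOT checked: this inspects a token you just obtained yourself
// (what jwt.ms does); never use it to decide whether to trust a token you received.
func TokenAudiences(rawJWT string) ([]string, error) {
	parts := strings.Split(rawJWT, ".")
	if len(parts) != 3 {
		return nil, errors.New("not a compact JWS: expected header.payload.signature")
	}
	payload, err := base64.RawURLEncoding.DecodeString(strings.TrimRight(parts[1], "="))
	if err != nil {
		return nil, fmt.Errorf("decode payload: %w", err)
	}
	var claims struct {
		Aud json.RawMessage `json:"aud"`
	}
	if err := json.Unmarshal(payload, &claims); err != nil {
		return nil, fmt.Errorf("parse claims: %w", err)
	}
	// RFC 7519 allows "aud" to be a single string or an array of strings.
	var one string
	if json.Unmarshal(claims.Aud, &one) == nil {
		return []string{one}, nil
	}
	var many []string
	if err := json.Unmarshal(claims.Aud, &many); err != nil || len(many) == 0 {
		return nil, errors.New("aud claim missing or malformed")
	}
	return many, nil
}

// HasAudience reports whether the token was issued for the API named by want,
// comparing case-insensitively and ignoring a trailing slash (the page shows the
// Microsoft Graph audience written both with and without one).
func HasAudience(rawJWT, want string) (bool, error) {
	auds, err := TokenAudiences(rawJWT)
	if err != nil {
		return false, err
	}
	norm := func(s string) string { return strings.ToLower(strings.TrimSuffix(s, "/")) }
	accepted := audienceAliases[norm(want)]
	if accepted == nil {
		accepted = []string{want}
	}
	for _, a := range auds {
		for _, ok := range accepted {
			if norm(a) == norm(ok) {
				return true, nil
			}
		}
	}
	return false, nil
}

// makeUnsignedJWT builds a constructed token for the demo; the signature part is filler.
func makeUnsignedJWT(claims map[string]interface{}) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "none", "typ": "JWT"})
	body, _ := json.Marshal(claims)
	enc := base64.RawURLEncoding.EncodeToString
	return enc(hdr) + "." + enc(body) + "." + enc([]byte("filler"))
}

func main() {
	// Constructed token carrying the Azure AD Graph audience, the situation behind the 403 above.
	tok := makeUnsignedJWT(map[string]interface{}{"aud": "https://graph.windows.net/"})
	ok, err := HasAudience(tok, MicrosoftGraphAudience)
	fmt.Println("issued for Microsoft Graph:", ok, err)
}
```

    Run HasAudience on the token your credential returns before the first Graph call; a false result means the request will be rejected with Authorization_RequestDenied no matter which API permissions the app has been granted.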

  2. Akhlesh, Verma 1 Reputation point
    2021-12-30T06:32:42.957+00:00

    Hi @sikumars-msft,
    I tried to create an authorisation provider as per your suggestion from the https://github.com/microsoftgraph/msgraph-sdk-go-core example, but I am getting an error, as it does not implement the autorest.Authorizer interface.

    Below is the code:

    func getApplicationsClient(clientID, clientSecret, tenantID string) (graphrbac.ApplicationsClient, error) {
        appClient := graphrbac.NewApplicationsClient(tenantID)
        cred, err := azidentity.NewClientSecretCredential(
            tenantID,
            clientID,
            clientSecret,
            nil,
        )
        if err != nil {
            log.Error(err, "Failed to get Secret Credential")
            return appClient, err
        }
        auth, err := azureauth.NewAzureIdentityAuthenticationProvider(cred)
        if err != nil {
            log.Error(err, "Failed to get authentication provider")
            return appClient, err
        }
        // This assignment is what fails to compile: the Kiota provider is not an autorest.Authorizer.
        appClient.Authorizer = auth
        appClient.AddToUserAgent("cloudcasa-agent")
        return appClient, nil
    }

    It is giving me a compilation error:
    *microsoft_kiota_authentication_azure.AzureIdentityAuthenticationProvider does not implement autorest.Authorizer (missing WithAuthorization method)
    ../../amdslib/s3provider/provider/azure/azurebackupprovider.go:286:22: cannot use auth (type *microsoft_kiota_authentication_azure.AzureIdentityAuthenticationProvider) as type autorest.Authorizer in assignment:

    Also, there is nothing I found in the Microsoft Graph code which uses the "autorest" package, i.e.
    "github.com/Azure/go-autorest/autorest"
    "github.com/Azure/go-autorest/autorest/azure"


  3. Akhlesh, Verma 1 Reputation point
    2021-12-30T11:01:00.78+00:00

    Hi,

    I am trying to create an Azure AD app using the code present at https://github.com/Azure-Samples/azure-sdk-for-go-samples/blob/b49c4162aa1d96bc2b1b42afecbf4a21b420e568/graphrbac/graph.go#L53, but since the Windows Active Directory Graph API is obsolete, we need to use the Microsoft Graph API instead.

    I am getting this 403 error. So my question is how we can create an Azure AD app using this code (https://github.com/Azure-Samples/azure-sdk-for-go-samples/blob/b49c4162aa1d96bc2b1b42afecbf4a21b420e568/graphrbac/graph.go#L53) by calling the Microsoft Graph API from it.

    The code you mentioned above is the same as I posted in my previous comment, but as I said, I am having a compilation error with that, and the reason is that the type *microsoft_kiota_authentication_azure.AzureIdentityAuthenticationProvider does not implement the autorest.Authorizer interface.


  4. Akhlesh, Verma 1 Reputation point
    2022-01-04T04:23:45.69+00:00

    Hi @Zehui Yao_MSFT ,

    Please find screenshot for the decoded access token:
    162124-graph-token.png


  5. Akhlesh, Verma 1 Reputation point
    2022-01-04T04:52:01.603+00:00

    Just to update you that I can create an app using Postman with the help of the Microsoft Graph API, but from my code I am getting a 403 error; it seems that azure-sdk-for-go is still using the Windows Graph API.

    Is there any way we can tweak it and use the Microsoft Graph API?
    https://github.com/Azure-Samples/azure-sdk-for-go-samples/blob/master/graphrbac/graph.go#L53 I am basically pointing to this function.
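    The graphrbac client in that sample is bound to Azure AD Graph and cannot be re-pointed; what Postman did successfully is an ordinary REST call, POST https://graph.microsoft.com/v1.0/applications with a bearer token, which needs the Application.ReadWrite.OwnedBy or Application.ReadWrite.All application permission with admin consent. The block below is an added example, not code from the question, the sample repository or any Microsoft SDK, that makes that call with net/http and maps Graph's error envelope (the Authorization_RequestDenied seen above) to a typed error. Assumptions: the bearer token was obtained separately for the scope https://graph.microsoft.com/.default (for example with azidentity.ClientSecretCredential), BaseURL is injectable so that a constructed in-process fake of Graph can stand in for the real endpoint offline, and the IDs the fake returns are placeholders.

```go
package main

import (
	"bytes"
	"context"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Application holds the fields of the created application object we care about.
type Application struct {
	ID          string `json:"id"`
	AppID       string `json:"appId"`
	DisplayName string `json:"displayName"`
}

// GraphError carries the error envelope Microsoft Graph returns, e.g.
// {"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges..."}}.
type GraphError struct {
	Status  int
	Code    string
	Message string
}

func (e *GraphError) Error() string {
	return fmt.Sprintf("graph: HTTP %d %s: %s", e.Status, e.Code, e.Message)
}

type graphErrorEnvelope struct {
	Error struct {
		Code    string `json:"code"`
		Message string `json:"message"`
	} `json:"error"`
}

// AppCreator calls Microsoft Graph directly. Token is a bearer token minted for the
// "https://graph.microsoft.com/.default" scope; BaseURL is "https://graph.microsoft.com"
// in production and a test server here.
type AppCreator struct {
	Client  *http.Client
	BaseURL string
	Token   string
}

// CreateApplication POSTs /v1.0/applications. A token for the wrong audience, or one
// lacking Application.ReadWrite.OwnedBy / Application.ReadWrite.All, comes back as 403.
func (c *AppCreator) CreateApplication(ctx context.Context, displayName string) (*Application, error) {
	body, err := json.Marshal(map[string]string{
		"displayName":    displayName,
		"signInAudience": "AzureADMyOrg", // single-tenant by default; widen only if required
	})
	if err != nil {
		return nil, err
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodPost,
		strings.TrimSuffix(c.BaseURL, "/")+"/v1.0/applications", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	req.Header.Set("Authorization", "Bearer "+c.Token)
	req.Header.Set("Content-Type", "application/json")
	resp, err := c.Client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	raw, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20)) // bound the body we buffer
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusCreated {
		var env graphErrorEnvelope
		_ = json.Unmarshal(raw, &env) // best effort: a non-JSON body leaves Code empty
		return nil, &GraphError{Status: resp.StatusCode, Code: env.Error.Code, Message: env.Error.Message}
	}
	var app Application
	if err := json.Unmarshal(raw, &app); err != nil {
		return nil, fmt.Errorf("decode application: %w", err)
	}
	return &app, nil
}

// NewFakeGraph is a constructed stand-in for Microsoft Graph so the client runs offline.
// It accepts the bearer token "good" and answers anything else with the same 403 envelope
// the real service sent in the question above.
func NewFakeGraph() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Method != http.MethodPost || r.URL.Path != "/v1.0/applications" {
			http.NotFound(w, r)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		if r.Header.Get("Authorization") != "Bearer good" {
			w.WriteHeader(http.StatusForbidden)
			io.WriteString(w, `{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation."}}`)
			return
		}
		var in struct {
			DisplayName string `json:"displayName"`
		}
		_ = json.NewDecoder(r.Body).Decode(&in)
		w.WriteHeader(http.StatusCreated)
		_ = json.NewEncoder(w).Encode(Application{ // placeholder IDs, constructed for the demo
			ID:          "00000000-0000-0000-0000-000000000001",
			AppID:       "00000000-0000-0000-0000-000000000002",
			DisplayName: in.DisplayName,
		})
	}))
}

func main() {
	srv := NewFakeGraph()
	defer srv.Close()
	c := &AppCreator{Client: srv.Client(), BaseURL: srv.URL, Token: "good"}
	app, err := c.CreateApplication(context.Background(), "cloudcasa-agent")
	fmt.Println(app, err)
}
```

    Against the real service, replace srv.URL with https://graph.microsoft.com and Token with the access token from your credential; keep the created application's appId and id, since the follow-up calls (adding credentials, creating the service principal) address the object by those values.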