question

NickDowmon-0537 asked sikumars commented

How can I authorize an App Registration to access the unsupported https://main.iam.ad.ext.azure.com/ APIs?

I am trying to hit the (unsupported) https://main.iam.ad.ext.azure.com/api/Directories/Properties endpoint. I would like to authenticate an Application that I have created under App registrations.

My Application has the following API Permissions:

[screenshot: 85320-screen-shot-2021-04-07-at-115032-am.png]

I have created an access token by sending a POST request to https://login.microsoftonline.com/{tenantId}/oauth2/token?api-version=1.0, with the following body:

grant_type=client_credentials
client_secret={clientSecret}
client_id={clientId}
resource=https://main.iam.ad.ext.azure.com/


Using this access token, the https://main.iam.ad.ext.azure.com/api/Directories/Properties endpoint responds with 401 - Unauthorized: Access is denied due to invalid credentials.

What API Permissions & token request do I need to make in order to authorize this service principal to fetch resources from this endpoint?

azure-ad-app-registration


Hi @NickDowmon-0537,
Just checking in to see if the answer below helped. If this answers your query, please don't forget to click "Accept the answer" and up-vote it, which might be beneficial to other community members reading this thread. And if you have any further query, do let us know.
Thanks,


1 Answer

sikumars answered

Hello @NickDowmon-0537,

Thanks for reaching out.


This API endpoint, "https://main.iam.ad.ext.azure.com/", is meant for handling requests originating from "https://portal.azure.com". In addition, you won't be able to delegate any API permission for an application related to this API, as it is hidden for the tenant.

Therefore, 401 - Unauthorized: Access denied is the expected message, since the application doesn't have access to the API.

Similar ask from the Tech Community forum

With that said, the Microsoft Graph API is the recommended and supported way to programmatically manage, administer and automate the Azure AD directory.

For more details, read:

Working with Azure Active Directory resources in Microsoft Graph: https://docs.microsoft.com/en-us/graph/api/resources/azure-ad-overview?view=graph-rest-1.0

Beta: https://docs.microsoft.com/en-us/graph/api/resources/azure-ad-overview?view=graph-rest-beta

Hope this helps.


Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
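As an added example (not code from the question or the answer), the following shows the supported route the answer recommends: a client-credentials token request against the v2.0 endpoint with the Microsoft Graph ".default" scope, followed by a call to Graph's /v1.0/organization endpoint, which returns the tenant's directory properties. The transport is injectable so the flow can be exercised offline with a constructed fake; the tenant id, client id, secret, token value and organization record used in the fake are all constructed placeholders. The real Graph call needs an application permission such as Organization.Read.All or Directory.Read.All with admin consent, and the code distinguishes the 401 (token not accepted for this audience) from the 403 (permission not granted) so the failure is diagnosable.

```python
"""Client-credentials flow to Microsoft Graph /organization (added example)."""
import json
import urllib.error
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com"


def token_request(tenant_id, client_id, client_secret):
    """Build (url, form body) for a client-credentials grant on the v2.0 endpoint.
    '.default' asks for every application permission already consented on the app."""
    url = f"{AUTHORITY}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{GRAPH}/.default",
    }).encode()
    return url, body


def graph_request(access_token):
    """Build (url, headers) for the supported directory-properties call."""
    url = f"{GRAPH}/v1.0/organization"
    headers = {"Authorization": f"Bearer {access_token}", "Accept": "application/json"}
    return url, headers


def default_transport(url, body=None, headers=None):
    """Real HTTP transport: returns (status, parsed JSON), also on HTTP errors."""
    req = urllib.request.Request(url, data=body, headers=headers or {},
                                 method="POST" if body else "GET")
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


def fetch_organization(tenant_id, client_id, client_secret, transport=default_transport):
    """Acquire a token and list (id, displayName) of the tenant's organization objects."""
    url, body = token_request(tenant_id, client_id, client_secret)
    status, tok = transport(url, body=body,
                            headers={"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200 or "access_token" not in tok:
        raise RuntimeError(f"token request failed: {status} {tok.get('error')}: "
                           f"{tok.get('error_description')}")
    url, headers = graph_request(tok["access_token"])
    status, data = transport(url, headers=headers)
    if status == 401:
        raise PermissionError("401: token not accepted; check the scope/audience of the token")
    if status == 403:
        raise PermissionError("403: application permission (e.g. Organization.Read.All) "
                              "missing or not admin-consented")
    if status != 200:
        raise RuntimeError(f"graph call failed with status {status}")
    return [(o.get("id"), o.get("displayName")) for o in data.get("value", [])]


def fake_transport(granted=True):
    """Constructed stand-in for the network so the flow runs offline (not real Graph)."""
    def transport(url, body=None, headers=None):
        if url.endswith("/oauth2/v2.0/token"):
            fields = urllib.parse.parse_qs(body.decode())
            if fields.get("scope") != [f"{GRAPH}/.default"]:
                return 400, {"error": "invalid_scope", "error_description": "constructed"}
            return 200, {"token_type": "Bearer", "access_token": "constructed-token"}
        if url == f"{GRAPH}/v1.0/organization":
            if (headers or {}).get("Authorization") != "Bearer constructed-token":
                return 401, {}
            if not granted:
                return 403, {"error": {"code": "Authorization_RequestDenied"}}
            return 200, {"value": [{"id": "00000000-0000-0000-0000-000000000000",
                                    "displayName": "Contoso (constructed)"}]}
        return 404, {}
    return transport


if __name__ == "__main__":
    # Offline demonstration with constructed placeholder credentials.
    print(fetch_organization("tenant-id", "client-id", "client-secret",
                             transport=fake_transport()))
```

To run it against a real tenant, call fetch_organization with the tenant id, the app registration's client id and its secret and leave the default transport in place; the v1.0 token endpoint from the question works equivalently if "resource=https://graph.microsoft.com/" is sent instead of the scope parameter.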

