How to create Azure AD app using service principal credentials with Microsoft Graph API using GO SDK

Question

question

AkhleshVerma-4607 asked Dec 24, '21 AkhleshVerma-4607 commented Jan 11, '22

How to create Azure AD app using service principal credentials with Microsoft Graph API using GO SDK

I am getting 403 error with below code:
error i am getting
error": "graphrbac.ApplicationsClient#Create: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code=\"Unknown\" Message=\"Unknown service error\" Details=[{\"odata.error\":{\"code\":\"Authorization_RequestDenied\",\"date\":\"2021-12-23T11:41:23\",\"message\":{\"lang\":\"en\",\"value\":\"Insufficient privileges to complete the operation.\"},\"requestId\":\"f192ac37-8b05-4a81-a582-13f0f5ca3594\"}}]"

I am Initializing Appclient using below code and call Create() function to create app.

appClient := graphrbac.NewApplicationsClient(tenantID)
credConfig := auth.NewClientCredentialsConfig(clientID, clientSecret, tenantID)
//credConfig.Resource = azure.PublicCloud.ResourceIdentifiers.Graph
credConfig.Resource = "https://graph.microsoft.com"
authorizer, err := credConfig.Authorizer()
if err != nil {
return appClient, err
}
appClient.Authorizer = authorizer`

Also below are the API Permission from MS Graph API.

microsoft-graph-sdk azure-ad-app-registration microsoft-graph-applications

api-permission.png (205.1 KiB)

· 6

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

ZehuiYaoMSFT-7151 · Dec 27, 2021 at 02:33 AM

Hello, @AkhleshVerma-4607, 403 error usually represents a permission issue. As I don't know the specific permission you want to request, I recommend using the Graph Explorer or postman first to request API, in order to check if your account has the privilege to request API or use JWT to check if your access token contain the permission that your need.

0 ·

AkhleshVerma-4607 · Dec 27, 2021 at 12:17 PM

Thanks for the response @zehuiyaomsft-7151, Actually the 403 error is due to Windows AD Graph API call, you can see in code snippet that by default azure-sdk-for-go call Windows AD Graph API instead of Microsoft Graph API call, so i tried changing endpoint as you can see below :

appClient := graphrbac.NewApplicationsClient(tenantID)
credConfig := auth.NewClientCredentialsConfig(clientID, clientSecret, tenantID)
//credConfig.Resource = azure.PublicCloud.ResourceIdentifiers.Graph
credConfig.Resource = "https://graph.microsoft.com"
authorizer, err := credConfig.Authorizer()
if err != nil {
return appClient, err
}
appClient.Authorizer = authorizer`

where azure.PublicCloud.ResourceIdentifiers.Graph is endpoint for windows azure ad Graph API(i.e. "https://graph.microsoft.net") and "https://graph.microsoft.com" is for Microsoft Graph API, which is not working with current code present in https://github.com/Azure/azure-sdk-for-go/blob/main/services/graphrbac/1.6/graphrbac/applications.go#L121

I am referring code present in https://github.com/Azure-Samples/azure-sdk-for-go-samples/blob/master/graphrbac/graph.go#L25

0 ·

ZehuiYaoMSFT-7151 AkhleshVerma-4607 · Dec 28, 2021 at 02:28 AM

Hi, @AkhleshVerma-4607, thanks for your reply, and I wonder if the code is worked? So that we can continue to discuss this issue.

0 ·

AkhleshVerma-4607 · Dec 28, 2021 at 03:45 AM

Code is working but having 403 issue from the Create() function https://github.com/Azure/azure-sdk-for-go/blob/main/services/graphrbac/1.6/graphrbac/applications.go#L121

0 ·

ZehuiYaoMSFT-7151 AkhleshVerma-4607 · Dec 28, 2021 at 06:48 AM

Yeah I see, I suggest that it would be batter to decode your access token to make sure you can use Azure Ad Graph to acquire MS Graph permission.

0 ·

AkhleshVerma-4607 ZehuiYaoMSFT-7151 · Jan 03 at 07:51 AM

From where i can get access token for the api request ? do i need to enable some debug print ?
Please suggest as i am unaware about the access token for api.

0 ·

Answer 1 · 2021-12-29T15:38:50.217Z

sikumars answered Dec 29, '21

Hello @AkhleshVerma-4607,

Thanks for reaching out.

As per the request id and timestamp ("requestId":"f192ac37-8b05-4a81-a582-13f0f5ca3594" & date:"2021-12-23T11:41:23"), I see that the token was still created with the Azure AD Graph audience "https://graph.windows.net/" rather than the Microsoft Graph audience "https://graph.microsoft.com/", which results in the HttpStatusCode:403:Authorization RequestDenied error.

As a result, I'd like to request that you revisit and decode your code to ensure that the audience (aka resource) is set to Microsoft Graph: https://graph.microsoft.com/. Additionally, you may check the audience by decoding access token from https://jwt.ms.

Based on my research, I believe you should develop an AuthenticationProvider object as explained below articles which authenticate request to Microsoft Graph. See select a Microsoft Graph authentication provider for an example of how to obtain an authentication provider.

msgraph-sdk-go: https://github.com/microsoftgraph/msgraph-sdk-go
sdk-go-core: https://github.com/microsoftgraph/msgraph-sdk-go-core
msgraph-beta-sdk-go: https://github.com/microsoftgraph/msgraph-beta-sdk-go

Please "Accept the answer" if the information helped you. This will help us and others in the community as well.

image.png (9.8 KiB)

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 2 · 2021-12-30T06:32:42.957Z

AkhleshVerma-4607 answered Dec 30, '21 sikumars commented Dec 30, '21

Hi @sikumars-msft ,
I tried to create authorisation provider as per your suggestion from https://github.com/microsoftgraph/msgraph-sdk-go-core example, but getting error as it is not inherited autorest.Authorizer interface.

below is the code :

func getApplicationsClient(clientID, clientSecret, tenantID string) (graphrbac.ApplicationsClient, error) {

appClient := graphrbac.NewApplicationsClient(tenantID)
cred, err := azidentity.NewClientSecretCredential(
tenantID,
clientID,
clientSecret,
nil,
)
if err != nil {
log.Error(err, "Failed to get Secret Credential")
return appClient, err
}
auth, err := azureauth.NewAzureIdentityAuthenticationProvider(cred)
if err != nil {
log.Error(err, "Failed to get authentication provider")
return appClient, err
}
appClient.Authorizer = auth
appClient.AddToUserAgent("cloudcasa-agent")
return appClient, nil
}

It is giving me compilation error,
*microsoft_kiota_authentication_azure.AzureIdentityAuthenticationProvider does not implement autorest.Authorizer (missing WithAuthorization method)
../../amdslib/s3provider/provider/azure/azurebackupprovider.go:286:22: cannot use auth (type *microsoft_kiota_authentication_azure.AzureIdentityAuthenticationProvider) as type autorest.Authorizer in assignment:

Also there is nothing i found in microsoft Graph code which is using "autorest" package i.e.
" github.com/Azure/go-autorest/autorest"
" github.com/Azure/go-autorest/autorest/azure"

· 1

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

sikumars · Dec 30, 2021 at 09:50 AM

I'm assuming you're using the client credential flow provider to authenticate and obtain tokens for Microsoft Graph via the Go SDK; the sample below serves as a reference. I've added the tag 'microsoft-graph-sdk' to this thread in order to get assistance from the Graph SDK team. Additionally, please keep in mind that the Microsoft Graph SDK for Go is currently in preview. This SDK is not recommended for production use.

Here is similar thread for your reference: https://github.com/Azure/azure-sdk-for-go/issues/4265. Hope this helpful.

 import (
     "context"
    
     azidentity "github.com/Azure/azure-sdk-for-go/sdk/azidentity"
     a "github.com/microsoft/kiota/authentication/go/azure"
     msgraphsdk "github.com/microsoftgraph/msgraph-sdk-go"
 )
    
 cred, err := azidentity.NewClientSecretCredential(
     "TENANT_ID",
     "CLIENT_ID",
     "CLIENT_SECRET",
     nil,
 )
    
 auth, err := a.NewAzureIdentityAuthenticationProviderWithScopes(cred, []string{"User.Read"})
    
 adapter, err := msgraphsdk.NewGraphRequestAdapter(auth)
    
 client := msgraphsdk.NewGraphServiceClient(adapter)
    
 result, err := client.Me().Get(nil)

0 ·

Answer 3 · 2021-12-30T11:01:00.78Z

AkhleshVerma-4607 answered Dec 30, '21 ZehuiYaoMSFT-7151 commented Jan 4, '22

Hi,

I am trying to create Azure AD app using the code present on https://github.com/Azure-Samples/azure-sdk-for-go-samples/blob/b49c4162aa1d96bc2b1b42afecbf4a21b420e568/graphrbac/graph.go#L53 , but since the Windows Active directory Graph API are obsolete and we need to use Microsoft Graph API instead.

I am getting this 403 error. So my question is how we can create Azure AD app using https://github.com/Azure-Samples/azure-sdk-for-go-samples/blob/b49c4162aa1d96bc2b1b42afecbf4a21b420e568/graphrbac/graph.go#L53 this code by calling Microsoft Graph API from this code.

The code you mentioned above is same as i have posted in my previous comment, but as i said i am having compilation error with that and the reason is type *microsoft_kiota_authentication_azure.AzureIdentityAuthenticationProvider has not implemented autorest.Authorizer interface.

· 3

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

ZehuiYaoMSFT-7151 · Dec 31, 2021 at 09:40 AM

Hello, @AkhleshVerma-4607 , Could you please decode your access token in JWT and share your screenshot? As we can acquire many useful information from it, so that we can better find the cause of the 403 error.

0 ·

AkhleshVerma-4607 ZehuiYaoMSFT-7151 · Jan 03 at 07:51 AM

From where i can get access token for the api request ? do i need to enable some debug print ?
Please suggest as i am unaware about the access token for api.

0 ·

ZehuiYaoMSFT-7151 AkhleshVerma-4607 · Jan 04 at 01:48 AM

Hello @AkhleshVerma-4607 , you can use Postman to get access token.

0 ·

Answer 4 · 2022-01-04T04:23:45.69Z

AkhleshVerma-4607 answered Jan 4, '22 AkhleshVerma-4607 edited Jan 4, '22

Hi @zehuiyaomsft-7151,

Please find screenshot for the decoded access token:

graph-token.png (167.6 KiB)

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

Answer 5 · 2022-01-04T04:52:01.603Z

AkhleshVerma-4607 answered Jan 4, '22 AkhleshVerma-4607 commented Jan 11, '22

Just to update you that I can create app using postman with the help of Microsoft Graph API, but from my code i am getting 403 error, it seems that azure-sdk-for-go is still using windows Graph API.

Is there any way we can tweak it and use Microsoft Graph API ?
https://github.com/Azure-Samples/azure-sdk-for-go-samples/blob/master/graphrbac/graph.go#L53 I am basically pointing to this function.

· 7

5 |1600 characters needed characters left characters exceeded

Attachments: Up to 10 attachments (including images) can be used with a maximum of 3.0 MiB each and 30.0 MiB total.

ZehuiYaoMSFT-7151 · Jan 04 at 10:43 AM

Hi @AkhleshVerma-4607 , I need to discuss with my colleagues and I’ll reply you immediately if there are any updates.

0 ·

ZehuiYaoMSFT-7151 · Jan 05 at 02:56 AM

@AkhleshVerma-4607 , can you use your access token to request API in postman? Like this, if it succeeds, we can infer that the problem lies in the code. I just tested it locally with the same permissions as you, and it worked.

0 ·

image.png (33.6 KiB)

AkhleshVerma-4607 ZehuiYaoMSFT-7151 · Jan 05 at 03:37 AM

Hi @ZehuiYaoMSFT-7151,

I already did that, I can create application using postman, please see the attached image below:

0 ·

app-graph.png (163.8 KiB)

ZehuiYaoMSFT-7151 AkhleshVerma-4607 · Jan 05 at 10:28 AM

Hi @AkhleshVerma-4607, Can you provide the latest error message, including request Id and date, and then we can try to analyze the error from the background.

0 ·

Show more comments

question