Skip to content

Azure MSI, AD B2C and Graph API access #123

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
arek-avanade opened this issue Mar 6, 2020 · 2 comments
Closed

Azure MSI, AD B2C and Graph API access #123

arek-avanade opened this issue Mar 6, 2020 · 2 comments
Assignees
@darrelmiller
Labels
Auth enhancement New feature or request P2 Request: Feature
Milestone
Backlog

Comments

@arek-avanade
Copy link

arek-avanade commented Mar 6, 2020
edited by azure-boards bot
Loading

I need to use Microsoft Graph API in my Azure App Service to manage accounts in Azure AD B2C tenant. So far I've been using traditional service principal (App Registration) in my AD B2C tenant. I had my Graph API permissions configured and I was using clientId and secret to get access token. All working fine.
Now I want to move to Managed Identity (MSI) for authentication. I've read a few articles which describe how to configure MSI to access Microsoft Graph API - this is possible at least with Powershell Azure AD or Microsoft Graph modules. My script looks more or the less like this:

$tenantId = "xxx"   # This is my Azure AD B2C tenant id
$msiObjectId = "yyy"   # Object ID of my Managed Identity
$graphAppId = "00000003-0000-0000-c000-000000000000"  # Well-known Graph API app ID

Connect-Graph -Scopes "User.ReadWrite.All","Directory.ReadWrite.All" -TenantId $tenantId
$graph = Get-MgServicePrincipal | Where-Object { $_.AppId -eq $graphAppId }
$permission = $graph.AppRoles | Where-Object Value -Like "User.ReadWrite.All"
New-MgServicePrincipalAppRoleAssignment -AppRoleId $permission.Id -ServicePrincipalId $msiObjectId -ResourceId $graph.Id

I think this would work fine if we want to set up Graph API access to normal Azure AD tenant to which MSI also belongs. However in my scenario I'm getting the following error:
Resource 'xxx' does not exist or one of its queried reference-property objects are not present.
where 'xxx' is my Managed Identity object id. This error actually makes sense - my MSI exists in my normal Azure AD where I have my Azure subscription and all Azure resources, while I'm trying to give access to use Graph API in a different (B2C) tenant.

Is my scenario actually possible to achieve at all with Azure AD B2C? Is there a way to somehow register my MSI also in B2C so that I can set up proper appRole for Graph API correctly?
AB#7433
@ghost ghost added the ToTriage label Mar 6, 2020
@ghost ghost removed the ToTriage label Mar 12, 2020
@darrelmiller darrelmiller mentioned this issue Mar 17, 2020
Closed
@ddyett ddyett added the promote label Jan 11, 2021
@peombwa peombwa added enhancement New feature or request Request: Feature labels May 5, 2021
@peombwa peombwa added this to the Backlog milestone May 5, 2021
@peombwa peombwa added P2 and removed promote labels May 5, 2021
@peombwa
Copy link
Member

peombwa commented May 5, 2021

Related to #125

@peombwa
Copy link
Member

peombwa commented Jun 15, 2021

The SDK does not support Managed Identity (MSI) at the moment. This will be added in #125.

Closing as duplicated of #125.

@peombwa peombwa closed this as completed Jun 15, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@darrelmiller darrelmiller

Labels
Auth enhancement New feature or request P2 Request: Feature
Projects
None yet
Milestone
Backlog
Development

No branches or pull requests
4 participants
@darrelmiller @peombwa @ddyett @arek-avanade