Forum Discussion
Satbir-B
Feb 18, 2025 · Copper Contributor
Trying to create token with scope https://cnt-prod.loadtesting.azure.com
Hello.
I have created a web app and updated its permissions within Azure App registration, to be able to access Graph and Azure Management (user impersonation).
Using Microsoft.Identity.Web I am able to add a downstreamAPI, and make a successful call to it.
    response = await downstreamApi.GetForUserAsync<HttpResponseMessage>("Azure Management", options =>
    {
        options.RelativePath = relativePath;
    });
    if (response?.IsSuccessStatusCode ?? false)
    {
        string responseData = await response.Content.ReadAsStringAsync();
    }
However, when I try to create a token with a different scope, for example:
var token = await tokenAcquisition.GetAccessTokenForUserAsync(new[] { "https://cnt-prod.loadtesting.azure.com/.default" });
The general error I get is that my app is trying to access a resource it's not allowed to. However, I can't find this resource at all to give it access (within App Registration and API permissions).
With Azure Load Testing, I have learned there is a resource plane and a data plane. The resource plane requires management.azure.com, but the access to the data plane requires https://cnt-prod.loadtesting.azure.com/.default (from the tests I have done in PowerShell).
Has anyone else come across a similar issue?
Any assistance is greatly appreciated. Thank you.
Take this:
- Register the API: Ensure that the API (https://cnt-prod.loadtesting.azure.com) is registered in your Azure AD tenant. This might involve creating an App Registration for the API if it doesn't already exist.
- Grant API Permissions: In your App Registration, grant the necessary API permissions for the data plane. This typically involves adding the https://cnt-prod.loadtesting.azure.com/.default scope to the API permissions.
- Admin Consent: After adding the permissions, ensure that admin consent is granted for the new permissions. This can be done in the Azure portal under the "API permissions" section of your App Registration.
- Update Your Code: Ensure that your code is correctly requesting the token with the new scope. Your code snippet looks correct, but double-check that the scope is accurately specified:
var token = await tokenAcquisition.GetAccessTokenForUserAsync(new[] { "https://cnt-prod.loadtesting.azure.com/.default" });
- Check API Configuration: Verify that the API (https://cnt-prod.loadtesting.azure.com) is configured to accept tokens from your Azure AD tenant. This might involve setting up the API to validate tokens issued by your Azure AD.
- Satbir-B · Copper Contributor
Thank you for your message. This is the sticking point, unfortunately. Makes me think I must be doing something wrong. But this suggestion:
- Grant API Permissions: In your App Registration, grant the necessary API permissions for the data plane. This typically involves adding the https://cnt-prod.loadtesting.azure.com/.default scope to the API permissions.
When searching to add API permissions, I am unable to find this at all. Could it be called something else, or be a part of another API?
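An added example, not part of the thread and not code from Microsoft.Identity.Web: because the question separates a resource plane (management.azure.com) from a data plane (https://cnt-prod.loadtesting.azure.com), this C# helper decodes an access token's payload, without validating its signature, to show which of the two resources the token was issued for. `TokenAudience`, `ReadClaims` and `IsFor` are hypothetical names, the sample token is constructed, and the check assumes the `aud` claim holds the resource URI (some tokens carry the API's application ID GUID instead).

```csharp
using System;
using System.Text;
using System.Text.Json;

// Added example: hypothetical helper, not part of Microsoft.Identity.Web.
// It decodes a token for diagnosis only and does NOT validate the signature.
public static class TokenAudience
{
    // Resources named in the thread (the scope strings minus "/.default").
    public const string ResourcePlane = "https://management.azure.com";
    public const string DataPlane = "https://cnt-prod.loadtesting.azure.com";

    public static (string Aud, string Scp) ReadClaims(string jwt)
    {
        string[] parts = jwt.Split('.');
        if (parts.Length != 3)
            throw new FormatException("Expected header.payload.signature");

        // JWT segments are unpadded base64url; convert to padded base64.
        string b64 = parts[1].Replace('-', '+').Replace('_', '/');
        b64 += new string('=', (4 - b64.Length % 4) % 4);

        using JsonDocument doc = JsonDocument.Parse(Convert.FromBase64String(b64));
        return (Claim(doc.RootElement, "aud"), Claim(doc.RootElement, "scp"));
    }

    private static string Claim(JsonElement payload, string name) =>
        payload.TryGetProperty(name, out JsonElement v) && v.ValueKind == JsonValueKind.String
            ? v.GetString() ?? ""
            : "";

    // Assumption: aud carries the resource URI (it can be an application ID GUID instead).
    public static bool IsFor(string jwt, string resource) =>
        string.Equals(ReadClaims(jwt).Aud.TrimEnd('/'), resource.TrimEnd('/'),
                      StringComparison.OrdinalIgnoreCase);

    public static void Main()
    {
        // Constructed, unsigned sample token; real tokens come from the token endpoint.
        string payload = "{\"aud\":\"" + DataPlane + "\",\"scp\":\"user_impersonation\"}";
        string seg = Convert.ToBase64String(Encoding.UTF8.GetBytes(payload))
            .TrimEnd('=').Replace('+', '-').Replace('/', '_');
        string jwt = "e30." + seg + ".sig";

        var (aud, scp) = ReadClaims(jwt);
        Console.WriteLine($"aud={aud} scp={scp}");
        Console.WriteLine($"data plane: {IsFor(jwt, DataPlane)}");
        Console.WriteLine($"resource plane: {IsFor(jwt, ResourcePlane)}");
    }
}
```

Running `IsFor` against a token that already works for Azure Management and against one obtained for the data plane (for instance from the PowerShell tests mentioned in the question) shows that each token names a single audience, so a token for one plane is not accepted by the other.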