I am trying to fetch the list of Azure subscription admins (service admin and co-admins) programmatically from the API with Azure AD client credentials authentication.
I have an Azure AD application to which I have granted the "Reader" RBAC role on the subscription. I have added the Azure Service Management API in the "permissions to other applications" section. In code, I am able to get the token using the Azure AD app's client ID and certificate. But when I try to query the subscription user accounts list API as per this link, I get a forbidden error. Please help in resolving this or suggest an alternate approach if required.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// GetCertificate() loads the app's certificate (helper not shown)
X509Certificate2 cert = GetCertificate();
ClientAssertionCertificate certCred = new ClientAssertionCertificate("<ClientId>", cert);
AuthenticationContext context = new AuthenticationContext((new Uri(new Uri("<AadInstance>"), "<Tenant>")).ToString());
// Able to get the token here
AuthenticationResult result = await context.AcquireTokenAsync("https://management.core.windows.net/", certCred);
var request = new HttpRequestMessage()
{
    RequestUri = new Uri("https://management.core.windows.net/<subscriptionid>/principals"),
    Method = HttpMethod.Get,
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
request.Headers.Add("x-ms-version", "2013-08-01");
using (HttpClient httpClient = new HttpClient())
{
    // Getting a forbidden error in response
    HttpResponseMessage httpResponse = await httpClient.SendAsync(request);
}
<Error xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance"><Code>ForbiddenError</Code><Message>The server failed to authenticate the request. Verify that the
certificate is valid and is associated with this subscription.</Message></Error>
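The ForbiddenError above comes from the classic Service Management endpoint (management.core.windows.net), which checks for a management certificate or a co-administrator identity and does not honour ARM RBAC roles such as Reader; that is why its message talks about certificates. The same information is exposed through Azure Resource Manager, where a Reader assignment is enough. The following is an added example, not the asker's code: it keeps the page's ADAL client-credentials flow, requests a token for the ARM audience instead of the classic one, sanity-checks the token's `aud` claim before sending it, and reads the classic administrators through the ARM provider `Microsoft.Authorization/classicAdministrators`. The `api-version=2015-06-01` value, the response shape (`value[].properties.emailAddress` / `role`), the certificate-store location and all `<...>` values are assumptions or placeholders to be replaced.

```csharp
// Added example (not the asker's code): list a subscription's classic administrators
// through Azure Resource Manager, which honours the Reader RBAC role, instead of the
// classic Service Management endpoint. Assumes ADAL (as on the page), the ARM endpoint
// providers/Microsoft.Authorization/classicAdministrators with api-version 2015-06-01,
// and a response of the shape { "value": [ { "properties": { "emailAddress", "role" } } ] }.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Security.Cryptography.X509Certificates;
using System.Text;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

public static class ClassicAdminLister
{
    // Placeholders: fill in the tenant, app registration and subscription being queried.
    const string TenantId = "<TenantId>";
    const string ClientId = "<ClientId>";
    const string SubscriptionId = "<SubscriptionId>";
    const string CertThumbprint = "<CertificateThumbprint>";

    // ARM audience. A token minted for management.core.windows.net is a different
    // resource; request the ARM one explicitly.
    const string ArmResource = "https://management.azure.com/";

    // Load the app's certificate from the current user's store by thumbprint (assumed location).
    static X509Certificate2 GetCertificate()
    {
        using (var store = new X509Store(StoreName.My, StoreLocation.CurrentUser))
        {
            store.Open(OpenFlags.ReadOnly);
            var found = store.Certificates.Find(X509FindType.FindByThumbprint, CertThumbprint, validOnly: false);
            if (found.Count == 0) throw new InvalidOperationException("certificate not found");
            return found[0];
        }
    }

    // Client-credentials flow with a certificate assertion, as on the page, but for the ARM resource.
    static async Task<string> AcquireArmTokenAsync(X509Certificate2 cert)
    {
        var context = new AuthenticationContext("https://login.microsoftonline.com/" + TenantId);
        var credential = new ClientAssertionCertificate(ClientId, cert);
        AuthenticationResult result = await context.AcquireTokenAsync(ArmResource, credential);
        return result.AccessToken;
    }

    // Read the "aud" claim from the JWT payload. Local sanity check only (no signature
    // validation); it catches sending a token for one resource to a different API.
    static string GetAudience(string jwt)
    {
        string payload = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using (JsonDocument doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(payload))))
        {
            return doc.RootElement.GetProperty("aud").GetString();
        }
    }

    // Returns (email, role) pairs, e.g. ("admin@contoso.com", "ServiceAdministrator;AccountAdministrator").
    static async Task<List<(string Email, string Role)>> ListClassicAdminsAsync(HttpClient http, string token)
    {
        string url = "https://management.azure.com/subscriptions/" + SubscriptionId +
                     "/providers/Microsoft.Authorization/classicAdministrators?api-version=2015-06-01";
        using (var request = new HttpRequestMessage(HttpMethod.Get, url))
        {
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
            HttpResponseMessage response = await http.SendAsync(request);
            string body = await response.Content.ReadAsStringAsync();
            if (!response.IsSuccessStatusCode)
            {
                // 403 here means the service principal has no role on the subscription;
                // 401 usually means a wrong audience or tenant.
                throw new HttpRequestException($"{(int)response.StatusCode} {response.ReasonPhrase}: {body}");
            }
            var admins = new List<(string, string)>();
            using (JsonDocument doc = JsonDocument.Parse(body))
            {
                foreach (JsonElement item in doc.RootElement.GetProperty("value").EnumerateArray())
                {
                    JsonElement props = item.GetProperty("properties");
                    admins.Add((props.GetProperty("emailAddress").GetString(), props.GetProperty("role").GetString()));
                }
            }
            return admins;
        }
    }

    public static async Task Main()
    {
        string token = await AcquireArmTokenAsync(GetCertificate());
        Console.WriteLine("token audience: " + GetAudience(token));
        using (var http = new HttpClient())
        {
            foreach (var admin in await ListClassicAdminsAsync(http, token))
                Console.WriteLine($"{admin.Email}  {admin.Role}");
        }
    }
}
```

The audience printed by `GetAudience` should be the ARM resource; if it shows `https://management.core.windows.net/`, the token was requested for the classic API and ARM may reject it. A 403 from the ARM call means the service principal's role assignment on the subscription is missing or has not propagated yet, not a certificate problem.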