I have an MVC web application (WebAPI + Angular) deployed to Azure as a web application (and not an API application) that is configured to be protected using Settings → Authentication / Authorization → AAD → Express. This created an AD application with the same name as the web application, and as a regular web user (in a directory using OAuth), this works as expected.
But I also have external automation that should call the WebAPI controllers directly, so I need to programmatically obtain a bearer token to send along with these requests.
Everything works fine while "USER ASSIGNMENT REQUIRED TO ACCESS THE APPLICATION" == NO. But that will not be enough, because not everyone in the directory should have access to this application.
Flipping this switch results in an error:
The AppId application is not assigned a role for the AppId application.
Code used:

```csharp
using System;
using System.Configuration;
using System.Globalization;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL

// The authority must be HTTPS; an http:// authority would send the client secret in clear text.
var aadLoginUri = "https://login.microsoftonline.com/{0}";
var tenantId = "[xxx].onmicrosoft.com";
var authority = String.Format(CultureInfo.InvariantCulture, aadLoginUri, tenantId);
var clientId = ConfigurationManager.AppSettings["ClientId"];
var clientSecret = ConfigurationManager.AppSettings["ClientSecret"];
var authContext = new AuthenticationContext(authority);
ClientCredential clientCredential = new ClientCredential(clientId, clientSecret);
// Client-credentials flow; the resource being requested is the app itself (clientId).
AuthenticationResult authResult = authContext.AcquireToken(clientId, clientCredential);
```
How do I add a role assignment for an application (as opposed to a user)?
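When "User assignment required" is on, the client-credentials flow only succeeds if the calling service principal holds an app role on the resource application. The following is an added example, not code from the question or its answers, using the AzureAD PowerShell module: it defines an application-type app role on the protected web app and assigns it to the automation client's service principal. The two app IDs are placeholders; in the question's setup, where the app requests a token for itself, both would be the same value.

```powershell
# Assumes the AzureAD module is installed and the signed-in account can edit both apps.
Import-Module AzureAD
Connect-AzureAD

$webAppId    = "<APP-ID-OF-THE-PROTECTED-WEB-APP>"   # placeholder
$clientAppId = "<APP-ID-OF-THE-AUTOMATION-CLIENT>"   # placeholder (same as above in the question's case)

# 1. Define an app role that applications, not users, may hold.
$role = New-Object Microsoft.Open.AzureAD.Model.AppRole
$role.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
$role.AllowedMemberTypes.Add("Application")
$role.DisplayName = "Automation.Access"
$role.Value       = "Automation.Access"   # appears in the token's "roles" claim
$role.Description = "Allows the automation client to call the WebAPI controllers"
$role.Id          = [Guid]::NewGuid()
$role.IsEnabled   = $true

$webApp = Get-AzureADApplication -Filter "appId eq '$webAppId'"
$roles  = $webApp.AppRoles
$roles.Add($role)
Set-AzureADApplication -ObjectId $webApp.ObjectId -AppRoles $roles

# 2. Assign the role to the client's service principal on the web app's service principal.
$webSp    = Get-AzureADServicePrincipal -Filter "appId eq '$webAppId'"
$clientSp = Get-AzureADServicePrincipal -Filter "appId eq '$clientAppId'"
New-AzureADServiceAppRoleAssignment -ObjectId $clientSp.ObjectId `
    -PrincipalId $clientSp.ObjectId -ResourceId $webSp.ObjectId -Id $role.Id

# 3. Verify: the assignment should now be listed for the client's service principal.
Get-AzureADServiceAppRoleAssignment -ObjectId $clientSp.ObjectId
```

After the assignment, the token returned by AcquireToken() carries a "roles" claim with the role's Value, which the WebAPI can check in addition to App Service authentication.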
" ", . , , [App Name]. , , , . AcquireToken() .
, , API Angular, API API ( ), . , , Auth " " , , : " , - ", , , , (, ), graph/service-mgmt api, powershell ..