Azure active directory - Get access token using Azure CLI
Question
My objective is to get access token for a user for a resource( an AD app present in the tenant)
I have been able to get access token for a service principal by using
az login --service-principal -u -p --tenant --allow-no-subscriptions
az account get-access-token --resource
Now when I try to achieve the same for a user by switching service-principal login by user login(az login)
az login
az account get-access-token --resource
This however gives an error
Get Token request returned http error: 400 and server response: {"error":"invalid_grant","error_description":"AADSTS65001: The user or administrator has not consented to use the application with ID 'abc'. Send an interactive authorization request for this user and resource.\r\nTrace ID: 19fdf309-f9ef-423b-8c18-7cd9269b0700\r\nr\nTimestamp: 2019-11-21 09:03:25Z","error_codes":[65001],"timestamp":"2019-11-21 09:03:25Z","trace_id":"19fdf309-f9ef-423b-8c18-7cd9269b0700","correlation_id":"2aafc4e4-0c1b-42b3-ba59-afe09bbe9fb5","suberror":"consent_required"}
Can someone help me understand why this is the case?
Thanks in advance!
1 answers
solution1
1 ACCPTED 2019-11-22 01:37:51
You are trying to get token from <APP ID Uri> using Azure CLI, which client ID is exactly 04b07795-8ddb-461a-bbee-02f9e1bf7b46 .
Go to the resource(App in AD)->Expose an API->Add client application with 04b07795-8ddb-461a-bbee-02f9e1bf7b46 and check scope.
Then get the access token again.
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.