
I'm wondering whether it's possible to reuse an access token or ID token after logging in to Azure AD. My application asks for Azure AD credentials and I want to reuse those to push telemetry data to an Azure Monitor Data Collection Endpoint.

I can't imagine it's not possible because both working authentications below authenticate to the same App Registration (App ID).

[Works] Requesting an access token for 'https://monitor.azure.com/' (interactive) and pushing logs to the Data Collection Endpoint, but this is where I want a silent login.

$appId = "<myapplicationGUID>"
$tenantId = "<mytenantGUID>"
$appSecret = "<myappSecret>"

$DcrImmutableId = "<myDCRImmutableId>"
$DceURI = "<myDCEURI>"
$Table = "<myTable>"
$log_entry = @( "<myLogEntry>" )   # array of objects matching the DCR stream schema

## Obtain a bearer token used to authenticate against the data collection endpoint
Add-Type -AssemblyName System.Web   # HttpUtility is not loaded by default on Windows PowerShell 5.1
$scope = [System.Web.HttpUtility]::UrlEncode("https://monitor.azure.com/.default")
# The secret is form-encoded too, so characters such as '~' or '+' in it do not break the request
$encodedSecret = [System.Web.HttpUtility]::UrlEncode($appSecret)
$body = "client_id=$appId&scope=$scope&client_secret=$encodedSecret&grant_type=client_credentials"
$headers = @{ "Content-Type" = "application/x-www-form-urlencoded" }
$uri = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$bearerToken = (Invoke-RestMethod -Uri $uri -Method "Post" -Body $body -Headers $headers).access_token

## Upload the log entry with the Monitor token
$body = $log_entry | ConvertTo-Json
$headers = @{ "Authorization" = "Bearer $bearerToken"; "Content-Type" = "application/json" }
$uri = "$DceURI/dataCollectionRules/$DcrImmutableId/streams/Custom-$Table" + "?api-version=2021-11-01-preview"
$uploadResponse = Invoke-RestMethod -Uri $uri -Method "Post" -Body $body -Headers $headers

[Works] Requesting a token using Get-MsalToken to connect to MgGraph (interactive). This is the token I want to reuse.

$appId = "<myapplicationGUID>"
$tenantId = "<mytenantGUID>"

# Interactive sign-in with the default scope; MSAL.PS caches the resulting account
Get-MsalToken -ClientId $appId -TenantId $tenantId -Scopes ".default" -Interactive

[Doesn't Work] Authenticate with scope "https://monitor.azure.com/.default"

$appId = "<myapplicationGUID>"
$tenantId = "<mytenantGUID>"

# Same interactive flow, but asking for the Azure Monitor audience
Get-MsalToken -ClientId $appId -TenantId $tenantId -Scopes "https://monitor.azure.com/.default" -Interactive

[Doesn't Work] Using the AccessToken from the 'Get-MsalToken' command to upload the logs

$appId = "<myapplicationGUID>"
$tenantId = "<mytenantGUID>"

$DcrImmutableId = "<myDCRImmutableId>"
$DceURI = "<myDCEURI>"
$Table = "<myTable>"
$log_entry = @( "<myLogEntry>" )   # array of objects matching the DCR stream schema

# Access token from the interactive (Graph) sign-in, presented to the DCE
$bearerToken = (Get-MsalToken -ClientId $appId -TenantId $tenantId -Scopes ".default" -Interactive).AccessToken

$body = $log_entry | ConvertTo-Json
$headers = @{ "Authorization" = "Bearer $bearerToken"; "Content-Type" = "application/json" }
$uri = "$DceURI/dataCollectionRules/$DcrImmutableId/streams/Custom-$Table" + "?api-version=2021-11-01-preview"
$uploadResponse = Invoke-RestMethod -Uri $uri -Method "Post" -Body $body -Headers $headers

[Doesn't Work] Using the IdToken from the 'Get-MsalToken' command to upload the logs

$appId = "<myapplicationGUID>"
$tenantId = "<mytenantGUID>"

$DcrImmutableId = "<myDCRImmutableId>"
$DceURI = "<myDCEURI>"
$Table = "<myTable>"
$log_entry = @( "<myLogEntry>" )   # array of objects matching the DCR stream schema

# ID token from the interactive sign-in, presented to the DCE
$bearerToken = (Get-MsalToken -ClientId $appId -TenantId $tenantId -Scopes ".default" -Interactive).IdToken

$body = $log_entry | ConvertTo-Json
$headers = @{ "Authorization" = "Bearer $bearerToken"; "Content-Type" = "application/json" }
$uri = "$DceURI/dataCollectionRules/$DcrImmutableId/streams/Custom-$Table" + "?api-version=2021-11-01-preview"
$uploadResponse = Invoke-RestMethod -Uri $uri -Method "Post" -Body $body -Headers $headers
  • The tokens have an expiration timestamp; they can be reused within that window, and for the same user and service the token was initially created for. – MZM Nov 30 '22 at 17:06
  • I created new tokens for each test, so expiration isn't the problem. One service is Graph and the other is Monitor. – Hofa Nov 30 '22 at 17:22

1 Answer


I tried to reproduce the same in my environment and got the results below:

As you are trying to reuse the token used for authenticating to the Azure AD application for pushing telemetry data to an Azure Monitor Data Collection Endpoint, the access token would have to contain two scopes (Graph and Monitor) to achieve it.

Note: It is not possible to acquire a token for multiple audiences/scopes; only one token can be issued for one audience. So reusing the token doesn't work.

  • A bearer token in Azure AD is only valid for one API. It can contain scopes/roles of the calling user/app on that API. Those values can overlap between APIs, and thus a token cannot be valid for two APIs.

I created an Azure AD Application and granted API Permissions like below:


Make sure to generate two tokens separately, one for authenticating to the application and the other for accessing Azure Monitor data.

To authenticate to the application, I am using a scope such as https://graph.microsoft.com, like below:

# the v2.0 token endpoint only accepts form-encoded POST requests
POST https://login.microsoftonline.com/<TenantID>/oauth2/v2.0/token

client_id:<ClientID>
client_secret:<ClientSecret>
grant_type:client_credentials
scope:<scope, e.g. https://graph.microsoft.com/.default>


To push telemetry data to an Azure Monitor Data Collection Endpoint, I generated another token with the scope https://api.loganalytics.io, like below:


  • Thanks for taking the time but with this solution, I only have the permission 'data.read' on the log analytics workspace and I still can't write events/telemetry to a table. – Hofa Dec 02 '22 at 14:38
  • Does this help? [Azure Log Analytics API permissions](https://stackoverflow.com/questions/64809857/azure-log-analytics-api-permissions-on-west-us2-region). Check [**this**](https://i.imgur.com/W1Uc4GW.png). – Rukmini Dec 02 '22 at 15:32
  • Unfortunately not, because it goes back to needing a client_secret – Hofa Dec 05 '22 at 08:40
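The answer states that one Azure AD access token is valid for one audience only, and the last comment shows the asker's real constraint: a second token for the Monitor audience without a second prompt and without a client secret. The script below is an added example, not code from the question or answer; it assumes the MSAL.PS module's Get-MsalToken with its -Silent and -LoginHint parameters, an app registration holding delegated permissions for both Microsoft Graph and Azure Monitor, and a Get-TokenAudience helper defined here to show why the Graph token is rejected by the DCE.

```powershell
# Added example, not from the original post. Assumes MSAL.PS (Get-MsalToken) and
# an app registration with delegated permission for both Graph and Azure Monitor.
$appId    = "<myapplicationGUID>"
$tenantId = "<mytenantGUID>"

# Decode a JWT payload for inspection only (no signature verification) and return
# the audience it was issued for plus its expiry, so a wrong-audience token is
# obvious before it is sent anywhere.
function Get-TokenAudience {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw "Value is not a JWT" }
    # JWT payloads are base64url without padding; convert to standard base64
    $payload = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json   = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    $claims = $json | ConvertFrom-Json
    [pscustomobject]@{
        Audience = $claims.aud
        Expires  = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
    }
}

# 1. One interactive sign-in asking for the Graph audience. MSAL.PS caches the
#    account and its refresh token for this ClientId/TenantId pair.
$graph = Get-MsalToken -ClientId $appId -TenantId $tenantId `
    -Scopes "https://graph.microsoft.com/.default" -Interactive
Get-TokenAudience $graph.AccessToken     # audience is Graph, so the DCE rejects it

# 2. Second token for the Monitor audience from the cache: no prompt, no client
#    secret. Azure AD refresh tokens are not bound to a single resource, so MSAL
#    can redeem the cached one for another API the app has consent for.
$monitor = Get-MsalToken -ClientId $appId -TenantId $tenantId `
    -Scopes "https://monitor.azure.com/.default" -Silent -LoginHint $graph.Account.Username
Get-TokenAudience $monitor.AccessToken   # audience is https://monitor.azure.com

# 3. Present the Monitor token exactly as in the question's working upload block.
#    Ingestion also requires the signed-in user to hold a role that allows writing
#    to the DCR (assumed here: Monitoring Metrics Publisher on the DCR).
$headers = @{ "Authorization" = "Bearer $($monitor.AccessToken)"; "Content-Type" = "application/json" }
```

If the silent call throws because the cache has no matching account (first run after a reboot, or a different user), fall back to -Interactive once and the cache is repopulated for subsequent silent calls.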