
AADSTS700016 while obtaining credential using Python SDK and a Service Principal Account #3742

Closed
kmai opened this issue Nov 5, 2018 · 11 comments
Labels
Graph question The issue doesn't require a change to the product in order to be resolved. Most issues start as that

Comments

@kmai

kmai commented Nov 5, 2018

While instantiating a ServicePrincipalAccount:

from azure.graphrbac import GraphRbacManagementClient
from azure.common.credentials import ServicePrincipalCredentials

# azure_cfg: the reporter's config dict (loaded elsewhere, not shown in the issue);
# azure_cfg['azure'] holds client_id, secret and tenant.
rbac_credentials = ServicePrincipalCredentials(
    client_id=azure_cfg['azure']['client_id'],
    secret=azure_cfg['azure']['secret'],
    tenant=azure_cfg['azure']['tenant'],  # keyword is tenant=, not tenant_id=, in azure-common
    resource="https://graph.windows.net"  # AAD Graph audience
)

print("RBAC Credentials created")

graphrbac_client = GraphRbacManagementClient(
    rbac_credentials,
    azure_cfg['azure']['tenant']  # tenant id used for AAD Graph calls
)

Even though I have proper permissions with the configured Application SPA (graph API access plus resource management), I get the following message:

{
    "error":"unauthorized_client",
    "error_description":"AADSTS700016: Application with identifier '844711df-d6fa-45ef-b83d-1bf9c0dcca88' was not found in the directory 'graph.windows.net'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
    Trace ID: f9ec488e-6bd1-4b5e-a315-dc6cca186800
    Correlation ID: b869d0fc-8179-4c2e-9348-6b985263a865
    Timestamp: 2018-11-05 13:17:58Z",
    "error_codes":[700016],
    "timestamp":"2018-11-05 13:17:58Z",
    "trace_id":"f9ec488e-6bd1-4b5e-a315-dc6cca186800",
    "correlation_id":"b869d0fc-8179-4c2e-9348-6b985263a865"
}

Are Application SPAs supported? Besides API Permissions on App Registrations (Azure Active Directory), is there anything else I'm missing? There aren't many examples about this.

@lmazuel
Member

lmazuel commented Nov 5, 2018

Hi @kmai
Based on the error:

Application with identifier '844711df-d6fa-45ef-b83d-1bf9c0dcca88' was not found in the directory 'graph.windows.net'

it seems azure_cfg['azure']['tenant'] is the string 'graph.windows.net', which is incorrect. It should be the tenant where the application was created.

Could you confirm 100% there is no mistake in your dictionary?

@lmazuel lmazuel added Graph question The issue doesn't require a change to the product in order to be resolved. Most issues start as that labels Nov 5, 2018
@kmai
Author

kmai commented Nov 6, 2018

Hi, as per the documentation here, the resource scope for the credentials should be https://graph.windows.net

azure_cfg['azure']['tenant'] contains the tenant id. If I change the resource to point towards https://graph.microsoft.com (the new Graph API) or towards something like https://mytenant.onmicrosoft.com, it doesn't work either.

@lmazuel
Member

lmazuel commented Nov 6, 2018

Hum, your service principal might not have the necessary permissions on the tenant actually.
@yugangw-msft opinions?

@yugangw-msft

yugangw-msft commented Nov 7, 2018

@kmai, you need to give your service principal some permissions to the AAD Graph or MS Graph, based on your app's need. Though it is written for a different e2e scenario, this doc has the relevant steps, which can help you.
Note, the Python SDK already has the API with which you can potentially automate everything. For now, please follow the UI to get familiar with the concept.

@kmai
Author

kmai commented Nov 7, 2018

@yugangw-msft actually, I do have those (and more) permissions assigned:

[Screenshot: SPA Permissions]

@yugangw-msft

But your code uses GraphRbacManagementClient which only works for AAD Graph, not with the MS graph like your screen snapshot reveals.
Also make sure you clicked the grant permission button
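Added here as an example, not code from the issue or from the Azure SDK: two offline checks for the mistakes raised in this thread, a tenant value that is really the resource host and GraphRbacManagementClient paired with a resource other than AAD Graph, plus a parser for the AADSTS700016 body kmai quoted. The function names and the tenant GUID used in the sample are assumptions.

```python
import json
import re
from urllib.parse import urlparse

# Resource (audience) URIs discussed in the issue, and the client that needs each.
AAD_GRAPH = "https://graph.windows.net"
MS_GRAPH = "https://graph.microsoft.com"
CLIENT_RESOURCE = {"GraphRbacManagementClient": AAD_GRAPH}  # AAD Graph only
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def check_sp_config(cfg, client_name):
    """Return a list of problems in a service-principal config dict shaped like
    azure_cfg['azure'] in the issue (client_id, secret, tenant, resource)."""
    problems = []
    tenant, resource = cfg.get("tenant", ""), cfg.get("resource", "")
    if tenant and tenant == urlparse(resource).netloc:
        problems.append("tenant is the resource host, not the directory that owns the app")
    elif not (GUID_RE.match(tenant) or tenant.endswith(".onmicrosoft.com")):
        problems.append("tenant must be the tenant GUID or a *.onmicrosoft.com domain")
    if not GUID_RE.match(cfg.get("client_id", "")):
        problems.append("client_id must be the application (client) GUID")
    expected = CLIENT_RESOURCE.get(client_name)
    if expected and resource.rstrip("/") != expected:
        problems.append(f"{client_name} needs resource {expected}, got {resource!r}")
    return problems


def diagnose_aadsts(body):
    """Explain a token-endpoint error body (JSON text) in one line."""
    err = json.loads(body)
    if 700016 not in err.get("error_codes", []):
        return "not AADSTS700016: " + str(err.get("error"))
    m = re.search(r"identifier '([^']+)' was not found in the directory '([^']+)'",
                  err.get("error_description", ""))
    if not m:
        return "AADSTS700016 with an unrecognised description"
    app_id, directory = m.groups()
    if directory in (urlparse(AAD_GRAPH).netloc, urlparse(MS_GRAPH).netloc):
        return f"tenant was set to resource host {directory!r}; use the tenant that owns app {app_id}"
    return f"app {app_id} is not registered or consented in tenant {directory}"


# Sample built from the error body quoted in the issue (trace/correlation ids omitted).
SAMPLE_ERROR = json.dumps({
    "error": "unauthorized_client",
    "error_description": "AADSTS700016: Application with identifier "
    "'844711df-d6fa-45ef-b83d-1bf9c0dcca88' was not found in the directory "
    "'graph.windows.net'. You may have sent your authentication request to the wrong tenant.",
    "error_codes": [700016],
})
```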

@yugangw-msft yugangw-msft reopened this Nov 7, 2018
@yugangw-msft

And reopen if you have any other questions or our help is needed.

@kmai
Author

kmai commented Nov 8, 2018

@yugangw-msft the permissions are actually granted.

Is there a Python Module to query the MS Graph API? I'm really trying to avoid writing abstractions against the REST API if there's something out there that does the job.

  • If I use my Azure Profile with ~azure.common.credentials.get_azure_cli_credentials(resource='https://graph.windows.net'), I'm able to query the AAD Graph.
  • If I try to use ~azure.common.credentials.get_azure_cli_credentials.ServicePrincipalCredentials by defining client_id, tenant, secret and resource (where resource is https://graph.windows.net), it doesn't work.

I need this to query user membership to groups and to check if groups exist.

@lmazuel
Member

lmazuel commented Nov 9, 2018

MS Graph repo might help you and have Python samples:
https://github.com/microsoftgraph?utf8=%E2%9C%93&q=&type=&language=python

@GilGald

GilGald commented Feb 28, 2019

> @yugangw-msft the permissions are actually granted.
>
> Is there a Python Module to query the MS Graph API? I'm really trying to avoid writing abstractions against the REST API if there's something out there that does the job.
>
>   • If I use my Azure Profile with ~azure.common.credentials.get_azure_cli_credentials(resource='https://graph.windows.net'), I'm able to query the AAD Graph.
>   • If I try to use ~azure.common.credentials.get_azure_cli_credentials.ServicePrincipalCredentials by defining client_id, tenant, secret and resource (where resource is https://graph.windows.net), it doesn't work.
>
> I need this to query user membership to groups and to check if groups exist.

I'm also in the same situation as you, were you able to use the graph with ServicePrincipalCredentials?

@lmazuel
Member

lmazuel commented May 7, 2021

Azure AD Graph API is now deprecated. We do not support SDK fixes to this product anymore. Please refer to this issue for additional ways to get support to move to Microsoft Graph API:
azure-deprecation/dashboard#60

@lmazuel lmazuel closed this as completed May 7, 2021
@github-actions github-actions bot locked and limited conversation to collaborators Apr 12, 2023