AADSTS501051: Application '{API GUID}'(DEV-API) is not assigned to a role for the application '{API GUID}'(DEV-API)

Question

I want to access one API by its Client Credential directly not via any web application

private async Task<string> GetAutheticationToken(string APITypeSelected, string APIKeySelected=null)
    {
        string aadInstance = ConfigurationManager.AppSettings["ida:AADInstance"];
        string tenant = ConfigurationManager.AppSettings["ida:AADTenant"];
        string appKey = ConfigurationManager.AppSettings[APIKeySelected];
        string apiID = ConfigurationManager.AppSettings[APITypeSelected];
        //appKey = HttpUtility.UrlEncode(appKey);
        string authority = String.Format(CultureInfo.InvariantCulture, aadInstance, tenant);
        using (HttpClient client = new HttpClient())
        {
            Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext authContext = null;
            ClientCredential clientCredential = null;
            authContext = new Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext(authority);
            //encodeURIComponent(client_secret);
            clientCredential = new ClientCredential(apiID, appKey);
            AuthenticationResult authResult = null;
            authResult = await authContext.AcquireTokenAsync(apiID, clientCredential);

            return authResult.AccessToken;
        }
    }

while executing I am getting bellow error(AADSTS501051) in this line

authResult = await authContext.AcquireTokenAsync(apiID, clientCredential);

AADSTS501051: Application '{API GUID}'(DEV-API) is not assigned to a role for the application '{API GUID}'(DEV-API).

Do I have to give API permission to itself.

What I need to do.

Thanks,

Answer 1

This error message indicates that you need to add an "App role" to your app registration. You can do so by first adding a new App role on {API GUID}

and then assign the app {API GUID} this role (don't forget to give admin consent)

Essentially what is happening here is that your app registration {API GUID} got a role on {API GUID} to create access tokens for the audience {API GUID}, so: itself.

Answer 2

First you need to make a user role for application if app assignment is required. if not there is no problem. If app assignment is required, Go back to api permission and in my api give permission for the created role, see Microsoft documentation url

https://learn.microsoft.com/en-us/azure/active-directory/develop/scenario-protected-web-api-app-registration