How to change audience in token used for Azure Analysis Services REST API?

Emmett Cregg 0 Reputation points
2024-07-26T17:37:15.8333333+00:00

We use the Azure Analysis Services REST API to trigger model updates and refreshes. We received the following email from Microsoft indicating that the audience for the token used to make those requests needs to be changed.

You’re receiving this notice for awareness about the update in Authorization header token for asynchronous refresh REST API. The token must have the audience set to exactly ‘https://*.asazure.windows.net’. Please keep in mind that * is neither a placeholder or wildcard, and the audience must have the * character as the subdomain. Specifying an invalid audience will result in authentication failures in new applications starting 3 August 2024. For more information about authentication for asynchronous refresh REST API, please reference the product documentation here. Required action To ensure the correct functioning of the asynchronous refresh REST API, set the audience in the Authorization header token to 'https://*.asazure.windows.net'.

However, my understanding is that the audience is not something that we can manage - it's controlled by the token issuer (Microsoft Entra). My question is whether there's actually any change needed on our side with the token request, or if it will be managed by Entra.

I noticed that if I make a token request with the scope set to https://canadacentral.asazure.windows.net/.default, the returned token has an audience of https://canadacentral.asazure.windows.net. Does this imply that as part of this change, we're expected to change our requested scope to https://*.asazure.windows.net/.default?

Azure Analysis Services
Azure Analysis Services
An Azure service that provides an enterprise-grade analytics engine.
461 questions
Microsoft Entra ID
Microsoft Entra ID
A Microsoft Entra identity service that provides identity management and access control capabilities. Replaces Azure Active Directory.
22,269 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Bhargava-MSFT 31,121 Reputation points Microsoft Employee
    2024-07-26T19:32:25.8333333+00:00

    Hello Emmett Cregg,

    Based on the information provided, the audience for the token must be set to exactly https://*.asazure.windows.net, where the * character is not a placeholder or wildcard, but an actual character that must be included in the subdomain.

    and your understanding is correct that the audience is typically controlled by the token issuer, which in this case is Microsoft Entra. However, the email indicates that you need to ensure the audience in the Authorization header token is set correctly to https://*.asazure.windows.net to avoid authentication failures starting from 3 August 2024.

    Regarding the token request with the scope set to https://canadacentral.asazure.windows.net/.default, and the returned token having an audience of https://canadacentral.asazure.windows.net, it does imply that you should update your token request to use the new scope (https://*.asazure.windows.net/.default). This should ensure that the returned token has the correct audience and prevent any authentication failures.

    I hope this helps.

    0 comments No comments

Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.