Use OAuth token from Entra ID to access AAP's API

We have AAP 2.5 set up with the AzureAD auth type. I would like to know if it is possible to use a token from my user via an App Registration to access AAP's APIs.

So far, I have set up an App Registration that works for AAP SSO. The Redirect URI is <fqdn>/api/gateway/social/complete/authenticator-azuread/.

I would like to use az cli to get a token that works with AAP.

The app registration is set up as follows:

  • Under “Expose an API”, add an Application ID URI, which looks like api://9585754c-4bcb-4db1-8953-xxxxxxxxx
  • Under “Expose an API/Scopes defined by this API”, add a new scope and allow “Admins and Users” consent. The new scope is api://9585754c-4bcb-4db1-8953-xxxxxxxxx/API.Write
  • Under “Expose an API/Authorized client applications”, add 04b07795-8ddb-461a-bbee-02f9e1bf7b46 for the azure-cli.
  • Under “API permissions”, add the new scope as “Delegated” type.

The enterprise application is set up as follows:

  • Under “Permissions/Admin consent”, add “API.Write”.

Login and get the token:

az login --scope api://9585754c-4bcb-4db1-8953-xxxxxxxxx/API.Write --allow-no-subscriptions --tenant <tenant>
az account get-access-token --resource "api://9585754c-4bcb-4db1-8953-xxxxxxxxx" --scope "api://9585754c-4bcb-4db1-8953-xxxxxxxxx/API.Write" --query accessToken -o tsv

Try to use the AWX CLI with the token:

export AWXKIT_API_BASE_PATH='/api/controller/'
awx --conf.host https://aap-dev.ds.acc.co.nz --conf.token "<AZCLITOKEN>" hosts list -k -v

This has an error:

Valid credentials were not provided.
<class 'awxkit.exceptions.Unauthorized'>

And trying to use this token on the API:

curl --location 'https://fqdn/api/gateway/v1/status/' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <AZCLITOKEN>'

Has an error:

Authentication credentials were not provided.

Is it possible to use an OAuth token from an App Registration that is used for SSO to AAP?
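Before looking at the AAP side, the first diagnostic step is to confirm what Entra ID actually put in the token: the aud claim has to match the Application ID URI that was exposed, scp has to carry the delegated scope that was requested, and exp has to be in the future, or the resource server has no basis to accept it. The following is an added example, not code from the original post, that decodes a JWT payload locally without verifying the signature and reports any mismatch. Everything it inspects is constructed: the token is an HS256-signed stand-in built inside the script, and the audience value is a placeholder rather than a real tenant's app ID. A real Entra ID access token is RS256-signed by Microsoft and must be verified by the resource server; this script only reads claims for troubleshooting.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed placeholders, not a real tenant's Application ID URI or scope name.
EXPECTED_AUDIENCE = "api://00000000-0000-0000-0000-000000000000"
EXPECTED_SCOPE = "API.Write"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_token(claims: dict, secret: bytes = b"constructed-demo-secret") -> str:
    """Build an HS256-signed JWT so the example has something to inspect.

    This is a constructed stand-in; real Entra ID tokens are RS256-signed by
    Microsoft and cannot be minted locally.
    """
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(sig)}"


def decode_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.

    Local inspection only: this says what the token claims, not whether it is
    genuine. Authenticity is the resource server's job.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected 3 dot-separated segments)")
    return json.loads(_b64url_decode(parts[1]))


def check_token(token: str, expected_aud: str, expected_scope: str,
                now: Optional[float] = None) -> list:
    """Return a list of problems found; an empty list means aud, scp and exp look as intended."""
    problems = []
    claims = decode_claims(token)
    now = time.time() if now is None else now

    aud = claims.get("aud")
    if aud != expected_aud:
        problems.append(f"aud is {aud!r}, expected {expected_aud!r}")

    # scp is a space-separated list of delegated scopes.
    scopes = str(claims.get("scp", "")).split()
    if expected_scope not in scopes:
        problems.append(f"scp {scopes!r} does not include {expected_scope!r}")

    exp = claims.get("exp")
    if exp is None or exp <= now:
        problems.append("token is expired or has no exp claim")
    return problems


if __name__ == "__main__":
    # Token shaped like one issued for the custom API scope.
    issued_for_api = make_sample_token({
        "aud": EXPECTED_AUDIENCE,
        "scp": "API.Write",
        "exp": int(time.time()) + 3600,
        "preferred_username": "user@example.test",  # constructed
    })
    # Token shaped like one issued for a different resource (wrong audience and scope).
    issued_for_other = make_sample_token({
        "aud": "https://example.test/other-resource",
        "scp": "Other.Read",
        "exp": int(time.time()) + 3600,
    })
    for label, tok in (("api token", issued_for_api), ("other token", issued_for_other)):
        print(label, check_token(tok, EXPECTED_AUDIENCE, EXPECTED_SCOPE) or "claims OK")
```

To inspect a real token, paste it into decode_claims in place of the constructed one; if aud or scp does not match what was configured under "Expose an API", the az cli request was made for a different resource than intended.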