TS Report & Marketdata API Authentication: Register Application in Microsoft Entra ID

Created by Elin Stenrud, Modified on Tue, 3 Dec, 2024 at 5:17 PM by Pontus Klämfeldt

This guide is based on https://learn.microsoft.com/en-us/azure/databricks/admin/users-groups/service-principals

 

Note: This is something your IT department sets up.


Short version

  1. Register a new application
  2. Add a credential
  3. Write down the client ID, tenant ID, secret and object ID

 

Register a new application

 


Navigate to the overview and write down the following IDs:

  • Application (client) ID
  • Directory (tenant) ID
  • Object ID


 

Create the secret

Navigate to Certificates & secrets => Client secrets and click New client secret.


Choose a name and an expiry date, then copy the value.




 

Test the application / credentials


Please see the examples in TS API Authentication.

  

Troubleshooting

When acquiring the token you might get the error “AADSTS501051 _invalid_client: AADSTS501051: Application <application name> isn't assigned to a role for the <web API>”. This happens if you have chosen to limit access to Treasury Systems SaaS under “Enterprise Applications” in Entra.
If this happens, you need to either remove the assignment requirement or explicitly grant the registered application access to Treasury Systems SaaS.
The latter requires scripting since it is not, at the time of writing, available in the UI. For instructions see https://learn.microsoft.com/en-us/entra/identity/enterprise-apps/assign-user-or-group-access-portal?pivots=aad-powershell

 



Here is a PowerShell script for granting access. Replace <YOUR APP DISPLAYNAME> with your chosen name, 'TS API App' in the example above.


# Requires the Az.Resources module and a signed-in session (Connect-AzAccount)

# Get the 'Treasury Systems SaaS' application
$tsSaas = Get-AzADServicePrincipal -Filter "displayName eq 'Treasury Systems SaaS'"

# Get the service principal to grant access to
$myApiClient = Get-AzADServicePrincipal -Filter "displayName eq '<YOUR APP DISPLAYNAME>'"

# Show client info
$myApiClient | ft AppDisplayName, Id, AppId

echo "Granting Application '$($myApiClient.AppDisplayName)' access to '$($tsSaas.AppDisplayName)'"

New-AzADServicePrincipalAppRoleAssignment -ResourceId $tsSaas.Id -ServicePrincipalId $myApiClient.Id -AppRoleId 00000000-0000-0000-0000-000000000000
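
A more defensive variant of the grant script above, added here as an example and not part of the original article or of Treasury Systems' own tooling. Display names are not unique in a tenant, so it refuses to continue unless each lookup matches exactly one service principal, skips the grant if the assignment already exists, and then reads the assignment back. The helper function and variable names are hypothetical, and the property names on the returned assignment objects are assumed to follow the Microsoft Graph appRoleAssignment resource.

```powershell
# Added example. Requires the Az.Resources module and a signed-in session (Connect-AzAccount).
$resourceName = 'Treasury Systems SaaS'
$clientName   = '<YOUR APP DISPLAYNAME>'                 # same placeholder as in the article's script
$appRoleId    = '00000000-0000-0000-0000-000000000000'   # role id used by the article's script

# Hypothetical helper: look up a service principal and insist on exactly one match.
function Get-SingleServicePrincipal {
    param([Parameter(Mandatory)][string]$DisplayName)
    $escaped = $DisplayName.Replace("'", "''")           # escape quotes for the OData filter
    $found = @(Get-AzADServicePrincipal -Filter "displayName eq '$escaped'")
    if ($found.Count -ne 1) {
        throw "Expected exactly one service principal named '$DisplayName', found $($found.Count)."
    }
    return $found[0]
}

# Hypothetical helper: assignments the client already holds on the given resource and role.
function Get-ExistingAssignment {
    param($Client, $Resource, [string]$RoleId)
    @(Get-AzADServicePrincipalAppRoleAssignment -ServicePrincipalId $Client.Id |
        Where-Object { $_.ResourceId -eq $Resource.Id -and $_.AppRoleId -eq $RoleId })
}

$tsSaas      = Get-SingleServicePrincipal -DisplayName $resourceName
$myApiClient = Get-SingleServicePrincipal -DisplayName $clientName

if ((Get-ExistingAssignment $myApiClient $tsSaas $appRoleId).Count -eq 0) {
    Write-Output "Granting '$($myApiClient.AppDisplayName)' access to '$($tsSaas.AppDisplayName)'"
    New-AzADServicePrincipalAppRoleAssignment -ResourceId $tsSaas.Id `
        -ServicePrincipalId $myApiClient.Id -AppRoleId $appRoleId | Out-Null
} else {
    Write-Output "Assignment already present, nothing to grant."
}

# Read the assignment back so the change is confirmed rather than assumed.
$check = Get-ExistingAssignment $myApiClient $tsSaas $appRoleId
if ($check.Count -ne 1) {
    throw "Verification failed: expected 1 assignment, found $($check.Count)."
}
$check | Format-Table PrincipalDisplayName, ResourceDisplayName, AppRoleId, CreatedDateTime
```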



