API returns 403 when using client-credential flow because IPAM validates only scp (delegated) tokens and not roles (application permissions)

[rachit22test]

When calling the Azure IPAM Engine API using a service principal (client-credentials flow), the request fails with 403 Forbidden even though the service principal has been granted the correct App Role under “Expose an API”.
The access token contains a roles claim, but the API rejects it because IPAM appears to validate only delegated-permission (scp) tokens.

Expected Behavior

IPAM Engine API should accept tokens obtained via application permissions (client-credential flow), using the roles claim.
This would allow automation tools, DevOps pipelines, and backend services to call IPAM without interactive login.

Actual Behavior

Service principal token contains:

"aud": "<ENGINE_APP_ID>",
"roles": ["ipam-access-via-pipeline"]

API call returns: 403 Forbidden

Debug logs show token is parsed, but authorization fails because no scp claim is present.

If I request a token as a user (delegated grant), token contains scp, and the API works correctly.

This strongly suggests the engine checks only for scp and does not process roles.

[DCMattyG]

Hi @rachit22test, thanks so much for reaching out and of course I'm happy to help however I can.

For adding Users or Service Principals to the application, you should use the "Admin Users" page. From there, you can click the icon pictured in the screenshot below to toggle between searching for Users or Principals.

I think this will provide the outcome you are looking for, but please do test it out and let me know if you're able to call the Azure IPAM API using a Service Principal after adding them in here.

[rachit22test]

Hi @DCMattyG
Thanks for the inputs, I already added my service principal to the admin list in IPAM portal, yet I get 403 error

my sample pipeline looks like below

trigger: none

pool:
vmImage: 'ubuntu-latest'

variables:
TENANT_ID: ""
CLIENT_ID: ""
#this has been already added as admin in ipam portal via gui
CLIENT_SECRET: "$(client-secret)" # our ClientID secret
API_APP_ID_URI: "api://"
IPAM_URL: "https://.azurewebsites.net/api/spaces"

steps:

• task: Bash@3
  displayName: "Get Access Token and Call IPAM API"
  env:
  TENANT_ID: $(TENANT_ID)
  CLIENT_ID: $(CLIENT_ID)
  CLIENT_SECRET: $(CLIENT_SECRET)
  API_APP_ID_URI: $(API_APP_ID_URI)
  IPAM_URL: $(IPAM_URL)
  inputs:
  targetType: "inline"
  script: |
  echo "===== 1. Requesting access token using client credentials ====="

  TOKEN_RESPONSE=$(curl -s -X POST \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "client_id=${CLIENT_ID}" \
    -d "client_secret=${CLIENT_SECRET}" \
    -d "grant_type=client_credentials" \
    -d "scope=${API_APP_ID_URI}/.default" \
    "https://login.microsoftonline.com/${TENANT_ID}/oauth2/v2.0/token")
  
  ACCESS_TOKEN=$(echo "$TOKEN_RESPONSE" | jq -r '.access_token')
  
  if [ -z "$ACCESS_TOKEN" ] || [ "$ACCESS_TOKEN" = "null" ]; then
    echo "Failed to retrieve access token"
    echo "Response: $TOKEN_RESPONSE"
    exit 1
  fi
  
  echo " Access token retrieved successfully"
  echo "===== DEBUG: INSPECTING TOKEN CLAIMS ====="
  echo                                                #### token gets generated and then api call fails in step 2
  echo "===== 2. Calling IPAM API /spaces endpoint ====="
  
  API_RESPONSE=$(curl -s -w "\nHTTP_STATUS:%{http_code}" \
    -H "Authorization: Bearer ${ACCESS_TOKEN}" \
    -H "Content-Type: application/json" \
    "${IPAM_URL}")
  
  # Separate body and HTTP status
  HTTP_BODY=$(echo "$API_RESPONSE" | sed -e 's/HTTP_STATUS\:.*//g')
  HTTP_STATUS=$(echo "$API_RESPONSE" | tr -d '\n' | sed -e 's/.*HTTP_STATUS://')
  
  echo "----- API RESPONSE BODY -----"
  echo "$HTTP_BODY" | jq  # Pretty print JSON
  
  echo "----- HTTP STATUS -----"
  echo "$HTTP_STATUS"
  
  if [ "$HTTP_STATUS" -ne 200 ]; then
    echo "API call failed with status code $HTTP_STATUS"
    exit 2
  fi
  
  echo "API call succeeded"
  

The token generation does pass but then subsequent API calls do not work and send 403

If i decrypt the token that gets generated, some of the fields inside it are
{
"aud": "ipam engine app registration",
"iss": "https://login.microsoftonline.com/our tenant id/v2.0",
"azpacr": "1",
"oid": "someval",
"rh": "1.someotherval.",
"roles": [
"app role name which i added to ipam engine app registration"
],
so if my app role name is "my_npr_ipam_access" then roles is roles: ["my_npr_ipam_access"] not ["api://my_npr_ipam_access"].
I am not sure, if this is causing the issue here or not.
}

[DCMattyG]

Hey @rachit22test, I tested using the exact commands you provided above against my installation and everything works fine using a net-new Service Principal I created just for this testing.

Did you deploy the Azure IPAM application and the App Registrations entirely from the deployment script I've provided, or were some components (like the App Registrations) created manually or through a different process?

[rachit22test]

Hi @DCMattyG
thanks for testing. The things work perfectly when executed as on terminal but fails when trying to do same thing in azure devops pipeline.

[rachit22test]

Hi @DCMattyG
any luck with azure devops pipeline based executions rather than manual execution ?