Authentication failed. The ‘Authorization’ header is missing – Invoke-WebRequest Azure ARM

While building an automation procedure I had to POST the management API of Azure.

Invoke-WebRequest -Uri https://management.azure.com/subscriptions/pool/xxx/xxxx/xxxx/xxxx -Method POST

When I used the Invoke-WebRequest without Authentication it failed. The error that you will get when you do not have Authentication headers set can be found below.

Invoke-WebRequest: {"error":{"code":"AuthenticationFailed","message":"Authentication failed. The 'Authorization' header is missing."}}

In order to authenticate with azure you can get an access-token using az cli.

az account get-access-token

The output will look like the below output:

{
  "accessToken": "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxVG-hTDHECYJxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-B5FA9l9RvqOls3iaDDYw5O86acvLIwxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx-ixxxxxxxxxxxxxxxxx3eoeKlxZfxxxxxxxxxxfGW2O6oA",
  "expiresOn": "2022-05-05 14:51:08.000000",
  "subscription": "a23eef11-f200-4722-866c-248ca45142f6",
  "tenant": "1efa646f-3fc3-4554-bd8c-651879a2b110",
  "tokenType": "Bearer"
}

You should take the output of the token and use it on your call.

For example using POSTMAN you should place your token under the Authorization tab. You will then be able to get the result from Azure ARM api.

The specified module ‘MSAL.PS’ was not loaded because no valid module file was found in any module directory.

Recently when I used Dynamics 365 Finance and Operation tools plugin for Azure Devops I faced an issue with a missing Powershell module.

Error message:

##[error]The specified module 'MSAL.PS' was not loaded because no valid module file was found in any module directory.

In order to bypass this issue, add a PowerShell step with the below commands:

Set-PSRepository PSGallery -InstallationPolicy Trusted
Install-Module MSAL.PS
Import-Module MSAL.PS

Your final pipeline should look like the one below.

An additional issue you may face, could relate with the service connection authentication endpoint. The error indicates that the common endpoint cannot be used and the specific tenant-endpoint should be used instead.

##[error]AADSTS9001023: The grant type is not supported over the /common or /consumers endpoints. Please use the /organizations or tenant-specific endpoint.

Go and edit your service connection details

Endpoint URL:

https://login.microsoftonline.com/organizations

Be sure that your user has sufficient privileges and that prerequisites are met as documented from Microsoft.

LCS doesn’t support service-to-service authentication. Therefore, only regular user credentials (that is, a user name and password) can be used. Because the pipelines don’t run interactively, multifactor authentication must not be set up for the account that you use. We recommend that you set up a separate user account that has limited access and strong credentials that can regularly be rotated for security purposes.

Create an LCS connection in Azure Pipelines

https://docs.microsoft.com/en-us/dynamics365/fin-ops-core/dev-itpro/dev-tools/pipeline-lcs-connection