I'd like to authenticate to the Azure Service Management API using Azure AD through curl.

I set up an application within my default directory. In this free trial subcription that's the only directory I have.

When I target the oauth token endpoint I receive a JWT.

curl --data "grant_type=client_credentials&client_id=<my_client_id>&client_secret=<my_encoded_secret>&resource=https%3A%2F%2Fmanagement.core.windows.net" https://login.windows.net/<my_tenant_id>/oauth2/token

But when I use that token to list my subscription details I receive an error:

curl -H "x-ms-version: 2014-06-01" \
     -H "Authorization: Bearer <my_token>" \
     https://management.core.windows.net/<my_subscription_id>/

    <Error xmlns="http://schemas.microsoft.com/windowsazure" xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
      <Code>ForbiddenError</Code>
      <Message>The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription.</Message>
    </Error>

I have granted permissions to the Service Management API for the application as "Delegated permissions", because "Application permissions" are not available.

What am I missing?

This isn't possible due to the Application Permissions: 0 setting for the Service Management API. The client_credentials grant type uses credentials from the application (client_id and client_secret), and since the application does not have permissions for this API the call fails.

Since the Service Management API will not allow application permissions of any kind, we must use the authorization_code grant type or some other method to obtain a user token.