
Azure token from a custom app registration

  • 20/01/2022
  • by Martin Ehrnst

It’s no secret that you can get an Azure AD token and use it to access API resources like Microsoft Graph, Azure Resource Manager (ARM), and so on. It’s also pretty straightforward to authenticate against a custom API using client credentials; in fact, I have written previously about how to do that, where we accessed a custom API built on Azure Functions. On the authentication side, I also wrote a post on how to access the Azure Monitor REST APIs using client credentials (an app registration).

Get an Azure token with delegated user credentials from a custom API

The above examples are fine, but they both use a separate app registration for authenticating against our custom API (the Azure Function) and against ARM to access Azure Monitor. But what if I want to use my own personal credentials instead of client credentials? For ARM resources like Azure Monitor, Resource Graph, etc., you can do that already using Azure CLI, or the PowerShell example below.

# Sign in interactively with your own (delegated) user credentials
Connect-AzAccount
# Request a token whose audience is Azure Resource Manager
Get-AzAccessToken -ResourceUrl "https://management.azure.com"

Whether you use Az CLI or PowerShell, the output is similar to the above. You can decode the token using jwt.io and get a human-readable output.

Always be careful when using services like jwt.io: your token is, after all, your credentials and can give access to resources.


App registration: expose an API

Instead of specifying ARM as we did above, you can also generate a token against your custom app registration using delegated permissions from Azure CLI or PowerShell. The secret lies in the “Expose an API” blade, or more specifically, in “Authorized client applications”.

To allow delegated access and the ability to receive a token from your custom app registration, do the following:

  • Make sure your user is allowed to access the app; you can add that in the enterprise app blade.
  • Create a scope under “Expose an API”.
  • Add the client application(s) to the scope:
    • Azure CLI client application ID: 04b07795-8ddb-461a-bbee-02f9e1bf7b46
    • Azure PowerShell client application ID: 1950a258-227b-4e31-a9cf-717495945fc2

Get access token from custom API using Azure CLI or PowerShell

Pull out your favorite shell and change your ResourceUrl from management.azure.com to your app ID or Application ID URI. In my case, this is api://adatum-auth-test-app

After getting the token you can again use jwt.io to see the details. Pay attention to the appId and aud claims. The appId in this case is Azure PowerShell.
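As an added example (not from the original post), here is the PowerShell flow end to end: request the delegated token for the custom app, decode the claims locally so the token never has to be pasted into jwt.io, and check the aud and appId claims pointed out above. It assumes the Az module, the App ID URI api://adatum-auth-test-app from above, and the Azure PowerShell client ID listed earlier; ConvertFrom-JwtPayload is a hypothetical helper written for this example.

```powershell
# Added example, not from the original post. Assumes the Az module is installed and
# the app registration exposes api://adatum-auth-test-app with Azure PowerShell
# (1950a258-227b-4e31-a9cf-717495945fc2) listed as an authorized client application.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    # A JWT is header.payload.signature; only the payload is needed for inspection.
    $payload = $Token.Split('.')[1]
    # Base64url uses '-' and '_' and omits padding; restore both before decoding.
    $payload = $payload.Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) {
        2 { $payload += '==' }
        3 { $payload += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload))
    return $json | ConvertFrom-Json
}

Connect-AzAccount | Out-Null

# The resource is the Application ID URI set under "Expose an API".
$resource  = 'api://adatum-auth-test-app'
$tokenInfo = Get-AzAccessToken -ResourceUrl $resource

# Newer Az versions return the token as a SecureString; older ones as plain text.
$raw = $tokenInfo.Token
if ($raw -is [securestring]) {
    $raw = [System.Net.NetworkCredential]::new('', $raw).Password
}
$claims = ConvertFrom-JwtPayload -Token $raw

# Checks on the claims the post tells you to look at. For a v1 token the audience
# is the App ID URI; a v2 token carries the application (client) ID instead.
if ($claims.aud -ne $resource) {
    Write-Warning "Audience is '$($claims.aud)', expected '$resource'"
}
if ($claims.appid -ne '1950a258-227b-4e31-a9cf-717495945fc2') {
    throw "Token was not issued to the Azure PowerShell client (appid $($claims.appid))"
}

[pscustomobject]@{
    Audience   = $claims.aud
    ClientApp  = $claims.appid
    User       = $claims.upn
    Scope      = $claims.scp
    ExpiresUtc = [DateTimeOffset]::FromUnixTimeSeconds($claims.exp).UtcDateTime
}
```

The decoded payload is shown only on your own machine; the signature is not verified here, which is fine for inspection but not for accepting the token in an API.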

Final words

This post has been laying around in my draft for more than a year. But yesterday I got a question from a colleague about this and figured it was time to release it to the masses.

The reason it stayed in drafts is that I am unsure about Microsoft’s support for this and the potential security exposure it may add to your services. Keep that in mind and use the feature when needed.
If you want to learn more about application registrations, enterprise apps, and managed identities in general, please read my other post about the topic.
