
Azure PaaS Blog

Use Azure Storage Table REST API with AAD token via PostMan

jumontoy (Microsoft)
Aug 18, 2021

You can follow the steps below when an application has a special requirement and you need to call the raw Storage Table REST API from your dev environment via Postman. The procedure consists of two HTTP requests: first, authenticate directly as an Azure AD security principal (client credentials grant) to obtain an access token; second, make an authenticated Table Storage REST API call carrying that token.

 

Documentation related

 

Prerequisites

 

To follow the steps in this article you must have:

  • Azure subscription
  • An Azure AD tenant
  • A registered application (Azure AD service principal) with a client secret

 

Steps to reproduce this scenario:

  1. Acquire an OAuth 2.0 token:

    1. Create a security principal for the application (Azure portal > Azure AD > App registrations) and generate a client secret for it. Documentation reference: https://docs.microsoft.com/en-us/rest/api/servicebus/get-azure-active-directory-token#register-your-app-with-azure-ad
    2. Assign the Storage Table Data Reader role at the storage account level to the service principal created in step #1. Role assignments take time to propagate (the author waited 30 minutes before continuing); if the second request below fails with AuthorizationPermissionMismatch right after the assignment, wait and retry.
    3. Use Postman to get the Azure AD token:

  • Launch Postman.
  • For the method, select POST. The token endpoint only accepts POST; a GET is rejected.
  • For the URI, enter https://login.microsoftonline.com/<TENANT ID>/oauth2/token. Replace <TENANT ID> with the tenant ID value you copied earlier. This is the Azure AD v1.0 endpoint, which identifies the target API with a resource parameter; the v2.0 endpoint (.../oauth2/v2.0/token) instead requires scope=https://storage.azure.com/.default and rejects a request without a scope field.
  • On the Headers tab, add the Content-Type key with application/x-www-form-urlencoded as the value.
  • Switch to the Body tab, select x-www-form-urlencoded so that the body encoding matches the Content-Type header, and add the following keys and values:
  • Add the grant_type key, and type client_credentials for the value.
  • Add the client_id key, and paste the application (client) ID you noted down earlier.
  • Add the client_secret key, and paste the client secret you noted down earlier.
  • Add the resource key, and type https://storage.azure.com/ for the value.
  • Select Send to send the request. The JSON response carries the token in the access_token field and its lifetime in seconds in expires_in. Save the access_token value without the enclosing double quotes; you will use it in the next request. The token is a bearer credential: anyone who holds it can act as the service principal until it expires, so keep it out of shared collections and logs.

  2. Call the Query Entities storage REST API, passing the OAuth 2.0 token from the previous step:

  • In Postman, open a new tab.
  • Select GET for the method.
  • Enter the URI in the following format: https://<account>.table.core.windows.net/<table>() (no space before the slash; the trailing parentheses select the whole table). Replace <account> with the name of the storage account and <table> with the name of the table.
  • On the Headers tab, add three headers. Only the Authorization header is spelled out in the text below; the other two are the standard Storage request headers x-ms-date (the current UTC time in RFC 1123 format) and x-ms-version (a service version recent enough to support Azure AD authorization).
  • Add the Authorization key with a value in the following format: Bearer <TOKEN from Azure AD>. When you copy/paste the token, don't copy the enclosing double quotes, and make sure there is exactly one space after Bearer.
  • Select Send to get the entities from the table. You should see the status 200 OK with the entities in the response body. If an error comes back, its m:code element tells you which request went wrong: AuthenticationFailed means the token itself was rejected (a token requested for a different resource, an expired token, stray quotes or whitespace in the header, or a service version too old for Azure AD authorization), whereas AuthorizationPermissionMismatch means the token was accepted but the principal does not (yet) hold a data-plane role on the account.
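The whole procedure as an added example in Python (not code from the original post): it builds the same two requests, the POST to the v1.0 token endpoint and the GET to <table>(), and adds the local checks a practitioner wants before pasting a token into Postman: that the copied value is a three-part JWT without quotes, and that its aud claim is https://storage.azure.com/ (a token requested for another resource is the usual cause of AuthenticationFailed). Assumptions not on the page: the environment variable names AZ_TENANT, AZ_CLIENT_ID, AZ_CLIENT_SECRET, AZ_ACCOUNT and AZ_TABLE; the x-ms-version value 2020-12-06 and the Accept header; and demo_token, which produces a constructed, unsigned JWT for exercising the checks offline and is not a real Azure AD token.

```python
# Added example, not the original post's code: the two requests from the steps
# above, built with the standard library so their structure can be checked
# offline. main() sends them only when the AZ_* variables (assumed names) are set.
import base64
import json
import os
import sys
import urllib.error
import urllib.parse
import urllib.request
from email.utils import formatdate

STORAGE_RESOURCE = "https://storage.azure.com/"  # v1.0 'resource' value from the post
X_MS_VERSION = "2020-12-06"  # assumed: a service version recent enough for Azure AD auth


def build_token_request(tenant_id, client_id, client_secret, resource=STORAGE_RESOURCE):
    """Request 1: client_credentials against the Azure AD v1.0 token endpoint, which
    only accepts POST with a form-urlencoded body (not GET, not multipart form-data)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }).encode()
    return "POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, body


def token_claims(access_token):
    """Decode the JWT payload WITHOUT verifying the signature: a local sanity check
    only; the Storage service is what actually validates the token."""
    parts = access_token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("access_token is not a three-part JWT (were the quotes copied too?)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def check_audience(access_token, resource=STORAGE_RESOURCE):
    """AuthenticationFailed from the Table service is often a token minted for another
    resource. Azure AD may emit the audience with or without the trailing slash."""
    aud = token_claims(access_token).get("aud", "")
    return aud.rstrip("/") == resource.rstrip("/")


def build_query_entities_request(account, table, access_token, odata_filter=None, top=None):
    """Request 2: GET https://<account>.table.core.windows.net/<table>() with the bearer
    token plus the standard Storage headers x-ms-date and x-ms-version."""
    if access_token != access_token.strip() or '"' in access_token:
        raise ValueError("paste the token without surrounding quotes or whitespace")
    query = {}
    if odata_filter:
        query["$filter"] = odata_filter  # OData filter, e.g. "PartitionKey eq 'p1'"
    if top:
        query["$top"] = str(top)
    url = f"https://{account}.table.core.windows.net/{table}()"
    if query:
        url += "?" + urllib.parse.urlencode(query)
    headers = {
        "Authorization": f"Bearer {access_token}",
        "x-ms-date": formatdate(usegmt=True),  # RFC 1123 UTC timestamp
        "x-ms-version": X_MS_VERSION,
        "Accept": "application/json;odata=nometadata",  # JSON entities, no OData metadata
    }
    return "GET", url, headers


def send(method, url, headers, body=None):
    """Send one request; return (status, parsed JSON or raw text) without raising on 4xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            status, text = resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        status, text = err.code, err.read().decode()
    try:
        return status, json.loads(text)
    except ValueError:
        return status, text  # Storage error bodies are XML (m:code / m:message)


def demo_token(aud):
    """Constructed, unsigned sample JWT used only to exercise the local checks offline;
    it is not a real Azure AD token and the service would reject it."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none", "typ": "JWT"}), enc({"aud": aud, "appid": "demo"}), "sig"])


def main():
    names = ("AZ_TENANT", "AZ_CLIENT_ID", "AZ_CLIENT_SECRET", "AZ_ACCOUNT", "AZ_TABLE")
    env = {n: os.environ.get(n) for n in names}
    if not all(env.values()):
        sys.exit("set " + ", ".join(names) + " (the secret is read from the environment)")
    status, tok = send(*build_token_request(env["AZ_TENANT"], env["AZ_CLIENT_ID"], env["AZ_CLIENT_SECRET"]))
    if status != 200 or not isinstance(tok, dict) or not check_audience(tok.get("access_token", "")):
        sys.exit(f"token request failed or wrong audience: {status} {tok}")
    status, body = send(*build_query_entities_request(env["AZ_ACCOUNT"], env["AZ_TABLE"], tok["access_token"], top=5))
    print(status, json.dumps(body, indent=2) if isinstance(body, dict) else body)


if __name__ == "__main__":
    main()
```

Run it with the five variables exported. The build_* helpers never send anything on their own, so they can also be used to inspect the exact method, URL and headers a Postman request should carry; the audience check is deliberately an unverified decode, because the point is to catch a token minted for the wrong resource before the service rejects it, not to validate the token locally.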

 

 

Published Aug 18, 2021
Version 1.0
  • Joao_Alhinho (Brass Contributor)

    I get the following error when placing the second request:

    <?xml version="1.0" encoding="utf-8"?>
        <m:code>AuthenticationFailed</m:code>
        <m:message xml:lang="en-US">Server failed to authenticate the request. Make sure the value of Authorization header is formed correctly including the signature.
    RequestId:e3a694ee-2002-0057-150f-cc3533000000
    Time:2021-10-28T15:18:16.2285581Z</m:message>
    </m:error>

    I could successfully get the bearer key. I've tried with and without the x-ms- header.

     

    Any ideas or hints?



  • kedar2021, adapting this to blobs requires adjusting some aspects. For example, the role assigned to the security principal should be blob-based (Storage Blob Data Reader at minimum); also, the second part of the steps should be done against the blob endpoint, calling a Blob REST API as per https://docs.microsoft.com/en-us/azure/storage/blobs/reference. Please share more details about your repro so I can better understand at which step of the process you are seeing that message. Thanks in advance.

  • kedar2021 (Copper Contributor)

    Does this work for blobs as well? I am unable to get it working, as it says 'The required field 'scope' is missing from the credential'. Is scope required?

  • Adrian_Ganea (Copper Contributor)

    Nice article!

    Is it possible to get the token without the client secret?

    I've been trying to use msal.js 2 to get the token but can't figure out which scope to use (.default does not seem to work).

     

    If I use user_impersonation (and grant this api permission to the app registration) it is working, but it is using the user's permissions and I don't want to grant the users access at the table level. I want to set permissions only through the app registration like in this article.

     

    Any thoughts on this?

     

    Many thanks,

    Adrian