Just Give Me an Access Token

Published Apr 22 2022 05:09 AM
Microsoft

Use the Azure CLI to Get Access Tokens

One of my least favorite parts about developing custom APIs secured with Azure AD is figuring out how to acquire an access token when I am testing or debugging. Usually, this involves creating additional client app registrations, managing callback URLs, creating (and properly handling) secret keys, etc. In this video, I'll demonstrate how to use the Azure CLI as a client that can quickly and easily acquire access tokens for your custom APIs.

Try It!

  • First, I'll assume you already have an API project and have created an app registration for it in Azure AD. Also, make sure you've assigned an Application ID URI and exposed a delegated scope. For more information (and a sample), see the Protected web API overview.
  • Next, register a Service Principal in your Azure AD tenant for the Azure CLI. This will allow you to grant custom permissions to it.
  • Finally, grant permissions to your API and then use the CLI to get an access token for it. 

Use this PowerShell script to perform these steps.


$appId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46" #global appId for az CLI
$apiId = "your-app-id-here" #appId of your custom API
$requestScope = "api://your-app-id-here/.default" #scope exposed by your custom API app registration

## First time only
az login
az ad sp create --id $appId
az ad app permission grant `
  --id $appId `
  --api $apiId `
  --scope "your-scope-name" #example: "access_as_user" or "user_impersonation"

## Get new token
az account get-access-token --scope $requestScope --query accessToken
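
Before sending the token to your API, it helps to confirm that it carries the audience, client and scope you granted. The PowerShell below is an added example, not part of the original post: it decodes the token's claims without verifying the signature (that remains the API's job) and checks them against the values from the script. The function names are hypothetical, the sample token is constructed and unsigned, and the audience check assumes the default api://<appId> Application ID URI.

```powershell
$cliAppId = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"  # Azure CLI appId from the script above
$apiId    = "your-app-id-here"                      # placeholder, as in the script above

function ConvertFrom-Base64Url([string]$Text) {
    # JWT segments are unpadded base64url; restore standard base64 before decoding
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function Get-JwtClaims([string]$Token) {
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a JWT: expected 3 dot-separated segments" }
    ConvertFrom-Base64Url -Text $parts[1] | ConvertFrom-Json
}

function Test-ApiToken($Claims, [string]$ApiId, [string]$ClientId, [string]$Scope) {
    # v1 tokens name the client in 'appid', v2 tokens in 'azp'
    $client = if ($Claims.appid) { $Claims.appid } else { $Claims.azp }
    $expiry = [DateTimeOffset]::FromUnixTimeSeconds([long]$Claims.exp)
    [pscustomobject]@{
        AudienceOk = $Claims.aud -in @($ApiId, "api://$ApiId")  # assumes default App ID URI
        ClientOk   = $client -eq $ClientId
        ScopeOk    = ("$($Claims.scp)" -split ' ') -contains $Scope
        NotExpired = $expiry -gt [DateTimeOffset]::UtcNow
        ExpiresUtc = $expiry.UtcDateTime
    }
}

# Constructed sample token (unsigned, placeholder signature) so the checks run offline
function New-SampleSegment($Object) {
    $bytes = [Text.Encoding]::UTF8.GetBytes(($Object | ConvertTo-Json -Compress))
    [Convert]::ToBase64String($bytes).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
$sample = @(
    (New-SampleSegment @{ alg = 'RS256'; typ = 'JWT' }),
    (New-SampleSegment @{ aud = "api://$apiId"; appid = $cliAppId; scp = 'access_as_user'; exp = $exp }),
    'constructed-signature'
) -join '.'
Test-ApiToken (Get-JwtClaims $sample) -ApiId $apiId -ClientId $cliAppId -Scope 'access_as_user'

# With a real token from the script above (-o tsv strips the JSON quotes):
# $token = az account get-access-token --scope $requestScope --query accessToken -o tsv
# Test-ApiToken (Get-JwtClaims $token) -ApiId $apiId -ClientId $cliAppId -Scope 'your-scope-name'
```

Decoding locally keeps the bearer token out of third-party decoder sites; treat the token itself like a password for as long as ExpiresUtc is in the future.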

Hopefully you find this to be a useful time saver!

Last update: May 05 2022 10:02 AM