Azure AD for REST Requests Authentication
Operators who manage the ARM through the official ARM REST API can also authenticate with Azure AD instead of a local ARM account.
➢ To use the ARM REST API with an Azure AD user:
1. Configuration in the Azure portal:
In Azure Active Directory under Manage select App registrations, select the default ARM application. Under Manage, select Expose an API:
a. Click Add a scope.
b. Click Save and continue; the default Application ID URI is created: “api://{client-id}”.
Register your own REST application for REST authentication.
In the Azure Active Directory pane, click App registrations and choose New registration.
In the new application:
c. Create a client secret – as described previously.
d. Add permission to access the default ARM application:
Under API permissions click Add permission.
Select My APIs, select the default ARM application (the one whose API you exposed previously), choose Application permissions, and then select the app role for REST authentication (from the app roles defined previously in that application).
Click Grant admin consent.
2. Acquire an access token from Microsoft. To acquire the access token using a REST client:
Send a request to Microsoft Identity platform’s token endpoint, as follows:
POST
https://login.microsoftonline.com/<tenant-id>/oauth2/v2.0/token
Using x-www-form-urlencoded as the ‘Body content type’ and the following ‘Body’ content (one form field per line; no spaces around the ‘=’ signs):
grant_type=client_credentials&
client_id=<rest-app-client-id>&
client_secret=<rest-app-client-secret>&
scope=api://<client-id>/.default
Replace <tenant-id> and <client-id> with the tenant ID and the client ID of the default ARM application.
Replace <rest-app-client-id> and <rest-app-client-secret> with the client ID and client secret of your own REST application. The client secret grants the assigned role to anyone who holds it, so store it in a secret store and never write it to logs.
A successful response will contain an access token:
{
"token_type": "Bearer",
"expires_in": 3599,
"ext_expires_in": 3599,
"access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsI…"
}
3. Access ARM’s REST API using the access token:
To access ARM’s REST API using the access token, send a POST request with the token received from Microsoft to:
POST <ARM_Configurator_IP>/ARM/v1/login/microsoft/authentication/token
with the following body:
{
"accessToken": "<microsoft-access-token>",
"authenticationType": "ACCESS_TOKEN"
}
The ARM validates the Microsoft access token and generates an ARM token with the received role.
4. In any REST request to the ARM, use the received token in the Authorization header like this:
Authorization Header
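The following Python script is an added example that carries steps 2 to 4 of this procedure end to end; it is not AudioCodes or ARM code. It builds the client-credentials form exactly as specified above, exchanges the Microsoft token at the ARM login endpoint, and produces the Authorization header for step 4. Everything not stated on this page is an assumption and is marked as such in the code: the ARM is reached over https; the ARM login reply carries the ARM token in a JSON field named `token`; the ARM accepts its token with the `Bearer` scheme; the Microsoft token's `aud` claim is either `api://<client-id>` or the bare client ID. The tenant, IDs, secret, role name (`arm-operator`), endpoints and the unsigned sample JWT are constructed so the flow runs offline through `fake_post`, which stands in for both servers; pass `http_post` instead to talk to the real ones.

```python
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
ARM_LOGIN_PATH = "/ARM/v1/login/microsoft/authentication/token"

def http_post(url, body, headers):
    """Real transport: POST raw bytes over TLS only (the body carries a secret or a token)."""
    if not url.startswith("https://"):
        raise ValueError("refusing to send credentials over plain http")
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status, resp.read().decode()

def build_token_request(tenant_id, arm_client_id, rest_client_id, rest_client_secret):
    """Step 2: the token endpoint URL and the x-www-form-urlencoded body."""
    url = TOKEN_URL.format(tenant_id=urllib.parse.quote(tenant_id, safe=""))
    form = {"grant_type": "client_credentials",
            "client_id": rest_client_id,                  # your own REST application
            "client_secret": rest_client_secret,
            "scope": f"api://{arm_client_id}/.default"}   # the default ARM application
    return url, urllib.parse.urlencode(form).encode()

def acquire_microsoft_token(tenant_id, arm_client_id, rest_client_id, rest_client_secret, post=http_post):
    """Step 2: returns (access_token, expires_in). Cache it and renew before expiry."""
    url, body = build_token_request(tenant_id, arm_client_id, rest_client_id, rest_client_secret)
    status, text = post(url, body, {"Content-Type": "application/x-www-form-urlencoded"})
    if status != 200:
        raise RuntimeError(f"token endpoint returned HTTP {status}")  # do not log the request body
    resp = json.loads(text)
    if resp.get("token_type") != "Bearer" or not resp.get("access_token"):
        raise RuntimeError("token response lacks a Bearer access_token")
    return resp["access_token"], int(resp.get("expires_in", 0))

def jwt_claims(token):
    """Decode the JWT payload WITHOUT verifying the signature; the ARM does the real validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (header.payload.signature)")
    return json.loads(base64.urlsafe_b64decode(parts[1] + "=" * (-len(parts[1]) % 4)))

def preflight_roles(token, arm_client_id):
    """Fail early on a token for another API or with no app role (missing permission/consent).
    Assumption: 'aud' is the Application ID URI or the bare client id."""
    claims = jwt_claims(token)
    if claims.get("aud") not in (f"api://{arm_client_id}", arm_client_id):
        raise ValueError(f"token audience {claims.get('aud')!r} is not the ARM application")
    roles = claims.get("roles") or []
    if not roles:
        raise ValueError("no app role in token: check API permissions and admin consent")
    return roles

def login_to_arm(arm_base_url, ms_access_token, post=http_post):
    """Step 3: exchange the Microsoft token; returns the parsed JSON reply (shape not on the page)."""
    url = arm_base_url.rstrip("/") + ARM_LOGIN_PATH
    body = json.dumps({"accessToken": ms_access_token, "authenticationType": "ACCESS_TOKEN"}).encode()
    status, text = post(url, body, {"Content-Type": "application/json"})
    if status != 200:
        raise RuntimeError(f"ARM login returned HTTP {status}")
    return json.loads(text)

def authorization_header(arm_token):
    """Step 4. Assumption: the ARM accepts its token with the Bearer scheme."""
    return {"Authorization": f"Bearer {arm_token}"}

ARM_APP_ID = "11111111-1111-1111-1111-111111111111"  # constructed stand-ins from here on: not real ids, tokens, roles or endpoints

def make_unsigned_sample_jwt(claims):
    """header.payload.dummysig for demonstration only; carries no real signature."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'RS256', 'typ': 'JWT'})}.{seg(claims)}.dummysig"

SAMPLE_MS_TOKEN = make_unsigned_sample_jwt({"aud": f"api://{ARM_APP_ID}", "roles": ["arm-operator"]})

def fake_post(url, body, headers):
    """Plays both servers and checks each request is shaped as the procedure specifies."""
    if url.startswith("https://login.microsoftonline.com/"):
        form = urllib.parse.parse_qs(body.decode())
        assert form["grant_type"] == ["client_credentials"] and form["scope"] == [f"api://{ARM_APP_ID}/.default"]
        return 200, json.dumps({"token_type": "Bearer", "expires_in": 3599, "access_token": SAMPLE_MS_TOKEN})
    if url.endswith(ARM_LOGIN_PATH):
        req = json.loads(body)
        assert req["authenticationType"] == "ACCESS_TOKEN" and req["accessToken"] == SAMPLE_MS_TOKEN
        roles = jwt_claims(req["accessToken"])["roles"]      # "an ARM token with the received role"
        return 200, json.dumps({"token": "arm-token-for-" + ",".join(roles)})  # "token" field assumed
    return 404, ""

def demo(post=fake_post):
    """Steps 2-4 end to end; returns the step-4 header, the roles seen and the token TTL."""
    ms_token, ttl = acquire_microsoft_token("contoso.onmicrosoft.com", ARM_APP_ID, "rest-id", "rest-secret", post)
    roles = preflight_roles(ms_token, ARM_APP_ID)
    arm_reply = login_to_arm("https://arm.example.net", ms_token, post)
    return authorization_header(arm_reply["token"]), roles, ttl
```

Two points worth keeping in mind when adapting this. `jwt_claims` only decodes the payload; it is a pre-flight check that catches the common misconfiguration (no app role because the permission was not granted or admin consent was skipped) before the ARM rejects the login, and it must never be mistaken for validation, which the ARM performs on the signature and claims. The Microsoft token is valid for `expires_in` seconds (3599 in the sample response above), so a client should cache it and the ARM token and renew shortly before expiry rather than hitting the token endpoint on every ARM call.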