Saturday, April 4, 2020

Azure AD Token Generator using .NET Core

10 min to read.


Change is inevitable. With .NET Framework becoming legacy and .NET core stated as future; many migration projects are getting triggered. Also for new projects, development choice is .NET core by default.

Last year in April 2019 I wrote a blog post on How to create service principal or App registration in Azure AD.

This is one of the most visited blog post. Reason is simple. Any functionality having requirement of invoking Azure REST API requires Azure AD token generation. This helps in performing management tasks against Azure environment; and hence it is crucial.

The last year blog is based on .NET framework.

With .NET core becoming more and more obvious choice, I thought it is time to have new blog post and new code base for “.NET core based Azure AD Token generator using Service principal.”

Let’s go!

Why I need to generate the Azure AD Token?

This is common question I get. What are the scenarios where I need to generate Azure Ad token from code and use it? Therefore below diagram lists few tasks where I will use Azure AD token generator code. Click on below diagram to get better view.

App registration and assign permissions to Azure AD application

The concepts of Azure AD Service principal, application registration, process of creating service principal remains same for .Net core too.

The only change we will see is in codebase.

So follow my earlier blog and perform below tasks –
       1.       Create Azure Service Principal by app registration
2.      Record Tenant ID, Application ID and Secret key
3.      Assign correct permissions to Azure AD app

By following earlier blog if you are still not clear then refer to document to understand – How and Why applications are added to Azure AD.

.NET Core code base for Azure AD token generation

Let us understand the code base for .NET core. The code now fundamentally is different than .NET framework. However Tenant ID, Application ID and Secret Key of Azure AD will be leveraged same as .NET framework code.
Build confidential client application as below – [click to enlarge]

This class is present in Nuget package Microsoft.Identity.Client and I am using 4.10.0 version for this project.

Azure AD authentication has many flows applicable. The current flow we are using in our code is “Azure AD Client Credentials” flow. For client credential flow we have to provide scope.

Scope is a boundary for which granted access token will be valid. If you request token for one scope and use for another; request will be denied. Example, you provide scope while requesting token from Azure AD as [Log analytics resource scopes].

Means with generated token we can perform operation ONLY on Log Analytics. Post getting token if you try to access Azure Storage resource with scope as then it will be denied. So providing correct scope is crucial.

The format of scope for “Client Credentials” is always of the shape “resource/.default”. So configure the scope as below. In my example I am leveraging scope for Azure Log Analytics. [click to enlarge below].

Now for this scope we retrieve the Access Token as below – [click to enlarge].

Further we can use this token with Postman to perform Azure management operation. Alternatively, we can also integrate this code in Azure functions, or applications to get token at runtime without user credentials and perform required administrative operation against azure environment.

Download  code

Entire code is available for download from github at the link  -


Hope this article helped you to get quick code for generating Azure AD token using .NET core. Let me know your views in comments section below to improve and what are your thoughts on this approach.
Happy token generating!!

A humble request!

Internet is creating a lot of digital garbage. If you feel this a quality blog and someone will definitely get benefited, don't hesitate to hit share button present below. Your one share will save many precious hours of a developer. Thank you.

Next Related Posts

Start stop multiple Azure VMs and save cost. This uses Azure AD application behind the scenes.

No comments:

Post a Comment