Abstract
Change is inevitable. With .NET Framework becoming legacy and .NET Core stated as the future, many migration projects are getting triggered. For new projects too, .NET Core is the development choice by default.
In April 2019 I wrote a blog post on how to create a service principal (app registration) in Azure AD. It is one of my most visited blog posts, and the reason is simple: any functionality that invokes the Azure REST API requires an Azure AD token. That token is what lets code perform management tasks against an Azure environment, and hence it is crucial.
With .NET Core becoming the more and more obvious choice, I thought it is time for a new blog post and a new code base for a ".NET Core based Azure AD token generator using a service principal."
Let's go!
Why do I need to generate the Azure AD token?
This is a common question I get: in which scenarios do I need to generate an Azure AD token from code and use it? The diagram below lists a few tasks where I use the Azure AD token generator code.
[Diagram: scenarios that use the Azure AD token generator; click to enlarge]
App registration and assign permissions to Azure AD application
The concepts of the Azure AD service principal and application registration, and the process of creating a service principal, remain the same for .NET Core too.
The only change we will see is in the codebase.
So follow my earlier blog and perform the tasks below –
1. Create an Azure service principal by app registration
2. Record the Tenant ID, Application ID and secret key
3. Assign the correct permissions to the Azure AD app
If you are still not clear after following the earlier blog, refer to the Microsoft document "How and why applications are added to Azure AD".
.NET Core code base for Azure AD token generation
Let us understand the code base for .NET Core. The code is now fundamentally different from the .NET Framework version. However, the Tenant ID, Application ID and secret key of the Azure AD app are used exactly as in the .NET Framework code.
Build the confidential client application as below – [click to enlarge]
This class is present in the NuGet package Microsoft.Identity.Client, and I am using version 4.10.0 for this project.
Azure AD authentication supports many flows. The flow we are using in our code is the "Azure AD client credentials" flow, and for the client credentials flow we have to provide a scope.
A scope is the boundary for which the granted access token will be valid. If you request a token for one scope and use it for another, the request will be denied. For example, you request a token from Azure AD with the scope https://api.loganalytics.io/ [the Log Analytics resource scope].
This means that with the generated token we can perform operations ONLY on Log Analytics. If, after getting that token, you try to access an Azure Storage resource (scope https://storage.azure.com/), the request will be denied. So providing the correct scope is crucial.
The format of the scope for "client credentials" is always of the shape "resource/.default". So configure the scope as below. In my example I am using the scope for Azure Log Analytics. [click to enlarge below]
Now for this scope we retrieve the access token as below – [click to enlarge].
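Since the post's own code is only available as screenshots and in the GitHub repository, here is an added example (my own, not the post's code) that puts the three steps together with Microsoft.Identity.Client 4.10.0: build the confidential client, check that the scope has the "resource/.default" shape, and acquire the token with the client credentials flow. The environment variable names are an assumption; the Tenant ID, Application ID and secret are the values recorded during app registration.

```csharp
using System;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

public static class AzureAdTokenGenerator
{
    // Client-credentials scopes always have the shape "<resource>/.default".
    public static bool IsValidClientCredentialsScope(string scope) =>
        !string.IsNullOrWhiteSpace(scope)
        && scope.EndsWith("/.default", StringComparison.Ordinal);

    // Builds the confidential client for one Azure AD tenant (public cloud authority).
    public static IConfidentialClientApplication BuildClient(
        string tenantId, string clientId, string clientSecret)
    {
        return ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority($"https://login.microsoftonline.com/{tenantId}")
            .Build();
    }

    // Client credentials flow: no user involved, the app authenticates with its secret.
    // MSAL caches the result in memory, so repeated calls reuse the token until it expires.
    public static async Task<AuthenticationResult> GetTokenAsync(
        IConfidentialClientApplication app, string scope)
    {
        if (!IsValidClientCredentialsScope(scope))
            throw new ArgumentException("Scope must be '<resource>/.default'", nameof(scope));
        return await app.AcquireTokenForClient(new[] { scope }).ExecuteAsync();
    }

    public static async Task Main()
    {
        // Assumed variable names; the secret is read from the environment, never hard-coded.
        string tenantId = Environment.GetEnvironmentVariable("AZURE_TENANT_ID");
        string clientId = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
        string clientSecret = Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET");

        IConfidentialClientApplication app = BuildClient(tenantId, clientId, clientSecret);
        try
        {
            // Scope from the post: the token is valid for Azure Log Analytics only.
            AuthenticationResult result = await GetTokenAsync(app, "https://api.loganalytics.io/.default");
            Console.WriteLine($"Token acquired; expires at {result.ExpiresOn:u}");
        }
        catch (MsalServiceException ex)
        {
            // Azure AD rejected the request (bad secret, wrong tenant, missing permission, bad scope).
            Console.Error.WriteLine($"Azure AD error {ex.ErrorCode}: {ex.Message}");
        }
    }
}
```

The `AccessToken` on the returned result is what you paste into Postman's Authorization header as a bearer token; a token issued for the Log Analytics scope will still be rejected by other resources, as described above.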
We can then use this token with Postman to perform Azure management operations. Alternatively, we can integrate this code into Azure Functions or other applications to get a token at runtime without user credentials and perform the required administrative operations against the Azure environment.
Download code
The entire code is available for download from GitHub at https://github.com/kunalchandratre1/AzureADTokenGeneratorNETCore
Conclusion
I hope this article helped you get quick code for generating an Azure AD token using .NET Core. Let me know your views and your thoughts on this approach in the comments section below so I can improve it.
Happy token generating!!
A humble request!
The Internet is creating a lot of digital garbage. If you feel this is a quality blog and someone will definitely benefit from it, don't hesitate to hit the share button below. Your one share will save many precious hours of a developer. Thank you.