In the last blog I went over the Azure REST API and the format of its URIs. I also explained that the REST API requires an OAuth2 bearer token for authentication. In this blog I will show how to register a client application in Azure so that it can request a bearer token.
Application Registration
In order for an application to obtain a bearer token we need to create two Azure Active Directory objects:
Application Object
This represents your client application and holds the properties that are specific to it, such as its identifier URIs and keys.
Service Principal Objects
There are two types of principals in Azure AD: user principals, which represent people like you and me, and application principals, which are called service principals. A service principal is the identity the application authenticates as, and the policies and permissions attached to it define what the application is allowed to do. When we create a service principal we can give the client application either a password or a certificate to authenticate with. My example below uses a password.
Creating AAD Objects
One of the problems with the Azure portal and the PowerShell cmdlets is that there is no one-to-one correlation between the two. The portal creates both objects at once but does not grant the service principal any access to the subscription. The PowerShell cmdlets create each object independently but automatically grant access to the subscription.
The first thing we need to do is create an application. We can set the identifierUris to localhost; it is only used to uniquely identify a web application within its Azure AD tenant.
New-AzureRmADApplication -DisplayName "PostmanDemo" -IdentifierUris http://localhost
Next we need to create the service principal. First create a secure string from the password "secretpassword":
Add-Type -Assembly System.Web
$securePassword = ConvertTo-SecureString -Force -AsPlainText -String "secretpassword"
Next create the service principal, passing in the application ID of the application we created above.
$aa = Get-AzureRmADApplication -DisplayName "PostmanDemo"
New-AzureRmADServicePrincipal -ApplicationId $aa.ApplicationId -Password $securePassword
Let's check how long the password remains valid.
$sp = Get-AzureRmADServicePrincipal -DisplayName PostmanDemo
Get-AzureRmADServicePrincipalCredential -ObjectId $sp.Id
By default the password expires one year after creation.
Let's check which role has been assigned to this service principal in the current subscription.
Get-AzureRmRoleAssignment -ObjectId $sp.Id
The service principal has been granted the Contributor role. If you want to change it, follow the steps here. This is the step that PowerShell performs automatically but that you need to do manually in the portal.
You cannot extend the validity period of an existing password, but you can add a new credential using New-AzureRmADServicePrincipalCredential.
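The steps above combined into one script, as an added example that is not code from the original post. It generates a random client secret instead of a fixed string (the System.Web assembly the post loads provides the generator), creates the application and service principal, audits the credential's expiry, and replaces the subscription-wide Contributor role that New-AzureRmADServicePrincipal assigns with a narrower role. It assumes the AzureRM module (4.0 or later, for the Get-AzureRmContext property names used) is loaded and Login-AzureRmAccount has already run; the display name, resource group name, Reader role and 90-day threshold are placeholders chosen for the example.

```powershell
# Added example (not from the original post): register an application and
# service principal for REST API access, audit the credential lifetime and
# tighten the default role assignment. Assumes AzureRM 4.0+ and an active login.
$displayName   = 'PostmanDemo'
$resourceGroup = 'rg-postman-demo'   # placeholder: scope for the narrower role
$targetRole    = 'Reader'            # placeholder: least-privilege role for a read-only client
$maxDays       = 90                  # placeholder: credential lifetime policy

# 1. Generate a random client secret rather than hard-coding one.
#    GeneratePassword lives in System.Web, which is why the post loads that assembly.
Add-Type -AssemblyName System.Web
$plainSecret    = [System.Web.Security.Membership]::GeneratePassword(32, 8)
$securePassword = ConvertTo-SecureString -AsPlainText -Force -String $plainSecret

# 2. Application object. The identifier URI only has to be unique within the tenant.
$app = New-AzureRmADApplication -DisplayName $displayName -IdentifierUris "http://localhost/$displayName"

# 3. Service principal object with a password credential.
$sp = New-AzureRmADServicePrincipal -ApplicationId $app.ApplicationId -Password $securePassword

# The cmdlet returns before the directory has finished replicating; poll until
# the principal can be read back by object id before touching it further.
$retries = 0
while (-not (Get-AzureRmADServicePrincipal -ObjectId $sp.Id -ErrorAction SilentlyContinue) -and $retries -lt 10) {
    Start-Sleep -Seconds 5
    $retries++
}

# 4. Audit the password credential: report expiry and warn when the default
#    one-year lifetime exceeds the policy maximum.
foreach ($cred in Get-AzureRmADServicePrincipalCredential -ObjectId $sp.Id) {
    $daysLeft = [int]($cred.EndDate - (Get-Date)).TotalDays
    if ($daysLeft -gt $maxDays) {
        Write-Warning "Credential $($cred.KeyId) is valid for $daysLeft days (policy maximum is $maxDays)."
    } else {
        Write-Output "Credential $($cred.KeyId) expires in $daysLeft days."
    }
}

# 5. Replace the subscription-wide Contributor role (granted automatically by
#    New-AzureRmADServicePrincipal) with a narrower assignment on one resource group.
$subscriptionId = (Get-AzureRmContext).Subscription.Id
foreach ($ra in Get-AzureRmRoleAssignment -ObjectId $sp.Id) {
    if ($ra.RoleDefinitionName -eq 'Contributor' -and $ra.Scope -eq "/subscriptions/$subscriptionId") {
        Remove-AzureRmRoleAssignment -ObjectId $ra.ObjectId -RoleDefinitionName $ra.RoleDefinitionName -Scope $ra.Scope
    }
}
New-AzureRmRoleAssignment -ObjectId $sp.Id -RoleDefinitionName $targetRole -ResourceGroupName $resourceGroup

# 6. Emit what the REST client will need. The secret is shown once so it can be
#    placed in a secret store; Azure AD does not let you read it back later.
[pscustomobject]@{
    TenantId     = (Get-AzureRmContext).Tenant.Id
    ClientId     = $app.ApplicationId
    ClientSecret = $plainSecret
}
```

Run the script once per client application; the final object holds the tenant id, client id and secret that the token request in the next step needs. If the client only ever reads resources, Reader on a single resource group is enough for it, and a shorter credential lifetime can be set when adding a replacement credential with New-AzureRmADServicePrincipalCredential and its -EndDate parameter.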
If we navigate to the Azure portal, click on Azure Active Directory and then App registrations, we see our application registered.
In the next blog I will show you how to request a Bearer token in Postman.