
I need to acquire an access token for accessing resources in Azure (the https://management.azure.com endpoint) using the REST API. Every article I have read was counting on an Application Id. In my case, the Azure tenant was just created (programmatically) and I have to create some resources in it.

The only things I have are the tenant id, subscription id, user name and password of the admin account. How can I authenticate using only the information I have? How does it work in PowerShell, which does not need to use an Application Id?

AFAIK, you always need an application. Azure PowerShell is an application too. - juunas
Wondering if you tried using a bearer token, az account get-access-token -s <subscription-id>, or using user name and password to get a bearer token to call the API, example here. The "try me" on the Azure API pages uses a bearer token. - N Singh

2 Answers


Based on my knowledge, it is impossible. As juunas said, even if you use user/password authentication, a client id is also required.

It is easy for you to create a service principal on Azure, you could check this link.

After the sp is created, you will get the client id and client secret. You also need to give the sp the Owner role on the subscription; you could check this link.

Now you could use the sp to call the REST API in PowerShell, for example.

##get token
$TENANTID=""
$APPID=""
$PASSWORD=""
# client_credentials grant against the v1.0 token endpoint; "resource" is the ARM audience
$result=Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TENANTID/oauth2/token?api-version=1.0" -Method Post -Body @{"grant_type" = "client_credentials"; "resource" = "https://management.core.windows.net/"; "client_id" = "$APPID"; "client_secret" = "$PASSWORD" }
$token=$result.access_token

##set subscriptionId and resource group name
$subscriptionId=""
$resourcegroupname="shui5"

$Headers=@{
    'authorization'="Bearer $token"
    'host'="management.azure.com"
    'Content-Type'='application/json'    # header name was misspelt ('contentype'), which ARM ignores
}
$body='{
    "location": "northeurope",
    "tags": {
        "tagname1": "test-tag"
    }
}'
# PUT on the resource group URI creates the group (or updates it if it exists)
Invoke-RestMethod -Uri "https://management.azure.com/subscriptions/$subscriptionId/resourcegroups/${resourcegroupname}?api-version=2015-01-01" -Headers $Headers -Method PUT -Body $body
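The same client-credentials flow, written as an added example rather than the answerer's script: the secret is read from an environment variable instead of being pasted into the file, the token endpoint's error body is surfaced on failure, the returned token's audience and expiry are checked before it is sent to ARM, and the resource group body is built with ConvertTo-Json. The AZ_CLIENT_SECRET variable name, the Get-ArmAccessToken function and the placeholder tenant, app, subscription and resource group values are assumptions of this example.

```powershell
# Added example (not part of the answer above). Assumes the service principal's secret
# is exported as AZ_CLIENT_SECRET; every other value below is a placeholder.

function Get-ArmAccessToken {
    param(
        [Parameter(Mandatory)] [string] $TenantId,
        [Parameter(Mandatory)] [string] $ClientId,
        [Parameter(Mandatory)] [string] $ClientSecret
    )
    $resource = 'https://management.core.windows.net/'   # ARM audience for the v1.0 endpoint
    $tokenUri = "https://login.microsoftonline.com/$TenantId/oauth2/token?api-version=1.0"
    $body = @{
        grant_type    = 'client_credentials'
        resource      = $resource
        client_id     = $ClientId
        client_secret = $ClientSecret
    }
    try {
        $result = Invoke-RestMethod -Uri $tokenUri -Method Post -Body $body `
                                    -ContentType 'application/x-www-form-urlencoded'
    } catch {
        # Azure AD returns a JSON body with error/error_description; show it instead of a bare status
        throw "Token request failed: $($_.ErrorDetails.Message)"
    }

    # Decode the JWT payload (no signature check here, the resource server does that) only to
    # confirm the token was issued for the resource we asked for before it goes on the wire.
    $payloadB64 = $result.access_token.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payloadB64.Length % 4) { 2 { $payloadB64 += '==' } 3 { $payloadB64 += '=' } }
    $claims = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payloadB64)) | ConvertFrom-Json
    if ($claims.aud -ne $resource) {
        throw "Unexpected token audience '$($claims.aud)', expected '$resource'"
    }

    # expires_on is Unix time; treat the token as stale one minute early to avoid edge-of-expiry 401s
    [pscustomobject]@{
        AccessToken = $result.access_token
        ExpiresOn   = [DateTimeOffset]::FromUnixTimeSeconds([int64]$result.expires_on).AddMinutes(-1)
    }
}

# ---- usage (placeholder identifiers) ----
$TenantId          = '<tenant-id>'
$ClientId          = '<service-principal-app-id>'
$SubscriptionId    = '<subscription-id>'
$ResourceGroupName = 'rg-example'

$secret = $env:AZ_CLIENT_SECRET
if (-not $secret) { throw 'AZ_CLIENT_SECRET is not set; the secret is not kept in the script.' }

$tok = Get-ArmAccessToken -TenantId $TenantId -ClientId $ClientId -ClientSecret $secret
if ([DateTimeOffset]::UtcNow -ge $tok.ExpiresOn) { throw 'Token already expired' }

$headers = @{ Authorization = "Bearer $($tok.AccessToken)" }   # Host is set by Invoke-RestMethod itself
$rgBody  = @{ location = 'northeurope'; tags = @{ tagname1 = 'test-tag' } } | ConvertTo-Json
$uri     = "https://management.azure.com/subscriptions/$SubscriptionId/resourcegroups/${ResourceGroupName}?api-version=2015-01-01"

# PUT creates the resource group (or updates it in place if it already exists)
Invoke-RestMethod -Uri $uri -Method Put -Headers $headers -Body $rgBody -ContentType 'application/json'
```

Keeping ExpiresOn next to the token lets a longer script reuse one token across many ARM calls and only go back to the token endpoint when it is about to lapse, which is also what you want to see in the sign-in logs: one client-credentials grant per session rather than one per request.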

You can use the Microsoft PowerShell Application ID to authenticate without having your own Application ID. This code snippet will give you the token:

Import-Module MSOnline      # IMPORTANT! Loads type assembly Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext
$TENANTID = ""  # Your Tenant ID
$clientId = "1b730954-1685-4b74-9bfd-dac224a7b894"      # PowerShell Client Id
$MSMgmtURI = "https://management.core.windows.net"      # resource (audience) the token is requested for
$authority = "https://login.microsoftonline.com/$TENANTID"
$redirectUri = "urn:ietf:wg:oauth:2.0:oob"              # out-of-band redirect used by native/public clients
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority
# "Always" is the ADAL PromptBehavior: show the sign-in dialog every time rather than using a cached token
$authResult = $authContext.AcquireToken($MSMgmtURI, $clientId, $redirectUri, "Always")
$token = $authResult.AccessToken
# hashtable entries are separated by ';' (or newlines), not ','
$headers = @{'Authorization' = "Bearer $token"; 'host' = "management.azure.com"; 'Content-Type' = "application/json"}

This is good for getting an access token using the login dialog. I suspect that the Client ID for PowerShell could be used in the OAuth2 call above.