
Working With Azure AD Using Application Token




Introduction

This tutorial explains how to obtain an application (app-only) access token with the OAuth 2.0 client credentials grant, using a Client ID and Client Secret registered in Microsoft Entra ID (formerly Azure AD). Such a token authenticates the application itself, with no signed-in user, and is what you present when calling Microsoft APIs such as Microsoft Graph.

Prerequisites

Before proceeding, ensure you have the following:

  1. An Azure AD Application registered in the Azure portal.
  2. A Client ID (Application ID) obtained from the Azure portal.
  3. A Client Secret generated from the Azure portal.
  4. A Tenant ID (Directory ID) from your Azure AD instance.
  5. The necessary API permissions assigned to the application (e.g., Microsoft Graph API permissions).

Step 1: Register an Application in Azure AD

  1. Log in to the Azure Portal.
  2. Navigate to Microsoft Entra ID (Azure Active Directory).
  3. Click on App registrations > New registration.
  4. Enter a Name for your application.
  5. Select Accounts in this organizational directory only (or as required).
  6. Click Register.
  7. After registration, note down the Application (Client) ID and Directory (Tenant) ID.

Step 2: Generate a Client Secret

  1. In your registered application, go to Certificates & secrets.
  2. Under Client secrets, click New client secret.
  3. Enter a description and select an expiration period.
  4. Click Add and copy the Client Secret Value (this will not be visible later).

Step 3: Assign API Permissions

  1. In your application, go to API permissions.
  2. Click Add a permission > Microsoft Graph.
  3. Select Application permissions.
  4. Choose only the permissions the application actually needs. The ones used later in this tutorial are:
    • User.Read.All (Read all users)
    • Group.Read.All (Read all groups)
    • GroupMember.Read.All (Read all group memberships)
  5. Click Add permissions.
  6. Click Grant admin consent (admin privileges required). Application permissions are not usable until an administrator consents: without consent the token request can still succeed, but the token carries no roles claim and Graph rejects the calls with 403.

Step 4: Obtain an Access Token Using cURL

Now, use the following cURL command to obtain an access token:

curl --location 'https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'client_id={CLIENT_ID}' \
--data-urlencode 'client_secret={CLIENT_SECRET}' \
--data-urlencode 'scope=https://graph.microsoft.com/.default' \
--data-urlencode 'grant_type=client_credentials'

Explanation of Parameters:

  • TENANT_ID: Your Azure Directory (Tenant) ID.
  • CLIENT_ID: Your Application ID.
  • CLIENT_SECRET: The secret value generated earlier.
  • scope: https://graph.microsoft.com/.default requests a token for Microsoft Graph carrying every application permission that has been granted (admin-consented) to the app. With client credentials you cannot ask for individual permissions; .default is the only form the scope takes.
  • grant_type=client_credentials: Indicates that we are requesting a token using client credentials.

Step 5: Using the Access Token

Once the command executes successfully, you will receive a JSON response containing the access token. expires_in is in seconds: cache the token and reuse it until shortly before it expires rather than requesting a new one per API call.

{
  "token_type": "Bearer",
  "expires_in": 3600,
  "access_token": "eyJ0eXAiOiJKV1QiLCJhbGci..."
}

Use this token in API requests, such as retrieving users and groups from Microsoft Graph API:

# Get all users
curl --location 'https://graph.microsoft.com/v1.0/users' \
--header 'Authorization: Bearer {ACCESS_TOKEN}'

# Get all groups
curl --location 'https://graph.microsoft.com/v1.0/groups' \
--header 'Authorization: Bearer {ACCESS_TOKEN}'

# Get all group members
curl --location 'https://graph.microsoft.com/v1.0/groups/{GROUP_ID}/members' \
--header 'Authorization: Bearer {ACCESS_TOKEN}'

Replace {ACCESS_TOKEN} with the obtained token and {GROUP_ID} with a valid group ID. Note that each call returns one page of results (by default up to 100 users or groups); to retrieve the rest, follow the @odata.nextLink URL included in the response until no such link is returned.
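The following script is an added example and is not code from the original post. It performs Steps 4 and 5 end to end in Python's standard library: it builds the same client-credentials form as the cURL command, decodes the issued token to confirm it is an app-only token for Microsoft Graph that actually carries the consented permissions in its roles claim (a misconfigured app then fails here instead of with a 403 from Graph), and pages through a Graph collection by following @odata.nextLink. The environment variable names TENANT_ID, CLIENT_ID and CLIENT_SECRET, all helper names, the unsigned sample token and the two sample /users pages are assumptions constructed for this example, not values from the page.

```python
# Added example (not from the original post). Assumed: TENANT_ID, CLIENT_ID and
# CLIENT_SECRET environment variables; all helper names and sample data below.
import base64
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com/v1.0"
# Microsoft Graph appears as either of these values in a token's 'aud' claim.
GRAPH_AUDIENCES = {"https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"}

def token_request(tenant_id, client_id, client_secret):
    """Return (url, form_body): the same four parameters as the cURL command, form-encoded."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    return TOKEN_URL.format(tenant=tenant_id), body

def acquire_token(tenant_id, client_id, client_secret):
    """POST the form to the token endpoint and return the raw access token (needs network)."""
    url, body = token_request(tenant_id, client_id, client_secret)
    req = urllib.request.Request(url, data=body,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]

def decode_claims(jwt):
    """Decode the JWT payload WITHOUT verifying the signature. The client is not the
    token's audience and cannot validate it (Graph does); this only inspects what was
    issued so a misconfigured registration is caught before any API call."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def check_app_token(claims, required_roles):
    """Return the required application permissions missing from the token.
    App-only tokens list consented application permissions in 'roles'; a 'scp'
    claim means a delegated (signed-in user) token was issued instead."""
    if claims.get("aud") not in GRAPH_AUDIENCES:
        raise ValueError("token audience is %r, not Microsoft Graph" % claims.get("aud"))
    if "scp" in claims:
        raise ValueError("delegated token (scp claim present), not an app-only token")
    return set(required_roles) - set(claims.get("roles", []))

def get_all(path, access_token, fetch=None):
    """Collect every item of a Graph collection. One GET returns one page only (by
    default up to 100 users or groups); keep following '@odata.nextLink' until it
    is absent. `fetch(url, headers) -> dict` is injectable so the paging runs offline."""
    fetch = fetch or _http_get_json
    url, items = GRAPH + path, []
    while url:
        page = fetch(url, {"Authorization": "Bearer " + access_token})
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")      # missing on the last page
    return items

def _http_get_json(url, headers):
    with urllib.request.urlopen(urllib.request.Request(url, headers=headers)) as resp:
        return json.load(resp)

def make_unsigned_jwt(claims):
    """Constructed sample token with an empty signature, for offline demonstration
    only; real tokens are issued and signed by Entra ID."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return b64({"alg": "none", "typ": "JWT"}) + "." + b64(claims) + "."

# Constructed sample: two pages of /users shaped like Graph responses (not real data).
SAMPLE_PAGES = {
    GRAPH + "/users": {"value": [{"displayName": "Alice"}, {"displayName": "Bob"}],
                       "@odata.nextLink": GRAPH + "/users?$skiptoken=page2"},
    GRAPH + "/users?$skiptoken=page2": {"value": [{"displayName": "Carol"}]},
}

def sample_fetch(url, headers):
    """Stand-in for _http_get_json that serves SAMPLE_PAGES instead of calling Graph."""
    assert headers["Authorization"].startswith("Bearer ")
    return SAMPLE_PAGES[url]

if __name__ == "__main__":
    token = acquire_token(os.environ["TENANT_ID"], os.environ["CLIENT_ID"],
                          os.environ["CLIENT_SECRET"])
    missing = check_app_token(decode_claims(token), ["User.Read.All", "Group.Read.All"])
    if missing:
        raise SystemExit("admin consent not granted for: " + ", ".join(sorted(missing)))
    print(len(get_all("/users", token)), "users in the tenant")
```

Run it with the three environment variables set to exercise the real flow; the claim check and paging logic can be exercised offline with make_unsigned_jwt and sample_fetch. decode_claims deliberately skips signature verification: the application is the token's bearer, not its audience, so it has nothing to verify against, and the decoded claims are used only to detect a missing consent or a wrong audience early, never as a trust decision.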

Security Considerations

  • Do not expose your Client Secret publicly: keep it out of source control, client-side code and logs. Treat the access token the same way; it is a bearer credential, and anyone who obtains it can call Graph as the application until it expires.
  • Store sensitive credentials securely, such as in Azure Key Vault, and where the workload supports it prefer a certificate credential, a managed identity or workload identity federation over a client secret, so that no long-lived secret has to be distributed at all.
  • Use environment variables or a secret store instead of hardcoding values.
  • Grant only the application permissions the workload needs. Application permissions apply to the whole tenant (User.Read.All reads every user) and involve no user consent, so an over-permissioned app is a tenant-wide exposure if its secret leaks.
  • Give client secrets a short expiration and rotate them before they lapse.
