
To get an Azure AD bearer token for OAuth authorization, you'll use the Microsoft identity platform (Azure AD v2.0) endpoints. Compared with the older v1.0 endpoints they accept both work or school accounts and personal Microsoft accounts, and they use the standard OAuth 2.0 scope parameter instead of a proprietary resource parameter.
The Azure AD v2.0 endpoint requires you to register your application in the Azure portal. This registration process involves creating an application and adding the permissions it needs to access the resources you want.
Once you've registered your application, you use the client ID and tenant ID to obtain an access token. The client ID is a unique identifier for your application, while the tenant ID identifies the Azure AD tenant where your application is registered.
With the authorization code flow, obtaining an access token takes two requests. First the app sends the user's browser to the /authorize endpoint (a GET carrying the client ID, the redirect URI, the requested scopes and a state value; the tenant is part of the URL path). The user signs in and consents, and Azure AD redirects back to the redirect URI with a short-lived authorization code. The app then POSTs that code, together with its client ID and (for confidential clients) its client secret, to the /token endpoint and receives the access token.
Azure Active Directory
Azure Active Directory is where all of our organization's users are stored, so it is the place to start when working with the Graph API. To retrieve a valid access token for the Graph API we go through Azure Active Directory, which is based on the OAuth 2.0 protocol and acts as the Identity Provider (the OAuth term for "where the users sit"). It issues the access tokens that the Graph methods accept.
Every tenant directory has its own authorization endpoint URL, which includes the tenant directory name or ID, so you need one of the two to reach the correct endpoint. The directory name (a domain such as contoso.onmicrosoft.com) is shown when you hover over your name in the Azure Portal. The directory (tenant) ID, a GUID, is shown in the Azure Portal under the AAD Properties blade and can be used in place of the name.
The authorization endpoint URL has this format (the v2.0 endpoint; the v1.0 endpoint omits the v2.0 path segment):
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize
where {tenant} is the directory name, the directory ID, or one of the aliases common, organizations or consumers. The token endpoint shares the same prefix and ends in /oauth2/v2.0/token. Because the tenant value is interpolated into the URL path, take it from configuration, never from user input.
To get an access token, we send a message to these endpoints. The type of message we send depends on the OAuth authentication flow we choose.
Prerequisites
Before you dive into Azure Active Directory, you should have a grasp of the authentication and authorization concepts in the Microsoft identity platform.
To get started, register your app with Microsoft Entra ID (the current name for Azure Active Directory). The registration gives you the values you need to move forward. Save the following from the app registration:
- Application (client) ID
- Directory (tenant) ID, which the portal elsewhere calls the tenant ID
- A client secret or certificate, if your app is a confidential client such as a web app or daemon; public clients such as native and mobile apps do not get one
These values are what every token request is built from, so store the secret in a secrets store rather than in source code.
Registering an OAuth App
To register an OAuth app for the Graph API, create a new app in the target directory from the Azure Portal: navigate to Azure Active Directory > App Registration > New Application Registration.
In the Create screen, enter the required information, including the name of your app (which users see on the consent screen) and the redirect URI the app will use. Note the Application ID, which is also known as the Client ID; you will need it in every token request.
To create a new Client Secret, navigate to the App settings, then Keys, and select Passwords. From there, add a new key. The secret value is shown once, so copy it immediately; it is equivalent to the app's password, so keep it out of source control and rotate it on a schedule.
Here are the steps in a concise list:
- Create a new app in the target directory
- Enter the required information in the Create screen
- Note the Application ID (also known as the Client ID)
- Create a new Client Secret by navigating to App settings, then Keys, and selecting Passwords, and store it securely
Authorization Request
To make an authorization request, the app sends the user's browser to the /authorize endpoint with the required and recommended properties as query parameters. In this example the app requests the User.Read and Mail.Read Microsoft Graph permissions, which allow it to read the profile and mail of the signed-in user respectively.
The offline_access permission is a standard OIDC scope that's requested so that the app can get a refresh token. The app can use the refresh token to get a new access token when the current one expires.
Here are the required and recommended properties that you need to specify in the request URL:
- tenant (required, part of the URL path): controls who can sign in to the application. The allowed values are common for both Microsoft accounts and work or school accounts, organizations for work or school accounts only, consumers for Microsoft accounts only, or a tenant identifier such as the tenant ID or domain name.
- client_id (required): the Application (client) ID that the registration portal assigned the app.
- response_type (required): must include code for the OAuth 2.0 authorization code flow.
- redirect_uri (recommended): the redirect URI of the app, where authentication responses are sent to and received by the app. It must exactly match one of the redirect URIs you registered in the app registration portal, URL encoded. For native and mobile apps, use the default value of https://login.microsoftonline.com/common/oauth2/nativeclient.
- scope (required): a space-separated list of the permissions the app needs, here User.Read Mail.Read offline_access.
- state (recommended): an unguessable value the app generates and checks when the response comes back, so that a response cannot be tied to a request the app never made (cross-site request forgery).
The authorization code comes back on the redirect URI as the code query parameter and is then exchanged at the /token endpoint.
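As an added example (not code from the original article), here is how a web app would assemble that /authorize URL with the standard library. It also generates the state value and an RFC 7636 PKCE code challenge, which the Microsoft identity platform supports and which protects the returned authorization code even for public clients. The registered redirect URIs, the tenant and the client ID are placeholders chosen for the example.

```python
"""Build the v2.0 /authorize URL for the authorization code flow (added example)."""
import base64
import hashlib
import secrets
from typing import Optional, Sequence, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"
TENANT_ALIASES = {"common", "organizations", "consumers"}

# Hypothetical redirect URIs registered for the example app. The request's
# redirect_uri must match one of these exactly or Azure AD rejects the request.
REGISTERED_REDIRECT_URIS = {
    "https://localhost:5001/signin-oidc",
    "https://login.microsoftonline.com/common/oauth2/nativeclient",
}


def make_state() -> str:
    """Unguessable state value; the callback handler compares it to the stored copy."""
    return secrets.token_urlsafe(32)


def make_pkce_pair(verifier: Optional[str] = None) -> Tuple[str, str]:
    """RFC 7636 code_verifier and S256 code_challenge. The verifier stays on the client
    and is sent only in the later /token request; only the challenge goes in the URL."""
    if verifier is None:
        verifier = secrets.token_urlsafe(64)  # 86 chars, inside the 43..128 limit
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        scopes: Sequence[str], state: str, code_challenge: str) -> str:
    """Assemble the /authorize URL, refusing values Azure AD would reject or that are unsafe."""
    if not tenant or any(c in tenant for c in "/?#"):
        # tenant is interpolated into the path, so it must never come from user input
        raise ValueError("tenant must be an alias, a domain name or a tenant ID")
    if redirect_uri not in REGISTERED_REDIRECT_URIS:
        raise ValueError("redirect_uri is not one of the registered redirect URIs")
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,      # urlencode percent-encodes it
        "response_mode": "query",
        "scope": " ".join(scopes),         # space separated, e.g. User.Read Mail.Read
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"


def split_authorize_url(url: str) -> Tuple[str, dict]:
    """Return (path, query params) so a built URL can be inspected or logged safely."""
    parts = urlsplit(url)
    return parts.path, {k: v[0] for k, v in parse_qs(parts.query).items()}


if __name__ == "__main__":
    verifier, challenge = make_pkce_pair()
    url = build_authorize_url(
        "contoso.onmicrosoft.com",                      # placeholder tenant
        "11111111-2222-3333-4444-555555555555",         # placeholder client ID
        "https://localhost:5001/signin-oidc",
        ["User.Read", "Mail.Read", "offline_access"],
        make_state(),
        challenge,
    )
    print(url)
```

Store the state and the code verifier in the user's session before redirecting; the callback handler rejects any response whose state does not match, and the verifier is sent with the code in the /token request.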
Scopes
Scopes are a crucial part of the authorization request. They specify the permissions your app needs to function, and the web API uses them to implement scope-based access control.
To acquire multiple permissions in a single request, add multiple entries in the scope parameter separated by spaces. For example, User.Read Mail.Read requests read access to the signed-in user's profile and to their mail. If you request more scopes than have been granted to your client application, the call still succeeds as long as at least one requested permission is granted.
The scp claim in the resulting access token is populated with only the permissions that were successfully granted. So if you request multiple scopes but not all of them are granted, the access token contains only the scopes that were actually granted, and an API must check the scp claim rather than assume every requested scope is present. The claim is only trustworthy after the token's signature, issuer, audience and expiry have been validated.
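The following added example (not from the original article) shows the API side of that check: decoding the scp claim and enforcing a required scope together with the audience and expiry. The token and its claims are constructed inline with a dummy signature, so this block deliberately skips signature verification; a real API validates the signature against the tenant's signing keys first (for example with a library such as PyJWT or MSAL) and only then trusts the claims. The audience api://example-api is a placeholder.

```python
"""Decode an access token's scp claim and enforce scope-based access (added example)."""
import base64
import json
import time
from typing import Optional, Tuple


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_claims(token: str) -> dict:
    """Return the payload of a compact JWT. This does NOT verify the signature;
    call it only on a token whose signature has already been validated."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def granted_scopes(claims: dict) -> set:
    """scp is a space-separated string holding only the scopes actually granted."""
    return set(claims.get("scp", "").split())


def authorize_request(claims: dict, required_scope: str, expected_audience: str,
                      now: Optional[float] = None) -> Tuple[bool, str]:
    """Decide whether a (signature-verified) token may call an endpoint needing one scope."""
    now = time.time() if now is None else now
    if claims.get("aud") != expected_audience:
        return False, "token was not issued for this API (aud mismatch)"
    if float(claims.get("exp", 0)) <= now:
        return False, "token expired"
    if required_scope not in granted_scopes(claims):
        # Requested-but-not-granted scopes never appear in scp
        return False, f"scope {required_scope} was not granted"
    return True, "ok"


def make_sample_token(claims: dict) -> str:
    """Constructed token with a dummy signature, for this offline demo only."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}.not-a-real-signature"


# Constructed claims: the app requested User.Read Mail.Read offline_access,
# but the user (or admin) granted only User.Read.
SAMPLE_CLAIMS = {
    "aud": "api://example-api",
    "iss": "https://login.microsoftonline.com/00000000-0000-0000-0000-000000000000/v2.0",
    "exp": 1700003600,
    "scp": "User.Read",
}

if __name__ == "__main__":
    claims = decode_claims(make_sample_token(SAMPLE_CLAIMS))
    for scope in ("User.Read", "Mail.Read"):
        print(scope, authorize_request(claims, scope, "api://example-api", now=1700000000))
```

App-only tokens obtained with the client credentials grant carry their permissions in a roles claim instead of scp, so an API that serves both daemons and users checks whichever claim is present.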
Getting the Bearer Token
To get the Bearer Token, you send a POST message to the Azure Active Directory token endpoint with the parameters form-encoded in the request body.
The most basic option is to use the Client ID and Secret in a flow called Client Credentials Grant, which is suitable for machine-to-machine authentication where no specific user's permission is involved. The app acts as itself, using Application permissions that an administrator must have consented to, and the token it receives lists those permissions in a roles claim rather than an scp claim.
Send the following parameters in the POST body, with grant_type set to client_credentials:
- grant_type: client_credentials
- client_id: The Client ID (Application ID) of the application you created
- client_secret: The Client Secret you created
- resource: The resource you would like to get access to, https://graph.microsoft.com in this case. This parameter belongs to the v1.0 endpoint (https://login.microsoftonline.com/{tenant}/oauth2/token). The v2.0 endpoint (https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token) does not accept resource and instead takes scope set to https://graph.microsoft.com/.default.
The response is JSON that includes the access token (access_token) along with token_type and expires_in. You use it by sending an Authorization: Bearer header with the token value on each Graph API request. Because anyone holding the client secret can mint these app-level tokens, keep it out of source control, rotate it, and prefer a certificate credential or a managed identity where the platform offers one.
Renewing and Using the Token
Access tokens are short-lived (on the order of an hour), so your app must refresh them to continue accessing resources once they expire.
To renew an expired access token, your app submits a POST request to the /token endpoint, providing the refresh token instead of the authorization code in the request body. Set grant_type to refresh_token and include the remaining parameters below (the tenant goes in the URL path).
Here's a breakdown of the required parameters:
- grant_type: refresh_token
- client_id: the Application (client) ID of the app
- refresh_token: the refresh token received in the earlier token response
- scope: (optional) a space-separated list of scopes, which must be the same as or a subset of what was originally granted
- client_secret: the client secret (required for web apps; public clients such as native and mobile apps must not hold one)
A successful token response includes the requested access token, token type, expiration time, scope, and a new OAuth 2.0 refresh token. Replace the stored refresh token with the new one, because the old one may stop working; a refresh token is a long-lived credential and must be protected as carefully as the client secret. Refresh a little before expiry rather than after the first 401, so that in-flight requests do not fail.
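The added example below (not code from the original article) covers both the client credentials request from the previous section and the refresh request from this one. It builds the form bodies for the v1.0 and v2.0 token endpoints, parses a token response into an expiry-aware record, handles the JSON error body Azure AD returns on a failed request, and decides when to refresh ahead of expiry. The sample responses are constructed inline; the request_token helper performs the real HTTP call and is not exercised offline. The client ID, secret and tenant are placeholders.

```python
"""Client credentials and refresh-token requests to the /token endpoint (added example)."""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Optional

AUTHORITY = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com"


class TokenError(Exception):
    """Raised when the token endpoint returns an OAuth error object."""


def token_endpoint(tenant: str, version: str = "v2.0") -> str:
    if version == "v1.0":
        return f"{AUTHORITY}/{tenant}/oauth2/token"
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/token"


def client_credentials_body(client_id: str, client_secret: str, version: str = "v2.0") -> dict:
    """App-only request: v1.0 names the API with resource, v2.0 with scope=<api>/.default."""
    body = {"grant_type": "client_credentials", "client_id": client_id, "client_secret": client_secret}
    if version == "v1.0":
        body["resource"] = GRAPH
    else:
        body["scope"] = GRAPH + "/.default"
    return body


def refresh_body(client_id: str, refresh_token: str, scope: Optional[str] = None,
                 client_secret: Optional[str] = None) -> dict:
    """Refresh request; client_secret only for confidential (web) apps, never in a public client."""
    body = {"grant_type": "refresh_token", "client_id": client_id, "refresh_token": refresh_token}
    if scope:
        body["scope"] = scope
    if client_secret:
        body["client_secret"] = client_secret
    return body


def parse_token_response(raw: str, now: Optional[float] = None) -> dict:
    """Turn the JSON body into a record with an absolute expiry; raise on an OAuth error."""
    now = time.time() if now is None else now
    data = json.loads(raw)
    if "error" in data:
        raise TokenError(f"{data['error']}: {data.get('error_description', '')}")
    return {
        "access_token": data["access_token"],
        "token_type": data.get("token_type", "Bearer"),
        "expires_at": now + int(data["expires_in"]),   # expires_in may be a string on v1.0
        "refresh_token": data.get("refresh_token"),     # absent for client credentials
        "scope": data.get("scope"),
    }


def needs_refresh(token: dict, now: Optional[float] = None, skew: int = 300) -> bool:
    """Refresh a few minutes early so requests in flight never carry a dead token."""
    now = time.time() if now is None else now
    return token["expires_at"] - skew <= now


def bearer_header(token: dict) -> dict:
    return {"Authorization": f"{token['token_type']} {token['access_token']}"}


def request_token(url: str, body: dict) -> dict:
    """POST the form body to the token endpoint (network call, not exercised offline)."""
    data = urllib.parse.urlencode(body).encode("ascii")
    req = urllib.request.Request(url, data=data,
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return parse_token_response(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as exc:
        # Azure AD answers 400 with a JSON error body for bad credentials or consent problems
        return parse_token_response(exc.read().decode("utf-8"))


# Constructed responses standing in for what the endpoint returns.
SAMPLE_OK = ('{"token_type":"Bearer","expires_in":3599,"access_token":"constructed-access-token",'
             '"refresh_token":"constructed-refresh-token","scope":"User.Read Mail.Read"}')
SAMPLE_ERR = '{"error":"invalid_client","error_description":"Invalid client secret provided (constructed)."}'

if __name__ == "__main__":
    print(token_endpoint("contoso.onmicrosoft.com", "v1.0"))
    print(client_credentials_body("11111111-2222-3333-4444-555555555555", "placeholder-secret", "v1.0"))
    tok = parse_token_response(SAMPLE_OK)
    print(bearer_header(tok), needs_refresh(tok))
```

When the refresh succeeds, persist the new refresh_token from the record before discarding the old one; if parse_token_response raises TokenError with invalid_grant, the refresh token has been revoked or expired and the user must sign in again.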