Task: Access the Azure REST API

Video: Manage API Access to Azure Subscriptions and Resources

Estimated time: 15 minutes

Goal

In this task you will create an application registration in Azure AD and verify that it works by using the Azure management REST API to create a resource group.

Pre-requisites

Non-production Azure subscription

Note: This task requires forming and sending HTTP requests to the Azure management endpoint. It is possible to do this through tools such as the wget command (available in Linux and current Windows 10 versions) but is much easier with the Postman application. If possible, I recommend downloading and installing Postman. If you cannot install Postman locally, consider provisioning a Windows virtual machine in Azure and using it for the task.

Requirements

Create a service principal
Generate a token
Provision a resource group

Requirement 1: Create a service principal

To begin this task you need to provision a service principal named task-sp in your Azure AD tenant. The service principal needs contributor rights in your subscription. Record the client ID, secret, tenant id, and subscription id. These will be required later.

*Note: The easiest way to set up a service principal is with the Azure CLI command "az ad sp create-for-rbac".**

Requirement 2: Generate a token

Calls to the Azure REST API require a valid bearer token. This token is created via a POST request sent to the Azure AD authentication endpoint. Generate a POST request with the following settings:

Setting	Value
Verb	POST
URI	https://login.microsoftonline.com/{{TenantID}}/oauth2/token
Body
	grant_type:client_credentials
	client_id:<service principal id>
	client_secret:<service principal secret>
	resource:https://management.azure.com/

NOTE: The format of the input depends on the encoding selected.

Record the access_token that is returned from the request.

Requirement 3: Provision a resource group

Finally, you will provision a new resource group named task-restapi-rg via the Azure management REST API. You will use an HTTP PUT request with the following settings:

Setting	Value
Verb	PUT
URI	PUT https://management.azure.com/subscriptions/{subscriptionId}/resourcegroups/task-restapi-rg?api-version=2019-10-01
Headers
	Authorization:Bearer <token from requirement 2>
Body

{
  "location": "eastus"
}

Clean up

Delete the task-restapi-rg resource group.
Delete the task-sp service principal.

Solution

Having trouble completing this task? View the demonstration video to see how to do it.