Odtnhj

I plan to implement a C# app that will create Azure resources using REST APIs (API calls to Azure Resource Manager). When calling a REST API you have to authenticate by passing an authentication header "Authorization: Bearer yJ0eXAiOiJKV...".

How do I get this Bearer token? Looking online all that I found is having a Web App , you use its application_id. However i don't have any application and I don't want to create one.

I can replicate the calls that I intercept with Fiddler but I think that that is not the "recommended" way.

Have anyone faced this problem and has a solution?

Short answer: If you're developing a C# application that is going to use Azure REST APIs, then in order to get the bearer token for authentication you do need to have an Azure AD application registration (no way around that, as it's required for you to be able to authenticate using any of the supported OAuth 2.0 grant flows).

There are a few ways to make things more convenient for you though:

• 
  

  Use CLI to create a service principal for RBAC

  
  
  

  From Azure Portal, open up the CLI by clicking on highlighted icon.
  

  
  
  

  Now run below mentioned command

  
  
  

  az ad sp create-for-rbac -n "MyTestSPForAzureRESTAPIs"
  

  
  
  

  This does multiple things for you in a single command and provides a great way to get started with testing the REST APIs.

  
  
  

  The created service principal is added as a "Contributor" to your Azure subscription. You can always go to Subscriptions > Your Subscription > Access control (IAM) and change that as per your requirements.

  
  
  

  You get an application ID as well as Password/client secret that you can then use in C# code to get bearer token.

  
  
  

  Sample output
  

  
  
  

  NOTE: Since this approach gives you a client secret, you should use this only from server side applications (like a web API or Web App or Daemon service). Do NOT use client secrets from a desktop based app (like console app or WPF app) or SPA in a production scenario.

  
  
  

  I say this because desktop based apps or SPAs are not secure enough to handle client secrets and there are other different authentication flows recommended for them. If your case happens to be any of those, look at delegated permissions from your Azure AD application where you can prompt an end user for credentials. Just comment on the answer and I can add more specific guidance around those.

  
  


• 
  

  Use Managed Identity in case of App Service or Azure Function

  
  
  

  If you plan to host the C# application that you mention, using App Service or as an Azure Function, then you can make use of MSI. Even in this case an application will be created in Azure AD, but you don't need to do that or manage keys (change them regularly etc.). It's a great option, highly recommended if it suits your scenario.

  
  
  

  Read here for more details: How to use managed identities for App Service and Azure Functions

  
  

If you just want to get the bearer token. I recommand that you could login in your account in the Azure API document. After we login then we could get the bearer token.

If we want to use code to get access token to access or modify resources, create an identity for the Azure AD application is required . This identity is known as a service principal. Then we can then assign the required permissions to the service principal.

How to registry an Azure AD application and assign role to the application, please refer to this document.

The following is demo code how to get the access token with applicationId and sercet key

public static async Task<string> GetAccessToken(string tenantId, string clientId, string clientSecretKey)
 

 var context = new AuthenticationContext("https://login.windows.net/" + tenantId);
 ClientCredential clientCredential = new ClientCredential(clientId, clientSecretKey);
 var tokenResponse = await context.AcquireTokenAsync("https://management.azure.com/", clientCredential);
 var accessToken = tokenResponse.AccessToken;
 return accessToken;