
Azure Management API access from a web app

Is it possible to gain access to the Azure Management APIs through the client ID and secret of a web app?

I have a web app through which I want to be able to manage Azure. I want to do this using the credentials of the application itself, so that the current user does not have to be an Azure administrator.

I have given the web app the necessary role on my subscriptions and obtained an access token through the client credentials grant flow in AD, but I still get an Unauthorized response.

This is probably because the Azure management API has no permission set other than delegated ones; access works fine if I use the authorization code grant flow for the logged-in user, but that's not what I want.

So, to reiterate: given a web app that has an RBAC role on a subscription and is able to obtain an access token from AD, is there any way, without an interactive user, for the web app to use the management API?

Yes, you can obtain a token from AAD for a service principal and use that to manage resources, as long as that service principal has all the access you need.

Make sure the token you get has a resource/audience of "https://management.azure.com" and is issued for the tenantId that the subscription is associated with.

You can also read this article by Brady Gaster that explains how to use Azure AD applications to manage Azure services from an external app: http://www.bradygaster.com/post/using-windows-azure-active-directory-to-authenticate-the-management-libraries

EDIT: Azure AD supports service-to-service calls using OAuth 2.0 client credentials: https://msdn.microsoft.com/en-us/library/azure/dn645543.aspx

Hope this helps,

Julien
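The two checks the answer calls out (audience of "https://management.azure.com" and the subscription's tenantId) are exactly what separates a token ARM accepts from one it rejects with 401, so here is an added example, not code from the question or the answer, that requests a client-credentials token, inspects its claims before use, and calls ARM with it. It assumes the AAD v1 token endpoint (https://login.microsoftonline.com/{tenant}/oauth2/token), the ARM resource ID https://management.azure.com/, a placeholder tenant ID, and a constructed, unsigned sample JWT so the claim check runs offline; the HTTP call is injectable for the same reason. Only the Python standard library is used.

```python
"""Client-credentials token for Azure Resource Manager (ARM) plus a pre-flight
check of its claims.  Added example, not from the original post.  Assumes the
AAD v1 endpoint, the ARM resource ID https://management.azure.com/, and a
constructed, unsigned JWT for the offline demonstration."""
import base64
import json
import urllib.parse
import urllib.request

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/token"  # v1 endpoint (assumed)
ARM_RESOURCE = "https://management.azure.com/"


def build_token_request(tenant_id, client_id, client_secret, resource=ARM_RESOURCE):
    """Return (url, body_bytes) for an OAuth 2.0 client-credentials grant.
    The service principal's own identity is used: no signed-in user, so the
    token carries no delegated scopes and authorization at ARM is pure RBAC."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,  # the audience the token will be minted for
    }).encode()
    return TOKEN_ENDPOINT.format(tenant=tenant_id), body


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying the signature.  This is only for
    inspecting a token you just received from AAD; ARM does the real validation."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def arm_token_problems(claims, expected_tenant_id):
    """Return the reasons ARM would reject this token (empty list = looks fine):
    the audience and tenant checks from the answer, plus an app-only sanity check."""
    problems = []
    aud = claims.get("aud", "").rstrip("/")
    if aud != ARM_RESOURCE.rstrip("/"):
        problems.append(f"audience is {aud!r}, not {ARM_RESOURCE!r}")
    if claims.get("tid") != expected_tenant_id:
        problems.append(f"tenant {claims.get('tid')!r} is not the subscription's tenant")
    if "appid" not in claims:
        problems.append("no appid claim: not a service-principal token")
    if "scp" in claims:
        problems.append("scp present: this is a delegated (user) token")
    return problems


def list_resource_groups(token, subscription_id, http=None):
    """GET the subscription's resource groups from ARM.  `http` takes a
    urllib Request and returns (status, body_bytes); injectable for offline use."""
    url = (f"https://management.azure.com/subscriptions/{subscription_id}"
           "/resourcegroups?api-version=2021-04-01")
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    if http is None:
        def http(r):
            with urllib.request.urlopen(r) as resp:
                return resp.status, resp.read()
    status, raw = http(req)
    if status == 401:
        raise PermissionError("401 from ARM: check aud/tid on the token and the SP's RBAC role")
    return [rg["name"] for rg in json.loads(raw)["value"]]


def make_unsigned_jwt(claims):
    """Constructed sample token (fake signature) for the offline claim check."""
    def enc(d):
        return base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}.sig"


if __name__ == "__main__":
    tenant = "00000000-0000-0000-0000-000000000001"  # placeholder tenant ID
    good = make_unsigned_jwt({"aud": ARM_RESOURCE, "tid": tenant, "appid": "app-id"})
    bad = make_unsigned_jwt({"aud": "https://graph.windows.net/", "tid": tenant, "appid": "app-id"})
    print(arm_token_problems(jwt_claims(good), tenant))  # [] -> safe to send to ARM
    print(arm_token_problems(jwt_claims(bad), tenant))   # wrong audience, the usual cause of 401
```

In practice you would POST the body from `build_token_request` to the returned URL, feed the `access_token` from the JSON response through `arm_token_problems` with your subscription's tenant ID, and only then call `list_resource_groups`. A token that passes the check but still gets 401 means the service principal lacks an RBAC role on that subscription, which is the other half of the answer.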

Notice: the technical posts on this site are licensed under CC BY-SA 4.0; if you reproduce them, please credit this site or the original source. For any questions contact: yoyou2525@163.com.
