How to access Azure WebApp via Powershell using client secret

I have created a WebApp in Azure with Azure Authentication enabled. This works as expected when authenticating using a user. But the WebApp has one specific endpoint that accepts posting JSON data so it can be parsed and represented in a chart. What I'd like to do is post this data, which has been collected by numerous PowerShell scripts. I can do that if I run the PowerShell scripts in the context of a user account, but I would like to authenticate with an SPN (so using the Application ID and the secret key that has been set). Is this even possible? I've tried the code below, which actually does obtain an access token, but when sending it in the header of the post request, I get an

"You do not have permission to view this directory or page."

error message.

$RequestAccessTokenUri = "https://login.microsoftonline.com/tenantID/oauth2/token"

$ClientId = "Application Id"

$ClientSecret = "Client Secret"

$Resource = "URL of the WebApp"

$body = "grant_type=client_credentials&client_id=$ClientId&client_secret=$ClientSecret&resource=$Resource"

$Token = Invoke-RestMethod -Method Post -Uri $RequestAccessTokenUri -Body $body -ContentType 'application/x-www-form-urlencoded'

$Headers = @{}

$Headers.Add("Authorization","$($Token.token_type) $($Token.access_token)")

$AppUri = $Resource + "/upload/post"
$json = <This will contain the actual JSON objects that will be posted>

invoke-RestMethod -Uri $AppUri -Method Post -Headers $Headers -body $json

Is it even possible to gain access from Powershell to an Azure WebApp by authenticating using an SPN? Any help will be much appreciated.

Is it even possible to gain access from Powershell to an Azure WebApp by authenticating using an SPN?

Yes, it is possible. But we need to use a session token (not an access token) to access app resources.

Use the access token to get the authenticationToken.

Request:

POST https://<appname>.azurewebsites.net/.auth/login/aad HTTP/1.1
Content-Type: application/json

{"id_token":"<token>","access_token":"<token>"}

Response:

{
    "authenticationToken": "...",
    "user": {
        "userId": "sid:..."
    }
}

Once you have this session token, you can access protected app resources by adding the X-ZUMO-AUTH header to your HTTP requests:

GET https://<appname>.azurewebsites.net/api/products/1
X-ZUMO-AUTH: <authenticationToken_value>

Here is the working PowerShell script.

# Request an access token with the client credentials grant
$RequestAccessTokenUri = "https://login.microsoftonline.com/{tenantId}/oauth2/token"
$ClientId = "{Application Id}"
$ClientSecret = "{client secret}"
$Resource = "{Application Id}"

# A hashtable body is form-urlencoded by Invoke-RestMethod, so special characters in the secret are escaped
$body = @{
    grant_type    = "client_credentials"
    client_id     = $ClientId
    client_secret = $ClientSecret
    resource      = $Resource
}
$Token = Invoke-RestMethod -Method Post -Uri $RequestAccessTokenUri -Body $body -ContentType 'application/x-www-form-urlencoded'

# Exchange the access token for an App Service session token
$RequestAuthenticationTokenUri = "https://webapi-productsapp2093.azurewebsites.net/.auth/login/aad"
$bodystr = @{ access_token = $Token.access_token } | ConvertTo-Json
$authenticationToken = Invoke-RestMethod -Method Post -Uri $RequestAuthenticationTokenUri -Body $bodystr -ContentType 'application/json'

# Send the session token in the X-ZUMO-AUTH header; use HTTPS so the token is not sent in clear text
$Headers = @{}
$Headers.Add("X-ZUMO-AUTH", $authenticationToken.authenticationToken)

$website = "https://webapi-productsapp2093.azurewebsites.net/api/products/1"
Invoke-RestMethod -Uri $website -Method Get -Headers $Headers

Reference:

Validate tokens from providers
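
Added example, not part of the original question or answer: the two scripts above pass different `resource` values to the token endpoint, and decoding the returned token's payload locally shows which audience and client it was actually issued for. The function names `Get-JwtClaims`, `Test-TokenForApp` and `ConvertTo-Base64Url` and the sample token are constructed for illustration; the signature is not validated here.

```powershell
# Decode the payload (second segment) of a JWT without validating its signature.
function Get-JwtClaims {
    param([Parameter(Mandatory)][string]$Jwt)
    $parts = $Jwt.Split('.')
    if ($parts.Count -ne 3) { throw "Not a JWT: expected 3 segments, got $($parts.Count)" }
    # base64url -> base64: restore the standard alphabet and the padding
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw "Invalid base64url payload length" }
    }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

# Summarize the claims that matter when a protected app rejects a token.
function Test-TokenForApp {
    param(
        [Parameter(Mandatory)][string]$Jwt,
        [Parameter(Mandatory)][string]$ExpectedAudience,
        [datetime]$Now = [datetime]::UtcNow
    )
    $claims  = Get-JwtClaims -Jwt $Jwt
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    [pscustomobject]@{
        Audience        = $claims.aud       # the resource the token was requested for
        AudienceMatches = ($claims.aud -eq $ExpectedAudience)
        ClientAppId     = $claims.appid     # the application (SPN) that requested it
        ExpiresUtc      = $expires
        Expired         = ($expires -le $Now)
    }
}

# Constructed sample token (placeholder GUIDs, dummy signature) so the example runs offline.
function ConvertTo-Base64Url([string]$Text) {
    $b = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text))
    $b.TrimEnd('=').Replace('+', '-').Replace('/', '_')
}
$header  = ConvertTo-Base64Url '{"alg":"none","typ":"JWT"}'
$payload = ConvertTo-Base64Url '{"aud":"00000000-0000-0000-0000-000000000000","appid":"11111111-1111-1111-1111-111111111111","exp":1893456000}'
$sample  = "$header.$payload.constructed-signature"

Test-TokenForApp -Jwt $sample -ExpectedAudience '00000000-0000-0000-0000-000000000000'

# With a real token from the scripts above:
# Test-TokenForApp -Jwt $Token.access_token -ExpectedAudience $Resource
```

Treat the decoded claims as diagnostic output only; the token remains a bearer credential and should not be written to logs.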
