Detailed Video - Microsoft Azure REST API Tutorial | Postman | Oauth2.0 Authorization Code Flow

Captions
Hi everyone, hope you're all doing well. Welcome back to my channel. In this video I'm going to get started with Microsoft Azure REST APIs, and I'm going to show you how you can use OAuth 2.0 authorization code flow to access these APIs with the help of Postman.

Now, since this is the first video, the agenda is fairly simple. I'll show you a method to register an application in Azure AD; a very high-level overview of how authorization code flow is working when you're trying to access an API; then the structure of Azure management APIs, or endpoints to be very precise, how you can generate one or how you can construct one in terms of the resource that you're trying to access; and lastly I'll just show you how you can use that endpoint to access a specific resource with the help of Postman.

Now, there are many different concepts which I'm going to use as a reference point in this particular video, so it's my suggestion that if by any chance you don't know how Azure AD applications work, practically speaking either application or service principal object, or what is the purpose of API permission, or what is the purpose of authorization code flow, how exactly the interaction happens between the application and IdP, or even role-based access control, I would sincerely recommend you to please go ahead and watch this first video, which is role-based access control. I mean, I created this long back, but practically nothing has been changed, and this is going to help you end to end in terms of understanding what is role-based access control. Then this video is application and service principal object, which is going to let you know how exactly the entire consent framework works. And you can watch this playlist if you want to know how exactly all the protocols are working in terms of interaction between the application and the IdP.

Now, without any delay, let's get started with this particular video. As I've said, the very first thing that you need is an Azure AD application, so let me switch to my
machine, where I've signed into portal.azure.com, and this account with which I am signed in, this account has access permissions for two different subscriptions. Let me just remove this filter so that we will get to see all the subscriptions. Yeah, okay, wait, let me click on Apply. Yeah, so this account has access to these two subscriptions, and if I click on All resources, anything that is practically getting listed over here exists in either one of these two subscriptions. So in this video I'm going to show you methods for, let's say, four to five different examples of how you can create or how you can construct one specific endpoint that you have to reach for a specific resource type.

Okay, so now I'm going to click on Azure AD and I'm going to complete my first step, and that is creation of an application. Okay, so now I'm inside App registrations and I'm going to click on New registration, and now I'm going to type, let's say, CW Azure API and REST. Okay, this is the name of my application. Now I'll keep this first option selected, and here I'm going to type Web, and here I'm going to say https localhost, that's it. Okay, and then I'm going to click on Register.

Now, as of now, since I'm creating this application, uh, obviously the application object and the service principal object is getting created in this Azure AD itself. Okay, now there is a specific permission which is required for this application to access API, but I am intentionally not granting those permissions, and this will help me to showcase you two different use cases, I mean two different scenarios, wherein if you are getting a specific error, how you should troubleshoot. Okay, so imagine right now I just have an application, and I'm going to use this application to access Azure resources with OAuth 2.0 authorization code flow.

Okay, now I'm going to switch to Postman. So on this particular machine I have just installed Postman, and I'm going to use this console to perform my next step, which is requesting token, and let's see how far it goes.
Okay, so I'm going to click on this option which says New, and then I'm going to click on HTTP, and I'm just going to minimize this. Now, this first section is the console where we are actually going to type the endpoints which are required to access a specific resource, for example management.azure.com forward slash subscription forward slash subscription ID. Okay, so this console will be typically used for typing Azure endpoints which we are trying to reach.

But before we even go there, the very first thing that we need is the token itself. So for that I'm going to click on Authorization, and then I'm going to click on this option of OAuth 2.0. So for now, if you see, I don't have any token available, so I'm not going to make any change here or even here. I'll just scroll down, and in the Token Name I'm going to type Azure REST. Okay, in the Grant Type I'll keep it Authorization Code itself, and now in the Callback URL you need to typically type the same address which you have given while registering the application. So you see over here, https colon forward slash forward slash localhost, and this is something which should match with one of the values that you have given and that exist here.

Okay, so I'll come back to my Postman console. Now it is asking me for Auth URL, which basically means the authorize endpoint, right? So now I have clicked on Overview and then I have clicked on Endpoints from the same console where my application exists. Okay, now I'm going to zoom in, and for this particular demo I'm going to use v1 endpoints. Now again, what is the purpose of this endpoint, how exactly the flow works, everything has been covered already, so I'm just keeping, uh, these, uh, you know, concepts as a reference point. v1 endpoint, and the one which we have selected is the authorize endpoint, where the first request will reach. Okay, now here, token endpoint: I'm going to copy this and I'm going to paste that value in Access Token URL. Okay, now it is asking me for my client ID, so I'll close this, I'll zoom
out, I'll copy my application or client ID, and then here it is asking me for a secret, so I'll go here and I'll click on New client secret. I'll choose the least possible value available on the console and I'll click on Add, and now I'm going to copy this value. I'll come back and I'll paste that value here.

Now, since we are using v1.0 endpoints, scope is not required. Okay, rather what is required is a value called token. So how to populate that? For that you have to scroll down and go to this particular section which says Token Request. Okay, now here just go ahead and type resource, and in the value type https://management.core.windows.net. Let me just show you this value in the notepad with a bigger font size. This is what you have to type: https://management.core.windows.net.

Okay, now I'll go back and I'll click on Get New Access Token. So for now on Postman I have not mentioned anything here, because here exactly your available token gets listed. In the Header Prefix it's Bearer, and Token Name, it's Azure REST; Grant Type, Authorization Code; Callback URL, localhost, the one that we have given; both the endpoints; client ID; client secret; and then in the Token Request a key has been added as resource, and then the value is management.core.windows.net. In this particular section you have to choose this option which says Request Body. Don't choose these two options, it has to be Request Body only.

Okay, now the moment I'll click on this, the expected behavior is I will get prompted to sign in with an account that has privilege to access Azure resources, because there is a user interaction which is required in authorization code, and since this is the first time I am signing in, I should be presented with the consent prompt. Okay, now the consent should be whether I allow this application to access Azure resources or not. Okay, so let's see what happens. So I've clicked on that option of Get New Access Token, and as you can see I'm getting this prompt. Now, I might have used Postman for some other
demo, so that's why one of the entries exists here for my account. So I'm just going to click on this, and then I'm going to quickly type my password and then click on Sign in. Now you can see I'm getting this consent prompt, but wait a second: see, the information that I'm getting over here is related to Graph, it's not related to Azure. Now, with this being said, again, those of you who have seen application and service principal object, or who know how the consent framework part works, will be able to relate. Okay, so I'm getting this prompt because currently in my application there is only one specific permission that has been mapped, which is this one. Okay, so now even if I approve this, even if I click on Accept, this authentication will fail, because the resource that I'm trying to access is different and the permission that I'm getting is different, right?

Now let me show you what I mean by this. Okay, let me just copy this entire error and paste it here. Okay, now what you see over here is: unauthorized client, invalid resource, the client has requested access to a resource which is not listed in the requested permission of the client's application registration. Okay, and this is my application. So let's say you have created an application and you tried accessing, uh, Azure REST APIs or endpoints and you are getting this error. It typically means that you have to come back to this particular console and then click on Add a permission, and then you have to click on this option of Azure Service Management.

Okay, now see, this section is where user interaction is possible; this section is typically used for client credential flow. Now, since we are using OAuth 2.0 authorization code flow, I'm going to click on this option and I'm going to delegate this permission by clicking on Add permissions. Now, there is also one more documentation which says that it also supports implicit flow. I have not discussed that in detail, but hopefully with this series we'll complete that as well. Okay, so as of now I have given the
permission of user impersonation, okay, for the API which is Azure Service Management, to my application which we have just registered, which means the expected behavior is that if I come back to my console, everything should work as expected. But it will still not work. Now, the reason behind that is, even though I have added the permission, okay, there was, this time there was no consent prompt, if you remember, right? So even though the permission has been added, it can't be consented, because there is an active session that's working with my account.

So assume this is something that you get in your, uh, use case, or when you're trying to reproduce, or when you're trying to do this in your environment. In this case you can typically come back to your application console, which is portal.azure.com, and then click on this option which says Grant admin consent for Concepts Work. That's all you have to do. Once this application is consented for this particular, uh, you know, instance, then a user, or let's say any user who's trying to access this particular application with the OAuth 2.0 authorization code flow, for them it should work.

Okay, so now if I click on this option of Get New Access Token, the entire authentication should work as expected. Okay, so now if I click on Proceed, I can see my token. Okay, and if I copy this value and if I go to jwt.ms, you can see my token is getting listed over here. Okay, now I'll just click on this option of Use Token. That means this token is now added in this particular section of header token, right? You see this, Use Token Type, Access token, and then I can see it here.

Okay, now, since we have a requested token, uh, I mean, the next step is to go ahead and make sure you have the right, uh, access, or let's say the right API permission has already been assigned. So while I was showing you the process of requesting token, I've shown you how the assignment typically works for an application. The next thing is to go ahead and access an Azure resource itself, right? Now see,
typically what happens is that there is a specific endpoint that you have to reach for a specific resource type. So if I talk about this particular example, I'm trying to access a resource group which is Azure VM. Okay, but then there are so many other components as well. For example, https management.azure.com, this will remain constant if you are trying to access any resource that is available in your Azure subscription. This part that you see over here, subscription, then subscription ID, then, you know, a specific resource group, and then the resource group name, this is basically nothing but the resource ID itself. Okay, I'll show you this in a lot more detail and then things will make a lot more sense. And the last part is API version. So practically speaking, a typical endpoint that you will be accessing will be divided into these three different categories: endpoint, which is this section itself, then the resource ID, and then the API version.

Now, in the official documentation of Microsoft this has been described in a different manner altogether, but I am describing it here so that, you know, you can just log into Azure portal and figure out what exactly you need, okay, or which set of information you should refer to, to incorporate that in a specific request that you're trying to send to, uh, you know, to Azure.

So let's access the first endpoint, you know, which is the subscriptions. I mean, I just want to know how many subscriptions exist where my account has access about this. So it is management.azure.com, subscriptions, that's it, and then an API version. Okay, now if I come back here, I'll go here and click on Send, and then let me bring up, yeah, you can see I'm getting this response now.

Now, one more very important aspect which is related to authorization code flow, or practically speaking overall API access very specific to management.azure.com, which is Azure REST APIs, and that is: since we are using user impersonation, it typically means that you will only be able to access those resources which
an account is allowed to access. So what do I mean by this? The account that I have used while signing in here is the co-admin of these two subscriptions, so I can practically access any resource that exists. So let's say there could be a scenario that your account has different permissions for different subscriptions. In this case, whatever permission is available to you for a specific scope, okay, those are the only actions which you can perform. So for example, in a subscription you might be having owner access, so you can go ahead and even create resources like this, or, you know, go into a specific endpoint and creating resource. But if on the other subscription you only have reader permission, then with the same account, with the same token, everything being same, you will not be able to perform any other action apart from just querying and reading that particular resource type, that's it.

Okay, now let me come back to my browser and show you a couple of things. Okay, so if you remember what I was showing you in the deck, that a typical endpoint is having three different components, okay, which is management.azure.com, then this particular section, and then API version. Now let me show you how you can actually construct this for any of the resource types. Let's start from a resource group itself. Okay, in the Overview section, if I go, I get this option of JSON View. If I click on this, I'm getting resource ID and a specific API version. But if I scroll down and if I click on Properties, I can also check resource ID from here. But I would always suggest you to use this option of JSON View, because you'll also know how many API versions are available for this particular resource type, okay, and this is something which is really important. I mean, I'm just telling you all the methods so you can choose one according to your requirement.

Okay, so I'm going to copy this and let me paste this in a notepad. Okay, now let's come back here, and I can see 2020-06-01,
which is this one itself, okay, so no change. I'm just going to copy this from here and I'm going to add it here, and then what you need is management.azure.com, that's it. I'm going to paste it here, and now I'm going to do this space. I'm going to copy this new URL, I'll come back to my Postman, and I'll paste that value here and Send. Perfect, you can see now I can access a specific resource group; the name is Azure Sentinel.

Now let's move on to one more, uh, resource, and in this case let's consider the example of Exchange Server. Okay, this is one of my VMs. So here I'm going to copy the resource ID. I'll again come back to my notepad. This is the resource ID, perfect. The API version is 2021-03-01, so I'm going to copy this, I'm going to add it here, and I'm just going to change this. It's 2021, I suppose. Okay, perfect, so I'm going to remove this as well. So API version 2021-03-01, and then again the last piece, which is https management.azure.com. Okay, so I'll place this value here, perfect. Now I'm going to copy this and I'll again go back to my Postman, and let's see if I can access. Okay, there's something wrong. Okay, I'm going to copy this again. I think again I've made the same mistake. Give me a moment. Copy, paste, yes, Send. Perfect, you can see now I'm getting the access to my VM. I can actually go ahead and, you know, query any of these properties and perform any of these actions, uh, related to this particular resource type, which is virtual machine.

Now, as we move on with this playlist, I'm going to showcase a different set of examples, but for now this is how you can construct, uh, the endpoint for practically speaking any resource. I mean, I can just go ahead and click on this Log Analytics workspace, I can click on JSON View, I can copy this from here, and I can just again construct this with the help of API version and this particular section. That's all you have to do and you will be able to access everything. Now, there is one more
thing which is very important and that I would like to show you, and that is the purpose of using different API versions. Okay, and let me show you this with one of the known resource types, and then things will make a lot more sense. So this is my Exchange Server, and let's say if I go ahead and, uh, query this particular API version, then I'm getting this set of information which is having around 73 lines. I mean, I'm just giving you a very naive example. And then I'll click on this and I'll choose the latest one, and you can see I can see a couple of scroll bars, right? And if I go ahead and copy this value now to a different notepad, I can see here it was around 73 and here it is around 76. Now, since I know this, I'm quickly highlighting this: that if I'm using this version of API, which is 2023-07-01, I'm getting one more additional field, which is time created, in this particular last section of provisioning state. Okay, so this is just an FYI that if you use different API versions, there could be a possibility that there are some additional attributes or values that you get.

Okay, so this was all about knowing how to access Azure REST APIs with the help of Postman. Step number one, just go ahead and create an application in your Azure AD, which we have just created. Now, I was showing you multiple scenarios wherein you can get certain errors, but what you should do, the moment you create this particular application, you should just go ahead and assign the respective API permissions; that should work out of the box. Okay, then once you have all this, then what you can do is you can go ahead and request an authorization token here, but make sure you have all the right sort of values, the resource and everything. Once you have the token, then go ahead and construct a specific endpoint for you, and that's it. I mean, I've shown you the method, how you can go to a specific resource and get everything created for you.

Okay, so now let's talk about a quick summary of what all we
have discussed in this video. We have discussed about registration of an application in Azure AD; how it is working in authorization code flow, because there is a user interaction; structure of Azure management API endpoint, I mean the resource ID, API version and https management.azure.com, combining all these three values; and then I've shown you how you can access Azure REST API with Postman. In the next video I'm going to show you how you can access Azure REST API with OAuth client credential flow. So if you think that this channel is helping you to learn anything new, please feel free to subscribe and share this video with your technical community. Thank you so much, thanks for your time.
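
The requests that Postman sends in the walkthrough above, as an added Python example that is not part of the video or the channel's material: it builds the v1 authorize and token requests with the `resource` key, assembles an endpoint from management.azure.com, a resource ID and an API version, and inspects a token's claims the way jwt.ms displays them. The function names, the `state` parameter, the `aud`/`scp` check and the sample token are assumptions made for this example; the sample token is constructed and unsigned.

```python
import base64
import json
import secrets
from urllib.parse import urlencode

LOGIN = "https://login.microsoftonline.com"
ARM = "https://management.azure.com"
ARM_RESOURCE = "https://management.core.windows.net/"  # the "resource" key set in Postman

def authorize_url(tenant, client_id, redirect_uri, state=None):
    """v1 authorize request: 'resource' is sent where a v2 request would send 'scope'."""
    state = state or secrets.token_urlsafe(16)  # compare on the redirect back (CSRF guard)
    query = {"response_type": "code", "client_id": client_id,
             "redirect_uri": redirect_uri, "resource": ARM_RESOURCE, "state": state}
    return f"{LOGIN}/{tenant}/oauth2/authorize?{urlencode(query)}", state

def token_request(tenant, code, client_id, client_secret, redirect_uri):
    """Code-for-token exchange with the client credentials in the request body."""
    body = {"grant_type": "authorization_code", "code": code,
            "client_id": client_id, "client_secret": client_secret,
            "redirect_uri": redirect_uri, "resource": ARM_RESOURCE}
    return f"{LOGIN}/{tenant}/oauth2/token", body

def arm_url(resource_id, api_version):
    """Endpoint = management.azure.com + resource ID + api-version."""
    rid = resource_id.strip()
    if rid.startswith(ARM):              # a full URL was pasted instead of an ID
        rid = rid[len(ARM):]
    rid = "/" + rid.strip("/")
    if not rid.lower().startswith("/subscriptions"):
        raise ValueError(f"not an Azure resource ID: {resource_id!r}")
    if "?" in rid or any(ch.isspace() for ch in rid):
        raise ValueError(f"stray query string or whitespace in: {resource_id!r}")
    return f"{ARM}{rid}?{urlencode({'api-version': api_version})}"

def token_claims(jwt):
    """Decode the payload for inspection only; this does not verify the signature."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)   # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_targets_arm(jwt):
    """True when the token is issued for the management resource with the delegated scope."""
    claims = token_claims(jwt)
    aud_ok = claims.get("aud", "").rstrip("/") == ARM_RESOURCE.rstrip("/")
    return aud_ok and "user_impersonation" in claims.get("scp", "").split()

def _b64(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed, unsigned sample token (placeholder claims, not a real credential).
SAMPLE_JWT = ".".join([_b64({"alg": "none"}),
                       _b64({"aud": ARM_RESOURCE, "scp": "user_impersonation"}), "sig"])

if __name__ == "__main__":
    sub = "00000000-0000-0000-0000-000000000000"   # placeholder subscription ID
    print(authorize_url("TENANT_ID", "CLIENT_ID", "https://localhost")[0])
    print(arm_url(f"/subscriptions/{sub}/resourceGroups/example-rg", "2020-06-01"))
    print(token_targets_arm(SAMPLE_JWT))
```

A token whose `aud` is some other resource, such as the Graph permission first seen in the consent prompt, fails `token_targets_arm`, which is a quick check before sending it to management.azure.com.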
Info
Channel: Concepts Work
Views: 18,057
Keywords: Azure, microsoft, Azure ARC, Infrastructure, Defender, Microsoft, Security, CISO, Microsoft Security, Endpoint Security, Endpoint Detection and Response, Microsoft Endpoint Security, Microsoft azure, Threat and Vulnerability Management, Microsoft Threat Experts, MITRE, MDATP, Microsoft Defender Advanced Threat Protection, SOC, Security operations centers, Application Security, Vulnerability Management, Vulnerability, ciso, basics of security, security, identity, endpoint, network
Id: pfBc2EIbgQw
Length: 27min 9sec (1629 seconds)
Published: Tue Sep 05 2023