Microsoft Azure REST API Tutorial | Postman | Oauth2.0 Client Credential Flow

Captions
Hi everyone, hope you're all doing well. Welcome back to our channel. In this video I'm going to show you how you can access the Microsoft Azure REST API using the OAuth 2.0 client credentials flow. Now, if you're watching the series from the beginning, in the last video we discussed accessing the Microsoft Azure REST API using the authorization code flow. There are many different aspects which I have already covered in the last video, so if you have not seen it, it's my sincere request: go ahead and watch that video first, because there are many concepts that I have covered and I'm just going to use them as a reference point in this particular video.

Okay, so there was a dedicated application which we have already created. In this video we are going to assign the permission to that application itself, because there is no user interaction. It's client credential flow, right? The application is directly going to request a token. Then we'll request an Azure AD token using client credential flow, and lastly we'll just go ahead and access Azure REST endpoints. So this will be a complete kind of demo video, no more deck; everything should be on the Postman console itself.

So this is where we left off in our last video, wherein we tried accessing this particular endpoint and we were able to see our VM, right? But here we were using authorization code flow. Now, you already know that for client credential flow there is only one specific endpoint that is required, which is the token URL. The authorization code, or let's say the authorize endpoint, practically speaking is not required. So this is something which I want you all to closely observe: the moment, from this particular console of authorization in Postman, I choose client credential instead of authorization code, you see I'm not even getting the option of auth URL anymore. So this console I was using to request a token by authorization code flow; now I have just changed the option to client credential and the entire flow will be changed, because only this particular endpoint will be used. That's it.

Now, since I'm using the same application, so this was the application that we created in our last video, I'm going to use the same application, and client ID and client secret will also be the same. Now again, this key value should exist, which is resource: management.core.windows.net. Now let me go ahead and get a new access token and click on Proceed, and you can see I am getting an access token without any user interaction. There is no prompt.

Okay, so let me do something. Let me just clear the last authentication as well, so that there should be no doubt. I'll go ahead and again initiate a logout request so that everything should completely be cleared. You see I'm getting this option because it's directly going to the token endpoint. Or let's say if I go here now and let me paste this URL here, let me just clear the last login, because at times it creates issues. Perfect, so I'm signed out. Authentication failed, yes, that's exactly what I want.

Now I'll change to client credential again. Here we need the token endpoint. I'll just click on Endpoints and I'm going to copy the token endpoint and I'm going to paste it here. Okay, so this is where we left off: my grant type should be client credential, access token URL, client ID, client secret, perfect, resource management.core.windows.net. Get new access token. So you can see practically there is no user interaction and I am getting a token now. Let's name it as "client", and I'm going to click on Use Token.

Now, even though we have a token, still this will fail, and I'll show you how. You see, authorization failed, because the client ID this, with object ID this, does not have authorization to perform action for this particular scope. So let me show you this here. You see, this is the error that we are getting. Now just relate: this client with object ID this does not have authorization to perform action for this particular scope. If you have seen the RBAC video, you'll come to know what I'm referring to, that every role has a predefined scope. Now, since this application as an identity, think about it, this application as an identity does not have any privilege to access any of the resources, and in this particular flow of client credential there is not even a user authentication so that somebody else can authorize this application. So now think about this in a nutshell: what exactly do you need? You just need a role assigned to this particular application, that's all.

So assume that I want to access some resource from this particular subscription, which is the first one, which is Visual Studio, and I'm going to click on Apply. Now I have to access certain resources from this particular subscription. I'll close this, I'll go to, let's say, All resources, or let's go to Resource Group, hypothetically assume, and I'm going to select my first subscription. Perfect. Now I want to access certain resources, or let's say I'm creating a service that is going to access certain resources for this particular resource group, which is Azure Sentinel, just assume. In this case, what I have to do is come to this particular console and just add my application to have privileges. So now I'm inside Access control for this particular resource group. I'm going to click on Add role assignment, and since it's a demo, I can just add the Contributor role to my application itself. Let me just copy the name from here: it's CW hyphen Azure API hyphen test. This is my application name. I'm just going to copy this value and I'm going to give it here. That's it. Now Next, Review and assign.

Now once this process is completed, I mean once you see your application getting listed in the role that you have assigned, as you can see it here, then you have to come back to your Postman and get a new access token. So I'm going to name it as "Azure rest client new" and I'm going to click on Use Token. Now I'll go back to my resource group, I'll click on Azure Sentinel, I'll click on JSON View, and I'm going to create the URL that we need to access this resource, which practically I can just paste here itself to save time. You can see, on this particular subscription, go ahead and access a resource group which is Azure Sentinel. Now let me just copy this link and come back to Postman and just try accessing this link. That's all we need to do, and let's see if it works. Perfect, you can see I can access Azure Sentinel.

Now one more thing which I would like to show you: assume that from the same application somebody tries to access a different resource altogether. Let's say this time the resource group is Azure VM. So now if I go ahead and replace this value, management.azure.com, subscription, subscription ID, resource group, Azure VM, yeah, this access should fail, because this is very much predefined in the role itself: what scope access I have, and what the client is supposed to access, or what is the upper limit of the access itself. Now, since I am Contributor, I can choose different HTTPS operations from here. We'll come to this in a lot more detail, but if it had been only Reader, I would only be able to read or query that particular resource, that's it, nothing more than that.

Okay, perfect. So this was all about knowing how exactly you can access these endpoints with the help of client credential flow. With this particular use case type, you need the app to have a permission or role assigned directly to that particular resource or resource type. So if you want to access, let's say, a VM, for example, to perform a specific task, then if you have to use client credential flow, your application should have access to that particular resource itself. Let me just quickly show you. For example, you want to make any change to this VM, GET, POST or whatever you want to do, right? Then if you want to use client credential flow, which is basically for scheduling tasks and different kinds of scenarios, we'll come to that, your application should have a role assignment here, if there is no user interaction, which means there is no implementation of OAuth 2.0 authorization code flow or implicit flow.

Okay, so let's talk about a quick summary of what we have discussed in this video. We have discussed assigning permission, as I've shown you in the video itself, how you should use one specific permission for a specific scope, then requesting the token, again with the help of client credential flow, and then we have accessed REST endpoints. Now, in the next video I'm going to showcase how you can create PowerShell scripts to go ahead and query a specific endpoint, which is the Azure REST API. So if you think that this channel is helping you to learn anything new, please feel free to subscribe and share this video with your technical community. Thank you so much, thanks for your time.
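Added example, not part of the video or its captions: a Python sketch of the token request the Postman form sends in this flow, plus a triage helper for the "does not have authorization to perform action ... over scope" error shown in the demo. The tenant, subscription, resource group names, client and object ids and the 403 body are constructed placeholders, and the prefix-based scope check is a simplified model of role-assignment inheritance.

```python
import json
import re
from urllib.parse import urlencode

def token_request(tenant_id, client_id, client_secret):
    """Build the token-endpoint POST; this flow never touches an authorize URL."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    form = urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": "https://management.core.windows.net/",
    })
    return url, form

DENIED = re.compile(
    r"client '(?P<client>[^']+)' with object id '(?P<object_id>[^']+)' does not have "
    r"authorization to perform action '(?P<action>[^']+)' over scope '(?P<scope>[^']+)'")

def parse_authorization_failed(body):
    """Extract identity, action and scope from an ARM AuthorizationFailed body."""
    error = json.loads(body).get("error", {})
    if error.get("code") != "AuthorizationFailed":
        return None
    match = DENIED.search(error.get("message", ""))
    return match.groupdict() if match else None

def scope_covers(assignment_scope, target_scope):
    """Simplified RBAC model: an assignment applies at its scope and below."""
    a = [p for p in assignment_scope.lower().split("/") if p]
    t = [p for p in target_scope.lower().split("/") if p]
    return t[:len(a)] == a

def triage(body, assignment_scopes):
    denied = parse_authorization_failed(body)
    if denied is None:
        return "not an AuthorizationFailed response"
    if any(scope_covers(s, denied["scope"]) for s in assignment_scopes):
        return "assignment covers scope: get a new token, then check the role's actions"
    return f"no assignment for object {denied['object_id']} at or above {denied['scope']}"

# Constructed sample values (placeholders, not taken from the video).
SUB = "/subscriptions/11111111-1111-1111-1111-111111111111"
RG_SENTINEL = SUB + "/resourceGroups/rg-sentinel"
RG_VM = SUB + "/resourceGroups/rg-vm"
SAMPLE_403 = json.dumps({"error": {"code": "AuthorizationFailed", "message":
    "The client 'aaaa' with object id 'bbbb' does not have authorization to perform "
    "action 'Microsoft.Resources/subscriptions/resourceGroups/read' over scope '"
    + RG_VM + "' or the scope is invalid."}})
```

With the only assignment at `RG_SENTINEL`, `triage(SAMPLE_403, [RG_SENTINEL])` reports a missing assignment for the sibling resource group, which is the failure the demo shows when the URL is switched to the VM resource group.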
Info
Channel: Concepts Work
Views: 5,751
Keywords: Azure, microsoft, Azure ARC, Infrastructure, Defender, Microsoft, Security, CISO, Microsoft Security, Endpoint Security, Endpoint Detection and Response, Microsoft Endpoint Security, Microsoft azure, Threat and Vulnerability Management, Microsoft Threat Experts, MITRE, MDATP, Microsoft Defender Advanced Threat Protection, SOC, Security operations centers, Application Security, Vulnerability Management, Vulnerability, ciso, basics of security, security, identity, endpoint, network
Id: AN83mSfAlC4
Length: 12min 18sec (738 seconds)
Published: Wed Sep 13 2023