Microsoft Azure REST API Tutorial | PowerShell | Oauth2.0 Client Credential Flow

Video Statistics and Information

Captions
Hi everyone, hope you're all doing well. Welcome back to our channel. In this video I'm going to showcase how you can access Microsoft Azure REST APIs with the help of OAuth 2.0 client credential flow, and in this video I'm going to use PowerShell to access the Azure resources. Now, in the last video we have discussed how to use Postman with client credential flow, whereas in this video I'm going to write a script from scratch, and I'll tell you the methods to replace a specific section called URL, wherein you will be giving the endpoints of the resource that you're trying to access, and then this can help you to access multiple resource from the same script itself. Now, since this is the first video related to PowerShell for Azure REST API, I'm just going to show you how you should access a specific resource, but as we move on we will cover multiple use cases, likewise managing VMs, or managing Log Analytics workspace, or managing Sentinel, or different services. Okay, so this will be a complete demo video, no more deck.

So what I'll do is I'll switch to my machine, where I've signed into portal.azure.com. Now, when it comes to PowerShell, the very first thing that should be sorted is which endpoint I should reach to initiate authentication, right? So in my last two videos I was very specific that we are going to use these two endpoints. So this is the authorized endpoint and this is the token endpoint. Now, when it comes to client credential flow, this is the endpoint that we have to reach. But I have explained this before, but just a quick recap: this is the link which can be accessed to know all the endpoints that can practically exist for a specific tenant, you can see. And it's not only about endpoints, you'll also come to know about what are the scopes, uh, which are supported, and there are multiple other different categories as well which is available in this particular link, okay, which is this one. So what we'll do is we'll access this link itself, okay, because as we move along with the playlist I'm going to use this link for multiple methods, or let's say multiple details are there which I will be querying.

So I'm going to use this first link just to save this in a variable and then get to token endpoint. Okay, so since this is OpenID, I'm going to name it as OpenID itself, and then I'm going to say Invoke-RestMethod and then go to this particular URI. On which URI is that? The one that we have just copied. Okay, so let me expand this slightly. Yeah, so this is the first command. So I'm going to run this, and now if I go and open this particular variable, or access this variable, I'll see all the endpoints will exist here. You can see now it is slightly more sorted as compared to what we were seeing on the browser, right? So we can see token endpoint, and then the methods which are supported, what are claims supported. I mean, this is slightly more descriptive to what you were seeing on the browser.

Okay, now from this we need token endpoint. Okay, so what we'll do is, from this particular outcome that we are getting, which is OpenID, I have to select token endpoint, which is this one. So I'm going to save this value again to a different variable, and I'm going to name it as token. Okay, so now let's run these two command and see what exactly we have in token. And this is my token endpoint. This is the same information which was available on the browser, but if you will see, I am getting this v2, which we don't need, which means what? While we have copied this address we have selected the option of v2.0, because for now this is the only option which is available. Okay, so if I come back here and if I try to search for metadata document for, let's say, v1, I can't find it. So in this case the process is exceptionally simple: you have to just delete this, that's it. Now once you again initiate these two commands, and now if you try to access token, you can see I'm getting v1 token endpoint, which is this one.

Now the next thing is moreover related to the set of parameters that we have to send in body. Okay, so for that I have already created a sample which I'll just paste here, and I'll explain you what exactly is happening under the hood. Okay, so the first section here says I'm going to incorporate the client ID, then client secret, then redirect URI is something that you have to use in terms of sending the callback URL, which is https://localhost, then my grant type is client credentials. So if I'll come back to Postman you will see grant type, and here also it is client credential. Now this resource that you see over here is something that we were sending in the body, right? So if I'll scroll down this you can see token request, resource, a specific value, and then it has to be sent in request body. That's exactly what I have done here. Okay, and then in the tenant I am naming Concepts Work. Now see, this is something, uh, which if you want you can include, or if you want you can ignore this value as well, that's not going to make any difference.

Okay, now the next step is to go ahead and initiate an authentication, right? That means by capturing all these details I should go to token endpoint, which is this one, uh, that we see over here, and then I should get a token, right? So let's see what's happening. Okay, so let me just replace this with token endpoint. Okay, I'm going to invoke a request through by URL, which is this one, I mean the one that we see over here, and then I'm going to send this body in the form of a variable, or let's say a request variable, in this request itself, and the method that I'm using is POST, because this is how the client credential flow works. Now if I run this script, the expected behavior is I should get the token that I can use with this script to query multiple resources. Now what you can see that I'm getting an error where it says the application with this identifier was not found. That means what? Even though I'm sharing this script, what you have to do is you have to update client ID and client secret. So let me just do this quickly. I'm keeping all these mistakes as well in the video so that, you know, you should understand that if anything goes wrong how you should relate. Okay, these are all intentional mistakes, I suppose you'll agree with me.

Okay, so now I'm going to clear the screen, and that's it, I have the access token. Now this is the token that I have to incorporate while sending the request. Okay, so now let's do something. Let's copy the first URL that we have to access, okay, which was my subscription URL, right, which is management.azure.com, subscriptions, and then the specific API version. Now in the next line what I'm going to do is I'm going to query subscriptions, right? So for that, in the subscription variable, go ahead and save the response that you're getting from here. Now let me just show you what exactly is happening over here. I'm again initiating a REST method or a REST request to this particular URL, which is this one, and in the headers I'm including Bearer and my access token. Now if I come back to my Postman, see, this is exactly what was happening over here as well. There is a value which is token, and then the header prefix is Bearer. So I'll come back to my script. Now the expected behavior is the moment I'll run this there must be some response that I should get in this particular variable, and let's see if we get any response. Okay, perfect. So I think the response is completed.

So now if I go ahead and say, uh, subscription, I'm getting some response. Now if I select the value part, as you can see, now I am getting, uh, a specific subscription where my client ID has access. Now if you remember, I was talking about having or granting permission for a client ID to a specific location altogether, which means what? For this particular subscription there is a very dedicated resource that I can access. If you guys remember, last time in the last video itself I have granted this client ID the permission to access a specific resource altogether. That's why it is showing me only one subscription, which is Visual Studio.

Okay, now let's say I want to manage multiple subscriptions from the same client, okay, which is CW hyphen Azure API hyphen rest. So I'll go to my subscription, and for this subscription it is already having, uh, the respective access. So I'll go to other subscription now, and this time I'll click here and I'll click on Add, and then I'll add a role assignment, and this time the privileged access, let's say for contributor privilege, for this particular application, which is CW hyphen CW hyphen Azure API hyphen rest. Okay, and I'll click on review and assign. So now the expected behavior is if I'll refresh the token again and again go to this particular section, or go to this particular URL, now I should get two subscriptions listed. Let's see what is the expected result that we are getting. Okay, so again I'll go ahead and type subscription, and if this time I'll go ahead and see value, I am getting two entries. Okay, so the concept of access control remains same.

Now for this second subscription, Visual Studio subscription, this second one, I have granted contributor privilege at the subscription level itself, okay, which means what? If I customize this I can actually go ahead and query any information. Okay, so let's say if I copy my subscription ID from here, okay, and then go to resource group URL, okay, the expected behavior is all the resource group should get listed. Okay, sorry, it's resource groups. Let's see what happens this time. I've changed this. Okay, perfect. Now let's see what we are getting in subscription. Just give me one minute. Value. Perfect, you can see I'm getting all the resource group now.

Okay, similarly I can go ahead and change this to any other resource, right? So let's say I go back to my subscription, I click on, let's say, all resource, and here if I apply a filter that show me all the resource that exist in this particular subscription, I can practically choose any of these resource and access them from my PowerShell script itself. So let's say I want to query this DCR for Linux. Okay, I just want to see, uh, some of the configuration which is related to this particular DCR itself. I'm going to copy this value, I'll come back to my notepad, and I'm going to follow the same process which I was showing you before in the notepad. Let me open that to recall what I was explaining. This is something that I've explained in my last video. So this is what we need, added with management.azure.com. I will delete this last section, and now I need API version. Now see, since we are talking about one specific resource, which is DCR, which is data collection rule, it's my recommendation to always match this API version, right? So in this case it has to be 2022-06. Okay, I assume about the right value, yes. So now I'll go ahead and copy this URL, come back to my script, and just replace this value, and let me delete this line as well, and delete. Perfect. Now I'm going to initiate my script again and let's see what we get. The expected behavior is I should get DCR as an object in my value. Okay, perfect, you can see I'm getting one single value for DCR. Now since it was only one value, that's why it is directly available in this variable itself. I mean, these are all PowerShell tips and tricks. I'm sure you guys know much more than me. I'm not very good at, you know, scripting, but I'm just telling you different methods of accessing the same set of information.

Okay, so this was all about knowing how you can access Azure resources through PowerShell by using client credential flow. The concepts remain same: you need an Azure AD application. Whichever application you have created, you have to make sure that particular application has a right set of permissions. So in our case the application was this one, and we have already consented the application to access Azure resources by selecting this particular option of user impersonation. Moreover, this, the application that we have created, which is this one, has the permissions assigned for both the subscriptions.

Okay, so let's talk about a quick summary of what all we have discussed in this video. We have discussed about accessing Azure REST API from PowerShell. We have created a script from scratch. Now this script will be available on our LinkedIn page, because YouTube does not allow to post documents. Now we have also seen how we can update the URL path to access multiple resources. In the next video I'm going to create a use case specific script to access multiple resources. As we move along with this playlist I'm going to give you multiple scripts for automation, and which you can use to perform a specific task which is required on a daily basis. Okay, so if you think that this channel is helping you to learn anything new, please feel free to subscribe and share this video with your technical community. Thank you so much, thanks for your time.
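
The flow walked through in the captions above, written out as an added PowerShell example; it is not the presenter's script, which is not on this page. The environment variable names, the `Get-ArmList` helper and the two API versions are assumptions made for the example.

```powershell
# Added example: client credentials flow against Azure Resource Manager.
# Assumption: tenant ID, client ID and secret are supplied through environment
# variables (hypothetical names) so the secret is never stored in the script.
$tenantId     = $env:AZ_TENANT_ID
$clientId     = $env:AZ_CLIENT_ID
$clientSecret = $env:AZ_CLIENT_SECRET
if (-not ($tenantId -and $clientId -and $clientSecret)) {
    throw 'Set AZ_TENANT_ID, AZ_CLIENT_ID and AZ_CLIENT_SECRET first.'
}

# 1. Read the tenant's metadata document. Without "/v2.0" in the path it
#    returns the v1 token endpoint, as in the video.
$openid = Invoke-RestMethod -Uri "https://login.microsoftonline.com/$tenantId/.well-known/openid-configuration"
$tokenEndpoint = $openid.token_endpoint

# 2. POST the client credentials. A hashtable body is sent form-encoded.
#    The v1 endpoint takes 'resource'; no redirect_uri is needed for this grant.
$body = @{
    grant_type    = 'client_credentials'
    client_id     = $clientId
    client_secret = $clientSecret
    resource      = 'https://management.azure.com/'
}
try {
    $token = Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $body
} catch {
    # A wrong client ID or secret surfaces here as an error from the endpoint.
    throw "Token request failed: $($_.ErrorDetails.Message)"
}

# 3. Call the management API with the bearer token, following nextLink paging.
$headers = @{ Authorization = "Bearer $($token.access_token)" }
function Get-ArmList ([string]$Path, [string]$ApiVersion) {
    $uri = "https://management.azure.com${Path}?api-version=$ApiVersion"
    $items = @()
    while ($uri) {
        $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        $items += $page.value
        $uri = $page.nextLink
    }
    $items
}

# Only subscriptions where the application has a role assignment are returned.
$subs = Get-ArmList -Path '/subscriptions' -ApiVersion '2020-01-01'
foreach ($sub in $subs) {
    Get-ArmList -Path "/subscriptions/$($sub.subscriptionId)/resourcegroups" -ApiVersion '2021-04-01' |
        Select-Object @{ n = 'Subscription'; e = { $sub.displayName } }, name, location
}
```

The output lists one row per resource group, which makes it easy to confirm that the application sees only the subscriptions it has been granted a role on.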
Info
Channel: Concepts Work
Views: 3,000
Keywords: Azure, microsoft, Azure ARC, Infrastructure, Defender, Microsoft, Security, CISO, Microsoft Security, Endpoint Security, Endpoint Detection and Response, Microsoft Endpoint Security, Microsoft azure, Threat and Vulnerability Management, Microsoft Threat Experts, MITRE, MDATP, Microsoft Defender Advanced Threat Protection, SOC, Security operations centers, Application Security, Vulnerability Management, Vulnerability, ciso, basics of security, security, identity, endpoint, network
Id: 1uv2qju8O34
Length: 17min 34sec (1054 seconds)
Published: Wed Sep 20 2023