Generate Access Token via Service Principal

Question

Generate Access Token via Service Principal

Nandan Hegde 27,241 MVP

Currently we are generating an Access Token within Azure automation via Managed Identity based on the below code:

$bearer_token = (Invoke-RestMethod -Method Get -Headers @{"X-IDENTITY-HEADER"="$env:IDENTITY_HEADER"} -Uri "$( $env:IDENTITY_ENDPOINT )?resource=499b84ac-1321-427f-aa17-267ca6975798&api-version=2019-08-01").access_token
$bearer_token

Now the devops/offering is moving to a different tenant because of which we cannot use Managed Identity and we need to switch to Service principal way.

So can anyone suggest how to generate the access token based on the above configuration and leveraging an app

Tushar Kumar 3,106


$TenantId = "72f988bf-86f1-41af-91ab-2d7cd011db47"  # aka Directory ID. This value is Microsoft tenant ID
$ClientId = ""  # aka Application ID
$ClientSecret = ""  # aka key

$Resource = "https://management.core.windows.net/"
$RequestAccessTokenUri = "https://login.microsoftonline.com/$TenantId/oauth2/token"

# https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow#request-an-access-token
$Body = "grant_type=client_credentials&client_id=$ClientId&client_secret=$ClientSecret&resource=$Resource"
$Token = Invoke-RestMethod -Method Post -Uri $RequestAccessTokenUri -Body $Body -ContentType 'application/x-www-form-urlencoded'


Write-Host "Access Token JSON" -ForegroundColor Green
Write-Output $Token

AnuragSingh-MSFT 17,396 Reputation points

2023-11-13T10:19:23.36+00:00

Nandan Hegde, following up to see if the reply helped. Please let us know if you have any questions.
Nandan Hegde 27,241 Reputation points MVP

2023-11-13T11:16:39.0933333+00:00

Hey,

I have provided the same level of access to Managed Identity and Service principal but when I generate the OAuth token via App , I am unable to get details from the REST API but the managed identity driven token is working as expected.

So my guess is the header/auth across the managed identity code is not same in the code shared above. There might be something which we are missing out

Tushar Kumar 3,106 Reputation points

2023-11-09T14:44:50.1766667+00:00

$TenantId = "72f988bf-86f1-41af-91ab-2d7cd011db47" # aka Directory ID. This value is Microsoft tenant ID $ClientId = "" # aka Application ID $ClientSecret = "" # aka key $Resource = "https://management.core.windows.net/" $RequestAccessTokenUri = "https://login.microsoftonline.com/$TenantId/oauth2/token" # https://docs.microsoft.com/en-us/azure/active-directory/develop/v1-oauth2-client-creds-grant-flow#request-an-access-token $Body = "grant_type=client_credentials&client_id=$ClientId&client_secret=$ClientSecret&resource=$Resource" $Token = Invoke-RestMethod -Method Post -Uri $RequestAccessTokenUri -Body $Body -ContentType 'application/x-www-form-urlencoded' Write-Host "Access Token JSON" -ForegroundColor Green Write-Output $Token
AnuragSingh-MSFT 17,396 Reputation points

2023-11-13T10:19:23.36+00:00

Nandan Hegde, following up to see if the reply helped. Please let us know if you have any questions.
Nandan Hegde 27,241 Reputation points MVP

2023-11-13T11:16:39.0933333+00:00

Hey,

I have provided the same level of access to Managed Identity and Service principal but when I generate the OAuth token via App , I am unable to get details from the REST API but the managed identity driven token is working as expected.

So my guess is the header/auth across the managed identity code is not same in the code shared above. There might be something which we are missing out

Generate Access Token via Service Principal

Activity