az account get-access-token CLI command Specifics

Question

az account get-access-token CLI command Specifics

Karl Gardner 195

Hello,

Wondering what exactly does the az account get-access-token command in Azure CLI do: https://learn.microsoft.com/en-us/cli/azure/account?view=azure-cli-latest#az-account-get-access-token

Their is not much explanation in the documentation. It authenticates/athorizes with Entra Id to get an access token for a specific app registration. Does it use the Microsoft Identity Platform Outh2 to get an access token with the login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize and login.microsoftonline.com/{tenant}/oauth2/v2.0/token endpoints? Seems like it would use the /token endpoint to get an access token and use the auth code flow:

https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow

Not 100% sure of that though.

Thanks!

Accepted answer

1 additional answer

Your answer

Answer 1

Navya 19,795 Microsoft External Staff Moderator

Hi @Karl Gardner

Thank you for posting this in Microsoft Q&A.

I understand you want to know exactly what the 'az account get-access-token' command does in the Azure CLI.

Authentication is the process of proving that you're who you say you are. Authorization is the act of granting an authenticated party permission to do something. Access tokens are a type of security token designed for authorization, granting access to specific resources on behalf on an authenticated user.

The az account get-access-token command in Azure CLI is used to obtain an access token for the current Azure account. When you run this command, it retrieves an access token that can be used to authenticate and authorize requests to Azure resources. By default, the returned access token is for Azure Resource Manager (ARM) and the default subscription/tenant.

It uses the authentication information that is already stored in the Azure CLI to obtain an access token. This means that you do not need to manually authenticate again when running this command. The Azure CLI stores the authentication information for the current Azure account, which includes the user's credentials and the Azure AD tenant information.

AAD stands for Azure Active Directory, which is a cloud-based identity and access management service. It offers a secure method for managing access to Azure resources, applications, and APIs.

A resource endpoint is a unique identifier for an Azure service or API that can be used to request an access token. These endpoints are used to specify the resource for which the access token is requested. Endpoints are typically in the format of https://{resource-name}.azure.com/ or https://{resource-name}. microsoft.com/.

For example:

Azure Resource Manager: https://management.azure.com/
Azure Storage: https://storage.azure.com/
Microsoft Graph: https://graph.microsoft.com/
Event Hubs: https://eventhubs.azure.com/

These resource endpoints are used to request an access token that can be used to authenticate and authorize requests to the corresponding Azure service or API.

In the video, the presenter used an Application ID URI in the --resource parameter, which is a different story. When you create an app registration in Azure AD, you can specify an Application ID URI, which is a unique identifier for your application. This URI is used to identify your application when requesting an access token. The format of the Application ID URI is api://{client-id}, where {client-id} is the client ID of your app registration.

When you use the Application ID URI as the --resource parameter, the Azure CLI requests an access token for your application, which can be used to authenticate and authorize requests to your application's APIs.

For more information: Authenticate to Azure using Azure CLI

Hope this helps. Do let us know if you any further queries.

Thanks,

Navya.

If this answers your query, do click Accept Answer and Yes for was this answer helpful. And, if you have any further query do let us know.

Karl Gardner 195 Reputation points

2024-08-15T11:26:21.6833333+00:00

Hello @Navya ,

I really appreciate the detailed explanation! Seems like it is essentially the same concept with the app registrations in Entra ID (previously AAD): https://learn.microsoft.com/en-us/entra/identity-platform/v2-oauth2-auth-code-flow as they are both getting the JWT tokens from Entra ID but the CLI is behaving as it's own "app registration".

For the resource endpoints I really only see the storage endpoint in the following format: myaccount.blob.core.windows.net (for the rest api). Just wondering, where do I find information about the different resource endpoints? For example if I want to use "az account get-access-token" command for cosmosdb access where would I find that information?

Thanks,

Karl Gardner
Navya 19,795 Reputation points Microsoft External Staff Moderator

2024-08-20T10:55:27.52+00:00

Hi @Karl Gardner

Apologies for the delayed response. The REST API you mentioned, myaccount.blob.core.windows.net refers to Blob storage.

The REST API for Cosmos DB is: mydbaccount.documents.azure.com.

For your reference: Azure Cosmos DB: REST API Reference

I'm unable to find a single document that lists all resource endpoints. Instead, I discover various resource endpoints using the link on the left side, which contains most of the service endpoints that you can explore individually.: https://learn.microsoft.com/en-us/rest/api/azure/

Hope this helps. Do let us know if you any further queries.
Karl Gardner 195 Reputation points

2024-08-21T04:04:16.29+00:00

Hello @Navya , sorry if I wasn't clear before. So you mentioned this previously: "A resource endpoint is a unique identifier for an Azure service or API that can be used to request an access token. These endpoints are used to specify the resource for which the access token is requested. Endpoints are typically in the format of https://{resource-name}.azure.com/ or https://{resource-name}. microsoft.com/." This resource endpoint is used in this --resource parameter
Karl Gardner 195 Reputation points

2024-08-21T04:13:08.93+00:00

Hello @Navia ,

Sorry if I wasn't clear before. So you mentioned this statement previously about resource endpoints:

"A resource endpoint is a unique identifier for an Azure service or API that can be used to request an access token. These endpoints are used to specify the resource for which the access token is requested. Endpoints are typically in the format of https://{resource-name}.azure.com/ or https://{resource-name}. microsoft.com/."

The resource endpoint is the --resource parameter for the "az account get-access-token". I am assuming that the resource endpoint is NOT the same as the rest api endpoint (unless you say otherwise). Thus, where would I find the RESOURCE endpoint for cosmos db. The endpoint you gave me (mydbaccount.documents.azure.com) is for the REST API. Thanks,

Karl Gardner
Navya 19,795 Reputation points Microsoft External Staff Moderator

2024-08-22T11:50:18.83+00:00
Hi Karl Gardner

Apologies. You are correct that the resource endpoint is not the same as the REST API endpoint.

However, according to the document https://learn.microsoft.com/en-us/cli/azure/account?view=azure-cli-latest#az-account-get-access-token the resource type values for the Azure CLI 'az account get-access-token' command are only supported in the following values. aad-graph, arm, batch, data-lake, media, ms-graph, oss-rdbms

az account get-access-token [--name] [--resource] [--resource-type {aad-graph, arm, batch, data-lake, media, ms-graph, oss-rdbms}] [--scope] [--tenant]
Karl Gardner 195 Reputation points

2024-08-23T01:15:11.9166667+00:00

Hello @Navya,

I appreciate the information. Back to the resource endpoint. You said that storage account resource endpoint is ( https://storage.azure.com/ ) I have not seeing this anywhere in Microsoft Learn anywhere and wondering where you found this? I'm also wondering where I would find one for cosmos db for example? You only gave me the REST endpoint for cosmos db.

Thanks!
Navya 19,795 Reputation points Microsoft External Staff Moderator

2024-08-23T10:04:33.2+00:00

Hi Karl Gardner,
Thank you for following up on this!

The document refers to blob and storage resources. https://learn.microsoft.com/en-us/azure/storage/blobs/authorize-access-azure-active-directory?tabs=dotnet#microsoft-authentication-library-msal
Karl Gardner 195 Reputation points

2024-08-24T16:43:00.76+00:00

Hello @Navya,

So going along with the storage account example. According to the document that you sent it seems like the resource id is in fact the same as the REST endpoint when accessing a specific storage account: (https://<account-name>.blob.core.windows.net). However, when accessing any storage account it would be consistent with what you were saying before: https://storage.azure.com/

Can you confirm that this is true for the az account get-access-token CLI command?

Thanks!
Navya 19,795 Reputation points Microsoft External Staff Moderator

2024-08-26T02:12:19.84+00:00

Hi Karl Gardner,

Yes, that's correct! When accessing a specific storage account, the resource ID is indeed the same as the REST endpoint, which is in the format of https://<account-name>.blob.core.windows.net.However, when accessing any storage account, the resource ID would be https://storage.azure.com/.
Karl Gardner 195 Reputation points

2024-08-26T23:36:56.88+00:00

@Navya,

Awesome. Thanks for clarifying this!

Karl

Answer 2

Abiola Akinbade 29,405 Volunteer Moderator

You're on the right track. The az account get-access-token is to obtain an access token for Azure Resource Manager (ARM) or Azure services. However it usually uses the credentials you've already given when logging into the Azure CLI and not authorization code flow.

You can mark it 'Accept Answer' and 'Upvote' if this helped you

Regards,

Abiola

Karl Gardner 195 Reputation points

2024-08-11T00:28:16.3133333+00:00

Hello @Abiola Akinbade ,

I appreciate the response. Right, so when logging into azure cli (with az login) we provide credentials and authentication for the cli application. However, when getting an access token (az account get-access-token) what access is it being given? The azure cli is is acting as it's own client application with it's own clientID. See the following video:

https://www.youtube.com/watch?v=hzfpHvA5Wg0&t=962s

However, not sure what it would be giving access to. Maybe a specific resource/service on azure?

Thanks,

Karl
Abiola Akinbade 29,405 Reputation points Volunteer Moderator

2024-08-11T02:13:18.54+00:00

"However, not sure what it would be giving access to. Maybe a specific resource/service on azure?"

Access to resource manager. The token obtained is scoped to allow operations on Azure resources.
Karl Gardner 195 Reputation points

2024-08-12T01:20:32.86+00:00

Hi @Abiola Akinbade ,

Seems like I need to read a bit more about ARM: https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/overview

I see that the default scope is indeed Azure Resource Manager:

Just one last question before I accept this answer. In the video I sent before, the presenter put an Application ID URI from an app registration in the --resource parameter (api://f966lddc-833a-4d07-b6e3-172fe52c2a84). However, the --resource parameter accepts azure resource endpoints in AAD v1.0. Does AAD stand for Azure Admin Center or Azure Active Directory and what are these resource endpoints. I would assume the endpoints are the names like Microsoft.EventHub if I wanna connect to event hubs?

Thanks!
Abiola Akinbade 29,405 Reputation points Volunteer Moderator

2024-08-12T06:28:35.75+00:00

AAD is Azure Active directory. the --resource parameter usually accepts the URI of the Azure resource you're trying to access. For connecting to Azure services like Event Hubs, you should use the full resource URI

Share via

az account get-access-token CLI command Specifics

1 additional answer

Your answer