use my user id to access azure APIs (non interactive)

Question

hi,

i know how to use Azure API in following way.

1) go to app registration and create new app

2) get "client id", "Directory (tenant) ID" and secret.

3) go to "API permission" section and add what API you want to access.
OR
use app-id as SP and add it to role like "billing reader" and it will work too.

4) then use /oauth2/token pass client_id and client_secret and get bearer token.

5) then use any API by passing "Bearer {{access_token}}" in header and everything works.

But

1) what if i want to use API like billing or Cost Management or "Microsoft.Storage/storageAccounts" but by my ID? what will be the flow? how to get bearer token from /oauth2/token by using my ID (my AD email)?

AND

2) is it possible to use my privilege but without me passing my password? can i authorize some app_id to emulate as me for like an hr ?

Answer 1

I will tell you, if you want your API to use your credentials, then the app registration would have to use delegate permissions. You can read more about it under Delegate app registration permissions in Azure Active Directory documentation. In other words, your app will use the permissions of the person logging in. This may be preferred because you can check the claims of the user principal and determine whether or not they have the necessary permissions for your app execute API calls against billing or billing accounts. This approach will work if you have a front-end app that's calling your backend non-interactive API, as this tutorial outlines.

With regards to your second question, it is not possible. However, along similar lines you can utilize a user managed identity instead of a system-assigned one. You can grant the same permissions to the user identity that your account currently has however I advise to a least permission access approach.