In an earlier post , I explained how Resource VMs can be accessed using ARM APIs. We used the classic Azure portal along with the native application approach to implement this.
We had to use the classic portal as the new portal was in preview mode and Azure Active Directory (AAD) was not fully integrated in the new portal.
Now that AAD is integrated in the new portal, I’ll explain how we can achieve the same use case of accessing ARM APIs using this new Azure portal.
For the sake of this demo I have created a new VM as part of my Azure subscription.
Next, we’ll create a native application in the Azure Active Directory.
Step 1: Create Native application in AAD
In the Azure portal, navigate to
Azure Active Directory and click on the
App Registrations section.
Next click on the
Add option at the top.
This will open up a new blade towards the right.
As shown in the screenshot below provide a
Name for the application, select the
Native application option in the
Application Type dropdown and provide a
Redirect URI in the third input option. This URL need not be an actual endpoint, it just needs to be a valid URI.
Click on the
Create button at the bottom and with this the new native application would be created.
Next, we’ll delegate permission to this application to access the
Windows Azure Service Management APIs. This will help us access the ARM APIs later on.
Step 2: Delegate permission to the Native application to access Azure Service Management APIs
Click on the newly created application, in this case
SKApp, and click on the
This will open up a blade on the right. Click on
Required permissions option and then the
Add option at the top.
Now for the
Select an API option select the option
Windows Azure Service Management API on the right.
Once selected, grant
delegation rights to the application to access this API as follows.
Once permission is granted, the assigned permission list would look like…
Step 3: Create a Secret Key for this Native application
We’ll now create a
secret key and associate it with this application.
Click on the
Keys section in
key description and select an
expiry as per your requirement.
Now click on the
Save option at the top and a key would be generated.
Store this key safely and securely with you, as this would be required later on when we try to access the ARM APIs.
Step 4: Save the Application ID and Directory ID
Now that we have generated a
secret key and saved it, we need to also save the
Application ID of our Native application and
Directory ID of the Active Directory instance.
You’ll find the
Application ID in the Native application details blade.
Directory ID also known as the
Tenant ID, is the unique id for the AAD instance.
You will find it at the following location.
In addition to these we’ll also require the following additional parameters.
Service resource id
The value of this id is
This url is used for authorization and its value is
As shown above, the authorization url requires the
With this, we now have all the details to go ahead and implement a REST client to consume ARM APIs.
However, before we do that we need to carry out an additional step of granting rights to our native application on the subscription. Note: These rights can be granted at the Subscription, Resource Group or at the Resource level (in this case virtual machine level).
Granting rights at Subscription or Resource Group level would get inherited by all resources under them.
Step 5: Grant permission to the Native application at the subscription level
To grant rights, drill down to the relevant subscription on which we wish to assign the rights to the application.
Click on the
Add option as shown above, and select the
Reader role option.
Once done, select the native application we created earlier by typing its name in the
Add Users input box.
Select the application once it shows up and click on the
Select button below.
Thats it!! We are done. Now we can proceed towards consuming the ARM Rest APIs using a REST Client.
Step 6: Consume the ARM API using the REST client and dependent parameters
Lets create a simple C#.Net Console application to implement this.
You’ll need to install the NuGet package for
Microsoft.IdentityModel.Clients.ActiveDirectory. At the time of this post I used
We’ll create a class
AzureAD.cs to authenticate our user and get an access token which can later be used to call the ARM based REST APIs.
We’ll also need a class to place REST API calls using this access token. We’ll create a class
AzureRestClient.cs for this.
With this we can now fetch details of our VM
SK-Lin-1 as follows…
For more details on the REST API used to fetch VM details refer to the Azure reference guide.
Once you get the response, you can parse the JSON result and extract the relevant data from it. You may also download the source code for this from my github repository.
Do explore the Azure Reference documentation which lists a number of other APIs that can be used. In all cases the code remains the same, only the REST API URL and its dependent parameters would change.
Hope this was useful!