@dsmith73
Created April 11, 2022 10:52
Working with the Azure AD API

Azure AD API - a novice's perspective

Trying to use the Azure AD API

Microsoft is great at documenting what it does, but everything reads like the Encyclopaedia Britannica. Simple guides, runbooks, and how-to articles are quite sparse, or at least hard to find.

My goal here is to walk you through interacting with the API.

OAuth

Step 1: Register your application
The Microsoft guide on setting up and registering an application isn't horrible, so I'll skip over that part.

Step 2: Get your access token
This is where I started running into issues. You have to really DIG to find good information on some of this.

Sure, the grant and client parts are given to you, but I can't count the number of pages I skimmed to find the part about resource or scope. Maybe that's because I don't have a ton of experience with OAuth, or perhaps they just didn't structure the documentation in a way that my feeble mind could grasp...

Regardless, you need resource to tell OAuth where you intend to use the access_token, and apparently you need to pass scope so that OAuth understands what actions you'll take (don't forget the trailing .default). It seems dumb to me, since you defined these when you were creating your app in Azure AD.

- name: "oauth"
  uri:
    # baseURL: login.microsoftonline.com/
    url: "https://{{ baseURL }}{{ tennantID }}/oauth2/token"
    method: POST
    body_format: form-urlencoded
    body:
      grant_type: 'client_credentials'
      client_id: '{{ applicationID }}'
      client_secret: '{{ secretValue }}'   # keep this in Ansible Vault, not in the playbook
      # resource sets the token's audience; it must match the host you call in the next step
      resource: 'https://graph.microsoft.com/'
      # scope must end in .default (a typo here silently buys you an unusable token)
      scope: 'https://graph.microsoft.com/.default'
  register: oauth   # the token is then available as oauth.json.access_token

Step 3: Use your token to look someone up
I felt this part was pretty straightforward. Match the Host to the resource so you don't get a bunch of "Access token validation failure. Invalid audience" errors.

- name: "get user"
  uri:
    url: "https://graph.microsoft.com/v1.0/users/{{ userPrincipalName }}"
    method: GET
    body_format: json   # only sets Content-Type here; a GET sends no body
    headers:
      # access token registered by the "oauth" task above
      Authorization: 'Bearer {{ oauth.json.access_token }}'
      # must agree with the resource the token was issued for
      Host: 'graph.microsoft.com'
  register: output   # the user object is in output.json
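Added example, not code from the gist: a small Python stand-in for the two tasks above. It builds the same client_credentials request and, before a Graph call is made, checks the token's aud claim against the host it will be sent to, which is the mismatch behind the "Invalid audience" error. The sample token is constructed locally and unsigned, and the tenant/app/secret values are placeholders, not real identifiers.

```python
import base64
import json
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com"
# Well-known application id that Microsoft Graph tokens may carry in `aud`
# instead of the URL form.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"


def token_request(tenant_id, client_id, client_secret, resource=GRAPH):
    """Return (url, form body) matching the gist's 'oauth' task (v1 endpoint)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource + "/",            # audience the token is minted for
        "scope": resource + "/.default",       # note the trailing .default
    }
    return url, urlencode(body)


def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def token_claims(access_token):
    """Decode the JWT payload for inspection only; this does NOT verify the signature."""
    parts = access_token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWS compact-serialised token")
    return json.loads(_b64url_decode(parts[1]))


def audience_matches(access_token, host="graph.microsoft.com"):
    """True if the token was issued for `host`, i.e. the Host header in the GET task."""
    aud = str(token_claims(access_token).get("aud", "")).rstrip("/")
    return aud in (f"https://{host}", host, GRAPH_APP_ID if host == "graph.microsoft.com" else None)


def make_unsigned_token(claims):
    """Constructed test token (alg=none, empty signature); never accept such a token in production."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url_encode(json.dumps(claims).encode())}."
```

Run audience_matches on the registered token before the Graph call; a False result means the resource in the token request and the Host header disagree.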

Step 4: -vvv is your friend
Because I tend to error my way to success, I almost always run my playbooks with -vv or -vvv (depending on the level of detail I need) until I'm satisfied with the output, formatting, etc.
