Authentication using Azure Management SDK

Published on Thursday, December 27, 2018

If you want to programmatically update Azure Resource configurations you have a number of options.

  1. Use the PowerShell or Python command line tools
  2. Use the .NET Fluent libraries
  3. Use the .NET Management SDK
  4. Call the REST API directly

Each of those options have pros and cons depending on how you are using them. Overall I would suggest using the PowerShell module if possible.

However, you may need to integrate the Azure SDK directly into you application or tool with the Management SDK.

Getting Started with the .NET Management SDK

Like other SDK libraries, the Azure Management SDK is meant to be at the "core" of the tool or system you are building. As such, the libraries are highly configurable and not very prescriptive. Also, there is very little documentation on how to use this library. Most articles I have seen assume you have created an application in Azure AD and generated an access token somehow.

Packages

Rather than one large library or package for all of the Azure services, the Management SDK has a package per resource type.

Here is a full list of the NuGet Packages

Along with the specific resource package, you should also install the following common packages.

Microsoft.Rest.ClientRuntime.Azure

Microsoft.RestClientRuntime.Azure.Authentication

Logging In

Each library will contain one or many "Client" classes. Instantiating the client class will require an implementation of the ServiceClientCredentials abstract class.

Rather than implement that class yourself, you can find a few implementations in the Microsoft.Rest.Azure.Authentication namespace. Let's go over a few of the Providers in that namespace.

Add Using:

using Microsoft.Rest.Azure.Authentication

Application Token

You can use the ApplicationTokenProvider class when your application interacts with the Azure API directly as an application, without user context.

Setup

For this token provider you need to go to Azure AD and create an application. After creating that application you can either generate a Secret Key or upload a certificate.

There are two different sets of Static methods on the ApplicationTokenProvider class. LoginSilentAsync and LoginSilentWithCertificateAsync

LoginSilentAsync

ServiceClientCredentials creds = ApplicationTokenProvider.LoginSilentAsync("mydomain.onmicrosoft.com", "<appId/clientId guid>", "<secret>");

LoginSilentWithCertificateAsync

X509Certificate2 localCert = ...

ClientAssertionCertificate certAssertion = new ClientAssertionCertificate("<appId/clientId guid>", localCert);

ServiceClientCredentials creds = ApplicationTokenProvider.LoginSilentWithCertificateAsync("mydomain.onmicrosoft.com", certAssertion);

Interactive Login

If you are building a .NET Full Framework application (using .NET 452 or above) you can use the UserTokenProvider.LoginWithPromptAsync static method.

Again this requires that you have registered an Azure AD Application

LoginWithPromptAsync

var settings = ActiveDirectoryClientSettings.UsePromptOnly("<clientId>", new Uri("http://myRedirectUri"));

var cred = UserTokenProvider.LoginWithPromptAsync(settings);

That is the simplest signature, which uses the common tenant. If know which Tenant the user is logging into and want to reduce the redirects you can use a method with the TenantId parameter.

Comments