Consuming your Azure API App with Azure AD Authentication using PowerShell

I was playing around with Azure API Apps and the Azure Authentication / Authorization feature. I used this before when consuming API Apps in combination with Azure Web Apps that use SPNs for the Web App to access the API App on behalf of the user. Let’s assume I have built a super cool API App and want to create a PowerShell module for it. I couldn’t get the PowerShell client to get a working token from the API App, and after some searching and reaching out to the community I managed to get it working. Below I describe the setup using the default Azure API App and consuming it using PowerShell.

First open Visual Studio and create a new project (ASP.NET Web Application). Then choose Azure API App.

For the purposes of the demo, keep the checkbox to deploy it to Azure selected:

Create a new API app in Azure and click create:

If you are not a developer it might be a bit uncomfortable in this space, but what we created is actually an API App with one controller: when we run Invoke-RestMethod -Method Get, it will do an HTTP GET against the ValuesController:

When we run that, it should return a collection of strings, in this case “value1” and “value2”. We will leave all defaults and publish this solution to our Web API App. Right-click the project and choose Publish:

Leave all defaults and click Publish. Now we have published our API App. Let’s play with some simple PowerShell:

Run this command, changing the URL to that of your API App and adding /api/values. The /api part is the routing policy for the API App and values is the name of the controller, which you can look up in your VS solution. You see we get the 2 strings back from the API:

I mean, that was simple. Now let’s add authentication using Azure Authentication / Authorization. Open the Azure Portal, navigate to your API App, select Authentication / Authorization and turn it on:

We need to select Azure Active Directory and create an Azure AD App:

Choose a proper name for your API App, click OK and then Save. When you now go to the URL in your browser you get a login page or, if you have SSO enabled for your tenant, it will log in automatically. When we run the PowerShell command again we get lots of HTML back in the console instead of the values, because the unauthenticated request is sent to the sign-in page:

We need to create a native Azure AD application for PowerShell and grant it permission on the API App. To enable this, do the following. In the fancy old Azure Portal go to your Azure AD and click on Applications. Then click on Add:

Choose Add application my organization is developing:

Choose native application and provide a name for your client:

For the return URL I used this:

urn:ietf:wg:oauth:2.0:oob

Click the check mark and take note of the client Id:

The next step is to allow the PowerShell client app to access the API App. Click on the Configure tab and choose App Application:

Select your API App and click the check mark. Then select the permission Access MySuperCoolAPI app and click Save.

Now let’s update our PowerShell to get a token and provide it to the API to get our values again. I created a PowerShell function for the token (Get-AADToken). Then I added some commands to get the token and invoke the REST method against the API App:
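
The function and commands are not reproduced on this page. The following is an added example, not the author's Get-AADToken: it obtains a token for the native client with the OAuth 2.0 device code flow against the Azure AD v1 endpoints and passes it to the API App as a bearer token. The helper name Get-AADDeviceCodeToken, all bracketed placeholder values, and the use of the API App's Azure AD client Id as the resource are assumptions.

```powershell
# Added example: every bracketed value is a placeholder (assumption), replace with your own.
$TenantId   = '<your-tenant>.onmicrosoft.com'        # Azure AD tenant
$ClientId   = '<native-client-app-client-id>'        # client Id of the native app noted earlier
$ResourceId = '<api-app-azure-ad-client-id>'         # assumed: client Id of the API App's Azure AD app
$ApiUrl     = 'https://<your-api-app>.azurewebsites.net/api/values'

function Get-AADDeviceCodeToken {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][string]$ResourceId
    )
    $authority = "https://login.microsoftonline.com/$TenantId/oauth2"

    # Step 1: request a device code and show the sign-in instructions to the user.
    $device = Invoke-RestMethod -Method Post -Uri "$authority/devicecode?api-version=1.0" -Body @{
        client_id = $ClientId
        resource  = $ResourceId
    }
    Write-Host $device.message

    # Step 2: poll the token endpoint until sign-in completes or the code expires.
    $deadline = (Get-Date).AddSeconds([int]$device.expires_in)
    while ((Get-Date) -lt $deadline) {
        Start-Sleep -Seconds ([int]$device.interval)
        try {
            return Invoke-RestMethod -Method Post -Uri "$authority/token?api-version=1.0" -Body @{
                grant_type = 'device_code'
                client_id  = $ClientId
                resource   = $ResourceId
                code       = $device.device_code
            }
        }
        catch {
            # While the user has not signed in yet, Azure AD answers HTTP 400 authorization_pending.
            $err = $null
            if ($_.ErrorDetails.Message) { $err = ($_.ErrorDetails.Message | ConvertFrom-Json).error }
            if ($err -ne 'authorization_pending') { throw }
        }
    }
    throw 'Device code expired before sign-in completed.'
}

# The access token is a credential: keep it in memory, send it only over HTTPS, never log it.
$token   = Get-AADDeviceCodeToken -TenantId $TenantId -ClientId $ClientId -ResourceId $ResourceId
$headers = @{ Authorization = "Bearer $($token.access_token)" }
Invoke-RestMethod -Method Get -Uri $ApiUrl -Headers $headers
```

If the API App rejects the token with a 401, compare the token's audience with the allowed audiences configured for the API App under Authentication / Authorization.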

And that’s it. Now I can retrieve values from my API App using Azure AD authentication using PowerShell!