
Created by
Ümit Demirtaş
There may be situations where we need to access the resources we create and manage in the Azure environment from a third-party application. Let’s look at what we should do in this case.
Managing our Azure resources only through the portal may be insufficient in some cases. This requirement may arise for different reasons. For example, in multi-cloud environments, you may need to view your resources from multiple cloud providers on the same screen. In another scenario, your customer wants to manage their own cloud resources and wants to access certain services. In this case, it will be necessary to provide the customer with an application that will display only the services they want to use.
Connecting to Azure Platform
In order to use the services and manage the resources under the platforms, we first need to establish a connection with the accounts where payment methods are defined on the platforms. Once the connection is established, we take a step towards accessing and managing the content on the platform.
We will need some credentials to connect to the Azure platform. We can access these values from the Azure platform. Let’s first talk about them by name and then let’s talk about what they do and where we can access them.
The credentials we need for connection are ‘Client ID’, ‘Client Secret’, ‘Tenant ID’ and ‘Subscription ID’.
What is ‘Tenant ID’ and where do I access it?
Tenant ID is used to authenticate a user when using Azure services or resources. We will need the ‘Tenant ID’ of the Azure Active Directory account whose resources we want to access.
So where can we access the ‘Tenant ID’? We can access the ‘Tenant ID’ from the Azure Active Directory page in the Azure portal.

What is ‘Client ID’ and where can I access it?
Our next value is ‘Client ID’. To access and manage resources from a third-party application, we need to create a new application registration from the ‘App Registration’ page. When we search for ‘App Registrations’ in the search bar, the page that appears is as follows.

As you can see on the top left of the figure above, there is a ‘New registration’ button. Let’s click on this button and proceed by creating a new application.


Let’s get a little closer to the figure. As can be seen in the figure below, the ‘Application (client) ID’, that is, the ‘Client ID’ value we want to obtain, is displayed.

What does this application we are making here mean and for what purpose do we use it?
- You can use it for authentication and authorization.
- You can use it for API access and management.
- You can monitor and analyze the application you created.
- You can provide multiple authentication processes for multiple applications running on different platforms.
- You can integrate with external applications.
When we want to connect to Azure from an external application, we need credentials to access the account. Although the transactions made through the application are not made directly by the user, they fall into the user’s logs because we do not use the user’s ‘Tenant Id’. Here, the application we created in ‘App registration’ helps us distinguish who made a transaction: in the ‘Azure Active Directory’ logs we can see which ‘Client ID’ performed each transaction, and so tell the transactions made from applications apart.
On the other hand, we can grant different authorizations to each application we create on the user account; the application does not directly inherit the user’s authorizations. Thus, the application is not given more authorization than necessary.
How do I authorize the application?
Speaking of authorization and access, the application we are creating now is not authorized to access our Azure resources. In order to access Azure resources, we need to authorize it through the Azure Subscription page.
Let’s first enter the Azure Subscription page.

Then we need to go to the Access control (IAM) page because this is where we make role assignments.

On this page, as shown in the figure below, we go to the ‘Role assignments’ window and click on the ‘Add’ button to add a role.

As seen below, we first select the role we want to assign.

Finally, select the person or object to assign a role to.

Now that we have assigned roles, we can continue.
What is ‘Client Secret’ and where do I access it?
Another value we need for the connection is ‘Client Secret’. To access the ‘Client Secret’ value, we need to go to the page of the new application record we just created.

After clicking on the new record we created, we go to the ‘Certificates and secrets’ page under the ‘Manage’ section on the left side of the page and create a new secret here.

After entering the ‘Certificates and secrets’ page, we create a client secret object.

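The ‘Value’ field of the secret we created is our ‘Client Secret’ value. This is the ‘Value’ column, not the ‘Secret ID’ column shown next to it. Copy it as soon as the secret is created, because the portal does not display the value again afterwards.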
What is ‘Subscription ID’, where do I access it?
After establishing the connection, we need to specify which Azure Subscription the resources we use will be charged to. For this, we need the ‘Subscription ID’. In the same way, you can access the ‘Subscription ID’ by clicking on the Subscription page in the Azure portal.

Sample Code
Below is a sample code block I used in a project written in TypeScript.
The ‘CredsService’ class in the figure contains the basic credentials to be used for Azure authentication and two methods related to these credentials. These are ‘getCreds’ and ‘getSubscriptionId’ methods. In the first code block you can see the ‘CredsService’ class. Let’s place the values we just obtained in the relevant places in the constructor of the ‘CredsService’ class.

‘ClientService’ uses an object of the ‘CredsService’ class we defined above. The ‘ClientService’ class also has two methods. These are ‘getComputeManagementClient()’ and ‘getSubscriptionClient()’ methods.
We use the ‘getSubscriptionClient()’ method to create the ‘SubscriptionClient’ object. We will be using the ‘SubscriptionClient’ object to perform operations related to Azure subscriptions. It takes credentials from the ‘CredsService’ and creates the ‘SubscriptionClient’ object.
Now we can access the Azure services we are authorized for. Here I want to show how to access virtual machines as an example.
We will use the ‘ComputeManagementClient’ object to perform operations on Azure Virtual Machines. The ‘getComputeManagementClient()’ method takes the credentials and ‘subscriptionId’ we added to ‘CredsService’ and creates the ‘ComputeManagementClient’ object.
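As an added example (not the code from the original project, and not using the Azure SDK), the sketch below shows one way a credentials service can load the four values from the environment rather than from constants in a constructor, reject a ‘Secret ID’ pasted in place of the secret ‘Value’, and build the client-credentials token request that the connection relies on. The names `AzureCreds`, `loadCreds`, `tokenRequest` and `SAMPLE_ENV` are hypothetical, and the `AZURE_SUBSCRIPTION_ID` variable name is an assumed convention.

```typescript
// Added example; AzureCreds, loadCreds, tokenRequest and SAMPLE_ENV are hypothetical names.
type AzureCreds = Record<"tenantId" | "clientId" | "clientSecret" | "subscriptionId", string>;

const GUID = /^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$/i;

// Read the four values from an environment-like map (pass process.env) instead of hard-coding them.
function loadCreds(env: Record<string, string | undefined>): AzureCreds {
  const need = (name: string): string => {
    const v = (env[name] ?? "").trim();
    if (!v) throw new Error(`${name} is not set`);
    return v;
  };
  const creds: AzureCreds = {
    tenantId: need("AZURE_TENANT_ID"),
    clientId: need("AZURE_CLIENT_ID"),
    clientSecret: need("AZURE_CLIENT_SECRET"),
    subscriptionId: need("AZURE_SUBSCRIPTION_ID"), // assumed variable name
  };
  for (const k of ["tenantId", "clientId", "subscriptionId"] as const) {
    if (!GUID.test(creds[k])) throw new Error(`${k} must be a GUID`);
  }
  // The portal lists a GUID 'Secret ID' beside the secret 'Value'; only the Value authenticates.
  if (GUID.test(creds.clientSecret)) {
    throw new Error("AZURE_CLIENT_SECRET looks like the Secret ID; use the secret's Value");
  }
  return creds;
}

// OAuth 2.0 client-credentials request that exchanges the secret for an Azure Resource Manager token.
function tokenRequest(c: AzureCreds): { url: string; body: string } {
  const form: [string, string][] = [
    ["grant_type", "client_credentials"],
    ["client_id", c.clientId],
    ["client_secret", c.clientSecret],
    ["scope", "https://management.azure.com/.default"],
  ];
  const body = form.map(([k, v]) => `${k}=${encodeURIComponent(v)}`).join("&");
  return { url: `https://login.microsoftonline.com/${c.tenantId}/oauth2/v2.0/token`, body };
}

// Constructed sample values, not real credentials.
const SAMPLE_ENV: Record<string, string | undefined> = {
  AZURE_TENANT_ID: "11111111-1111-1111-1111-111111111111",
  AZURE_CLIENT_ID: "22222222-2222-2222-2222-222222222222",
  AZURE_CLIENT_SECRET: "constructed-sample-secret~value",
  AZURE_SUBSCRIPTION_ID: "33333333-3333-3333-3333-333333333333",
};
```

The request is only built here, not sent; the validated `subscriptionId` is what later scopes each resource call to one subscription.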
