I always thought that Azure’s design was too complex and required too many permissions. I felt that Azure was a system made by a group of technical nerds. I prefer the functional design of AWS to that of Azure.

However, I had to use Azure for my work, so I kept a record of some problems I encountered while using it, hoping it helps those who need it.

This article describes how to use Postman to obtain an access token from Azure Active Directory. Obtaining the token is the first step in using Azure for user authentication.

Determine the tenant

Azure allows you to have multiple tenants, and you can switch tenants in the Azure console. This is the first thing you need to do: determine which tenant you want to use.

You need to create a Tenant if you don’t already have one.

When you find the tenant you need, you get a Tenant ID, which is very important.

Since this is the unique identifier of your AD, you need to record it.

The Tenant ID is shown under Tenant Information in your interface.

Register an app

No matter what type of app you use, you need to register an app first.

Click the app registration button on the left.

Click at the top of the page to register a new application.

On the page that is displayed, enter the required registration information.

The name you register can be anything you like. Note that you need to select this registration option:

  • Accounts in any organizational directory (Any Azure AD directory – Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox)

Let’s say the application we’re registering here is a web application.

Get the basic parameters

Once registration succeeds, click your registration name and you will see the application information interface.

In this interface, you will find:

  • Application (client) ID
  • Directory (tenant) ID
  • Object ID

These parameters are very important to you; save them.

Set the secrets

Click Certificates & secrets on the left and you will see the key generation screen.

From here, you can click to generate a new secret.

You can name the secret whatever you want. Make sure you save the secret value, because it will not be displayed again the next time you visit.

API permissions

You need to make sure that your app has user-access permission on Microsoft Graph.

If you do not have this permission, click Add a permission above to add it.

Select Microsoft Graph, and then add the user permission.

Expose an API

You need to expose your API to allow access.

Add a new scope; in this case we assume you added a scope called user.read.

In the screen that pops up, enter the options you want.

For who can consent, you can select Admins and users.

[![](https://p9-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/e7acb06f6f7e46c188ffec6ba01c9484~tplv-k3u1fbpfcp-zoom-1.image)](https://cdn.ossez.com/discourse-uploads/original/1X/c90e34e3ed80ba9cfd7677cc5bd09c8909029b7e.jpeg “Azure-active-directory-token-12”)

Modify the Manifest

You need to edit this configuration parameter manually.

The main parameter is oauth2AllowImplicitFlow, which you set to true. This setting only affects the implicit (browser-redirect) flow; the client-credentials request tested below does not depend on it.

[![](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/d571521f742a418298ed6c7090164de2~tplv-k3u1fbpfcp-zoom-1.image)](https://cdn.ossez.com/discourse-uploads/original/1X/e9b8a6cc843d12dd652a1423c89527f7dd7f352b.jpeg “Azure-active-directory-token-13”)

Now that Azure is configured, the next step is to configure your client for testing.

Postman test

You can obtain the token by testing with Postman.

There are two ways to test. What we test here is obtaining the token directly with the client secret, without user authorization.

The other way will be covered in a separate test.

Add a new API request in Postman.

Access method

Use POST for access (the token endpoint only accepts POST; a GET request is rejected).

The URL to access is: https://login.microsoftonline.com/{tenant ID}/oauth2/v2.0/token

The one parameter to replace here is the Tenant ID, which identifies your AD (see the beginning of the article) and which we saved in an earlier step.

Headers

Add the header Content-Type: application/x-www-form-urlencoded

[![](https://p3-juejin.byteimg.com/tos-cn-i-k3u1fbpfcp/f78fc3d9d0974214a78f14d8af5d62f6~tplv-k3u1fbpfcp-zoom-1.image)](https://cdn.ossez.com/discourse-uploads/original/1X/f8ba5af0d6fe680ba15dd792a8aa7c0b06534cbf.jpeg “Azure-active-directory-token-14”)

Body

grant_type: client_credentials

client_id: 4ab1a0b7-da1d-423d-9fc3-e3a6fabd9

client_secret: SYk.HZT_jK6ZE1~3tle2Ha0MeV.9

scope: api://4ab1a0b7-da1d-423d-9fc3-e3a6fabd9/.default

There are a few caveats about these parameters.

client_id is the Application (client) ID we got when the app was registered at the beginning.

client_secret is the secret we created after the app was registered.

scope is the scope we created, but note that the scope we created ends in user.read. When obtaining the token we cannot use that ending; we must replace user.read with .default.

So the scope is configured as api://client_id/.default.

You must configure it this way, or you will not get the token.

When everything is configured, you can send the request, and if everything is correct, you will see the token string returned to you by the server.
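As an added example (not code from the original post), the same client-credentials request written in Python with only the standard library: it builds the POST that the Postman setup above describes, rewrites an exposed scope such as api://client_id/user.read into the .default form the caveat requires, and decodes the returned token's payload so you can check its claims. The tenant, client and secret values are placeholders you substitute with your own.

```python
import base64
import json
import urllib.parse
import urllib.request

# v2.0 token endpoint; {tenant} is the Directory (tenant) ID saved earlier.
TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

def default_scope(scope: str) -> str:
    """Rewrite an exposed scope such as api://<client_id>/user.read into the
    api://<client_id>/.default form that the client-credentials grant requires."""
    if scope.endswith("/.default"):
        return scope
    return scope.rsplit("/", 1)[0] + "/.default"

def build_token_request(tenant_id, client_id, client_secret, scope):
    """Return (url, headers, body) for the same request the article builds in Postman."""
    url = TOKEN_ENDPOINT.format(tenant=tenant_id)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": default_scope(scope),
    })
    return url, headers, body

def request_token(tenant_id, client_id, client_secret, scope):
    """Send the request; the endpoint only accepts POST, so a GET would be rejected."""
    url, headers, body = build_token_request(tenant_id, client_id, client_secret, scope)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)  # contains access_token, token_type, expires_in

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_sample_token(claims: dict) -> str:
    """Build an UNSIGNED token with the given claims (constructed test data only;
    a real token from the endpoint carries an RS256 signature in the third segment)."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return header + "." + b64url_encode(json.dumps(claims).encode()) + "."

def decode_jwt_claims(token: str) -> dict:
    """Decode the payload segment to inspect aud/tid; this does not verify the signature."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))
```

Call request_token("<tenant-id>", "<client-id>", "<client-secret>", "api://<client-id>/user.read") with your own values; the aud claim of the returned access_token should be api://<client-id>.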

www.ossez.com/t/azure-act…