REST API/Postman Implementation on ADLS Gen2 using username and password of Azure Active Directory

  • Question

  • Hi All,

    Can someone help me with the REST API/Postman Implementation on ADLS Gen2 using username and password of Azure Active Directory?

    Thank You.

    Tuesday, August 6, 2019 8:04 AM

All replies

  • Hi Sagar,

    Please follow the steps below to do the same using the client-credential flow:

    Register with Azure Active Directory tenant

    1. Click on All services

    2. Filter on App Registration

    3. Click on New application registration

    4. Enter a name in the Name box

    5. Select Web app / API in the Application type select box

    6. Enter http://localhost in the Sign-on URL box

    7. Click the Create button to create the app registration

    Once the application is created, the portal displays the app overview. Copy the Application ID value and copy it to a text editor for later use. In an upcoming step, this value is used to define a `CLIENT_ID` environment variable.

    Generate a client secret

    The next step is to create a client secret. The client secret is used to request an access token. Once you have created it, you must copy the value to a text editor, as the secret is hidden when you return to the list.

    1. Click on Settings

    2. Click on Keys

    3. Enter “rest demo” in the Description box

    4. Select In 1 year from the Expires box

    5. Click Save

    6. Copy the Value of the generated client secret into a text editor

    Add required permissions

    Now you need to grant permission for your application to access Azure Storage.

    1. Click on the application Settings

    2. Click on Required permissions

    3. Click on Add

    4. Click Select API

    5. Filter on Azure Storage

    6. Click on Azure Storage

    7. Click Select

    8. Click the checkbox next to Access Azure Storage

    9. Click Select

    10. Click Done

    This tutorial demonstrates how the REST API operates under different security contexts, therefore you need to create a second registration by following the previous steps beginning at Register with Azure Active Directory tenant. Make sure to set aside the Application ID and client secret in a text editor and add the required permissions to Azure Storage. The Application ID and client secret are used to set up the environment variables in the next section.

    Add RBAC permissions

    Next, you set up RBAC permissions only for the first app registration. During this section you use the Application ID that you set aside in your text editor for the first app registration. Return to your storage account in the portal.

    1. Click on Access control (IAM)

    2. Click Add

    3. Enter Storage Blob Data Contributor in the Role box

    4. Select Azure AD user, group, or application in the Assign access to box

    5. Enter the Application ID in the Select box and tab off the element

    6. Click on the name of your first app registration

    7. Click Save

    To use the REST APIs of ADLS Gen2, you need an authorization header as well. Also, the URL has the SAS token directly (not as a parameter).

    A simple way to use ADLS Gen2 APIs (using OAuth2) to create a file would be:

    1. Acquire an access token by making a POST request to https://login.microsoftonline.com/<tenant id>/oauth2/v2.0/token

    Headers:

    Content-Type: application/x-www-form-urlencoded

    Body (form-urlencoded key/value pairs):

    client_id=<CLIENT_ID>
    client_secret=<CLIENT_SECRET>
    scope=https://storage.azure.com/.default
    grant_type=client_credentials

    2. Create a file system by making a PUT request to https://<storage account name>.dfs.core.windows.net/<file system name>?resource=filesystem

    Headers:

    Content-Length: 0
    x-ms-version: 2018-11-09
    Authorization: Bearer <access_token from step 1>

    3. Set default permissions on the root directory by making a PATCH request to https://<storage account name>.dfs.core.windows.net/<file system name>?action=setAccessControl

    Headers:

    Content-Length: 0
    x-ms-version: 2018-11-09
    Authorization: Bearer <access_token from step 1>
    x-ms-acl: user::rwx,group::r-x,other::--x,default:user::rwx,default:group::r-x,default:other::--x

    4. Create a directory by making a PUT request to https://<storage account name>.dfs.core.windows.net/<file system name>/<directory name>?resource=directory

    Headers:

    Content-Length: 0
    x-ms-version: 2018-11-09
    Authorization: Bearer <access_token from step 1>

    5. Create a file by making a PUT request to https://<storage account name>.dfs.core.windows.net/<file system name>/<directory name>/<file name>?resource=file

    Headers:

    Content-Length: 0
    x-ms-version: 2018-11-09
    Authorization: Bearer <access_token from step 1>

    Once you do the PATCH operation, the text sits in an uncommitted buffer on the server. To persist the data to the file system, flush the file using the following API:

    https://<storage account name>.dfs.core.windows.net/<filesystem name>/<folder>/<file>?action=flush&position=<no. of characters>

    Note: the no. of characters is the same as the Content-Length in the previous (PATCH) step, 9 in your case.

    Headers:

    Content-Length: 0
    x-ms-version: 2018-11-09
    Authorization: Bearer <access_token from step 1>

    Hope this helps.

    Tuesday, August 6, 2019 8:26 AM
    Moderator
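The sequence in the answer above (token via client credentials, create file system, set the root ACL, create directory and file, append, flush), as an added Python example that is not part of the original thread and not Microsoft's code. It builds each call as a plain request description so the URLs, headers and bodies can be inspected offline or pasted into Postman; nothing is sent unless `send()` is called. Assumptions: the placeholders `<tenant id>`, `<CLIENT_ID>`, `<CLIENT_SECRET>` and `<account>` are constructed; the append step (`action=append&position=0`), which the answer only refers to, and the PATCH method for flush follow the public ADLS Gen2 Path Update API; and the flush `position` is taken as the byte length of the appended data, since Content-Length counts bytes. The ACL validator rejects a permission triple that is not exactly three characters.

```python
"""ADLS Gen2 REST calls via OAuth2 client credentials, built as request
descriptions (method, url, headers, body).  Standard library only."""
import json
import re
import urllib.parse
import urllib.request

API_VERSION = "2018-11-09"  # x-ms-version value used in the answer

# Root ACL from the answer; each entry is [default:]<tag>:<qualifier>:<rwx triple>
DEFAULT_ROOT_ACL = ("user::rwx,group::r-x,other::--x,"
                    "default:user::rwx,default:group::r-x,default:other::--x")
ACL_ENTRY = re.compile(r"^(default:)?(user|group|other|mask):[^:,]*:[rwx-]{3}$")


def validate_acl(acl: str) -> bool:
    """True only if every comma-separated entry has a 3-character triple."""
    return all(ACL_ENTRY.match(entry) for entry in acl.split(","))


def token_request(tenant_id: str, client_id: str, client_secret: str) -> dict:
    """Client-credentials token request; the body is form-urlencoded, not JSON."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://storage.azure.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    return {"method": "POST",
            "url": f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token",
            "headers": {"Content-Type": "application/x-www-form-urlencoded"},
            "body": body}


def parse_token_response(body: bytes) -> str:
    """Extract the bearer token from the JSON the token endpoint returns."""
    return json.loads(body)["access_token"]


def _dfs_request(method, account, path, query, token, body=b"", extra=None) -> dict:
    """Common shape of a DFS endpoint call: versioned, bearer-authorized,
    explicit Content-Length (0 for the control-plane style calls)."""
    headers = {"x-ms-version": API_VERSION,
               "Authorization": f"Bearer {token}",
               "Content-Length": str(len(body))}
    headers.update(extra or {})
    url = (f"https://{account}.dfs.core.windows.net/"
           f"{urllib.parse.quote(path, safe='/')}?{urllib.parse.urlencode(query)}")
    return {"method": method, "url": url, "headers": headers, "body": body}


def create_filesystem(account, fs, token) -> dict:
    return _dfs_request("PUT", account, fs, {"resource": "filesystem"}, token)


def set_root_acl(account, fs, token, acl=DEFAULT_ROOT_ACL) -> dict:
    if not validate_acl(acl):
        raise ValueError(f"malformed x-ms-acl: {acl!r}")
    return _dfs_request("PATCH", account, fs, {"action": "setAccessControl"},
                        token, extra={"x-ms-acl": acl})


def create_directory(account, fs, directory, token) -> dict:
    return _dfs_request("PUT", account, f"{fs}/{directory}", {"resource": "directory"}, token)


def create_file(account, fs, path, token) -> dict:
    return _dfs_request("PUT", account, f"{fs}/{path}", {"resource": "file"}, token)


def append_and_flush(account, fs, path, token, data: bytes):
    """Append at offset 0, then flush at the byte length of what was appended
    (the 'no. of characters' in the answer is really the Content-Length)."""
    append = _dfs_request("PATCH", account, f"{fs}/{path}",
                          {"action": "append", "position": 0}, token, body=data)
    flush = _dfs_request("PATCH", account, f"{fs}/{path}",
                         {"action": "flush", "position": len(data)}, token)
    return append, flush


def describe(req: dict) -> str:
    """One-line summary with the bearer token redacted, safe to log."""
    hdrs = dict(req["headers"])
    if "Authorization" in hdrs:
        hdrs["Authorization"] = "Bearer <redacted>"
    return f'{req["method"]} {req["url"]} {json.dumps(hdrs, sort_keys=True)}'


def send(req: dict):
    """Perform one prepared request with urllib; returns (status, body)."""
    r = urllib.request.Request(req["url"], data=req["body"] or None,
                               method=req["method"], headers=req["headers"])
    with urllib.request.urlopen(r) as resp:
        return resp.status, resp.read()


if __name__ == "__main__":
    # Constructed placeholders; only describe() is called, nothing is sent.
    tok = "<access_token from step 1>"
    steps = [token_request("<tenant id>", "<CLIENT_ID>", "<CLIENT_SECRET>"),
             create_filesystem("<account>", "myfs", tok),
             set_root_acl("<account>", "myfs", tok),
             create_directory("<account>", "myfs", "dir", tok),
             create_file("<account>", "myfs", "dir/file.txt", tok),
             *append_and_flush("<account>", "myfs", "dir/file.txt", tok, b"Hello ADLS")]
    for step in steps:
        print(describe(step))
```

Run it as-is to print the full call sequence with the token redacted; to execute against a real account, fill in the placeholders, call `send()` on the token request, pass `parse_token_response()` of its body as `token`, and `send()` each DFS request in order.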
  • Hi Chirag,

    Thanks for the answer. But it doesn't help.

    As my question is to connect to ADLS Gen2 using personal user id and password using Azure AD Authentication without using any service principal.

    Can you help me with the required steps?

    Thank You.

    Tuesday, August 6, 2019 10:54 AM
  • Hi Sagar,

    Unfortunately as of today, I don't think there is a way to directly use user id and password using AAD Authentication to use the REST APIs. 

    The recommended way is to go with client credential flow as I mentioned above.

    Wednesday, August 7, 2019 6:05 AM
    Moderator