The Cloud Relay can use the Azure Active Directory tenant associated with your Azure subscription to authenticate and authorize incoming requests. To do this, you must register the Cloud Relay itself as an Azure AD application. To enable additional configuration features (such as issuing client credentials, shown below), you also need to register every client application that will make requests to the Cloud Relay, so that it can obtain tokens for it. For more information about app registrations, see the Microsoft identity platform documentation.
Create the Azure Active Directory application registrations
Example Request:
# Registers the Cloud Relay API (resource) application; the appId in the response is used as the ScopeID.
az ad app create --display-name CloudRelayAPI
Example Response:
PS C:\Users\dcts0859> az ad app create --display-name CloudRelayAPI
{
"acceptMappedClaims": null,
"addIns": [],
"allowGuestsSignIn": null,
"allowPassthroughUsers": null,
"appId": "752d154b-3ba6-1234-1234-eb7123456789",
"appLogoUrl": null,
"appPermissions": null,
"appRoles": [],
"applicationTemplateId": null,
"availableToOtherTenants": false,
"deletionTimestamp": null,
"displayName": "CloudRelayAPI",
"errorUrl": null,
"groupMembershipClaims": null,
"homepage": null,
"identifierUris": [],
"informationalUrls": {
"marketing": null,
"privacy": null,
"support": null,
"termsOfService": null
},
"isDeviceOnlyAuthSupported": null,
"keyCredentials": [],
"knownClientApplications": [],
"logo@odata.mediaContentType": "application/json;odata=minimalmetadata; charset=utf-8",
"logo@odata.mediaEditLink": "directoryObjects/3ed8f879-7fa7-1234-1234-08f123456789/Microsoft.DirectoryServices.Application/logo",
"logoUrl": null,
"logoutUrl": null,
"mainLogo@odata.mediaEditLink": "directoryObjects/3ed8f879-7fa7-1234-1234-08f123456789/Microsoft.DirectoryServices.Application/mainLogo",
"oauth2AllowIdTokenImplicitFlow": true,
"oauth2AllowImplicitFlow": false,
"oauth2AllowUrlPathMatching": false,
"oauth2Permissions": [
{
"adminConsentDescription": "Allow the application to access CloudRelayAPI on behalf of the signed-in user.",
"adminConsentDisplayName": "Access CloudRelayAPI",
"id": "fc45ddc4-e540-1234-1234-137123456789",
"isEnabled": true,
"type": "User",
"userConsentDescription": "Allow the application to access CloudRelayAPI on your behalf.",
"userConsentDisplayName": "Access CloudRelayAPI",
"value": "user_impersonation"
}
],
"oauth2RequirePostResponse": false,
"objectId": "3ed8f879-7fa7-1234-1234-08f123456789",
"objectType": "Application",
"odata.metadata": "https://graph.windows.net/094a4238-798c-1234-1234-154123456789/$metadata#directoryObjects/@Element",
"odata.type": "Microsoft.DirectoryServices.Application",
"optionalClaims": null,
"orgRestrictions": [],
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [],
"preAuthorizedApplications": null,
"publicClient": null,
"publisherDomain": "dcts0859distech.onmicrosoft.com",
"recordConsentConditions": null,
"replyUrls": [],
"requiredResourceAccess": [],
"samlMetadataUrl": null,
"signInAudience": "AzureADMyOrg",
"tokenEncryptionKeyId": null,
"wwwHomepage": null
}
NOTE: Record the `appId` from the response above. It is a public identifier, not a secret, but you will need it later to generate a bearer token. This wiki refers to it as the ScopeID.
Example Request:
# Registers the client application that will call the Cloud Relay; the appId in the response is used as the ClientID.
az ad app create --display-name CloudRelayClient
Example Response:
PS C:\Users\dcts0859> az ad app create --display-name CloudRelayClient
{
"acceptMappedClaims": null,
"addIns": [],
"allowGuestsSignIn": null,
"allowPassthroughUsers": null,
"appId": "3e8e0ac5-d05d-1234-1234-a71123456789",
"appLogoUrl": null,
"appPermissions": null,
"appRoles": [],
"applicationTemplateId": null,
"availableToOtherTenants": false,
"deletionTimestamp": null,
"displayName": "CloudRelayClient",
"errorUrl": null,
"groupMembershipClaims": null,
"homepage": null,
"identifierUris": [],
"informationalUrls": {
"marketing": null,
"privacy": null,
"support": null,
"termsOfService": null
},
"isDeviceOnlyAuthSupported": null,
"keyCredentials": [],
"knownClientApplications": [],
"logo@odata.mediaContentType": "application/json;odata=minimalmetadata; charset=utf-8",
"logo@odata.mediaEditLink": "directoryObjects/a974eed1-4ceb-1234-1234-ac0123456789/Microsoft.DirectoryServices.Application/logo",
"logoUrl": null,
"logoutUrl": null,
"mainLogo@odata.mediaEditLink": "directoryObjects/a974eed1-4ceb-1234-1234-ac0123456789/Microsoft.DirectoryServices.Application/mainLogo",
"oauth2AllowIdTokenImplicitFlow": true,
"oauth2AllowImplicitFlow": false,
"oauth2AllowUrlPathMatching": false,
"oauth2Permissions": [
{
"adminConsentDescription": "Allow the application to access CloudRelayClient on behalf of the signed-in user.",
"adminConsentDisplayName": "Access CloudRelayClient",
"id": "2555f514-7157-1234-1234-aa8123456789",
"isEnabled": true,
"type": "User",
"userConsentDescription": "Allow the application to access CloudRelayClient on your behalf.",
"userConsentDisplayName": "Access CloudRelayClient",
"value": "user_impersonation"
}
],
"oauth2RequirePostResponse": false,
"objectId": "a974eed1-4ceb-1234-1234-ac0123456789",
"objectType": "Application",
"odata.metadata": "https://graph.windows.net/094a4238-798c-1234-1234-154123456789/$metadata#directoryObjects/@Element",
"odata.type": "Microsoft.DirectoryServices.Application",
"optionalClaims": null,
"orgRestrictions": [],
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [
{
"additionalProperties": null,
"customKeyIdentifier": null,
"endDate": "2021-11-27T18:36:00.811707+00:00",
"keyId": "c82aebb0-9571-1234-1234-c39123456789",
"startDate": "2020-11-28T18:36:00.811707+00:00",
"value": null
}
],
"preAuthorizedApplications": null,
"publicClient": null,
"publisherDomain": "dcts0859distech.onmicrosoft.com",
"recordConsentConditions": null,
"replyUrls": [],
"requiredResourceAccess": [],
"samlMetadataUrl": null,
"signInAudience": "AzureADMyOrg",
"tokenEncryptionKeyId": null,
"wwwHomepage": null
}
# Creates a new client secret on the CloudRelayClient registration. No --password is passed, so the CLI
# generates the secret and returns it in the response; --append keeps credentials already on the app
# instead of replacing them.
az ad app credential reset `
--display-name AzureCliGeneratedPwd `
--id <appId from the CloudRelayClient output> `
--append
NOTE: Record the `appId` from the response of the `az ad app credential reset` command above (it is the same value as the `appId` in the CloudRelayClient registration output). You will need it later to generate a bearer token. This wiki refers to it as the ClientID.
NOTE: Record the generated `password` value from the response of the `az ad app credential reset` command above. The command as shown does not pass `--password`; the CLI generates the secret and returns it once in the response, and it cannot be read back afterwards (note `"value": null` on the stored credential in the example output above). You will need it later to generate a bearer token; this wiki refers to it as the ClientSecret. Treat it as a credential: store it in a secrets manager rather than in this wiki, scripts, or source control. The credential also expires (one year after creation in the example above, per `startDate`/`endDate`), so plan to rotate it before then. `--append` adds the new secret alongside any existing credentials; omitting it replaces them, which will break any client still using the old secret.
Once you have the TenantID (your Azure AD directory ID; it appears as the GUID in the `odata.metadata` URL of the responses above), the ScopeID, the ClientID, and the ClientSecret, you are ready to move on to the next step, "Resource Deployment".