The Cloud Relay can use the Azure Active Directory tenant of your Azure subscription to authenticate and authorize incoming requests. To achieve this, register the Cloud Relay itself as an Active Directory application (the API). To enable additional configuration features, also register each client application that will make requests to the Cloud Relay. Both registrations below are single-tenant (`signInAudience` is `AzureADMyOrg` in the responses), so only identities from your own tenant can obtain tokens for them; creating app registrations requires sufficient directory permissions in that tenant. For more information about app registrations, see the Microsoft identity platform documentation.
Create the Azure Active Directory application registrations
Example Request:
az ad app create --display-name CloudRelayAPI
Example Response:
PS C:\Users\dcts0859> az ad app create --display-name CloudRelayAPI
{
"acceptMappedClaims": null,
"addIns": [],
"allowGuestsSignIn": null,
"allowPassthroughUsers": null,
"appId": "752d154b-3ba6-1234-1234-eb7123456789",
"appLogoUrl": null,
"appPermissions": null,
"appRoles": [],
"applicationTemplateId": null,
"availableToOtherTenants": false,
"deletionTimestamp": null,
"displayName": "CloudRelayAPI",
"errorUrl": null,
"groupMembershipClaims": null,
"homepage": null,
"identifierUris": [],
"informationalUrls": {
"marketing": null,
"privacy": null,
"support": null,
"termsOfService": null
},
"isDeviceOnlyAuthSupported": null,
"keyCredentials": [],
"knownClientApplications": [],
"logo@odata.mediaContentType": "application/json;odata=minimalmetadata; charset=utf-8",
"logo@odata.mediaEditLink": "directoryObjects/3ed8f879-7fa7-1234-1234-08f123456789/Microsoft.DirectoryServices.Application/logo",
"logoUrl": null,
"logoutUrl": null,
"mainLogo@odata.mediaEditLink": "directoryObjects/3ed8f879-7fa7-1234-1234-08f123456789/Microsoft.DirectoryServices.Application/mainLogo",
"oauth2AllowIdTokenImplicitFlow": true,
"oauth2AllowImplicitFlow": false,
"oauth2AllowUrlPathMatching": false,
"oauth2Permissions": [
{
"adminConsentDescription": "Allow the application to access CloudRelayAPI on behalf of the signed-in user.",
"adminConsentDisplayName": "Access CloudRelayAPI",
"id": "fc45ddc4-e540-1234-1234-137123456789",
"isEnabled": true,
"type": "User",
"userConsentDescription": "Allow the application to access CloudRelayAPI on your behalf.",
"userConsentDisplayName": "Access CloudRelayAPI",
"value": "user_impersonation"
}
],
"oauth2RequirePostResponse": false,
"objectId": "3ed8f879-7fa7-1234-1234-08f123456789",
"objectType": "Application",
"odata.metadata": "https://graph.windows.net/094a4238-798c-1234-1234-154123456789/$metadata#directoryObjects/@Element",
"odata.type": "Microsoft.DirectoryServices.Application",
"optionalClaims": null,
"orgRestrictions": [],
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [],
"preAuthorizedApplications": null,
"publicClient": null,
"publisherDomain": "dcts0859distech.onmicrosoft.com",
"recordConsentConditions": null,
"replyUrls": [],
"requiredResourceAccess": [],
"samlMetadataUrl": null,
"signInAudience": "AzureADMyOrg",
"tokenEncryptionKeyId": null,
"wwwHomepage": null
}
NOTE: Record the `appId` from the response above (not the `objectId`, which identifies the directory object rather than the application). You will need it later to generate a bearer token; this wiki refers to it as the ScopeID. It is the audience that issued tokens must name, so keep it distinct from the client's appId recorded below.
Example Request:
az ad app create --display-name CloudRelayClient --password <ClientSecret>
NOTE: The value passed to `--password` is the client's credential. Passing it on the command line means it is written to your shell history and is visible in the process list while the command runs; use a long, randomly generated value rather than a memorable one, and clear or avoid shell history on shared machines. The transcript below was captured with a different example value; never reuse an example value from documentation.
Example Response:
PS C:\Users\dcts0859> az ad app create --display-name CloudRelayClient --password <redacted>
{
"acceptMappedClaims": null,
"addIns": [],
"allowGuestsSignIn": null,
"allowPassthroughUsers": null,
"appId": "3e8e0ac5-d05d-1234-1234-a71123456789",
"appLogoUrl": null,
"appPermissions": null,
"appRoles": [],
"applicationTemplateId": null,
"availableToOtherTenants": false,
"deletionTimestamp": null,
"displayName": "CloudRelayClient",
"errorUrl": null,
"groupMembershipClaims": null,
"homepage": null,
"identifierUris": [],
"informationalUrls": {
"marketing": null,
"privacy": null,
"support": null,
"termsOfService": null
},
"isDeviceOnlyAuthSupported": null,
"keyCredentials": [],
"knownClientApplications": [],
"logo@odata.mediaContentType": "application/json;odata=minimalmetadata; charset=utf-8",
"logo@odata.mediaEditLink": "directoryObjects/a974eed1-4ceb-1234-1234-ac0123456789/Microsoft.DirectoryServices.Application/logo",
"logoUrl": null,
"logoutUrl": null,
"mainLogo@odata.mediaEditLink": "directoryObjects/a974eed1-4ceb-1234-1234-ac0123456789/Microsoft.DirectoryServices.Application/mainLogo",
"oauth2AllowIdTokenImplicitFlow": true,
"oauth2AllowImplicitFlow": false,
"oauth2AllowUrlPathMatching": false,
"oauth2Permissions": [
{
"adminConsentDescription": "Allow the application to access CloudRelayClient on behalf of the signed-in user.",
"adminConsentDisplayName": "Access CloudRelayClient",
"id": "2555f514-7157-1234-1234-aa8123456789",
"isEnabled": true,
"type": "User",
"userConsentDescription": "Allow the application to access CloudRelayClient on your behalf.",
"userConsentDisplayName": "Access CloudRelayClient",
"value": "user_impersonation"
}
],
"oauth2RequirePostResponse": false,
"objectId": "a974eed1-4ceb-1234-1234-ac0123456789",
"objectType": "Application",
"odata.metadata": "https://graph.windows.net/094a4238-798c-1234-1234-154123456789/$metadata#directoryObjects/@Element",
"odata.type": "Microsoft.DirectoryServices.Application",
"optionalClaims": null,
"orgRestrictions": [],
"parentalControlSettings": {
"countriesBlockedForMinors": [],
"legalAgeGroupRule": "Allow"
},
"passwordCredentials": [
{
"additionalProperties": null,
"customKeyIdentifier": null,
"endDate": "2021-11-27T18:36:00.811707+00:00",
"keyId": "c82aebb0-9571-1234-1234-c39123456789",
"startDate": "2020-11-28T18:36:00.811707+00:00",
"value": null
}
],
"preAuthorizedApplications": null,
"publicClient": null,
"publisherDomain": "dcts0859distech.onmicrosoft.com",
"recordConsentConditions": null,
"replyUrls": [],
"requiredResourceAccess": [],
"samlMetadataUrl": null,
"signInAudience": "AzureADMyOrg",
"tokenEncryptionKeyId": null,
"wwwHomepage": null
NOTE: Record the `appId` from the response above. You will need it later to generate a bearer token; this wiki refers to it as the ClientID.
NOTE: Record the `--password` value used in the command above; this wiki refers to it as the ClientSecret. The response does not return it (`"value": null` under `passwordCredentials`), so it cannot be recovered later — if it is lost, a new credential must be issued. Store it in a secrets manager or Key Vault, never in this wiki, source control, or deployment scripts in plain text. Note also the `startDate`/`endDate` on the credential: in the example it expires one year after creation, so plan to rotate the secret before that date or token requests will start failing.
Once you have the TenantID, ScopeID, ClientID, and ClientSecret you are ready to move on to the next step, "Resource Deployment". The TenantID is the GUID of your Azure AD tenant; it appears in the `odata.metadata` URL of both responses above (the segment after `https://graph.windows.net/`), and can also be read with `az account show --query tenantId`.