# Azure Application API Access Notes.md

Created: 8/12/2021

Notes related to creating an application and service principal in Azure Gov for accessing Azure resources via the REST API.

All instructions will be done via portal.azure.us

## Create an Application

1. Navigate to `Enterprise Applications`
2. Click on `New application`
3. Click on `Create your own application`
4. Input the name of the application and select `Register an application to integrate with Azure AD (App you're developing)`

## Register a Client Secret

1. Navigate to `Azure Active Directory`
2. Click on `App registrations`
3. Click on your app
4. Record the `Application (client) ID` and `Directory (tenant) ID` while you're here on the `Overview` page
5. Click on `Certificates & secrets`
6. Click on `New client secret`
7. Input a description and expiry time
8. Record the secret string for later (grab it now because you won't be able to view it later)

## Give the application proper permissions

1. Navigate to `Resource Groups`
2. Click the proper resource group
3. Click `Access control (IAM)`
4. Click `Add role assignment` under `Grant access to this resource`
5. Select the appropriate roles (least privilege)
6. Click `Next`
7. Click `+ Select members`
8. Search for your app name and click `Select`
9. Click `Next`
10. Click `Review + assign`

## Get a bearer token

1. Send a POST request to `https://login.microsoftonline.us/{Tenant ID we got earlier}/oauth2/token` with the following data
    1. grant_type: client_credentials
    2. client_id: {Client ID we got earlier}
    3. client_secret: {Client Secret we created earlier}
    4. resource: https://management.usgovcloudapi.net
2. Grab the value of the `access_token` field of the response.

## Access the API Endpoint

1. Find your API endpoints at https://docs.microsoft.com/en-us/rest/api/. I will use https://docs.microsoft.com/en-us/rest/api/securityinsights/incidents/list as an example
2. Fill in the necessary values in the URL. It will look something like `https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.OperationalInsights/workspaces/{workspaceName}/providers/Microsoft.SecurityInsights/incidents?api-version=2021-04-01`
3. Replace `management.azure.com` with `management.usgovcloudapi.net`
4. Add your bearer token to the request (instructions are dependent on what client you're using)
5. Send the request
6. Get your data
7. Profit
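
The token request and the incidents call from the last two sections, as an added Python example that is not part of the original notes. It uses only the standard library and reads the client secret from the environment instead of the source file; the `AZ_*` variable names and the function names are assumptions of this example.

```python
import json
import os
import urllib.parse
import urllib.request

LOGIN_HOST = "login.microsoftonline.us"    # Azure Gov login host, from the notes
ARM_HOST = "management.usgovcloudapi.net"  # Azure Gov management host, from the notes

def _q(segment):
    """Percent-encode one URL path segment so a value cannot alter the path."""
    return urllib.parse.quote(segment, safe="")

def build_token_request(tenant_id, client_id, client_secret):
    """POST for the client_credentials grant; the secret goes in the body, never the URL."""
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": f"https://{ARM_HOST}",
    }).encode()
    url = f"https://{LOGIN_HOST}/{_q(tenant_id)}/oauth2/token"
    return urllib.request.Request(url, data=body, method="POST")

def extract_token(response_bytes):
    """Return access_token; fail without echoing the response body into logs."""
    token = json.loads(response_bytes).get("access_token")
    if not token:
        raise ValueError("token response has no access_token field")
    return token

def build_incidents_request(token, subscription_id, resource_group, workspace):
    """GET for the incidents list, with the Gov host already substituted."""
    url = (f"https://{ARM_HOST}/subscriptions/{_q(subscription_id)}"
           f"/resourceGroups/{_q(resource_group)}"
           f"/providers/Microsoft.OperationalInsights/workspaces/{_q(workspace)}"
           f"/providers/Microsoft.SecurityInsights/incidents?api-version=2021-04-01")
    return urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})

def list_incidents(env=os.environ):
    """Live call: fetch a token, then the incidents. AZ_* names are assumed."""
    token_req = build_token_request(
        env["AZ_TENANT_ID"], env["AZ_CLIENT_ID"], env["AZ_CLIENT_SECRET"])
    with urllib.request.urlopen(token_req, timeout=30) as resp:
        token = extract_token(resp.read())
    req = build_incidents_request(
        token, env["AZ_SUBSCRIPTION_ID"], env["AZ_RESOURCE_GROUP"], env["AZ_WORKSPACE"])
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

Export the six `AZ_*` variables and call `list_incidents()` to run it against a live tenant; the builder functions can be inspected offline without sending anything.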