Authenticating Service Management Requests

Updated: June 29, 2015

Requests to the management service must be authenticated using one of the following methods:

Secure requests to the management service can be authenticated by creating an Azure AD application and using the Active Directory Authentication Library to obtain an access token from the application. For more information about authentication using Azure AD, see Authentication Scenarios for Azure AD.

Do the following to add an application to Azure AD:

  1. Sign in to the Azure Management Portal.

  2. Towards the bottom of the left menu, click Active Directory, and then click Default Directory.

  3. On the Default Directory page, under Integrate applications, click Add an application you’re developing.

    Add an Azure AD application
  4. Enter the name of the application, select NATIVE CLIENT APPLICATION, and then click the right arrow.

    Provide a name for the application
  5. Enter a URI for the application and then click the checkmark. The URI includes the name of the application that is preceded by http://localhost/.

    Enter the redirect URL
  6. After the application is created, you must add permission for the application to access the Service Management APIs. Go to the page for your application, and then click Configure.

  7. In the Permissions to other applications section at the bottom of the configuration page, click Select application, and then select Windows Azure Service Management API.

    Assign permissions to the application
  8. Click Delegated Permissions: 0, and then select Access Azure Service Management.

    Continue setting permissions
  9. Click Save on the bottom menu.

You can easily install the Active Directory Authentication Library into your Visual Studio project by using the NuGet package. To install the package, do the following:

  1. Right-click the project name in the Solution Explorer, and then click Manage NuGet Packages.

    Manage NuGet packages
  2. Type Active Directory in the search box, click Install for the Active Directory Authentication Library package, and then follow the instructions to install the package.

    Install Active Directory library

The following code example shows how to retrieve the access token:

private static string GetAuthorizationHeader()
  AuthenticationResult result = null;
  var context = new AuthenticationContext("{tenantId}");

  var thread = new Thread(() =>
    result = context.AcquireToken(
      new Uri("{redirectUri}"));

  thread.Name = "AquireTokenThread";
  if (result == null)
    throw new InvalidOperationException("Failed to obtain the JWT token");

  string token = result.AccessToken;
  return token;

When you use the code listed above, you need to replace the following:

  • {tenantId} with the GUID of the application. To find the GUID, go to the Default Directory page in the Active Directory section of the Management Portal, select the application that you previously created, and then click View Endpoints.

    View endpoints

    Copy the GUID of the application and replace the placeholder with it.

    Copy the application endpoint
  • {clientId} with the client identifier. To find the client identifier, go to the Configuration page of the application in the Management Portal.

    Copy AD client ID
  • {redirectUri} with the redirect Uri. To find the redirect Uri, go to the Configuration page of the application in the Management Portal.

    Copy the application redirect URI

Use the following line of code to assign the token that is returned from the GetAuthorizationHeader method shown above to a variable that can be used by the request:

string token = GetAuthorizationHeader();

Use the following lines of code to add the token to a request:

HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(uri);
request.Headers.Add(HttpRequestHeader.Authorization, "Bearer " + token);

Secure requests to the management service can be authenticated by using management certificates over SSL. To use a management certificate, it must be uploaded to Azure. After you add a management certificate to the subscription, you can sign the requests to the service by using the certificate. For information about creating management certificates and associating them with a subscription, see Create and Upload a Management Certificate for Azure.

When designing an application, keep the following points about management certificates in mind:

  • The Service Management API does not verify that a certificate is still valid. Authentication will succeed against an expired certificate.

  • All management certificates carry the same set of privileges. There is no notion of “role-based” authentication where one management certificate can be configured in one role and another on the same subscription is configured in a different role.

The following example shows how the retrieve the management certificate using the System.Net and System.Security.Cryptography.X509Certificates libraries:

private static X509Certificate2 GetStoreCertificate(string thumbprint)
  List<StoreLocation> locations = new List<StoreLocation>

  foreach (var location in locations)
    X509Store store = new X509Store("My", location);
      store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
      X509Certificate2Collection certificates = store.Certificates.Find(
        X509FindType.FindByThumbprint, thumbprint, false);
      if (certificates.Count == 1)
        return certificates[0];
  throw new ArgumentException(string.Format(
    "A Certificate with Thumbprint '{0}' could not be located.",

Use the following line of code to assign the certificate that is returned from the GetStoreCertificate method shown above to a variable that can be used by the request:

Thumbprint represents the thumbprint if the management certificate that you added to the subscription.

X509Certificate2 certificate = GetStoreCertificate(Thumbprint);

Use the following lines of code to add the certificate to a request:

HttpWebRequest request = (HttpWebRequest)HttpWebRequest.Create(uri);