Working directly with the Azure Stack Resource Manager API

I would like to follow up on a blog post I have read here. They talk about how you can interact directly with the Azure Resource Manager API with PowerShell or other programming / scripting languages. The advantage is that I don’t need any Azure PowerShell modules in order to retrieve data from Azure Stack. In the blog post they talk about the TP1 configuration to use, but you might have noticed that some things have changed in the RTM bits. So let’s see how we can kickstart our environment setup and use PowerShell to talk to the Azure Stack ARM API directly with the ASDK bits and the new Azure Portal experience.

First we need to log in as service administrator in the Azure Portal to add a new application in our Azure AD. Go to App registrations in the new Azure Portal and choose Add, then specify a name and use http://localhost as the sign-on URL.

Click on Create. In this newly created application go to Settings, then select the Keys section and add a new key. Save the key for later use. I found a bug or a strange behavior: if you use 2 years or longer you might receive an “AADSTS50012: Invalid client secret is provided.” I solved it by selecting a key that is valid for 1 year. Lately I also found this with a key selected for a year; just try generating another key again then:

Now head over to the properties and take the application ID:

 

The next thing we need to do is to give this new application permissions to interact with the Azure Stack ARM API. Go to Required permissions in the portal and assign permissions to ‘Azure Stack – Administration’ by typing ‘Azure Stack – ‘ in the search bar. It will list the available APIs. If, like me, you have more than 1 Azure Stack install in your AAD, select all of them by repeating the next 2 steps, for the sake of simplicity. (I do recommend that Microsoft add a column to this list showing the app ID, so we can target the correct API when we have multiple of them):

Next select the permission Access Azure Stack Resource Manager. Then select ‘Select’ and then ‘Done’:

Once that is done I had to click on the assign permissions button in the ‘required permissions’ overview pane.

We need the App ID URI for the Azure Resource Manager API. So now head over to your Azure Stack node and run this command to retrieve the App ID URI

 

The last thing we need is the tenant ID. A quick way to get the tenant ID is to go to the help button in the top right corner of the Azure Portal and click on Diagnostics:

You will find the tenant ID for your tenant about halfway down the new window that opens:

If the references we collected during the AAD app setup are correct, we can construct the following code. Replace the variables on the first 6 lines with your values:
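
An added example, not the author's original script: a client-credentials token request followed by a paged ARM query, using the values collected in the steps above. The ARM endpoint URL, the API version, the `AZS_CLIENT_SECRET` environment variable and the function names are assumptions; the key is read from the environment so it never sits in the script file.

```powershell
# Added example: every value below is a placeholder or an assumption.
$tenantId    = '<tenant-id>'        # from the portal Diagnostics pane
$clientId    = '<application-id>'   # App registration > Properties
$resource    = '<app-id-uri>'       # App ID URI of the Azure Stack ARM API
$armEndpoint = 'https://adminmanagement.local.azurestack.external'  # assumed ASDK admin ARM endpoint
$apiVersion  = '2015-01-01'         # assumed; change it if ARM reports other supported versions
$secret      = $env:AZS_CLIENT_SECRET   # hypothetical variable name holding the saved key

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

function Get-ArmToken {
    # OAuth2 client-credentials grant against the Azure AD token endpoint
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $clientId
        client_secret = $secret
        resource      = $resource
    }
    $uri = "https://login.microsoftonline.com/$tenantId/oauth2/token"
    (Invoke-RestMethod -Method Post -Uri $uri -Body $body).access_token
}

function Invoke-ArmGet {
    param([string]$Path, [string]$Token)
    $uri     = "$armEndpoint$Path" + "?api-version=$apiVersion"
    $headers = @{ Authorization = "Bearer $Token" }
    $items   = @()
    while ($uri) {
        try {
            $page = Invoke-RestMethod -Method Get -Uri $uri -Headers $headers
        } catch {
            # The ARM error body names the API versions it accepts; surface it.
            $detail = if ($_.ErrorDetails.Message) { $_.ErrorDetails.Message } else { $_.Exception.Message }
            throw "ARM request failed for ${uri}: $detail"
        }
        $items += $page.value
        $uri = $page.nextLink   # list results are paged; $null ends the loop
    }
    $items
}

$token = Get-ArmToken
Invoke-ArmGet -Path '/subscriptions' -Token $token |
    Select-Object displayName, subscriptionId, state
```

The bearer token grants whatever the application was assigned, so keep it in memory only and avoid writing `$token` to transcripts or logs.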

To get started with more REST API calls, please find here the reference to the API documentation. Do note that not all services are available in Azure Stack, and you might find that a specific API version is not available in Azure Stack. You will then get an error that tells you which API versions are available in Azure Stack, and you have to update these in your script. When I run some queries I get results from the Azure Stack ARM API.

  • Michael Lamia

    Hi Mark,

    This is an excellent post. I don’t suppose you’ve had a chance to revisit this since the recent release of TP3 Refresh? I got to the point where I need to find the App ID URI for the Azure Stack ARM API, but I do not see my TP3 Refresh instance anywhere. I see all my past TP2 and TP3 instances but not Refresh. Has something changed in the way Refresh registers with AAD?

    I can provide more detail upon request.

    Thanks in advance for any guidance you might be able to provide.

    Mike

  • Shravani Chepuri

    Hi Mark
    I am working with Azure Stack TP3.
    I have created a new application but I couldn’t find the Azure Stack Resource Manager API in the list to give the permission to my application.

    I still continued to execute the above PowerShell script. It’s failing with the below error. Is the URL changed on TP3?

    Invoke-RestMethod : The remote name could not be resolved: ‘api.azurestack.local’

    • Mark Scholman

      I have updated the blog post to match ASDK, sorry it took so long…

  • Fulalas

    Nice post, Mark. I’m wondering if it’s possible to retrieve an app ID from some kind of open URL, like a metadata XML. Do you know? I only managed to get this using this website: https://graphexplorer.azurewebsites.net/ and inserting this: https://graph.windows.net/%5BTENANT-ID%5D/servicePrincipals . However, it requires a login and it also doesn’t work from automated code. Thanks!