| title | titleSuffix | description | author | ms.author | ms.date | ms.topic | ms.service | services |
|---|---|---|---|---|---|---|---|---|
How to secure input constrained device with Azure AD and Azure Maps REST APIs |
Azure Maps |
How to configure a browser-less application which supports sign-in to Azure AD and calls Azure Maps REST APIs. |
stevemunk |
v-munksteve |
06/12/2020 |
how-to |
azure-maps |
azure-maps |
This guide discusses how to secure public applications or devices that cannot securely store secrets or accept browser input. These types of applications fall under the category of IoT or internet of things. Some examples of these applications may include: Smart TV devices or sensor data emitting applications.
[!INCLUDE authentication details]
Note
- Prerequisite Reading: Scenario: Desktop app that calls web APIs
- The following scenario uses the device code flow, which does not involve a web browser to acquire a token.
Create the device based application in Azure AD to enable Azure AD sign in. This application will be granted access to Azure Maps REST APIs.
-
In the Azure portal, in the list of Azure services, select Azure Active Directory > App registrations > New registration.
[!div class="mx-imgBorder"]
-
Enter a Name, choose Accounts in this organizational directory only as the Supported account type. In Redirect URIs, specify Public client / native (mobile & desktop) then add
https://login.microsoftonline.com/common/oauth2/nativeclientto the value. For more details please see Azure AD Desktop app that calls web APIs: App registration. Then Register the application.[!div class="mx-imgBorder"]
-
Navigate to Authentication and enable Treat application as a public client. This will enable device code authentication with Azure AD.
[!div class="mx-imgBorder"]
-
To assign delegated API permissions to Azure Maps, go to the application. Then select API permissions > Add a permission. Under APIs my organization uses, search for and select Azure Maps.
[!div class="mx-imgBorder"]
-
Select the check box next to Access Azure Maps, and then select Add permissions.
[!div class="mx-imgBorder"]
-
Configure Azure role-based access control (Azure RBAC) for users or groups. See Grant role-based access for users to Azure Maps.
-
Add code for acquiring token flow in the application, for implementation details see Device code flow. When acquiring tokens, reference the scope:
user_impersonationwhich was selected on earlier steps.[!Tip] Use Microsoft Authentication Library (MSAL) to acquire access tokens. See recommendations on Desktop app that calls web APIs: Code configuration
-
Compose the HTTP request with the acquired token from Azure AD, and sent request with a valid HTTP client.
Here's a sample request body for uploading a simple Geofence represented as a circle geometry using a center point and a radius.
POST /mapData?api-version=2.0&dataFormat=geojson
Host: us.atlas.microsoft.com
x-ms-client-id: 30d7cc….9f55
Authorization: Bearer eyJ0e….HNIVNThe sample request body below is in GeoJSON:
{
"type": "FeatureCollection",
"features": [{
"type": "Feature",
"geometry": {
"type": "Point",
"coordinates": [-122.126986, 47.639754]
},
"properties": {
"geometryId": "001",
"radius": 500
}
}]
}Operation-Location: https://us.atlas.microsoft.com/mapData/operations/{udid}?api-version=2.0
Access-Control-Expose-Headers: Operation-Location[!INCLUDE grant role-based access to users]
Find the API usage metrics for your Azure Maps account:
[!div class="nextstepaction"] View usage metrics