deepblue/windows-itpro-docs
1
0
Fork 0
mirror of https://github.com/MicrosoftDocs/windows-itpro-docs.git synced 2025-05-19 00:37:22 +00:00
Code Issues Actions 3 Packages Projects Releases Wiki Activity

Add token validation

Browse Source
This commit is contained in:
David Laufer 2018-07-26 18:10:25 +03:00
parent f69885646f
commit 07d0052b4f
3 changed files with 62 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

BIN
windows/security/threat-protection/windows-defender-atp/exe/AadTokenGetter.zip Normal file
View File

Binary file not shown.

62
windows/security/threat-protection/windows-defender-atp/exposed-apis-windows-defender-advanced-threat-protection-new.md
View File

@ -99,6 +99,68 @@ Before using the APIs, youll need to create an app that youll use to authe
![Image of multi tenant](images/webapp-edit-multitenant.png) ![Image of multi tenant](images/webapp-edit-multitenant.png)
## Get an access token
For more details on AAD token, refer to [AAD tutorial](https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds)
### Using dedicated executable
- Download [AadTokenGetter.zip](exe/AadTokenGetter.zip) application
- Unzip the application
- Open 'AadTokenGetter.exe.config' file and fill the 3 required settings:
- tenantId
- appId
- appSecret
- Run AadTokenGetter.exe
The token is displayed in the application window
### Using Curl
> [!NOTE]
> The below procedure supposed Curl is already installed on your computer
- Open a command window
- Set CLIENT_ID to your Azure application ID
- Set CLIENT_SECRET to your Azure application secret
- Set TENANT_ID to the Azure tenant ID of the customer that wants to use your application to access WDATP application
- Run the below command:
> [!NOTE]
> The below syntax is for curl in Windows. For Linux you should use $CLIENT_ID instead of %CLIENT_ID% (same for CLIENT_SECRET and TENANT_ID)
```
curl -i -X POST -H "Content-Type:application/x-www-form-urlencoded" -d "grant_type=client_credentials" -d "client_id=%CLIENT_ID%" -d "scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default" -d "client_secret=%CLIENT_SECRET%" "https://login.microsoftonline.com/%TENANT_ID%/oauth2/v2.0/token" -k
```
You will get an answer of the form:
```
{"token_type":"Bearer","expires_in":3599,"ext_expires_in":0,"access_token":"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIn <truncated> aWReH7P0s0tjTBX8wGWqJUdDA"}
```
## Validate the token
- Copy/paste into [JWT](https://jwt.io/) the token you get in the previous step
- Validate you get a 'roles' claim with the desired permission, as shown in the below screenshot
![Image of token validation](images/webapp-validate-token.png)
## Application consent
You need your application to be approved in each tenant where you intend to use it. This is because your application interacts with WDATP application on behalf of your customer.
You (or your customer if you are writing a 3rd party application) need to click the consent link and approve your application. The consent should be done with a user who has admin privileges in the active directory.
Consent link is of the form:
```
https://login.microsoftonline.com/common/oauth2/authorize?prompt=consent&client_id=00000000-0000-0000-0000-000000000000&response_type=code&sso_reload=true
```
where 00000000-0000-0000-0000-000000000000 should be replaced with your Azure application ID
## Related topics ## Related topics
- [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection-new.md) - [Supported Windows Defender ATP APIs](supported-apis-windows-defender-advanced-threat-protection-new.md)

BIN
windows/security/threat-protection/windows-defender-atp/images/webapp-validate-token.png Normal file
View File

Binary file not shown.
Side by Side

After

Width:  |  Height:  |  Size: 55 KiB