
[QUERY] Possibility to create VMs on behalf of users via Azure SDK? #44420

Open
3 tasks done
IbraAltaee opened this issue Feb 26, 2025 · 5 comments
Labels: Azure.Identity, azure-spring, customer-reported, needs-team-attention, question

Comments


IbraAltaee commented Feb 26, 2025

Query/Question
I have a web application (backend: Java Spring Boot; frontend: React NextJS) that is supposed to create VMs on behalf of users (multi-tenant & personal accounts), on their Azure account, using the Azure SDK.

So a usual scenario would be: a user (could be anyone) opens the website, gets prompted to log in to Microsoft, then after login fills in a basic VM configuration form. Finally, the user clicks on 'Create', and the VM is created on their Azure account.

After days of reading through documentation I came to the conclusion that I could use InteractiveBrowserCredential for authentication. But I'm not quite sure whether InteractiveBrowserCredential is appropriate, and when I tried to use it, no popup was shown and I was just authenticated, so I couldn't test it out.

Finally, I was wondering if the AccessToken that is returned by MSAL is usable to obtain a valid Credential to authenticate to the Azure SDK.

Why is this not a Bug or a feature Request?
It's not a bug. And I'm not sure whether it's already possible, hence it's not a feature request.

Setup (please complete the following information if applicable):

  • OS: Windows 11
  • IDE: VSC
  • Library/Libraries: [e.g. com.azure:azure-core:1.16.0 (groupId:artifactId:version)]

Information Checklist
Kindly make sure that you have added all the following information above and checked off the required fields; otherwise we will treat the issue as an incomplete report.

  • Query Added
  • Why not a Bug or a feature request Added
  • Setup information Added
@joshfree (Member)

Hi @IbraAltaee thanks for reaching out to us via Github. @billwert can assist with some of these EntraID and Azure Identity SDK questions, and @saragluna can assist with Azure Spring related questions.

@billwert (Contributor)

Hello @IbraAltaee!

I think the confusion is coming from where you're trying to run the credential. If you're using the Java InteractiveBrowserCredential in your server, that isn't going to work. There's not a mechanism for routing the "start a browser pointed to the login page" flow from backend to frontend. If you're using it in the React app, you may have been authorized through an earlier cached login perhaps?

I think you have two options:

  1. Shift to using DeviceCodeCredential. You'd set a consumer on the DeviceCodeCredentialBuilder via challengeConsumer(Consumer<DeviceCodeInfo>). When your service client needs a token, the consumer would need to send a message to the web application to prompt the user to complete the authentication flow, presenting the verification URL and device code from the DeviceCodeInfo.
  2. Move the code doing the management tasks into your React app. Then you can use InteractiveBrowserCredential in the React app. If you go this route, I'd also migrate the management tasks you're doing into the React app and use the JS libraries for that also.

You want your management client and your credential to live on the same "side of the fence", so either frontend or backend. The client will get a token on your behalf automatically (invoking the flow of your chosen credential type.)

There may be other ways to accomplish this but I wouldn't recommend them if you can make one of these options work.

Regarding MSAL, the Azure Identity SDK is a wrapper around MSAL, so all their flows are exposed through our credential types. The benefit of the Identity SDK is that our management and service clients are built to take a credential which handles everything for you. I wouldn't recommend trying to break back down to MSAL directly - you'd just wind up wrapping whatever you got in something like our ClientAssertionCredential anyway, and would have bought yourself dealing with caching, refresh, expiry, etc.

Let me know if you have further questions.
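Added example (not code from this issue, from pgAdmin, or from the Azure SDK itself): how option 1 above can be wired into the Spring Boot backend so that the device code challenge reaches the user's browser instead of the server log. It assumes the com.azure:azure-identity and com.azure:azure-resourcemanager-compute artifacts on the classpath, a hypothetical SessionNotifier hook standing in for whatever push channel (WebSocket, SSE) the web app uses, and the environment variables APP_CLIENT_ID, TENANT_ID and SUBSCRIPTION_ID. Everything else is the public Azure Identity and Compute management API.

```java
// Added example: one DeviceCodeCredential per browser session, challenge pushed to the frontend.
import com.azure.core.credential.TokenCredential;
import com.azure.core.management.AzureEnvironment;
import com.azure.core.management.profile.AzureProfile;
import com.azure.identity.DeviceCodeCredential;
import com.azure.identity.DeviceCodeCredentialBuilder;
import com.azure.identity.DeviceCodeInfo;
import com.azure.resourcemanager.compute.ComputeManager;
import com.azure.resourcemanager.compute.models.VirtualMachine;

import java.util.function.Consumer;

public final class PerUserDeviceCodeAuth {

    /** Hypothetical hook (assumption): delivers a message to one signed-in browser session. */
    public interface SessionNotifier {
        void send(String sessionId, String text);
    }

    private final String appClientId;   // client ID of your own app registration (assumed)
    private final SessionNotifier notifier;

    public PerUserDeviceCodeAuth(String appClientId, SessionNotifier notifier) {
        this.appClientId = appClientId;
        this.notifier = notifier;
    }

    /**
     * Builds a credential scoped to ONE browser session. The credential caches the token of
     * whoever completed the device code flow, so sharing an instance between sessions would let
     * user B run management calls with user A's token. Keep it in per-session state.
     */
    public DeviceCodeCredential credentialFor(String sessionId, String tenantId) {
        // Invoked by the SDK only when a token is actually needed; the browser shows this text,
        // the user completes sign-in at the verification URL, and the pending getToken resolves.
        Consumer<DeviceCodeInfo> challenge = info -> notifier.send(sessionId,
            "Open " + info.getVerificationUrl() + " and enter code " + info.getUserCode()
            + " (valid until " + info.getExpiresOn() + ")");

        return new DeviceCodeCredentialBuilder()
            .clientId(appClientId)
            .tenantId(tenantId)            // the user's tenant; "organizations" for any work/school tenant
            .challengeConsumer(challenge)
            .build();
    }

    /** Credential and management client live together on the backend, as recommended above. */
    public static ComputeManager computeFor(TokenCredential credential, String tenantId, String subscriptionId) {
        AzureProfile profile = new AzureProfile(tenantId, subscriptionId, AzureEnvironment.AZURE);
        return ComputeManager.authenticate(credential, profile);
    }

    public static void main(String[] args) {
        // Stand-in for the real push channel: prints what the browser would display.
        SessionNotifier toBrowser = (sid, text) -> System.out.println("[" + sid + "] " + text);
        String tenantId = System.getenv("TENANT_ID");

        PerUserDeviceCodeAuth auth = new PerUserDeviceCodeAuth(System.getenv("APP_CLIENT_ID"), toBrowser);
        DeviceCodeCredential cred = auth.credentialFor("session-123", tenantId);
        ComputeManager compute = computeFor(cred, tenantId, System.getenv("SUBSCRIPTION_ID"));

        // First management call triggers the challenge; listing VMs is a harmless smoke test
        // before the app goes on to create anything in the user's subscription.
        for (VirtualMachine vm : compute.virtualMachines().list()) {
            System.out.println(vm.name() + " in " + vm.regionName());
        }
    }
}
```

Two practitioner notes on this design. First, only the verification URL and user code ever cross to the frontend; the access token itself stays inside the credential on the backend, which is what keeps the "same side of the fence" rule intact. Second, the app registration must be allowed to use the device code (public client) flow and must have the Azure Service Management user_impersonation permission consented, otherwise the ComputeManager call fails at token acquisition rather than at the ARM request.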

Contributor

Hi @IbraAltaee. Thank you for opening this issue and giving us the opportunity to assist. To help our team better understand your issue and the details of your scenario please provide a response to the question asked above or the information requested above. This will help us more accurately address your issue.

@IbraAltaee (Author)

Hi @billwert

Thanks a lot for your answer. I was actually looking into pgAdmin and how it can deploy a PostgreSQL server on the Azure Database. They too use a DeviceCodeCredential. So your reply confirmed to me it's a good approach.

Regarding InteractiveBrowserCredential, why is it a bad idea to obtain the credential in the frontend, and send it to the backend?

@IbraAltaee (Author)

For future use by others: I was actually able to obtain a TokenCredential with the access token from MSAL

import com.azure.core.credential.AccessToken;
import com.azure.core.credential.TokenCredential;
import com.azure.core.credential.TokenRequestContext;
import java.time.OffsetDateTime;
import reactor.core.publisher.Mono;
// accessToken: the raw MSAL bearer token; the one-hour expiry below is a guess and nothing refreshes it
TokenCredential credential = new TokenCredential() {
    @Override
    public Mono<AccessToken> getToken(TokenRequestContext tokenRequestContext) {
        return Mono.just(new AccessToken(accessToken, OffsetDateTime.now().plusHours(1)));
    }
};

But I will stick to one of the 2 Azure Identity approaches.
