Merge pull request #279751 from EdB-MSFT/get-tokens

get token include

Author: v-ccolin

articles/azure-monitor/essentials/metrics-store-custom-rest-api.md

@@ -44,30 +44,10 @@ To submit custom metrics to Azure Monitor, the entity that submits the metric ne
 
 ### Get an authorization token
 
-Once you have created your managed identity or service principal and assigned **Monitoring Metrics Publisher** permissions, you can get an authorization token by using the following request:
-
-```console
-curl -X POST 'https://login.microsoftonline.com/<tennant ID>/oauth2/token' \
--H 'Content-Type: application/x-www-form-urlencoded' \
---data-urlencode 'grant_type=client_credentials' \
---data-urlencode 'client_id=<your apps client ID>' \
---data-urlencode 'client_secret=<your apps client secret' \
---data-urlencode 'resource=https://monitoring.azure.com'
-```
-
-The response body appears in the following format:
+Once you have created your managed identity or service principal and assigned **Monitoring Metrics Publisher** permissions, you can get an authorization token.
+When requesting a token specify `resource: https://monitoring.azure.com`.
 
-```JSON
-{
-    "token_type": "Bearer",
-    "expires_in": "86399",
-    "ext_expires_in": "86399",
-    "expires_on": "1672826207",
-    "not_before": "1672739507",
-    "resource": "https://monitoring.azure.com",
-    "access_token": "eyJ0eXAiOiJKV1Qi....gpHWoRzeDdVQd2OE3dNsLIvUIxQ"
-}
-```
+[!INCLUDE [Get a token](../includes/get-authentication-token.md)]
 
 Save the access token from the response for use in the following HTTP requests.
 

articles/azure-monitor/essentials/rest-api-walkthrough.md

@@ -20,43 +20,9 @@ Retrieve metric definitions, dimension values, and metric values using the Azure
 Request submitted using the Azure Monitor API use the Azure Resource Manager authentication model. All requests are authenticated with Microsoft Entra ID. One approach to authenticating the client application is to create a Microsoft Entra service principal and retrieve an authentication token. You can create a Microsoft Entra service principal using the Azure portal, CLI, or PowerShell. For more information, see [Register an App to request authorization tokens and work with APIs](../logs/api/register-app-for-token.md).
 
 ### Retrieve a token
-Once you've created a service principal, retrieve an access token using a REST call. Submit the following request using the `appId` and `password` for your service principal or app:
-
-```HTTP
-
-    POST /<tenant-id>/oauth2/token
-    Host: https://login.microsoftonline.com
-    Content-Type: application/x-www-form-urlencoded
-    
-    grant_type=client_credentials
-    &client_id=<app-client-id>
-    &resource=https://management.azure.com
-    &client_secret=<password>
-
-```
-
-For example
-
-```bash
-curl --location --request POST 'https://login.microsoftonline.com/abcd1234-5849-4a5d-a2eb-5267eae1bbc7/oauth2/token' \
---header 'Content-Type: application/x-www-form-urlencoded' \
---data-urlencode 'grant_type=client_credentials' \
---data-urlencode 'client_id=0123b56a-c987-1234-abcd-1a2b3c4d5e6f' \
---data-urlencode 'client_secret=123456.ABCDE.~XYZ876123ABceDb0000' \
---data-urlencode 'resource=https://management.azure.com'
-
-```
-A successful request receives an access token in the response:
-
-```HTTP
-{
-   token_type": "Bearer",
-   "expires_in": "86399",
-   "ext_expires_in": "86399",
-   "access_token": "eyJ0eXAiOiJKV1QiLCJ.....Ax"
-}
-```
+Once you've created a service principal, retrieve an access token. Specify `resource=https://management.azure.com` in the token request.
 
+[!INCLUDE [Get a token](../includes/get-authentication-token.md)]
 
 
 After authenticating and retrieving a token, use the access token in your Azure Monitor API requests by including the header  `'Authorization: Bearer <access token>'`

articles/azure-monitor/includes/get-authentication-token.md

@@ -0,0 +1,164 @@
+---
+ms.service: azure-monitor
+ms.topic: include
+ms.date: 07/01/2024
+ms.author: edbaynash
+author: EdB-MSFT
+---
+
+Get an authentication token using any of the following methods:
+- CLI
+- REST API
+- SDK
+
+When requesting a token, you must provide a `resource` parameter. The `resource` parameter is the URL of the resource you want to access. 
+
+Resources include:
+- https://management.azure.com
+- https://api.loganalytics.io
+- https://monitoring.azure.com 
+
+
+## [REST](#tab/rest)
+### Get a token using a REST request
+Use the following REST API call to get a token.
+This request uses a client ID and client secret to authenticate the request. The client ID and client secret are obtained when you register your application with Microsoft Entra ID. For more information, see [Register an App to request authorization tokens and work with APIs](/azure/azure-monitor/logs/api/register-app-for-token?tabs=portal)
+
+
+```console
+curl -X POST 'https://login.microsoftonline.com/<tennant ID>/oauth2/token' \
+-H 'Content-Type: application/x-www-form-urlencoded' \
+--data-urlencode 'grant_type=client_credentials' \
+--data-urlencode 'client_id=<your apps client ID>' \
+--data-urlencode 'client_secret=<your apps client secret' \
+--data-urlencode 'resource=https://monitoring.azure.com'
+```
+
+The response body appears in the following format:
+
+```JSON
+{
+    "token_type": "Bearer",
+    "expires_in": "86399",
+    "ext_expires_in": "86399",
+    "expires_on": "1672826207",
+    "not_before": "1672739507",
+    "resource": "https://monitoring.azure.com",
+    "access_token": "eyJ0eXAiOiJKV1Qi....gpHWoRzeDdVQd2OE3dNsLIvUIxQ"
+}
+```
+
+## [CLI](#tab/cli)
+### Get a token using Azure CLI
+To get a token using CLI, you can use the following command
+
+```bash
+az account get-access-token 
+```
+
+For more information, see [az account get-access-token](/cli/azure/account?view=azure-cli-latest#az-account-get-access-token)
+
+## [SDK](#tab/SDK)
+### Get a token using the SDKs
+The following code samples show how to get a token using:
++ C# 
++ NodeJS
++ Python
+
+#### C#
+
+The following code shows how to get a token using the Azure. Identity library It requires a client ID and client secret to authenticate the request. 
+```csharp
+var context = new AuthenticationContext("https://login.microsoftonline.com/<tennant ID>");
+var clientCredential = new ClientCredential("<your apps client ID>", "<your apps client secret>");
+var result = context.AcquireTokenAsync("https://monitoring.azure.com", clientCredential).Result;
+```    
+
+Alternatively, you can use the DefaultAzureCredential class to get a token. This method uses the default Azure credentials to authenticate the request and doesn't require a client ID or client secret.
+
+```csharp
+var credential = new DefaultAzureCredential();
+var token = credential.GetToken(new TokenRequestContext(new[] { "https://management.azure.com/.default" }));
+```
+
+
+You can also specify your managed identity or service principal credentials as follows:
+
+```csharp
+string userAssignedClientId = "<your managed identity client ID>";
+var credential = new DefaultAzureCredential(
+    new DefaultAzureCredentialOptions
+    {
+        ManagedIdentityClientId = userAssignedClientId
+    });
+
+var token = credential.GetToken(new TokenRequestContext(new[] { "https://management.azure.com/.default" }));
+
+```
+For more information, see [DefaultAzureCredential Class](/dotnet/api/azure.identity.defaultazurecredential?view=azure-dotnet)
+
+
+#### Node.js
+
+For information on authentication use JavaScript and NodeJS,  see [How to authenticate JavaScript apps to Azure services using the Azure SDK for JavaScript](/azure/developer/javascript/sdk/authentication/overview)
+
+
+The following code shows how to get a token using the DefaultAzureCredential class. This method uses the default Azure credentials to authenticate the request and doesn't require a client ID or client secret.
+
+```javascript
+const { DefaultAzureCredential } = require("@azure/identity");
+
+const credential = new DefaultAzureCredential();
+const accessToken = await credential.getToken("https://management.azure.com/.default");
+```
+
+You can also use the `InteractiveBrowserCredential` class to get the credentials. This method provides a browser-based authentication experience for users to authenticate with Azure services. 
+
+For more information, see [DefaultAzureCredential Class](/javascript/api/@azure/identity/defaultazurecredential?view=azure-node-latest) and [InteractiveBrowserCredential Class](/javascript/api/@azure/identity/interactivebrowsercredential?view=azure-node-latest)
+
+Alternatively you can use the ClientSecretCredential class to get a token. This method requires a client ID and client secret to authenticate the request.
+
+```javascript
+const { ClientSecretCredential } = require("@azure/identity");
+credential = ClientSecretCredential(
+    client_id="<client_id>",
+    username="<username>",
+    password="<password>"
+   )
+const accessToken = await credential.getToken("https://management.azure.com/.default");
+```
+For more information, see [ClientSecretCredential Class](/javascript/api/@azure/identity/clientsecretcredential?view=azure-node-latest)
+
+#### Python
+
+The following code shows how to get a token using the DefaultAzureCredential class. This method uses the default Azure credentials to authenticate the request and doesn't require a client ID or client secret.
+
+```python
+from azure.identity import DefaultAzureCredential
+
+credential = DefaultAzureCredential()
+token = credential.get_token('https://management.azure.com/.default')
+print(token.token)
+```
+
+You can also use the `InteractiveBrowserCredential` class to get the credentials. This method provides a browser-based authentication experience for users to authenticate with Azure services. 
+
+For more information, see [DefaultAzureCredential Class](/python/api/azure-identity/azure.identity.defaultazurecredential?view=azure-python) and [InteractiveBrowserCredential Class](/python/api/azure-identity/azure.identity.interactivebrowsercredential?view=azure-python)
+
+Alternatively you can use the ClientSecretCredential class to get a token. This method requires a client ID and client secret to authenticate the request.
+
+```python
+from azure.identity import ClientSecretCredential
+
+credential = ClientSecretCredential (
+     tenant_id="<tenant id>",
+     client_id="<Client id>",
+     client_secret="client secret"
+    )
+token =  credential.get_token("https://management.azure.com/.default")
+print(token.token)
+```
+
+ For more information, see [ClientSecretCredential Class](/python/api/azure-identity/azure.identity.clientsecretcredential?view=azure-python)
+
+---

articles/azure-monitor/logs/api/access-api.md

@@ -120,31 +120,10 @@ The Log Analytics API supports Microsoft Entra authentication with three differe
 
 In the client credentials flow, the token is used with the Log Analytics endpoint. A single request is made to receive a token by using the credentials provided for your app in the previous step when you [register an app in Microsoft Entra ID](./register-app-for-token.md).
 
-Use the `https://api.loganalytics.azure.com` endpoint.
+Use `resource=https://api.loganalytics.azure.com`.
 
-#### Client credentials token URL (POST request)
+[!INCLUDE [Get a token](../../includes/get-authentication-token.md)]
 
-```http
-    POST /<your-tenant-id>/oauth2/token
-    Host: https://login.microsoftonline.com
-    Content-Type: application/x-www-form-urlencoded
-    
-    grant_type=client_credentials
-    &client_id=<app-client-id>
-    &resource=https://api.loganalytics.io
-    &client_secret=<app-client-secret>
-```
-
-A successful request receives an access token in the response:
-
-```http
-    {
-        token_type": "Bearer",
-        "expires_in": "86399",
-        "ext_expires_in": "86399",
-        "access_token": ""eyJ0eXAiOiJKV1QiLCJ.....Ax"
-    }
-```
 
 Use the token in requests to the Log Analytics endpoint: