Calling an Azure AD secured API with Postman
Christos Matskas
Posted on September 2, 2021
Secure APIs are all the rage, but how can we easily test them? If you're using Postman, this blog post will show you how to configure and use it to call an Azure AD-secured API.
The secure API expects an access token to be passed with each request, so Postman needs to acquire an Access Token and attach it when calling the API. If there is no token attached to the request, you'll most likely receive an HTTP 401 error (unauthenticated) - which is right. If you pass an Access Token that doesn't carry the right scope and your API has been coded correctly, you should receive an HTTP 403 error (unauthorized) - which is also right. Let's see how we can test our APIs with Postman!
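To make the 401/403 distinction concrete, here is an added example (not code from the post, and not Postman's or Azure AD's own code) of the decision an API should make when a request arrives: no Bearer token at all means 401, a token that verifies but lacks the required scope means 403. The App ID URI, scope name and token contents are constructed sample values; Azure AD puts delegated scopes in the space-delimited `scp` claim and the API's App ID URI in `aud`. The `decode_payload_unverified` helper only decodes the payload so the example runs offline and is clearly named as such; a real API passes a verifier that checks the RS256 signature against the tenant's signing keys (plus issuer and expiry) into `authorize()` instead.

```python
import base64
import json
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Constructed sample values (not a real tenant): the App ID URI of the API and the
# delegated scope it exposes, in the same api://<client-id>/<scope> shape the post shows.
API_AUDIENCE = "api://00000000-0000-0000-0000-000000000000"
REQUIRED_SCOPE = "weather.read"


@dataclass
class Decision:
    status: int   # HTTP status the API should return
    reason: str


def extract_bearer_token(headers: Dict[str, str]) -> Optional[str]:
    """Return the raw token from an 'Authorization: Bearer <token>' header, else None."""
    value = headers.get("Authorization") or headers.get("authorization")
    if not value:
        return None
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        return None
    return token.strip()


def decode_payload_unverified(token: str) -> Optional[Dict]:
    """Base64url-decode only the JWT payload to show where 'aud' and 'scp' live.
    This does NOT validate the signature. A real API must verify the RS256 signature
    against the tenant's published signing keys (and issuer/expiry) before trusting
    any claim, e.g. with a JWT library, and pass that verifier to authorize()."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)   # restore base64 padding
    try:
        return json.loads(base64.urlsafe_b64decode(payload))
    except (ValueError, UnicodeDecodeError):
        return None


def authorize(headers: Dict[str, str],
              verify: Callable[[str], Optional[Dict]],
              required_scope: str = REQUIRED_SCOPE) -> Decision:
    """Decide 401 / 403 / 200 the way the post says a correctly coded API should."""
    token = extract_bearer_token(headers)
    if token is None:
        return Decision(401, "no bearer token")            # not authenticated
    claims = verify(token)
    if claims is None:
        return Decision(401, "token rejected")             # malformed or failed verification
    if claims.get("aud") != API_AUDIENCE:
        return Decision(401, "token issued for a different audience")
    # Delegated permissions arrive in the 'scp' claim as one space-delimited string.
    granted = set(claims.get("scp", "").split())
    if required_scope not in granted:
        return Decision(403, f"missing scope {required_scope}")   # authenticated, not permitted
    return Decision(200, "ok")


def make_sample_token(claims: Dict) -> str:
    """Constructed, unsigned token (empty signature part) so the example runs offline.
    Real Azure AD access tokens are RS256-signed and must be verified."""
    def b64(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."


if __name__ == "__main__":
    good = make_sample_token({"aud": API_AUDIENCE, "scp": "weather.read"})
    wrong_scope = make_sample_token({"aud": API_AUDIENCE, "scp": "weather.write"})
    for hdrs in ({}, {"Authorization": "Bearer " + good},
                 {"Authorization": "Bearer " + wrong_scope}):
        print(authorize(hdrs, decode_payload_unverified))
```

Keeping the verifier as a parameter separates the authorization decision (audience and scope) from signature validation, so the same `authorize()` works unchanged once a real verifier is plugged in.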
Configure the App Registration for Postman
In order for Postman to be able to acquire an Access Token, it needs to have a corresponding Azure AD App Registration. In this section, we'll configure the App Registration in Azure AD. If you don't have an Azure AD already (I doubt it since you're reading this), you can get a FREE, full-blown P1 Azure AD Tenant through the Microsoft 365 Developer Program.
Sign in to your Azure AD portal, navigate to App Registrations and click on the + New Registration button. Give the app a meaningful name and press Register.
Then, open the Authentication tab and click Add a platform. Select Web for the platform. In the Redirect URI field add the following: https://oauth.pstmn.io/v1/callback and then press Configure.
We also need a client secret. Navigate to the Certificates and Secrets tab and create a new secret. Make sure to copy the secret value as it will be unavailable once you navigate off this tab (but you can always delete it and recreate it).
Information needed for Postman
- Client Id: Can be found in the Overview Tab
- Client Secret: Was created and copied in the previous step
- Auth URL: In the Overview Tab, click on Endpoints
- Access Token URL: In the Overview Tab, click on Endpoints
- Scope: e.g. api://279cfdb1-18d5-4fd6-b563-291dcd4b561a/weather.read. You can find the right scope in your API App Registration in Azure AD -> open the Expose an API tab -> copy the Scope
Copy the v2 URLs for the Authorization and Token endpoints as per the image below:
Configure Postman
We now have everything we need to configure our Auth settings in Postman. In Postman, create a new Request and navigate to the Authorization tab. Next, populate the fields as shown in the image below, using all the settings we gathered in the previous section.
Note: you'll need to check the Authorize using browser checkbox and ensure that your browser is not blocking any popups.
We are now ready to test our configuration. Press the Get New Access Token button in Postman. If everything's configured correctly, you should see something similar to the video below:
You can now use Postman to call various API endpoints. Note that if you need different scopes for different parts of the API, you'll need to add them all to the Scope field, separated by spaces.
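What Postman does behind the "Get New Access Token" button is the OAuth 2.0 authorization code flow against the v2 endpoints gathered above. The following is an added example (not code from the post, nor Postman's own implementation) that builds the two messages of that exchange from the same settings: the authorization URL the browser is sent to, and the form body posted to the token endpoint after the redirect to https://oauth.pstmn.io/v1/callback. The tenant id, client id, client secret placeholder and scopes are constructed sample values, and PKCE (which Azure AD supports and Postman can enable, but the post does not discuss) is included as an assumption. It also shows how several scopes are joined with spaces into a single `scope` parameter, which is the space-delimited rule the post mentions.

```python
import base64
import hashlib
import os
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import urlencode


@dataclass
class PostmanAuthSettings:
    # Constructed sample values in the format the post describes, not a real tenant.
    tenant_id: str = "00000000-0000-0000-0000-000000000000"
    client_id: str = "11111111-1111-1111-1111-111111111111"
    client_secret: str = "<client-secret-placeholder>"
    redirect_uri: str = "https://oauth.pstmn.io/v1/callback"   # the URI registered in Azure AD
    # Scopes copied from the API's "Expose an API" tab; add more entries for more scopes.
    scopes: List[str] = field(default_factory=lambda: [
        "api://22222222-2222-2222-2222-222222222222/weather.read"])

    @property
    def auth_url(self) -> str:        # the v2 Authorization endpoint from the Endpoints blade
        return f"https://login.microsoftonline.com/{self.tenant_id}/oauth2/v2.0/authorize"

    @property
    def token_url(self) -> str:       # the v2 Token endpoint from the Endpoints blade
        return f"https://login.microsoftonline.com/{self.tenant_id}/oauth2/v2.0/token"


def scope_parameter(scopes: List[str]) -> str:
    """OAuth 2.0 sends multiple scopes as one space-delimited string."""
    return " ".join(scopes)


def pkce_pair() -> Tuple[str, str]:
    """Return (code_verifier, code_challenge) for PKCE with the S256 method (assumption:
    the post's Postman setup does not use PKCE; it is included here as good practice)."""
    verifier = base64.urlsafe_b64encode(os.urandom(32)).rstrip(b"=").decode("ascii")
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    challenge = base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")
    return verifier, challenge


def build_authorize_url(s: PostmanAuthSettings, state: str, code_challenge: str) -> str:
    """Step 1: the URL Postman opens in the browser ('Authorize using browser')."""
    params = {
        "client_id": s.client_id,
        "response_type": "code",
        "redirect_uri": s.redirect_uri,
        "response_mode": "query",
        "scope": scope_parameter(s.scopes),
        "state": state,                       # echoed back; compare it on the callback
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{s.auth_url}?{urlencode(params)}"


def build_token_request(s: PostmanAuthSettings, code: str, code_verifier: str) -> Dict[str, str]:
    """Step 2: the form body POSTed to the token endpoint with the returned code.
    The client secret is sent here, never in the browser URL."""
    return {
        "client_id": s.client_id,
        "client_secret": s.client_secret,
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": s.redirect_uri,
        "scope": scope_parameter(s.scopes),
        "code_verifier": code_verifier,
    }


if __name__ == "__main__":
    settings = PostmanAuthSettings()
    verifier, challenge = pkce_pair()
    print("Open in browser:", build_authorize_url(settings, "constructed-state", challenge))
    print("Then POST to", settings.token_url, "with", build_token_request(settings, "<code-from-callback>", verifier))
```

The authorization URL carries no secret, which is why the redirect URI must be registered exactly; the token request is a server-to-server call where the secret travels in the POST body over TLS.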
Have fun securing and testing your APIs and make sure to join our Discord if you have any Identity or Azure related questions.