The document outlines the process for using the Microsoft Identity Platform and Device Authorization Flow to access Azure Service Bus from input-constrained devices without an interactive authentication experience. It details the steps for application registration, setting up permissions, creating a Service Bus and queue, and the code required for authentication and publishing messages to Azure Service Bus. Users must follow specific instructions to configure their Azure environment and acquire an access token to publish messages successfully.

1. Microsoft identity platform and device
authorization flow to use azure service bus
Microsoft Identity platform allows users to sign in to input-constrained devices. It
leverages MASL for Java (MSAL4J) from an app that does not have the capability of
offering an interactive authentication experience. The user visits a web page in their
browser to login in. Once login success, the device will able to get access token and
able to perform actions on the authorized Azure resources. This article demonstrates:
Authentication
Acquiring Access Token
Publish message to Azure Service BUS using the access token
Before going to the code. We need to take care of the following prerequisites.
Application Registration:
Login to Azure portal using your Microsoft account. Click on the Active Directory Icon.
Under manage section you can find "App registrations". Now click on the (+ New
registration)

2. In the register application screen provide the display name and select the supported
account type as “Accounts in any organizational directory and personal Microsoft
accounts”.
Now click on register. It will take few seconds to finish your app registration.

3. APP CLIENT ID:
Now go to Azure Home —> Azure Active Directory —> App Registrations. Then under
all applications you can find your application[ad-profile] created in the above step.
NOTE 01 -Copy the client ID from this screen and keep it for future use. This is unique
identifier is required to access your app. We will be configuring it in the code(GitHub
reference is present ).

4. APP MANIFEST:
From the app registration screen, click on the manifest section and in the editor set the
allowPublicClient true. Then click on save

5. AUTHENTICATION:
Now click on the authentication section of the App registration screen. Select “Mobile
and desktop application” under “Configure platforms”
Now select the checkbox [https://login.microsoftonline.com/common/oauth2/nativeclient]
and hit configure.

6. API PERMISSION:
From the App’s registration screen go to the API permission section and add access to
the Apis that our application needs.
In our case we need Microsoft ServiceBus to publish message to the queue.
Click on Microsoft.ServiceBus then select user_impersonation and then click on the
“Add permission” button.

7. TENANT ID:
From Azure home click on “Azure Active Directory” icon. Then click on the overview tab.
NOTE 02 - Record the Tenant Id, which will be used further in the code. Refer the below
screenshot.

8. Creating service bus and Queue:
To begin using service bus messaging entities in Azure, you must first create a
namespace with a name that is unique across Azure
To create a namespace:
1.Sign in to the Azure portal.
2.In the left navigation pane of the portal, select + Create a resource,
select Integration, and then select Service Bus.

9. Select Review + create. The system now creates your namespace and enables it.
You might have to wait several minutes as the system provisions resources for your
account.
Select Go to resource on the deployment page.

10. You see the home page for your service bus namespace.
NOTE 03 - Record the Host name to use in the code. [refer the below screen shot to
capture host name]

11. Creating queuein the portal:
1. On the Service Bus Namespace page, select Queues in the left navigation menu.
2. On the Queues page, select + Queue on the tool bar.
3. Enter a name for the queue, and leave the other values with their defaults.
4. NOTE 04 - Capture the queue name for future use 5. Now, select Create.

12. Code Snippet:
This application is developed using spring boot. In the application.properties configure
the client id, tenant id, service bus and queue uri. Refer the next slide for details.
Refer the below snippet to obtain the access token

13. Refer the below snippet to publish message to the queue after acquiring the access
token:
This project can be cloned from the below GitHub URL
GitHub link for code base

14. Running the code:
Clone this code base
Open the application.properties file. Put the value of CLIENT_ID from NOTE
01 and TENAT_ID from NOTE 02 that we have captured in the above steps.
The value of QUEUE_URI is the combination of Host name from NOTE 01 and the
queue name that you have given [refer NOTE 04]
if your namespace id "abc" and queue name is xyz, then
Host name will be : https://abc.servicebus.windows.net
QUEUE_URI will be : https://event-demo.servicebus.windows.net/transactions/messages
Now go to the root of the project and run the below command.
$mvn clean package spring-boot:repackage
A jar file named azure-identity-servicebus-1.0.jar will be generated in the target folder.
Now run the below command
$ java -jar target/azure-identity-servicebus-1.0.jar
The above command will give the response like below:
INFO com.ski.identity.servicebus.ServiceBusManager - To sign in, use a web browser
to open the page https://microsoft.com/devicelogin and enter the code YOURCODE to
authenticate.
Now use the url(https://microsoft.com/devicelogin) and the code from the above
response on a browser. It will ask for the user authentication. This user must present in
the active directory and have the permission to use ServiceBus. Once after successful
authentication, device will able to retrieve access token and publish message.

15. From the portal, verify the message count in the queue. Refer the following screen shot
References:
Find the below reference links for more information:
 Service Bus authentication and authorization
 Azure documentation
 Azure app registration
 MSAL4J documentation.
 Microsoft identity platform, Azure Active Directory
 Microsoft identity platform and the OAuth 2.0 device authorization grant flow
 Application registration with Microsoft identity platform