I wrote a few PowerShell functions a couple of years ago to build a bearer token out of an active session. I needed to make calls in scripts here and there and nothing native was available. This is now a thing of the past if you are open to using Azure CLI.

There is finally something!

Searching for a new way to perform native calls at the command line to Azure Management REST APIs, I stumbled upon an issue on GitHub, only to discover at the end of the issue that it is now implemented and in preview in Azure CLI!


You'll need to update to Azure CLI version 2.0.67+.


From the Azure CLI help, you'll get the following if you type `az rest --help`:

    az rest : Invoke a custom request.
        This command is in preview. It may be changed/removed in a future release.
Arguments
    --method -m      [Required] : HTTP request method.  Allowed values: delete, get, head, options,
                                  patch, post, put.  Default: get.
    --uri -u         [Required] : Request uri. For uri without host, CLI will assume
                                  "https://management.azure.com/". Common tokens will also be
                                  replaced with real values including "{subscriptionId}".
    --body -b                   : Request body.
    --headers                   : Space-separated headers in KEY=VALUE format or JSON string. Use
                                  @{file} to load from a file.
    --output-file               : Save response payload to a file.
    --resource                  : Resource url for which CLI should acquire a token in order to
                                  access the service. The token will be placed in the
                                  "Authorization" header. By default, CLI can figure this out based
                                  on "--url" argument, unless you use ones not in the list of "az
                                  cloud show --query endpoints".
    --skip-authorization-header : Do not auto append "Authorization" header.
    --uri-parameters            : Space-separated queries in KEY=VALUE format or JSON string. Use
                                  @{file} to load from a file.

Global Arguments
    --debug                     : Increase logging verbosity to show all debug logs.
    --help -h                   : Show this help message and exit.
    --output -o                 : Output format.  Allowed values: json, jsonc, none, table, tsv,
                                  yaml.  Default: json.
    --query                     : JMESPath query string. See http://jmespath.org/ for more
                                  information and examples.
    --subscription              : Name or ID of subscription. You can configure the default
                                  subscription using `az account set -s NAME_OR_ID`.
    --verbose                   : Increase logging verbosity. Use --debug for full debug logs.

    Get Audit log through Microsoft Graph
        az rest --method get --uri https://graph.microsoft.com/beta/auditLogs/directoryAudits

    Update a Azure Active Directory Graph User's display name
        az rest --method patch --uri
        "https://graph.microsoft.com/v1.0/users/johndoe@azuresdkteam.onmicrosoft.com" --body
        "{\"displayName\": \"jondoe2\"}"

Here is an invocation I made using az rest to call the Azure Policy REST API to extract non-compliant data:

    # bash: \$filter keeps the shell from expanding $filter as a variable (in PowerShell, escape it as `$filter)
    az rest --method post --uri "https://management.azure.com/providers/Microsoft.Management/managementGroups/{managementGroupName}/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=2018-04-04&\$filter=policyAssignmentId eq '/providers/Microsoft.Management/managementGroups/{managementGroupName}/providers/Microsoft.Authorization/policyAssignments/3132643538114acc900af638'"
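
The same Policy Insights query wrapped in reusable shell functions, as an added example that is not part of the original post: it percent-encodes the filter expression and keeps `$filter` in single quotes so the shell cannot expand it as a variable. The function names and the allow-list for the two names are assumptions made for this example.

```bash
# Added example, not code from the original post. POSIX sh; inputs assumed ASCII.
API_VERSION=2018-04-04   # api-version taken from the call in the post

# Percent-encode every character outside the RFC 3986 unreserved set.
urlencode() (
  s=$1 out=
  while [ -n "$s" ]; do
    rest=${s#?}            # string without its first character
    c=${s%"$rest"}         # the first character itself
    case $c in
      [a-zA-Z0-9.~_-]) out=$out$c ;;
      *) out=$out$(printf '%%%02X' "'$c") ;;
    esac
    s=$rest
  done
  printf '%s' "$out"
)

# Build the queryResults URI for one policy assignment.
# $1 = management group name, $2 = policy assignment name (caller-supplied).
policy_states_uri() (
  # Assumed allow-list: anything else (quotes, slashes, spaces) could alter
  # the OData filter or the URI path, so reject it.
  case "x$1" in x|x*[!A-Za-z0-9._-]*) echo "bad management group name" >&2; exit 1 ;; esac
  case "x$2" in x|x*[!A-Za-z0-9._-]*) echo "bad assignment name" >&2; exit 1 ;; esac
  scope="/providers/Microsoft.Management/managementGroups/$1"
  filter="policyAssignmentId eq '$scope/providers/Microsoft.Authorization/policyAssignments/$2'"
  # Single quotes keep $filter literal; the shell must not expand it.
  printf 'https://management.azure.com%s/providers/Microsoft.PolicyInsights/policyStates/latest/queryResults?api-version=%s&$filter=%s' \
    "$scope" "$API_VERSION" "$(urlencode "$filter")"
)

# Print the resourceId of each returned policy state record. Needs an
# `az login` session; az rest obtains and attaches the bearer token itself.
# The value[].resourceId projection assumes the Policy Insights response shape.
list_policy_states() {
  uri=$(policy_states_uri "$1" "$2") || return 1
  az rest --method post --uri "$uri" --query 'value[].resourceId' --output tsv
}
```

Call `list_policy_states <managementGroupName> <assignmentName>` from a session that has already run `az login`.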


The days of having to extract and manipulate bearer tokens are pretty much gone if you are willing to use a little bit of Azure CLI.