Azure Maps - where do I find my tokenServiceUrl

Question

Azure Maps - where do I find my tokenServiceUrl

JPSac-3841 0

I have created my azure map account, resource, etc. I am trying to use a webpage in HTML to access a SAS token for the map authentication:

// URL to your authentication service that retrieves an Microsoft Entra ID Token.

	// example:

    var tokenServiceUrl = 'https://samples.azuremaps.com/api/GetAzureMapsToken';

I have not been able to find what my URL is or where it is located in the Azure Map Portal. I reviewed many documents online to try to figure this out. I assume this is something simple I am just missing. I appreciate any assistance.

VSawhney 1,290 Reputation points Microsoft External Staff Moderator

2025-09-11T10:54:15.8233333+00:00
Hello JPSac-3841,

It sounds like you're trying to find your tokenServiceUrl for Azure Maps but haven't had any luck locating it in the Azure Maps Portal.

Here's what you can do: The tokenServiceUrl is typically a part of the authentication mechanism for Azure Maps, which usually points to an endpoint where you can retrieve a token. Here's a general approach to help you get it:

Create a Token Service: If you haven't already, you'll likely need to set up an Azure Function or an API that retrieves a token from your Microsoft Entra (former Azure AD) application. This is where you'd host your custom token service.

Set Up Authentication: Make sure your Azure application registration allows for Azure Maps API access. The permissions and other settings required can usually be reviewed in the Azure portal under "Azure Active Directory" → "App registrations".

Implement the Token Retrieval: Your URL should point to this custom token service you set up (e.g., https://yourfunctionapp.azurewebsites.net/api/GetAzureMapsToken). You can use this service in your code to retrieve the token dynamically.

Documentation Reference: Check out the Azure Maps authentication documentation for more details on how to set this up correctly.

Ref Doc: Authentication with Azure Maps

Hope this helps!
Thank you!
JPSac-3841 0 Reputation points

2025-09-12T01:14:17.7733333+00:00

Thank you for the quick response. I've been working on this today but am still working on step 1 to create a token service. Most examples I find use .NET which I don't have. I do see where to do step 2. I have looked at the ref doc you listed but would ask if you have reference or other advice on step 1.
JPSac-3841 0 Reputation points

2025-09-16T14:43:00.48+00:00

Thank you for the detailed reply. I was unable to work on it yesterday but will see what I can do today.
JPSac-3841 0 Reputation points

2025-09-16T23:11:31.1066667+00:00

I got an error:

ERROR: [Errno 2] No such file or directory: './prereq.azuredeploy.json'

When running the script at line: $outputs = $(az deployment group create --name ExampleDeployment --resource-group <group-name> --template-file "./prereq.azuredeploy.json" --parameters objectId=$id --query "[properties.outputs.keyVaultName.value, properties.outputs.userAssignedIdentityPrincipalId.value, properties.outputs.userIdentityResourceId.value]" --output tsv)

I did replace <group-name> with another name. I assume I have to run something before this step to create the json file.
Manas Mohanty 11,700 Reputation points Microsoft External Staff Moderator

2025-09-17T01:30:32.14+00:00

Hi JPSac-3841

azuredeploy.json file is here in this github repo

https://github.com/azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.maps/maps-use-sas

You can click on "Deploy to Azure" button to use those template

You can also use python client to generate the SAS key post which you can that sas token in Javascript code.
Manas Mohanty 11,700 Reputation points Microsoft External Staff Moderator

2025-09-18T04:40:11.7633333+00:00

Hi JPSac-3841

Could you accept the below answer if you appreciated the inputs.

Thank you.
JPSac-3841 0 Reputation points

2025-09-18T15:07:31.5266667+00:00

I appreciate your detailed explanations. I will mark kit as best answer. The one thing I am still searching for in my setup relates to how I hoped to get the token in my web page which is:

var tokenServiceUrl = 'https://samples.azuremaps.com/api/GetAzureMapsToken';

I have not been able to find what my tokenServiceURL is. I do see how I code embed an actual token value in your answer assuming that is what is meant by: jwt-sas <your SAS token> the your SAS token. If you could let me know where I might get the tokenServiceURL, that would be much appreciated also.
JPSac-3841 0 Reputation points

2025-09-22T01:11:48.06+00:00
I don't know if you saw my last comment. I was trying to do this without exposing the actual token in the website request for a map; or, exposing other elements (key, etc) that should not be if not a best practice. So, I looked at https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Tutorials/Interactive%20Search/Interactive%20Search%20Quickstart.html which has a sample for a Search (which I would not be doing - I am only doing a simple map). It has this sample code: // Add authentication details for connecting to Azure Maps.

authOptions: { // Use SAS token for authentication authType: 'sas', getToken: function (resolve, reject, map) { // URL to your authentication service that retrieves a SAS Token var tokenServiceUrl = 'https://samples.azuremaps.com/api/GetAzureMapsSasToken'; fetch(tokenServiceUrl).then(r => r.text()).then(token => resolve(token)); }

However, what I am getting stuck on is locating a value I would use for tokenServiceUrl in the above code. At any rate, I would like to get a map without exposing anything in the website request that would not be best. Thank you if you can look at it again

Manas Mohanty 11,700 Microsoft External Staff Moderator

JPSac-3841

My suggestion was based on standard practice that is Generate access token and use it in jwt-sas format.

But You are aiming to serve the Azure Map service without exposing subscription keys, sas token to user at any points.

I have to test and review below architecture.

Users → [Frontend App with MSAL] → [Microsoft Entra ID for OAuth 2.0] → [Backend API validates token] → [Azure Maps API] (Need to review before sharing the full approach)

For now, simpler idea is to generate the SAS token and save it in key vault then use Oauth to authenticate to retrieve it.

from azure.identity import ManagedIdentityCredential, ClientAssertionCredential
from azure.keyvault.secrets import SecretClient

# Audience value must be one of the below values depending on the target cloud:
# - Entra ID Global cloud: api://AzureADTokenExchange
# - Entra ID US Government: api://AzureADTokenExchangeUSGov
# - Entra ID China operated by 21Vianet: api://AzureADTokenExchangeChina
MI_AUDIENCE = "api://AzureADTokenExchange"

def get_managed_identity_token(credential, audience):
    return credential.get_token(audience).token

# Client ID is passed here. Alternatively, either object ID or resource ID can be passed.
managed_identity_credential = ManagedIdentityCredential(client_id="<YOUR_MI_CLIENT_ID>")

client_assertion_credential = ClientAssertionCredential(
    "<YOUR_RESOURCE_TENANT_ID>",
    "<YOUR_APP_CLIENT_ID>",
    lambda: get_managed_identity_token(managed_identity_credential, f"{MI_AUDIENCE}/.default"))

client = SecretClient(
    vault_url="https://testfickv.vault.azure.net",
    credential=client_assertion_credential)
retrieved_secret = client.get_secret("<SECRET_NAME>")

Thank you for understanding our limitation.

Reference - https://free.blessedness.top/en-us/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity?tabs=microsoft-entra-admin-center%2Cpython

1 answer

Your answer

VSawhney 1,290 Reputation points Microsoft External Staff Moderator

2025-09-11T10:54:15.8233333+00:00

Hello JPSac-3841,

It sounds like you're trying to find your tokenServiceUrl for Azure Maps but haven't had any luck locating it in the Azure Maps Portal.

Here's what you can do: The tokenServiceUrl is typically a part of the authentication mechanism for Azure Maps, which usually points to an endpoint where you can retrieve a token. Here's a general approach to help you get it:

Create a Token Service: If you haven't already, you'll likely need to set up an Azure Function or an API that retrieves a token from your Microsoft Entra (former Azure AD) application. This is where you'd host your custom token service.

Set Up Authentication: Make sure your Azure application registration allows for Azure Maps API access. The permissions and other settings required can usually be reviewed in the Azure portal under "Azure Active Directory" → "App registrations".

Implement the Token Retrieval: Your URL should point to this custom token service you set up (e.g., https://yourfunctionapp.azurewebsites.net/api/GetAzureMapsToken). You can use this service in your code to retrieve the token dynamically.

Documentation Reference: Check out the Azure Maps authentication documentation for more details on how to set this up correctly.

Ref Doc: Authentication with Azure Maps

Hope this helps!
Thank you!
JPSac-3841 0 Reputation points

2025-09-12T01:14:17.7733333+00:00

Thank you for the quick response. I've been working on this today but am still working on step 1 to create a token service. Most examples I find use .NET which I don't have. I do see where to do step 2. I have looked at the ref doc you listed but would ask if you have reference or other advice on step 1.
JPSac-3841 0 Reputation points

2025-09-16T14:43:00.48+00:00

Thank you for the detailed reply. I was unable to work on it yesterday but will see what I can do today.
JPSac-3841 0 Reputation points

2025-09-16T23:11:31.1066667+00:00

I got an error:

ERROR: [Errno 2] No such file or directory: './prereq.azuredeploy.json'

When running the script at line: $outputs = $(az deployment group create --name ExampleDeployment --resource-group <group-name> --template-file "./prereq.azuredeploy.json" --parameters objectId=$id --query "[properties.outputs.keyVaultName.value, properties.outputs.userAssignedIdentityPrincipalId.value, properties.outputs.userIdentityResourceId.value]" --output tsv)

I did replace <group-name> with another name. I assume I have to run something before this step to create the json file.
Manas Mohanty 11,700 Reputation points Microsoft External Staff Moderator

2025-09-17T01:30:32.14+00:00

Hi JPSac-3841

azuredeploy.json file is here in this github repo

https://github.com/azure/azure-quickstart-templates/tree/master/quickstarts/microsoft.maps/maps-use-sas

You can click on "Deploy to Azure" button to use those template

You can also use python client to generate the SAS key post which you can that sas token in Javascript code.
Manas Mohanty 11,700 Reputation points Microsoft External Staff Moderator

2025-09-18T04:40:11.7633333+00:00

Hi JPSac-3841

Could you accept the below answer if you appreciated the inputs.

Thank you.
JPSac-3841 0 Reputation points

2025-09-18T15:07:31.5266667+00:00

I appreciate your detailed explanations. I will mark kit as best answer. The one thing I am still searching for in my setup relates to how I hoped to get the token in my web page which is:

var tokenServiceUrl = 'https://samples.azuremaps.com/api/GetAzureMapsToken';

I have not been able to find what my tokenServiceURL is. I do see how I code embed an actual token value in your answer assuming that is what is meant by: jwt-sas <your SAS token> the your SAS token. If you could let me know where I might get the tokenServiceURL, that would be much appreciated also.
JPSac-3841 0 Reputation points

2025-09-22T01:11:48.06+00:00

I don't know if you saw my last comment. I was trying to do this without exposing the actual token in the website request for a map; or, exposing other elements (key, etc) that should not be if not a best practice. So, I looked at https://github.com/Azure-Samples/AzureMapsCodeSamples/blob/main/Samples/Tutorials/Interactive%20Search/Interactive%20Search%20Quickstart.html which has a sample for a Search (which I would not be doing - I am only doing a simple map). It has this sample code: // Add authentication details for connecting to Azure Maps.

authOptions: { // Use SAS token for authentication authType: 'sas', getToken: function (resolve, reject, map) { // URL to your authentication service that retrieves a SAS Token var tokenServiceUrl = 'https://samples.azuremaps.com/api/GetAzureMapsSasToken'; fetch(tokenServiceUrl).then(r => r.text()).then(token => resolve(token)); }

However, what I am getting stuck on is locating a value I would use for tokenServiceUrl in the above code. At any rate, I would like to get a map without exposing anything in the website request that would not be best. Thank you if you can look at it again
Manas Mohanty 11,700 Reputation points Microsoft External Staff Moderator

2025-09-23T05:35:41.69+00:00

JPSac-3841

My suggestion was based on standard practice that is Generate access token and use it in jwt-sas format.

But You are aiming to serve the Azure Map service without exposing subscription keys, sas token to user at any points.

I have to test and review below architecture.

Users → [Frontend App with MSAL] → [Microsoft Entra ID for OAuth 2.0] → [Backend API validates token] → [Azure Maps API] (Need to review before sharing the full approach)

For now, simpler idea is to generate the SAS token and save it in key vault then use Oauth to authenticate to retrieve it.

from azure.identity import ManagedIdentityCredential, ClientAssertionCredential from azure.keyvault.secrets import SecretClient # Audience value must be one of the below values depending on the target cloud: # - Entra ID Global cloud: api://AzureADTokenExchange # - Entra ID US Government: api://AzureADTokenExchangeUSGov # - Entra ID China operated by 21Vianet: api://AzureADTokenExchangeChina MI_AUDIENCE = "api://AzureADTokenExchange" def get_managed_identity_token(credential, audience): return credential.get_token(audience).token # Client ID is passed here. Alternatively, either object ID or resource ID can be passed. managed_identity_credential = ManagedIdentityCredential(client_id="<YOUR_MI_CLIENT_ID>") client_assertion_credential = ClientAssertionCredential( "<YOUR_RESOURCE_TENANT_ID>", "<YOUR_APP_CLIENT_ID>", lambda: get_managed_identity_token(managed_identity_credential, f"{MI_AUDIENCE}/.default")) client = SecretClient( vault_url="https://testfickv.vault.azure.net", credential=client_assertion_credential) retrieved_secret = client.get_secret("<SECRET_NAME>")

Thank you for understanding our limitation.

Reference - https://free.blessedness.top/en-us/entra/workload-id/workload-identity-federation-config-app-trust-managed-identity?tabs=microsoft-entra-admin-center%2Cpython

Answer 1

Hi JPSac-3841,

Sorry for the late response.

Steps to use SAS token with keyvault and User assigned identity are below

Create a key vault.
Create a user-assigned managed identity.
Assign Azure role-based access control (RBAC) Azure Maps Data Reader role to the user-assigned managed identity.
Create an Azure Maps account with a Cross Origin Resource Sharing (CORS) configuration, and attach the user-assigned managed identity.
Create and save a SAS token in the Azure Key Vault.
Retrieve the SAS token secret from the key vault.
Create an Azure Maps REST API request that uses the SAS token.

Reference -

az login
az provider register --namespace Microsoft.KeyVault
az provider register --namespace Microsoft.ManagedIdentity
az provider register --namespace Microsoft.Maps

$id = $(az rest --method GET --url 'https://graph.microsoft.com/v1.0/me?$select=id' --headers 'Content-Type=application/json' --query "id")

az group create --name <group-name> --location "East US"
$outputs = $(az deployment group create --name ExampleDeployment --resource-group <group-name> --template-file "./prereq.azuredeploy.json" --parameters objectId=$id --query "[properties.outputs.keyVaultName.value, properties.outputs.userAssignedIdentityPrincipalId.value, properties.outputs.userIdentityResourceId.value]" --output tsv)
az deployment group create --name ExampleDeployment --resource-group <group-name> --template-file "./azuredeploy.json" --parameters keyVaultName="$($outputs[0])" userAssignedIdentityPrincipalId="$($outputs[1])" userAssignedIdentityResourceId="$($outputs[2])" allowedOrigins="['http://localhost']" allowedRegions="['eastus', 'westus2', 'westcentralus']" maxRatePerSecond="10"
$secretId = $(az keyvault secret list --vault-name $outputs[0] --query "[? contains(name,'map')].id" --output tsv)
$sasToken = $(az keyvault secret show --id "$secretId" --query "value" --output tsv)

az rest --method GET --url 'https://us.atlas.microsoft.com/search/address/json?api-version=1.0&query=1 Microsoft Way, Redmond, WA 98052' --headers "Authorization=jwt-sas $($sasToken)" --query "results[].address"

Using Python Client

from azure.identity import DefaultAzureCredential
from azure.mgmt.maps import AzureMapsManagementClient

"""
# PREREQUISITES
    pip install azure-identity
    pip install azure-mgmt-maps
# USAGE
    python account_list_sas.py

    Before run the sample, please set the values of the client ID, tenant ID and client secret
    of the AAD application as environment variables: AZURE_CLIENT_ID, AZURE_TENANT_ID,
    AZURE_CLIENT_SECRET. For more info about how to get the value, please see:
    https://docs.microsoft.com/azure/active-directory/develop/howto-create-service-principal-portal
"""


def main():
    client = AzureMapsManagementClient(
        credential=DefaultAzureCredential(),
        subscription_id="21a9967a-e8a9-4656-a70b-96ff1c4d05a0",
    )

    response = client.accounts.list_sas(
        resource_group_name="myResourceGroup",
        account_name="myMapsAccount",
        maps_account_sas_parameters={
            "expiry": "2017-05-24T11:42:03.1567373Z",
            "maxRatePerSecond": 500,
            "principalId": "e917f87b-324d-4728-98ed-e31d311a7d65",
            "regions": ["eastus"],
            "signingKey": "primaryKey",
            "start": "2017-05-24T10:42:03.1567373Z",
        },
    )
    print(response)


# x-ms-original-file: specification/maps/resource-manager/Microsoft.Maps/stable/2023-06-01/examples/AccountListSAS.json
if __name__ == "__main__":
    main()

Reference - https://free.blessedness.top/en-us/rest/api/maps-management/accounts/list-sas?view=rest-maps-management-2023-06-01&tabs=Python#examples

Sample SAS token usage

async function getData(url = 'https://us.atlas.microsoft.com/search/address/json?api-version=1.0&query=1 Microsoft Way, Redmond, WA 98052') {
  const response = await fetch(url, {
    method: 'GET',
    mode: 'cors',
    headers: {
      'Content-Type': 'application/json',
      'Authorization': 'jwt-sas <your SAS token>',
    }
  });
  return response.json(); // parses JSON response into native JavaScript objects
}

postData('https://us.atlas.microsoft.com/search/address/json?api-version=1.0&query=1 Microsoft Way, Redmond, WA 98052')
  .then(data => {
    console.log(data); // JSON data parsed by `data.json()` call
  });

Hope it helps.

Thank you

Share via

Azure Maps - where do I find my tokenServiceUrl

1 answer

Your answer