This article is contributed. See the original author and article here.

Authentication is a key step in the user journey of any application. Going about designing the authentication flow can be confusing and not straightforward. When load testing an application, this generally is the first step in the user journey.  Supplying client credentials through a UI is not possible when load testing an application, so is evaluating how to implement specific authentication flows available on Azure, as they can be tedious and time consuming as well.

Within this series, we will cover the authentication flows and scenarios that are possible with Azure Active Directory (Azure AD) as the identity provider.

At the end of the blog, you will be able to

  • Use Azure AD to Authenticate a web application hosted on Azure App Service using the client credential grant flow.

  • Parametrize the client credentials in JMeter to retrieve them at run-time in Azure Load Testing.


  • A webapp with authentication enabled with Azure AD.

  • An Azure Load Testing resource.

  • Azure key vault for storing secrets.

  • Azure Load Testing resource configured to fetch the secrets during runtime. Visit here to learn how to do it.

  • JMeter


Authenticating to your web app with a shared secret

When you are using a shared secret to authenticate to an application on, you essentially pose yourself as a trusted principal with a valid token that can be used to authenticate you to the application which is registered with azure active directory. The token helps establish a trust, that you can access and make modifications to the resource (application).

  1. To get the access token from Azure AD, we need to pass 4 parameters to get the access token:

    1. client_id

    2. client_secret

    3. grant_type

    4. and the tenant_id 

      For more information you can see authentication using shared secret

  1. Retrieve client_id, tenant_id for the app registered with Azure AD by going to Azure Active Directory >>App Registrations >>Overview  on the azure portal.

  2. Retrieve the client_secret for the app by clicking on Certificate & secrets >> Client Secrets

The best practice is to store the above parameters into Azure Key Vault and then fetch them directly at runtime instead of hard coding them into the script.


Fetching the client secretFetching the client secret 

Configuring the JMeter test plan

The JMeter test plan needs to be configured to make a request to the app’s authentication endpoint to acquire the token. The endpoint can be found by visiting Azure Portal and navigating to Azure Active Directory > App registrations > > Endpoints



Getting the Authentication endpointGetting the Authentication endpoint





It would look something as below:

For the allowed values of you may refer to issuer values. In our case, it would be the tenant id.

Once we have the token, we can pass it to the subsequent requests in the authorization header to authenticate to the application.

Now that we know what needs to be done, let’s start implementing it.

Creating the test plan in the JMeter GUI

  1. Start by adding two thread groups, (Authentication) one for fetching the bearer token and the other (Application) to access the landing page of the application.

  2. Add an environment variable element to the Authentication thread group. This environment variable will be used to fetch the values of fields like client_id, client_secret and tenant_id which we stored earlier in the key vault at runtime to help acquire the access token.Defining used defined variableDefining used defined variable


  3. Add a child HTTP request sampler (Token Request) to the Authentication thread group. Within this HTTP request we will setup a post method that will help retrieve the access token.Defining the POST method to get access tokenDefining the POST method to get access token


  4. Add two child post processor elements to the Token Request sampler, one JSON Extractor (Extract Auth Token) for extracting the token. The response from the Token Request HTTP sampler comes back as a JSON response and we extract the token using the expression $.access_token .Extracting Authentication tokenExtracting Authentication token


  5. The next post processor element would be JSR223(Set AuthToken), which will be used to set the token extracted as a property named access_token. Setting it as a property will allow the variable to be accessible globally across samplers and hence can be accessed by the next thread group.Setting property as an access token propertySetting property as an access token property



  6. Next, let’s configure the application landing page (Homepage) to access the application homepage. Add a child element a header manager, to configure and maintain the header to be passed with the request. In this case we only pass the authorization header that would contain the bearer token obtained from the previous thread group (Authentication).Configuring the header managerConfiguring the header manager







Creating and Running the Load Test

Once we have setup our JMeter test plan, now we can move ahead and run the same using the azure load testing service by creating a test, supplying the above created JMeter script as the test plan and configuring the environment variables.


  1. Supply the JMeter test plan (JMX file) we created in the previous section.Configuring the Test PlanConfiguring the Test Plan


  2. Configure the Secrets section within the Parameters tab. We have stored all the sensitive information in the key vault. We would need to configure our tests to fetch those at runtime. Visit how to parameterize load tests to know more.

    Configuring the secretsConfiguring the secrets



Try this out and let us know if it works for you. Please use the comments section to help us with any feedback around this scenario and anything you would like to see next time.

If you have any feedback on Azure Load Testing, let us know using our feedback forum.

Happy Load Testing!!!





















Brought to you by Dr. Ware, Microsoft Office 365 Silver Partner, Charleston SC.

%d bloggers like this: