is there a way to receive an e-mail notification when a certain date is reached?
Because in my infrastructure I'm using an oAuth 2.0 API logic and I want to be notified when the client secret for the token generation is going to expire.
I have seen that in Azure Monitor Alert Rule, it is necessary to select a target resource and a scope, but the notification that I want to create is only based on the selected date.
There is a way to create email notification when a certain date is reached.
Thanks to rickvdbosch for suggesting Logic Apps feature.
You can use Logic apps to trigger the email notification.
Create an app registration and create one secret.
Azure Portal >Azure Active Directory > App registrations > New Registration
Assign permission in app and grant the permission.
To secure HTTP action you can use Azure Key vault to store the secrets.
Create azure Key vault
Azure Portal > Key vault > Create
Create Secrets in Azure Key Vault.
Create a Logic App.
Azure Portal > Logic Apps > Create.
Follow the document created by Peter to follow the Logic Apps flow to trigger the email when a certain date is reached.
Related
We have an APIM in front of some backend APIs, used by our frontend application.
User connect to our app using azure B2C. Once connected, a valid JWT is issued in their favor, carrying some information used by our backend services to return some client-specific data.
Now we plan of exposing those APIs, using APIM developer portal, products and subscription keys.
Here's the flow we would like to implement :
A client A, having an account in our B2C tenant, connect to the APIM
developer portal (1).
It can find and subscribe to our product and then provides his developers the fetched subscription keys
Developers can query our backend through the APIM using the provided keys
APIM/backend services identify the used key belongs to client A (2)
Client A data is being returned
It seems like the developer portal is having its own user-store. Even when using the sign up with b2c option, it only extracts the user mail address from the tenant and still prompts the user with a sign up flow.
Can we not ask for a user existing in our b2c tenant to recreate an account on developer portal but allow him to log in using its credentials ?
How to identify a generated key set belongs to a specific user to only return its client-specific data ?
We have an on-premises (self-hosted) app which supports sending email notifications to users by providing SMTP mail server settings. Our users are all in Azure AD and are the only users of this on-premises app. Our users want to be able to receive email notifications from this app.
What is the recommended/best practice method for achieving this? Ideally the solution wouldn't require any additional subscriptions or added cost. It would be nice if the sending email address could be branded to match the app service it is coming from.
Here are some options that I've come up with:
Create a new user in Azure AD solely for sending email
Seems wasteful, and we are billed monthly per user
Use an existing user (i.e. my own) to provide authorization to the SMTP server
Rather not tie my own user credentials to this, and will break if I ever change my password
Use an entirely different email account (e.g. gmail?) for sending email
No relation to Azure AD tenant at all, harder for others to manage
Some existing method/service in Azure that is meant for this purpose, if it exists
Here's my idea on your case.
I watched this document, and I found that we can use API Key to initialize 'new SendGridClient', and it mentioned that we can stored this key into azure key vault.
So if you just wanna use azure ad to achieve the goal of protect your local app from unauthorized user, you may try my idea. First, create azure key vault in azure portal, and you could create a new secret to store your SendGrid Api key. Next to create an azure ad application used to achieve authentication, such as 'ROPC' flow(use user account and password to get access token). Now we can set access policy in azure key vault, added the azure ad app and all your user accounts so that every one could access API key via that azure ad app. After that, your app could send email.
Here is a scenario. I have a SaaS product that needs to make api calls to customer's Azure cloud account. I understand a service principal can be created on the customer's AZ account, and if I have the credentials(app id, password, etc), I can make calls using that user/principal based on the permissions to that principal. One way is that customer creates it for my product, then comes to my product portal(web ui) and punches in this information which my SaaS product can then store securely in vault and use it.
Is there a better way to achieve the creation of the principal? For example via application manifest or something and then also be able to get a Event grid notification or something with the app/principal's creds to a webhook url endpoint?
Basically, I want this to be as automated as possible but cannot think of a way if it is even possible.
Normally if you are writing a multi-tenant application, you will set up your app registration as multi-tenant, and you will call the "common" endpoint for all users to log in.
when the admin from a different tenant logs into your application, if set up properly, a consent window will appear and when they consent, the Service principal will automatically be created in their tenant.
please see here: https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#understand-user-and-admin-consent
I am developing an application that integrates with other business' Azure accounts. My application needs read access to the Azure Monitor service in our customers' Azure accounts. What is the best way to authenticate?
After reading, here's the current solution I came up with:
Have a customer create an App registration in their account. After creating the app registration, they assign the Monitoring Reader role to the application they created. The customer then will navigate back to the App registration and create a Client Secret. The customer then provides my service the client ID, tenant ID, and a Client Secret. My service will use those to authenticate with Azure and call Azure Monitor.
Is this the recommended way to authenticate with Azure as a 3rd party?
I am not sure if it the best way, but indeed it is a feasible way. This way named client credentials flow, you need to use this way to request the access token, then use the token to call azure rest api, e.g. Alert Rules - Get.
When you request the token, you need to specify the resource with https://management.azure.com/, also, you should note v1.0 endpoint is different with v2.0, v2.0 uses scope not resource, for difference details see this link. So you should choose the correct one depends on which version app your customer created.
Besides, correct some of your understanding of azure ad tenant and azure subscription. They are not called Azure account, the Azure monitor is a service in the subscription, the subscription locates in the tenant. The AD app(app registration) also locates in the tenant. You can understand the AD app is higher than the subscription, it is not in the subscription.
We have created our first Azure App Service for a simple single page web application (.Net). Now the app has to send email using our O365 account. We don't want to hardcode a user name and password inside the app. My first thought (thinking like it's on-prem) is to figure out the service account under which the Web Worker is executing then grant access for that account to send email. Is that account published somewhere on the Azure Portal? is that the best approach? is it doable? if not, I'll need to do more research on how to store Web application settings in an Azure database and proceed to create a service account / password in there to retrieve and use at runtime.
Thanks.
Take a look at the Microsoft Graph API: https://developer.microsoft.com/en-us/graph/docs/concepts/auth_overview
You can create an app in Azure AD and give it permissions to send email. Here is a sample that can send email via the Graph API: https://github.com/microsoftgraph/console-csharp-connect-sample