I have an Azure Data Explorer/Kusto function that I would like to give access to, but I don't necessarily want to give access to the full tables or databases the function utilizes. I've seen this Role-Based Auth article and see Function Admin, but it looks like that would also require Database Viewer to achieve what I want.
Is there a Function Viewer role that I can use? If not, is there some way to achieve this through other permission settings?
Have tried finding a Function Viewer role, but have not found one.
Related
I need to enable Chat.Read (Allows an app to read 1 on 1 or group chats threads, on behalf of the signed-in user) in the Graph Explorer modify permissions section but I don't see it. I can see other permissions such as User.Read.
image of my modify permission
I'm really new to this so I don't know how it works. I've tried to make API permission from Microsoft Azure but I still doesn't see Chat.Read in the Graph Explorer. I don't know if Azure and Graph explorer is related or I did it the wrong way.
My goal is just to enable Chat.Read in my Graph Explorer.
Like this,When you request the corresponding api endpoint, you can find it.
Or you can find it directly here.
We are trying to implement Row Level Security in Azure Data Explorer (ADX). Out of the box, ADX doesn't provide RLS. Is there any way/ workaround we can implement RLS?
We are trying out below option but no success :
Creating 2 separate databases (DbNonSecure, DbSecure)
DbNonSecure is non-secured, all the rows can be accessible by an authenticated user
DbSecure is secured database and can not be accessible by anyone except AAD APP or some other service account
From DbNonSecure, we are thinking to call functions that access data in DbSecure (using AAD APP or Service Account) and check Row Level Security.
We couldn't find a way to call functions that access data in DbSecure using ADD APP or Service Account.
Also, we know we can add a middle tier (Separate UI) to achieve this but we don't have that much time freedom to develop middle tier.
you're correct - Kusto/ADX doesn't support row level security at the moment (you can upvote the feature request # https://aka.ms/adx.uservoice)
We couldn't find a way to call functions that access data in DbSecure using ADD APP or Service Account.
AAD application authentication is a valid means of authentication to a Kusto/ADX database. There's a full guide on how to set that up here: https://learn.microsoft.com/en-us/azure/kusto/management/access-control/how-to-provision-aad-app
-> Once you've granted the required access to your AAD Application, it can be used for querying the database. Referencing stored functions is simply part of a query, and doesn't require any special setup (asides from, obviously, creating the stored function)
Side note: you may also find interest in the Restricted view access policy (it may or may not fit your requirements).
Just a heads up, ADX Row Level Security is in preview now: https://learn.microsoft.com/en-us/azure/data-explorer/kusto/management/rowlevelsecuritypolicy
I'm a dev. I have
WEBSITE CONTRIBUTOR
Role on my azure function that our infrastructure team created. I can't see any functions listed in my function app in the portal and this ajax request fails when I try to expand the functions list in the side nav in the azure portal:
Request URL:
https://management.azure.com/subscriptions/{{my-enterprise-subscription-id-here}}/resourceGroups/mclintdevnc-ase-rg/providers/Microsoft.Web/hostingEnvironments/mclintdevnc-aseweb?api-version=2016-09-01
Request Method:
GET
Status Code:
403
The response body on this request contains this:
{"error":{"code":"AuthorizationFailed","message":"The client '{{my-organizational-username-here}}' with object id '{{my-organizationao-user-id-here}}' does not have authorization to perform action 'Microsoft.Web/hostingEnvironments/read' over scope '/subscriptions/{{my-enterprise-subscription-id-here}}/resourceGroups/mclintdevnc-ase-rg/providers/Microsoft.Web/hostingEnvironments/mclintdevnc-aseweb'."}}
So what privledges do i need on my function app to be able to do things like see the functions, enable disable individual functions, and generate api keys for a function?
Here is the screen show of what I'm getting:
When I deploy the same code to an azure function on my personal account (which I'm an administrator for) I see this:
I'm sure I wont get administrator role in my organizations subscription, so what is the minimal set of privileges I can have so i can see my functions and perform basic configuration on them?
As a reader level permission, you are restricted to check inside a related function implementation in function app. However, you can go to Platform Features tab and navigate to All Settings to check out all setting related to Function App (similar to web app), though as expected reader permission limits you to modify any setting.
For example, if a user is assigned the Reader role, they will not be able to view the functions within a function app. The portal will display (No access).
You can make a custom role for your use case.
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-custom-roles
Website Contributor means you can "manage websites(not web plans), but not access them". Reader role gives you the right to read everything, but you cannot contribute. These roles are Built-in roles for Azure resources. You can find all of the Azure built-in RBAC in Microsoft docs https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles
Your organization administrator can create a custom role for you if it's needed to be a Website Contributor and reader at the same time.
Basically, I just want to use Microsoft Graph to get a list of active directory users and their email addresses.
Ideally, I could get all the admin users for a certain subscription.
How do I do that? I couldn't find any good examples online.
Assuming you have the correct access to a tenant, and an authenticated token granting you access to the Microsoft Graph, you can use the following REST API calls to get the data you are looking for:
List Users - Documentation
GET https://graph.microsoft.com/v1.0/users
List Admins (via directory roles) - Documentation
This is a multi-step process. First you must find the directory role for the Company Administrator, which will always have the roleTemplateId of 62e90394-69f5-4237-9190-012177145e10. This should not be confused by the actual directory role id, which will be different per directory.
GET https://graph.microsoft.com/v1.0/directoryRoles
Then you want to list the users who are a part of that directory role:
GET https://graph.microsoft.com/v1.0/directoryRoles/<id>/members
If you really need to get started from scratch, I recommend you look at this PowerShell sample I made which simplifies authentication, and allows you to make queries to resource endpoints like the Microsoft Graph.
https://github.com/shawntabrizi/Microsoft-Authentication-with-PowerShell-and-MSAL
I am trying to find out if the currently logged on user has a certain security role. I've looked on Google (couldn't find an answer) and the SDk examples (they seemed way too complicated). So, if you know the name of the security role and the user ID, how do you check to see if the user has that role?
If you browse the folder structure of the CRM 2011 SDK (link: https://www.microsoft.com/en-us/download/details.aspx?id=24004) to this location you will find what you are looking for:
.\SDK\SampleCode\CS\BusinessDataModel\UsersAndRoles\DoesUserBelongToRole.cs
It provides a sample built as a C# Console application. The code will work in ASP.NET as long as the app pool user is authorized to access the CRM Organization that you are trying to connect to.
Hope this helps
You should be able to find lots of examples out there. However to get the current users roles in JavaScript you can use:-
Xrm.Page.context.getUserRoles()
That however will return a list of GUID's which you then need to compare with roles in the system. This part is a bit trickier however here is an article that shows pretty clearly how to do it
http://www.infinite-x.net/2010/11/16/retreiving-user-roles-in-crm-2011/
At a high level you need to do an OData query (against RoleSet) to return the role (or roles) that you are wanting to compare. Then you compare the GUID's of those roles against the GUID's returned by the getUserRoles() function and you're good to go!