I have a setup which uses Azure AD B2C and I want to enable monitoring using Azure Monitor.
I followed the steps described on this page: https://learn.microsoft.com/en-us/azure/active-directory-b2c/azure-monitor
It works, but before I enroll it to other environments I would like to verify what changes the ARM template being referred to in the documentation exactly made. If I interpret the ARM template correctly it creates a Managed Services Registration Definition and assigns this to provided resource group.
Is it possible to see in the Azure Portal what Managed Services Registration Definitions are assigned to a resource group?
ARM Template:
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"mspOfferName": {
"type": "string",
"metadata": {
"description": "Specify a unique name for your offer"
},
"defaultValue": "<to be filled out by MSP> Specify a title for your offer"
},
"mspOfferDescription": {
"type": "string",
"metadata": {
"description": "Name of the Managed Service Provider offering"
},
"defaultValue": "<to be filled out by MSP> Provide a brief description of your offer"
},
"managedByTenantId": {
"type": "string",
"metadata": {
"description": "Specify the tenant id of the Managed Service Provider"
},
"defaultValue": "<to be filled out by MSP> Provide your tenant id"
},
"authorizations": {
"type": "array",
"metadata": {
"description": "Specify an array of objects, containing tuples of Azure Active Directory principalId, a Azure roleDefinitionId, and an optional principalIdDisplayName. The roleDefinition specified is granted to the principalId in the provider's Active Directory and the principalIdDisplayName is visible to customers."
},
"defaultValue": [
{
"principalId": "<Replace with group's OBJECT ID>",
"principalIdDisplayName": "Azure AD B2C tenant administrators",
"roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
}
]
},
"rgName": {
"type": "string",
"defaultValue": "<Replace with Resource Group's Name e.g. az-monitor-rg>"
}
},
"variables": {
"mspRegistrationName": "[guid(parameters('mspOfferName'))]",
"mspAssignmentName": "[guid(parameters('mspOfferName'))]"
},
"resources": [
{
"type": "Microsoft.ManagedServices/registrationDefinitions",
"apiVersion": "2019-06-01",
"name": "[variables('mspRegistrationName')]",
"properties": {
"registrationDefinitionName": "[parameters('mspOfferName')]",
"description": "[parameters('mspOfferDescription')]",
"managedByTenantId": "[parameters('managedByTenantId')]",
"authorizations": "[parameters('authorizations')]"
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2018-05-01",
"name": "rgAssignment",
"resourceGroup": "[parameters('rgName')]",
"dependsOn": [
"[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
],
"properties":{
"mode":"Incremental",
"template":{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"resources": [
{
"type": "Microsoft.ManagedServices/registrationAssignments",
"apiVersion": "2019-06-01",
"name": "[variables('mspAssignmentName')]",
"properties": {
"registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
}
}
]
}
}
}
],
"outputs": {
"mspOfferName": {
"type": "string",
"value": "[concat('Managed by', ' ', parameters('mspOfferName'))]"
},
"authorizations": {
"type": "array",
"value": "[parameters('authorizations')]"
}
}
}
Here, Msp offer and Msp description refers to the ARM template publication. Whenever you want to create your own managed service in the ARM template you assign one Msp offer for your service and description and send it to customers for use or even upload the template in Azure marketplace.
MSP is managed service offering, Where Microsoft cloud partners create their own managed service and make it available to their customer’s tenant privately for specific users or publish it publicly in Azure Marketplace to get more customers using their Service.
Imagine a scenario, where you are a MS partner managing multiple customers and their tenants, You require to create a managed service for your customer and provide them delegated access to your service, Here you first create an ARM template to onboard your customers, you can do it via Azure Lighthouse too. For onboarding you keep, Msp offer ID which is unique for individual customers also if you want to keep the offer ID default for all customers, Even that can be set, After Msp offer ID, you can delegate your service to the customer by either allowing them to assign their tenant Id or service principal, group, user object ID in your template, Once that is assigned your managed service will be available for the customers to use. You can keep the offer public or private, you can also keep one managed identity for all the customers or allow customers to provide their own Object ID of their tenant’s group, users or service principals.
In the above document, ARM template is created with MSP offer in your Azure AD tenant to provide delegated access to your Azure AD B2C tenant, Thus you are managing your Azure AD B2C tenant via your Azure AD by providing resource group as a delegated resource between both the tenant and also your Group object ID which acts as a authorization between your Azure AD and Azure AD B2C tenant. If you go by above scenario- Imagine your Azure AD tenant as a partner tenant trying to provide managed service to your Azure AD B2C tenant.
I have followed the document and deployed an Azure monitoring service for Azure AD B2C
This ARM template is asking to connect the resource group from our or Azure subscription to our Azure AD B2C tenant.
It is authorizing our Azure AD B2C tenant with the group’s Object ID projecting it with Resource group of our Azure subscription.
mspOfferName- is the name of the offer or service that is being provided by our Azure subscription. Here we can give any name according to our need. For now we are integrating Azure monitor log analytics workspace with our Azure AD B2C tenant, Thus we use name – Azure AD B2C Monitoring.
mspofferDescription- Description of your service
managedByTenantID- this is going to be the Tenant ID or managed ID of your Azure AD B2C to onboard it to our subscription resource.
roleDefinitionID- is populated automatically, Which is your azure role, In my case I am using Azure subscription with Owner role, Thus the role definition Id of owner role is populated.
rgName- Is the name of our Resource group where our log analytics workspace is deployed.
After I created the Managed service- I went to go to resource and the deployment was successful.
After the deployment, I got the audit logs from azure ad b2c to my Azure log analytics successfully.
Customer statement:- “Is it possible to see in the Azure Portal what Managed Services Registration Definitions are assigned to a resource group?”
To view what managed service is deployed, you can visit > Azure Portal > Search> Service Provider >
You will find your service provider msp like below:-
As, this managed service is not part of Azure marketplace the Marketplace offer is not visible.
You can view your resource group delegated to the azure ad b2c tenant here:-
You can also visit your Resource group and check the deployment history:-
Here, Are the deployments that were succeeded as part of managed service: -
You can also view the complete logs of these 3 deployments that were created for your managed service creation and monitoring by visiting Activity Log :-
Related
Is there any in built role to deny permission to create resources in az subscription except some users. I.
I have used 'not allowed resources types' policy but it applies to whole subscription.
I Tried to reproduce the same in my environment to deny the resource creation in Azure:
Thanks to Tiny Wang for suggesting the same.
Assign Reader role to Users or Group for restricting resource creation in Azure, like below.
Azure Portal > Subscription > Select your subscription > Access control (IAM) > Add > Add role assignment.
Reader role assigned.
When I tried to create Azure VM within Subscription, I got an authorization error with the same user.
Note: if you create an Azure policy to deny the resource creation, the policy will apply to the scope level, not to users.
Ex: Subscription, Resource Groups
I have created a policy and assigned it to the resource group scope to deny resource creation within a resource group.
When I tried to create any resource, I got a policy restriction error.
Azure Policy rule:
{
"mode": "All",
"policyRule": {
"if": {
"field": "type",
"in": "[parameters('listOfResourcesTypesNotAllowed')]"
},
"then": {
"effect": "Deny"
}
},
"parameters": {
"listOfResourcesTypesNotAllowed": {
"type": "Array",
"metadata": {
"displayName": "Not Allowed Resources creation",
"description": "The list of resources type that cannot be deployed.",
"strongType": "resourceTypes"
}
}
}
}
I'm trying to write an ARM template to deploy a connection to the storage account for my Logic App. The problem is that my Logic App belongs to one resource group & the storage account in another.
When I run the deployment pipeline I get the following deployment error:
The Resource 'Microsoft.Storage/storageAccounts/StorageAccountName'
under resource group 'Logic App Resource Group' was not found.
I understand that the storage account does not belong to this resource group but how do I write the ARM template to look for the storage account from another group?
Here is my template for the connection:
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[parameters('storageConName')]",
"location": "[parameters('logicAppLocation')]",
"properties": {
"displayName": "[parameters('storageConName')]",
"parameterValues": {
"accountName": "[parameters('storageAccountName')]",
"accessKey": "[listKeys(variables('storageAccountId'),'2019-06-01').keys[0].value]"
},
"api": {
"id": "[concat('/subscriptions/',parameters('resourceGroupId'),'/providers/Microsoft.Web/locations/northeurope/managedApis/azureblob')]"
}
}
}
I've worked out what was wrong, the properties:api:id was using the logic App resource group id where it should be using the storage accounts resource group id.
I misunderstood that this was the resource group where I wanted the connection to be created.
is there a way to add Add role to existing App registration in Azure Active Directory using REST API/CLI/Powershell?
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
Yes, using the Azure CLI you can specify application roles within the manifest.json. Here an example:
[
{
"allowedMemberTypes": ["User"],
"description": "Approvers can mark documents as approved",
"displayName": "Approver",
"isEnabled": "true",
"value": "approver"
}
]
The corresponding CLI command:
az ad app create --display-name mytestapp --identifier-uris https://mytestapp.websites.net --app-roles #manifest.json
Source.
Hi I am trying to deploy the resource using ARM template of type "Microsoft.Sql/servers/administrators"
below is the template
{
"type": "Microsoft.Sql/servers/administrators",
"apiVersion": "2019-06-01-preview",
"name": "[concat(parameters('sqlServerName'), '/ActiveDirectory')]",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('sqlServerName'))]"
],
"properties": {
"administratorType": "ActiveDirectory",
"login": "[parameters('activeDirectoryUserGroupName')]",
"sid": "",
"tenantId": "[subscription().tenantId]"
}
}
I am passing the active directory user group name as parameter, "sid" is the objectId of that active directory group. So is there any way to fetch the objectId in ARM template
We have no way to get the Azure AD group object id in Azure ARM template. Because the Azure AD group is Azure AD resource. It is not Azure resource. But the ARM template is only used to manage Azure resources. For more details, please refer to the document and the document
If the want to get the AD group object id, you can use Azure Powershell command $groubId=(Get-AzADGroup -DisplayName <groupName>).Id.
I'm using an on-premises gateway connection in Azure and I'm trying to deploy this using an ARM-template from a VSTS deployment. The VSTS deployment has an Resource Manager end-point. It seems that the service principal cannot create the On-premises Data Gateway service in Azure because it has no permission to the registered Gateway that is located in:
/subscriptions/{subscriptionid}/providers/Microsoft.Web/locations/{location}/connectionGatewayInstallations/{OnPremGatewayId}
The code in the ARM template is quite straigtforward and looks like this:
{
"type": "Microsoft.Web/connectionGateways",
"name": "[variables('OnPremGatewayName')]",
"apiVersion": "2016-06-01",
"location": "[resourceGroup().location]",
"scale": null,
"properties": {
"connectionGatewayInstallation": {
"id": "[concat('/subscriptions/', subscription().subscriptionid, '/providers/Microsoft.Web/locations/', toLower(replace(resourceGroup().location,' ','')),'/connectionGatewayInstallations/', parameters('OnPremGatewayId'))]"
}
},
"dependsOn": []
},
The deployment throws this error:
"error": {
"code": "AuthorizationFailed",
"message": "The connection gateway 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx' does not exist or the client with object id 'xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxx' under tenant id '********' does not have administrative rights on it."
}
}'
I've found that there is a new action added that you can assign to a role:
/Microsoft.Web/Locations/connectiongatewayinstallations/Read
I've created a role with this action and added it to the service principal, but dat didn't seem to help. I used the following script to create the role:
$role = Get-AzureRmRoleDefinition "Virtual Machine Contributor"
$role.Id = $null
$role.Name = "On premises data gateway reader"
$role.Description = "Read registered On premises data gateways"
$role.Actions.Clear()
$role.Actions.Add("/Microsoft.Web/Locations/connectiongatewayinstallations/Read")
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add("/subscriptions/{subscriptionid}")
New-AzureRmRoleDefinition -Role $role
Get-AzureRmRoleDefinition -Name "On premises data gateway reader"
How can I give the VSTS service principal administrative rights on the registered gateway?