Using the Azure Golang ARM SDK, I am able to fetch all resources under a subscription, except for the Azure Organization.
Is there a REST API or Golang library that allows me to programmatically fetch the Azure Organization with which the subscription is associated?
Note that the only parameter I can provide is the Subscription ID.
I tried to reproduce the same in my environment and got the results successfully like below:
I created an Application by granting API permission like below:
I generated the access token using below parameters:
GET https://login.microsoftonline.com/cdf429fe-37a2-4a79-8e40-7adbac3f8552/oauth2/v2.0/token
client_secret: client_secret
grant_type:client_credentials
scope:https://management.azure.com/.default
client_id:18e97655-fba5-4644-8abc-XXXXXXX
To fetch all the Azure AD B2C tenant resources in a subscription, try the command below:
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.AzureActiveDirectory/b2cDirectories?api-version=2021-04-01
To fetch the Azure Organization by Subscription ID, try the command below:
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Confluent/organizations?api-version=2021-12-01
We had a user's credentials exposed, and a threat actor used them to successfully log in to the Azure CLI with the user's credentials.
We've since resolved the access issue using conditional access and our MFA (which admittedly was a hole).
I'm trying to recreate the method of attack, though, and I can't seem to get it right.
Here is the activity details for the malicious sign-in:
Application: Microsoft Azure CLI
Application ID: 04b07795-8ddb-461a-bbee-02f9e1bf7b46
Resource: Windows Azure Service Management API
Resource ID: 797f4846-ba00-4fd7-ba43-dac1f8f63013
Resource tenant ID: Left out
Home tenant ID: Left out
Home tenant name:
Client app: Mobile Apps and Desktop clients
Client credential type: None
Service principal ID:
Service principal name:
Resource service principal ID: d2b4c9e3-9a2a-4360-8ba4-6ece086335c5
Unique token identifier: Left out
Token issuer type: Azure AD
Token issuer name:
Incoming token type: None
Authentication Protocol: ROPC
Latency: 90ms
Flagged for review: No
User agent:
Looks like they used ROPC, detailed here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
I've tried emulating it through the Azure CLI directly, but it doesn't report back "ROPC" as the authentication protocol. So they are definitely calling through ROPC.
Then I tried emulating it with my credentials in Postman, and I get almost the same result as above in the sign-in log:
Application: Microsoft Azure CLI
Application ID: 04b07795-8ddb-461a-bbee-02f9e1bf7b46
Resource: Microsoft Graph
Resource ID: 00000003-0000-0000-c000-000000000000
Resource tenant ID: Left out
Home tenant ID: Left out
Home tenant name:
Client app: Mobile Apps and Desktop clients
Client credential type: None
Service principal ID:
Service principal name:
Resource service principal ID: e10569b0-24e4-4495-9d9b-698b01290eae
Unique token identifier: Left out
Token issuer type: Azure AD
Token issuer name:
Incoming token type: None
Authentication Protocol: ROPC
Latency: 108ms
Flagged for review: No
User agent: PostmanRuntime/7.30.0
As you can see, it's very similar, but mine reports "Microsoft Graph" while the malicious entry reports "Windows Azure Service Management API".
Can someone point me in the right direction?
Windows Azure Service Management API refers to the Azure Resource Management API.
I tried checking the Sign-in Logs, and the Service Principal Sign-in Logs show Windows Azure Service Management API; refer here:
Note: the above sign-in log is of the service principal sign-in with the client credentials flow. You can find that service principal by copying its Application ID and pasting it in the App registrations page or the Enterprise applications page of Azure AD.
I tried to log in to Azure with a service principal named Powershell using the ROPC flow via Postman.
Received Access token like below :-
Called Graph API
Got the resource as Microsoft Graph in the sign-in logs, similar to you:
Now, I tried calling the Azure Resource Management API to get the list of Azure resources from my account with the same flow and got the Resource set to Windows Azure Service Management API, like below:
Added the Azure Service Management API permissions:
Now, I changed the scope to https://management.azure.com/.default like below:
Fetched the access token from the above call and ran the query below to get the list of resources:
When I checked the sign-in logs now, they show ROPC with the Windows Azure Service Management API resource, like below:
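The exchange above boils down to two things a responder wants to pin down: what exactly the attacker sent to the token endpoint, and how to find the same pattern in the logs afterwards. The block below is an added example, not code from the original question or answer. It builds the v2.0 ROPC request implied by the sign-in entry (Azure CLI public client ID, no client secret, an ARM scope so the log shows "Windows Azure Service Management API"), reads the `aud` claim from a token to show where that "Resource" value comes from, and runs a detection over constructed sign-in records. The record field names (`appId`, `resourceId`, `authenticationProtocol`, `userPrincipalName`, `userAgent`) follow the Microsoft Graph `signIn` resource; the sample records, user names and the unsigned test token are constructed here, and the tenant/user/password values are placeholders.

```python
import base64
import json
import urllib.parse
import urllib.request

# Identifiers quoted in the sign-in log entries above.
AZURE_CLI_APP_ID = "04b07795-8ddb-461a-bbee-02f9e1bf7b46"
ARM_RESOURCE_ID = "797f4846-ba00-4fd7-ba43-dac1f8f63013"    # Windows Azure Service Management API
GRAPH_RESOURCE_ID = "00000003-0000-0000-c000-000000000000"  # Microsoft Graph

RESOURCE_NAMES = {
    ARM_RESOURCE_ID: "Windows Azure Service Management API",
    GRAPH_RESOURCE_ID: "Microsoft Graph",
}


def ropc_token_request(tenant_id, username, password,
                       scope="https://management.azure.com/.default"):
    """Build the v2.0 ROPC request the attacker's entry implies: the Azure CLI
    public client id, grant_type=password, no client_secret. The scope's audience
    decides which 'Resource' the sign-in log shows (ARM here, Graph if you ask
    for https://graph.microsoft.com/.default)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "client_id": AZURE_CLI_APP_ID,
        "grant_type": "password",
        "username": username,
        "password": password,
        "scope": scope,
    }
    return url, body


def send_token_request(url, body):
    """POST the form body and return the JSON response (network call; not used offline)."""
    data = urllib.parse.urlencode(body).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_audience(access_token):
    """Return the 'aud' claim of a JWT without verifying it (inspection only).
    ARM tokens carry the management.azure.com audience; Graph tokens carry Graph's."""
    payload = access_token.split(".")[1]
    return json.loads(_b64url_decode(payload))["aud"]


def make_test_token(aud):
    """Constructed, unsigned (alg=none) token used only to exercise token_audience offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps({"aud": aud, "appid": AZURE_CLI_APP_ID}).encode())
    return f"{header}.{payload}."


def flag_ropc_signins(records):
    """Detection: every sign-in that used the ROPC protocol through the Azure CLI
    client id, reported with the resource it was aimed at. ARM is the one that
    matches the malicious entry above; Graph is the Postman reproduction."""
    hits = []
    for r in records:
        if r.get("authenticationProtocol") == "ropc" and r.get("appId") == AZURE_CLI_APP_ID:
            hits.append({
                "user": r.get("userPrincipalName"),
                "resource": RESOURCE_NAMES.get(r.get("resourceId"), r.get("resourceId")),
                "userAgent": r.get("userAgent", ""),
            })
    return hits


# Constructed sample records mirroring the two log entries in the question plus
# an ordinary interactive sign-in that must not be flagged.
SAMPLE_SIGNINS = [
    {"userPrincipalName": "alice@contoso.example", "appId": AZURE_CLI_APP_ID,
     "resourceId": ARM_RESOURCE_ID, "authenticationProtocol": "ropc", "userAgent": ""},
    {"userPrincipalName": "bob@contoso.example", "appId": AZURE_CLI_APP_ID,
     "resourceId": GRAPH_RESOURCE_ID, "authenticationProtocol": "ropc",
     "userAgent": "PostmanRuntime/7.30.0"},
    {"userPrincipalName": "carol@contoso.example", "appId": AZURE_CLI_APP_ID,
     "resourceId": ARM_RESOURCE_ID, "authenticationProtocol": "oAuth2", "userAgent": "AZURECLI/2.50.0"},
]

if __name__ == "__main__":
    url, body = ropc_token_request("<tenant-id>", "<user>", "<password>")
    print("POST", url, body)
    print(token_audience(make_test_token("https://management.azure.com/")))
    print(flag_ropc_signins(SAMPLE_SIGNINS))
```

Note the empty user agent on the first constructed record: the malicious entry in the question also has no user agent, which is itself a useful pivot when hunting, since the real Azure CLI sends an `AZURECLI/...` agent and uses the authorization code or device code protocol rather than ROPC.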
I want to fetch the list of all members of an AD security group through an ADF pipeline.
I came across this API method: https://graph.microsoft.com/v1.0/groups/{group id}/members
Can you help me with how I can run this API through a Web activity in an ADF pipeline?
Also, what permissions or access do I need to have before running this API?
Thanks for your help and suggestions.
I tried to reproduce the same in my environment and got the results like below:
I created an Azure AD Application and granted API permissions like below:
Generate the access token like below by creating a Web activity:
URL: https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
Method : POST
Body: grant_type=client_credentials&client_id=<client_id>&client_secret=<client_secret>&scope=https://graph.microsoft.com/.default
Header: Content-Type:application/x-www-form-urlencoded
I generated access token successfully like below:
I created Azure AD security Group and added members:
To fetch the list of all members of the Azure AD security group, use the query in Web activity 2 like below:
https://graph.microsoft.com/v1.0/groups/GroupID/members
In Authentication, use this dynamic content: Bearer @{activity('Web1').output.access_token}
I am able to fetch the list of all members of the Azure AD security group successfully, like below:
Reference:
List group members - Microsoft Graph v1.0 | Microsoft Learn
I want to be able to call the Databricks API from a DevOps pipeline. I can do this using a personal access token for my account; however, I want to make the API calls user-independent, so I wanted to use a service principal (app registration). I followed this tutorial https://learn.microsoft.com/en-us/azure/databricks/dev-tools/api/latest/aad/service-prin-aad-token to create an access token for the service principal; however, I have 2 issues:
Such a generated token expires in 1 hour. Is there any elegant way to automatically refresh it?
Even when calling the ADB API using this token, I get 403 Unauthorized. Is there anything else I should do? The app registration has the Contributor role for the ADB service.
EDIT: Added the API permission for AzureDatabricks in the app registration and granted admin consent; however, still no luck.
So I found 3 possible solutions in the end.
Generate an access token for the service principal, generate a management service token for the service principal, and use both of these to access the Databricks API (reference).
Use the access token and management token to generate a Databricks personal access token for the service principal using the Databricks Token API; then you can use it for the Databricks CLI (reference).
Authenticate to Databricks via the CLI using an AAD token (reference and Databricks CLI help):
az login --service-principal -u <app-id> -p <app-password> --tenant <tenant-id>
token_response=$(az account get-access-token --resource 2ff814a6-3304-4ab8-85cb-cd0e6f879c1d)
export DATABRICKS_AAD_TOKEN=$(jq .accessToken -r <<< "$token_response")
databricks configure --host https://<adb-url> --aad-token
Such a generated token expires in 1 hour. Is there any elegant way to automatically refresh it?
No, the client credentials flow doesn't support refresh tokens. You can try to get a new token; please refer to this issue.
Even when calling the ADB API using this token, I get 403 Unauthorized. Is there anything else I should do? The app registration has the User role for the ADB service.
Make sure your service principal has a Contributor role assigned.
There are two kinds of resources for different situations.
API access for service principals that are Azure Databricks workspace users and admins
resource=2ff814a6-3304-4ab8-85cb-cd0e6f879c1d
API access for service principals that are not workspace users
resource=https://management.core.windows.net/
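The two answers above leave the "how do I refresh it" part as an exercise. Since client credentials tokens have no refresh token, the practical answer is a small cache that re-runs the client credentials grant shortly before `expires_in` runs out, and a helper that attaches both tokens (the Databricks-resource token as the bearer, the ARM token in the `X-Databricks-Azure-SP-Management-Token` header) when the service principal is not yet a workspace user. The block below is an added example, not code from the question, the answers or the Databricks docs. The workspace resource ID path and the fake token responses are constructed; the HTTP call is a plain `urllib` POST and is injectable so the refresh logic can be exercised offline.

```python
import json
import time
import urllib.parse
import urllib.request

# Resource identifiers quoted in the answers above.
DATABRICKS_RESOURCE_ID = "2ff814a6-3304-4ab8-85cb-cd0e6f879c1d"
ARM_RESOURCE = "https://management.core.windows.net/"


def post_form(url, body):
    """POST an x-www-form-urlencoded body and return the JSON response (network call)."""
    data = urllib.parse.urlencode(body).encode()
    req = urllib.request.Request(url, data=data, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


class ClientCredentialsToken:
    """Cache one client credentials token and re-acquire it when it is within
    `skew` seconds of the expiry reported by the token endpoint. There is no
    refresh token in this flow, so 're-acquire' simply means run the grant again."""

    def __init__(self, tenant_id, client_id, client_secret, scope,
                 fetch=post_form, clock=time.time, skew=300):
        self.url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
        self.body = {
            "grant_type": "client_credentials",
            "client_id": client_id,
            "client_secret": client_secret,
            "scope": scope,
        }
        self.fetch = fetch
        self.clock = clock
        self.skew = skew
        self._token = None
        self._expires_at = 0.0

    def get(self):
        if self._token is None or self._expires_at - self.clock() <= self.skew:
            resp = self.fetch(self.url, self.body)
            self._token = resp["access_token"]
            self._expires_at = self.clock() + int(resp["expires_in"])
        return self._token


def databricks_headers(aad_token, mgmt_token, workspace_resource_id):
    """Headers for a service principal that is not (yet) a workspace user: bearer
    token for the Databricks resource plus the ARM token and workspace ARM ID."""
    return {
        "Authorization": f"Bearer {aad_token}",
        "X-Databricks-Azure-SP-Management-Token": mgmt_token,
        "X-Databricks-Azure-Workspace-Resource-Id": workspace_resource_id,
    }


def databricks_get(host, path, headers):
    """GET a Databricks REST endpoint, e.g. /api/2.0/clusters/list (network call)."""
    req = urllib.request.Request(f"https://{host}{path}", headers=headers)
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Placeholders: tenant, app registration and workspace are assumptions.
    tenant, client_id, secret = "<tenant-id>", "<app-id>", "<app-secret>"
    workspace_id = ("/subscriptions/<sub-id>/resourceGroups/<rg>/providers/"
                    "Microsoft.Databricks/workspaces/<workspace>")
    adb = ClientCredentialsToken(tenant, client_id, secret, DATABRICKS_RESOURCE_ID + "/.default")
    arm = ClientCredentialsToken(tenant, client_id, secret, ARM_RESOURCE + ".default")
    headers = databricks_headers(adb.get(), arm.get(), workspace_id)
    print(databricks_get("<adb-host>.azuredatabricks.net", "/api/2.0/clusters/list", headers))
```

Two `ClientCredentialsToken` instances are used because the two tokens have different audiences; the cache keyed on `expires_in` from the token response avoids parsing the JWT at all, and the 300 second skew leaves room for a long-running job to finish a request before the token it was issued with expires.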
I am writing a web app where the user passes a bearer token acquired from login.microsoftonline.com. The app uses the token to connect to the Azure AD REST API at management.azure.com. The app successfully executes a GET https://management.azure.com/subscriptions?api-version=2016-09-01 request. The response is {"value":[]}, indicating no subscriptions. This looks correct to me because of our specific corporate environment. When I log in from the Azure CLI, I must use az login --allow-no-subscriptions to avoid "no subscriptions found" error messages.
My challenge is that I want to get a list of AD groups from the REST API. The documentation indicates that the URL format is:
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ApiManagement/service/{serviceName}/groups?api-version=2019-12-01
I do not see how to form a URL with no subscription ID. Is there a way to do so?
You cannot list Azure AD groups via the Azure REST API (https://management.azure.com); the Azure REST API is for Azure resources. The API Group - List By Service you provided is used to list the groups in an API Management service, not AAD groups.
To list AAD groups, your option is to use Microsoft Graph - List groups (https://graph.microsoft.com; recommended):
GET https://graph.microsoft.com/v1.0/groups
or Azure AD Graph - Get groups (https://graph.windows.net):
GET https://graph.windows.net/myorganization/groups?api-version=1.6
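Both the ADF answer (client credentials token, then `GET /groups/{id}/members`) and the answer just above (`GET /groups` on Microsoft Graph) call a Graph collection endpoint, and both of the posted one-shot calls silently truncate: Graph returns pages and an `@odata.nextLink` that has to be followed. The block below is an added example serving both threads; it is not code from either answer. It builds the client credentials request exactly as the ADF Web activity sends it, follows `@odata.nextLink` until the collection is exhausted, and filters `/members` results by `@odata.type` because a group's members can also be groups, devices or service principals. The group ID, user names and the two fake pages are constructed so the paging logic runs offline; the HTTP fetch is injectable for that reason. For least privilege, the application permission the members call needs is `GroupMember.Read.All` (or `Group.Read.All`), not the broader `Directory.Read.All`.

```python
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"


def client_credentials_request(tenant_id, client_id, client_secret,
                               scope="https://graph.microsoft.com/.default"):
    """URL and encoded form body for the token POST, as the ADF Web activity sends it."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }
    return url, urllib.parse.urlencode(body)


def http_get_json(url, token):
    """Authenticated GET returning parsed JSON (network call; replaced in tests)."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def graph_list_all(path, token, fetch=http_get_json):
    """Collect every item of a Graph collection by following @odata.nextLink.
    A nextLink that repeats is treated as an error rather than looping forever."""
    url = path if path.startswith("https://") else GRAPH + path
    items, seen = [], set()
    while url:
        if url in seen:
            raise RuntimeError(f"@odata.nextLink loop at {url}")
        seen.add(url)
        page = fetch(url, token)
        items.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return items


def list_groups(token, fetch=http_get_json):
    return graph_list_all("/groups", token, fetch)


def list_group_members(group_id, token, fetch=http_get_json):
    return graph_list_all(f"/groups/{group_id}/members", token, fetch)


def member_upns(members):
    """Only user members have a userPrincipalName; nested groups and devices are skipped."""
    return [m["userPrincipalName"] for m in members
            if m.get("@odata.type") == "#microsoft.graph.user"]


# Constructed stand-in for Graph: two pages of members for one constructed group.
GROUP_ID = "11111111-2222-3333-4444-555555555555"
_PAGE1 = f"{GRAPH}/groups/{GROUP_ID}/members"
_PAGE2 = f"{GRAPH}/groups/{GROUP_ID}/members?$skiptoken=page2"
FAKE_GRAPH = {
    _PAGE1: {
        "value": [
            {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "alice@contoso.example"},
            {"@odata.type": "#microsoft.graph.group", "displayName": "nested-group"},
        ],
        "@odata.nextLink": _PAGE2,
    },
    _PAGE2: {
        "value": [
            {"@odata.type": "#microsoft.graph.user", "userPrincipalName": "bob@contoso.example"},
        ],
    },
}


def fake_fetch(url, token):
    return FAKE_GRAPH[url]


if __name__ == "__main__":
    url, body = client_credentials_request("<tenant-id>", "<client-id>", "<client-secret>")
    print("POST", url, body)
    print(member_upns(list_group_members(GROUP_ID, "<token>", fake_fetch)))
```

In an ADF pipeline the same loop is an Until activity keyed on `@odata.nextLink` in the previous Web activity's output; the Python above is the reference behaviour that loop has to reproduce.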
I'm building an Android app that will access the Azure REST API and read some data from Azure Monitor.
I'm having a problem with the authentication process because I'm not sure whether it is possible to use the MSAL library to authenticate for access to the Azure REST API.
In the demo code you mentioned, the resource is Microsoft Graph.
If you want to use the Azure Service Management API, we need to change the resource to https://management.azure.com. And we need to assign a role to the registered application.
I am not familiar with the preview SDK, but we could also get the access token for the Azure management API in the following way.
By default the V2 application is not displayed in the Azure portal, so we need to consent to the permission. Then we can find it in the Azure portal.
https://login.microsoftonline.com/{tenantId}/adminconsent?
client_id={clientId}
&state=12345
&redirect_uri={redirectUrl}
Then use the admin account to approve the consent. After that we can find the V2 application in the Azure portal and assign the role to the application.
From this document, we know that the v2.0 endpoint does not support the OAuth 2.0 Resource Owner Password Credentials Grant.
So we can use the authorization code flow to get the access token.
Get the authorization_code:
https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/authorize?
client_id={clientId}&response_type=code
&redirect_uri={redirect_uri}
&response_mode=query
&scope=https://management.azure.com/user_impersonation
&state=12345
Get the access token:
https://login.microsoftonline.com/{tenantId}/oauth2/v2.0/token?
scope=https://management.azure.com/.default
&client_id={clientId}
&grant_type=authorization_code
&redirect_uri={redirectUri}
&code=AQABAAIAAAC5una0EUFgTIF8ElaxtWjT6o1ePh...
Test the access token
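The two requests sketched above are the authorization code flow for a public client, which is what an Android app is: it cannot keep a client secret. The block below is an added example, not code from the answer or from MSAL, showing how the app side of that flow is put together safely: a PKCE verifier/challenge pair (so an intercepted code cannot be redeemed by another app), a random `state` that is checked on the redirect, and the token request as a POST form body with the code verifier instead of a secret. MSAL for Android does all of this for you when you call `acquireToken` with the ARM scope; this is what it is doing underneath, written out by hand. The tenant, client ID and redirect URI are placeholders, the `offline_access` scope is an addition to the answer's scope so a refresh token is returned, and the sample redirect URL in the test is constructed.

```python
import base64
import hashlib
import secrets
import urllib.parse

AUTHORITY = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0"
ARM_AUTHORIZE_SCOPE = "https://management.azure.com/user_impersonation offline_access"
ARM_TOKEN_SCOPE = "https://management.azure.com/.default"


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def new_pkce_pair():
    """RFC 7636: a high-entropy verifier and its S256 challenge."""
    verifier = _b64url(secrets.token_bytes(32))          # 43 URL-safe chars
    challenge = _b64url(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge


def challenge_matches(verifier, challenge):
    """What the token endpoint checks when it receives code_verifier."""
    return _b64url(hashlib.sha256(verifier.encode()).digest()) == challenge


def new_state():
    return secrets.token_urlsafe(16)


def build_authorize_url(tenant, client_id, redirect_uri, state, code_challenge,
                        scope=ARM_AUTHORIZE_SCOPE):
    """Step 1 of the answer above, with PKCE and a random state added."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": scope,
        "state": state,
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return AUTHORITY.format(tenant=tenant) + "/authorize?" + urllib.parse.urlencode(params)


def parse_redirect(redirect_url, expected_state):
    """Extract the code from the redirect; refuse it if state does not match or
    the authorization server returned an error instead of a code."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: possible CSRF or stale redirect")
    if "error" in query:
        raise RuntimeError(f"{query['error'][0]}: {query.get('error_description', [''])[0]}")
    return query["code"][0]


def build_token_request(tenant, client_id, redirect_uri, code, code_verifier,
                        scope=ARM_TOKEN_SCOPE):
    """Step 2 of the answer above as a POST form body. A public client sends
    code_verifier and no client_secret."""
    url = AUTHORITY.format(tenant=tenant) + "/token"
    body = {
        "client_id": client_id,
        "grant_type": "authorization_code",
        "redirect_uri": redirect_uri,
        "code": code,
        "code_verifier": code_verifier,
        "scope": scope,
    }
    return url, body


if __name__ == "__main__":
    # Placeholder values; a real app uses its own registration and a redirect it owns.
    tenant, client_id, redirect = "<tenant-id>", "<client-id>", "msauth://com.example.app/<hash>"
    verifier, challenge = new_pkce_pair()
    state = new_state()
    print("open in browser:", build_authorize_url(tenant, client_id, redirect, state, challenge))
    # after the redirect arrives back in the app:
    # code = parse_redirect(redirect_url_received, state)
    # url, body = build_token_request(tenant, client_id, redirect, code, verifier)
    # POST body to url as application/x-www-form-urlencoded
```

The `state` and `code_verifier` must be stored in the app instance that started the flow and compared there; sending them anywhere the redirect could be observed defeats the purpose. Once the token is in hand, the same ARM calls the earlier threads use (for example `GET https://management.azure.com/subscriptions?api-version=2016-09-01`) work with it as the bearer token, provided the application has been assigned a role as the answer says.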