How do I add a custom domain name in Azure AD via an automation tool or CLI? I would like to mimic the manual steps in the Azure Portal (Azure AD -> Custom Domain Names -> Add custom domain -> enter domain name -> enter settings for custom domain name -> verify).
I have been scouring Azure Powershell and Azure CLI documentation, but have been unable to find a solution to this problem. Struggling to find a solution in Terraform too. Is it possible to automate this task?
The reason for this is because I am trying to workaround not being able to create an enterprise application programmatically - any help there would also be appreciated.
You only can do it via API REST:
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.DomainRegistration/domains/{domainName}?api-version=2022-03-01
More Info: https://learn.microsoft.com/en-us/rest/api/appservice/domains/create-or-update?tabs=HTTP
Via terraform you only can use the Data Source azuread_domains (https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/domains)
Related
Is it possible to terraform an azure active directory custom domain?
Searching through the docs the only thing I see is this data resource that allows me to read the currently existing ones:
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs/data-sources/domains
If this is possible,links to the appropriate docs will do
Is it possible to terraform an azure active directory custom domain?
No.
Unfortunately, there is no support yet for custom domain creation using the azuread provider within Terraform.
Is it possible to reproduce the steps to "Configure Azure AD Connect cloud sync" from the Azure portal, in another way using an API?
The steps are described at this link:
https://learn.microsoft.com/en-us/azure/active-directory/cloud-sync/tutorial-single-forest#configure-azure-ad-connect-cloud-sync
I would like to automate this process to have no user interaction. Is it possible with the Graph API? Any example?
Thank you Marilee Turscak - MSFT for providing the reference Link.
I don't understand this sentence: "You need to use this application
ID 1a4721b3-e57f-4451-ae87-ef078703ec94. The displayName is the AD
domain url, if used in the portal (for example, contoso.com), but it
may be named something else." What is the application id I should use?
And what is the display name? I get 401 or 403 errors. Is there an
additional step before this?
You have to use the same application ID as its the Application templateID by default which is used to provision entries from active directory to Azure active directory.
But You can use any Display name that you want and Please make sure to have the required permissions as shown below. You can perform the post operation with Graph explorer.
After you have done the above post operation you will get the service principal ID which can be used for further steps mentioned in the document provided by Marilee Turscak - MSFT.
Reference:
How to programmatically configure cloud sync using MS Graph API | Microsoft Docs
I have an Azure CDN. It has a custom domain, and I attempting to register my own certificate for HTTPS support.
I am attempting to follow the instructions here: https://learn.microsoft.com/en-us/azure/cdn/cdn-custom-ssl?tabs=option-2-enable-https-with-your-own-certificate
I have uploaded my Certificate to a Key Vault. That should be good. I am now trying grant my Azure CDN Profile access to my Key Vault in order for it to get the certificate. That is this step in the tutorial (Register Azure CDN, step #2)
That step shows a GUID (205478c0-bd83-4e1b-a9d6-db63a3e1e1c8). Where is that coming from? Is that the identifier for my Azure CDN Profile? If so, where would I get that?
I also just noticed there are two commands there: The text shows New-AzADServicePrincipal, but the screenshot shows New-AzureRmADServicePrincipal. Presumably, the latter is the (older?) command based on Resource Manager. But, which one should I be using?
Also, I don't think I have Azure Powershell installed. Can I do this using Cloud Shell via the Azure Portal?
What I see when I attempt to run the command from Cloud Shell
That step shows a GUID (205478c0-bd83-4e1b-a9d6-db63a3e1e1c8). Where is that coming from? Is that the identifier for my Azure CDN Profile? If so, where would I get that?
The GUID is the Application ID of the multi-tenant AD App in the Microsoft tenant(microsoft.onmicrosoft.com), when you use the New-AzADServicePrincipal with the GUID, it will create a service principal related to this AD App in your AAD tenant, which represents your CDN.
When you run the New-AzADServicePrincipal successfully, you could find it in the portal -> Azure Active Directory -> Enterprise applications in your tenant.
I also just noticed there are two commands there: The text shows New-AzADServicePrincipal, but the screenshot shows New-AzureRmADServicePrincipal. Presumably, the latter is the (older?) command based on Resource Manager. But, which one should I be using?
The New-AzureRmADServicePrincipal belongs to the old AzureRM module, New-AzADServicePrincipal belongs to the new Az module. You could use both of them, but I recommend you to use New-AzADServicePrincipal, because the AzureRM module was deprecated and will not be updated any more.
Also, I don't think I have Azure Powershell installed. Can I do this using Cloud Shell via the Azure Portal?
Of course, you can. Just run that in the cloud shell, no need to install any module manually.
I need to assign publish permission to one of my developers so that he should be able to publish to only one cloud service & do not affect others.
Azure websites have these concepts called download publishing profile.
I could not find anything similar for cloud service. Can it be
achieved?
As you know Azure Management Portal does not have any role defined where we could map a user account login to manage a set of resources (say cloud service 1 & 2)
It is not possible as of today. It seems that it should be possible with Resource Groups and Role Based Access Control (RBAC) however currently cloud services can't be added in resource groups and assigned RBAC.
One way you could achieve this is have a custom application consuming Service Management API and implement your own RBAC in that application. However it is still a "hack" and not proper solution.
Why don't you try using "publish from source control"? When the developer checks in it will auto publish the code.
I believe the new portal will allow the creation of roles for publishing profiles; it already allows adding additional users to your organization; but to get what you want for now; publishing from source code should do the trick.
I know how to add a co-administrator via the portal, but need a way to add it via PowerShell.
I need this method as I have lost access to the login id, but have the publish setting file so can administrator my virtual machines.
Unfortunately you can't. Azure PowerShell Cmdlets are essentially wrapper over Azure Service Management API and currently the API does not expose any method to add co-admins programmatically.
Azure have rolled out Roll Based Access Control which will allow you to automate the adding of new admins to your Azure Subscription. Intro here: https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/
You would add a new user as an Owner at the Subscription scope. These operations are available using both PowerShell and REST