I have gathered the tenantid, but I want to convert this to the tenant name. I am using Logic Apps by the way. The tenant name (FDQN) I want to save into a variable.
Is there any way to do this?
Situation:
From Sentinel I get the Subscription ID from the tenant. I will save this subscription ID into a variable.
From another playbook that gets the tenant ID by providing the subscription ID from Sentinel.
The final step would be having that tenant ID and translate/convert it into the FDQN of the tenant. But I do not have the code for that. Also I want to know if it can be found without authenticating. Else I have to find an alternative.
You can't tenant name from the tenant id without authentication.
But you can use Microsoft Graph REST API - Get tenant to get tenant details. Similarly, should be possible with PowerShell, and Azure CLI but you won't use it in Logic App.
"defaultDomainName": "fourthcoffe001.onmicrosoft.com",
Related
I'm trying to add an Azure AD security group (without mail/upn) to a Devops Permission with the rest api.
Is this possible?
In this page https://learn.microsoft.com/en-us/rest/api/azure/devops/graph/users/create?view=azure-devops-rest-6.0#add-an-aad-user-by-oid I see the following
The body of the request must be a derived type of GraphUserCreationContext:
GraphUserMailAddressCreationContext - Create a new user using the mail address as a reference to an existing user from an external AD or AAD backed provider.
GraphUserOriginIdCreationContext - Create a new user using the OriginID as a reference to an existing user from an externalAD or AAD backed provider.
GraphUserPrincipalNameCreationContext - Create a new user using the principal name as a reference to an existing user from an external AD or AAD backed provider.
The groups are created as universal security groups on our onprem AD, and synced to Azure AD.
I don't have a mailadress nor a UPN; but I can't find more info on what exactly OriginID is.
Edit; OriginID seems to work for a user, but not for a group.
To add an Azure AD group to Azure DevOps, you need to use the REST API Groups - Create.
POST https://vssps.dev.azure.com/{organization}/_apis/graph/groups?api-version=6.0-preview.1
Click this link for an example. The originId in the request body is the Object id of your Azure AD group.
The REST API link your provide in the question is to create a user, not a group.
I ended up connecting with the Azure commandlets to get my ObjectID, as #jane-ma-msft suggested.
I have created an AZURE CSP subscription for a customer. When I log in to the particular customer directory as a partner admin user (Customers -> Click the dropdown for a customer -> Microsoft Azure Management Portal link), I am able to see the subscription. But when I try to login as the admin of the customer domain/directory, I am not able to see it.
When I searched about it, I came across the link
https://learn.microsoft.com/en-us/partner-center/assign-azure-subscriptions
Is there any way to do the step Assign Azure subscriptions to your customers through API.
You could use Azure Rest API Role Assignments - Create or Role Assignments - Create By Id.
You can see that there is a Try It feature in the page but we cannot make it work with an CSP admin, because if we sign in with an CSP admin, the access token will be issued for the CSP admin's tenant rather than customer's tenant by default.
To call Azure rest API, you need an access token for Azure. Please refer to this document.
Here is my sample for your reference:
Get the access token for Azure service in Postman. Sign in with your CSP admin to generate the access token. Remember that you should put the customer's tenant id in Auth URL: https://login.microsoftonline.com/{custopmer's tenant id}/oauth2/v2.0/authorize and Access Token URL: https://login.microsoftonline.com/{custopmer's tenant id}/oauth2/v2.0/token
Use this access token to assign Azure subscription using Role Assignments - Create.
I am attempting to use Microsoft Graph API to manage Azure AD B2C users from an application, but I have been unable to authenticate using my client id / secret.
First, I followed the steps here to register an application:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/microsoft-graph-get-started?tabs=app-reg-ga
At the end of that article, I was directed here to learn how to get an access token: https://learn.microsoft.com/en-us/graph/auth-v2-service#4-get-an-access-token
They suggest using the endpoint https://login.microsoftonline.com/mytenant/oauth2/v2.0/token, but when I use my tenant in that URL, I get the error "Tenant 'mytenant' not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID. Check with your subscription administrator."
Makes sense, that's not the kind of url I've been using anyway. But what the heck endpoint should I use? So I tried a few.
There are some endpoint suggestions in my application overview, in the format of
https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/policy-name/oauth2/v2.0/token
But what is the policy name? There was nothing in the instructions about setting up a policy.
I have some user flows that might be what they're talking about, so I tried a few, like
if I use https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/b2c_1_sign_in/oauth2/v2.0/token,
I get "The supplied grant_type [client_credentials] is not supported."
There are also endpoints suggested in my workflows, in the format
https://mytenant.b2clogin.com/mytenant.onmicrosoft.com/oauth2/v2.0/token?p=b2c_1_sign_in
This gives the same client_credentials error.
I also tried with a b2c_1_ropc user flow instead of b2c_1_sign_in, with similar results.
What am I doing wrong? Are the instructions incomplete? Have I not guessed the appropriate endpoint?
All of your assumed suggestions are incorrect.
The doc says to use the endpoint https://login.microsoftonline.com/mytenant/oauth2/v2.0/token, this is wholly correct.
If your B2C tenant has tenant name contoso.onmicrosoft.com, or contoso.b2clogin.com, then endpoint is https://login.microsoftonline.com/contoso.onmicrosoft.com/oauth2/v2.0/token
In my case, my B2C tenant name (see under Tenant Properties in Azure) was Company Customers, so all my user flow endpoints were showing as:
https://Company Customers.b2clogin.com/mytenantdev.onmicrosoft.com/...
I had to update the tenant name, removing the space and then re-create my application registration and things started working. I didn't have to redo the user flows however.
So the final endpoints looked something like this: https://mytenant.b2clogin.com/mytenantdev.onmicrosoft.com/<policy-name>...
Should also note, I had to logout of Azure and back in to get the tenant name to start appearing correctly in the console.
Actually I am trying to create an infrastructure in azure using terraform so I wanted these keys for programmatic access.
SubscriptionId and TenantId belongs to your azure subscription which you can either get from azure portal directly or from powershell.
ClientId and Client Secret are related to the application registered where you will be providing access[role] to your application to perform certain functionality for you. You can convert the secure string password to plain string as below:
When you will register any application in your Azure Active Directory you can have all the details, after creating it- ClientId, Secret, Subscription Id and Tenant Id.
See more details on doing it from Azure Portal.
Azure Active Directory whose authentication tokens can be used as the client_id, client_secret, and tenant_id fields needed by Terraform (subscription_id can be independently recovered from your Azure account details).
It's possible to complete this task in either the Azure CLI or in the Azure Portal - in both we'll create a Service Principal which has Contributor rights to the subscription. It's also possible to assign other rights depending on your configuration.
Go Portal -->click on Active Directory-->App registration--> There you will be able to find Application client Id and Directory tenant. For Secrets and click on that option.
I've utilized the Partner Center REST API to provision tenants with orders/subscriptions. Now I want to start configuring the domains and users for the tenant I just created. My first step was to get a list of users using the Graph API https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/users-operations as a test expecting to see the admin account. If I pass in the domain of the reseller account in the request URL, it shows me the reseller users. But when I put in the domain of the account I just provisioned, I get Invalid domain name in the request url. I'm using the resellers AD token to do this. I'm confused as it gives me the option to specify a domain, but I can only access my own.
What credentials am I supposed to be using here? I tried to use the user/pass that was generated for the admin account from the provision, but I get unauthorized_client when trying to get an AD token from the Graph API.
It is hard to directly address your issues here since they are a little broad, and I would need more specific details about the various tenants you are working with, how your app is provisioned, permissions your app has etc...
However I think there a few principals you can follow which may help you debug your issues.
All AAD Authentication happens within the context of a specific tenant. This means whenever you get an access token for a resource, the scope of that token is limited to the boundaries of the tenant.
To authenticate with a client application in the context of a tenant, you must have the app registered in the tenant you are trying to access (line of business application / single tenant) or you have to make the app multi-tenant, in which case your app should be able to function in the context of any tenant... if the right provisioning has occurred.
Every tenant where your app is trying to function must have a service principal for the application provisioned in the tenant. This service principal represents your application's identity in the context of that tenant, and acts as a place to store the permission your application has in the context of that tenant. Most normally, this service principal gets provisioned into a tenant after a user from that tenant has consented to use the app as a part of the login experience.
If you are trying to use user context (authorization code grant flow) to retrieve details about a tenant, you must ensure that that user is present in the directory you are trying to query. For example a user U can exist in their home tenant T1. If you try to query another tenant T2 using that user account, you will get any number of errors describing that the user account does not exist etc. You can remedy this by creating a guest account for U in T2, in which case there will be a brand new user object created in T2 which links to the original user object in T1. None the less, the user object should always be present in the tenant you are trying to query.
If you are trying to sign into an application with a user account that is in T1 and T2, you need to be sure to specify the tenant you want to actually get the token for. By default, if you use the common endpoint, you will get a token for the users home tenant. However, it is perfectly valid to get a token for the secondary tenant, as long as you specify that to our Token Service when making the request.
Finally the client application you use to make these requests needs to have the right permissions to the Graph API if you want to make specific calls to the Graph API. Every tenant needs to individually consent to the application in their tenant context in order to provision the correct permissions to their application.
With those principals in mind:
The error you are getting with "unauthorized_client" seems to be an issue with application provisioning in the secondary tenant. Please make sure to first login to the application with a user from the secondary tenant, and make sure that user has the correct permissions to consent to your app (a tenant admin is best here).
For the second issue with "Invalid domain name in the request url" please try using some hints here.
Specifically this:
By using the myOrganization alias. This alias is only available when using OAuth Authorization Code Grant type (3-legged) authentication; that is, when using a delegated permission scope. The alias is not case sensitive. It replaces the object ID or tenant domain in the URL. When the alias is used, Graph API derives the tenant from the claims presented in the token attached to the request. The following URL shows how to address the users resource collection of a tenant using this alias:
https://graph.windows.net/myorganization/users?api-version=1.6.
I hope this puts you on the correct path to resolve most of your issues.
There are issues with sandbox accounts and Azure. Access to the Azure Management Portal for the sandbox isn't straightforward and at this time does not work properly. I had to create a free Azure account with my hotmail account, then link AD from the new account to my sandbox AD to bypass the bug. When adding a new directory to the new Azure account, select "Use existing directory", sign out, then sign into the sandbox account you want to link it to. Then create your app from the new account.
After getting my app setup properly and new credentials, I had to enable pre-consent with the instructions listed at the end of: https://github.com/Microsoft/Partner-Center-Explorer
Lastly, I had to login to the Graph API with the customers ID, but with the resellers credentials.
The scenarios on the Partner Center SDK website include a section "Manage user accounts and assign licenses" under the "Manage customer accounts" section.
These samples include creating users and assigning licenses and a link to a console test app.
As an aside, a new version of the Partner Center SDK has just become available here. It was released on July 5th. While there is no official change history that I can find, I can see that it includes some new classes such as CustomerUser. You may find it easier to use that library rather than hitting the REST API (depending on how much work you've already done).