Microsoft Enterprise Application - Temporary permissions - azure

This is probably a silly question, but I am not seeing the answer on stackoverflow or the microsoft community.
We are creating an enterprise app which will be used between multiple domains. I understand you can add the application permissions manually and we know how to do this.
The question is:
Is there a way to allow your app temporary permissions? Basically, the user consents to the permission to the app, but once the app is done with it's task, then the consent is immediately removed or there is a time frame for it?
As you can see below, we want to only allow
Domain.ReadWrite.All
for the purpose of creating a new domain, but then it is not needed after that.
Without going into Azure and deleting the Enterprise app or revoking individual permissions.
Image of Azure Enterprise Application API Permissions

Related

How can you monitor activity from an App in Azure?

I have built a web application that uses Microsoft Graph to connect to OneDrive to upload files to a user's drive.
The web application is registered in Azure under the App Registrations and is also in the Enterprise Applications, having been granted permissions by an administrator to access OneDrive.
There is a section in the Office365 Admin Console to run searches and raise email alerts, however, the user that appears to be performing the action just comes through as 'app#sharepoint', so we cannot monitor what the actual web application is doing because this is too general.
The question I have is, is there any way to specifically monitor what this app is doing, in terms of uploading files or reading files? I don't know if there is any way set the user that the Enterprise App runs under, or if there is anything that the application can pass to identify itself?
To view a report on user specific activity details on OneDrive connected to via Graph to an app registered on Azure, use GET /reports/getOneDriveActivityUserDetail(period='{period_value}') or GET /reports/getOneDriveActivityUserDetail(date={date_value}).
You will however need Reports.Read.All application permission.
Please see the following documentation for a better understanding of the usage of this query: https://learn.microsoft.com/en-us/graph/api/reportroot-getonedriveactivityuserdetail?view=graph-rest-1.0#code-try-1

How to Access Microsoft PowerApp

I am using Microsoft Power App for the first time. I created a rudimentary app for others to use. However, whenever I try sharing my app with other people, they are unable to open it.
I am using OneDrive. I can see which data connections each user has, and it appears that they all have access to the OneDrive folder.
I have tried sharing the app and changing the users' permissions, but it did no good.
Check out https://learn.microsoft.com/en-us/powerapps/maker/canvas-apps/share-app
After you build a canvas app that addresses a business need, specify which users in your organization can run the app and which can modify and even reshare it. Specify each user by name, or specify a security group in Azure Active Directory. If everyone would benefit from your app, specify that your entire organization can run it.
You can only share your app in your organization.

how to write a cloud-based Active directory .NET application

I work for a network management company and I want to write a .Net application (MVC 4) that will allow us to service Active Directory users from a cloud-based application.
As I have never written a cloud-based app, I don't know if I'm using that term correctly or not. I am in the requirements gathering stage. Basically, I'd like to provide our customers with the ability, for example, to change their own password using our cloud-based application.
is this an application that should be written specifically using Azure? If not, what tools and platform(s) should I take into consideration?
What tutorials or other resources are available ?
Actually, I don't even know enough about Active Directory and Cloud computing to ask the right questions. But, I hope someone will point me in the right direction
Read How to Authenticate Web Users with Windows Azure Active Directory Access Control. There are great walk-throughs there. There is more reading and code samples here - Access Control Service 2.0.
That's using ACS.
You could go direct to Azure Active Directory if you wished?
Refer: Adding Sign-On to Your Web Application Using Windows Azure AD.
If you use Office 365, you already have an AAD tenant.

Which IIS Account should I grant directory access privileges to?

I've moved my codebase to a new directory and need to grant the IIS account read/write privileges on a few folders to allow access by the ASP.Net runtime. I believe NETWORKSERVICE is no longer used for this purpose (as mentioned in this earlier question:
ASP.Net which user account running Web Service on IIS 7?) but, try as I might I can't seem to be able to add the IISAppPool/IIS Worker Process the article links to.
I've found a MyDomain/IIS_WPG account but this isn't the one that is listed in Task Manager for the w3wp process. Can someone help?
UPDATE:
Even odder - the Application Pool for the website in question uses the LocalSystem identity which I thought would be able to access pretty much the entire machine. Is there something incorrect about my basic machine/Windows setup?

Security for a web app through Active Directory

Here is a situation I am currently addressing. I am working on a Web project with its security being tied up with the Active Directory. Which means technically when you add a user through the application we are adding a new user to the Active Directory on the Server. Now my question is, is this a good practise?
At this point I think of a vulnerabilty which is you could do a remote desktop on to the deployment server with the account you created through the Application (Please correct me if I am wrong). But I just want to confirm this before I could inform this to my Architect.
Any suggestions will be deeply appreciated.
Awaiting your response.
If the web application has permission to create accounts in Active Directory, then this means that the web application presumably has an account with (possibly limited) administrative rights to the Active Directory domain. That could potentially be used for all sorts of bad things if you're not careful.
If you're going to proceed, then the first step, if you haven't already done so, is to delegate administrative rights to your web application's account so that it can only create accounts within a particular OU. See this article for details, or search Google for other descriptions.
You'll probably also want to set up Group Policy and group memberships to further restrict the newly created accounts (for example, disabling Remote Desktop), and you'll want to do so in a way that doesn't rely on the web application doing the right thing (as an extra layer of security in case the web application is compromised).
ServerFault would be a better place to find out about Active Directory's security model and how to best set up these various restrictions.
Finally, if you don't need to have users automatically created within your Active Directory domain, then you should consider other approaches. If you're only looking to use Active Directory as a stable, robust source of user authentication, for example, then you can use Active Directory Lightweight Directory Services (formerly known as Active Directory Application Mode) to get Active Directory's functionality without any affect on your domain's security.

Resources