How to terminate users in bulk in SailPoint IIQ? - user-management

I have identified nearly 1K Service identities, Shared Identities, Privileged Identities. I need to clear all these identities immediately, kindly say if there is a way to do this in bulk.
Terminate/remove users in Bulk

If you have identified the identities, then you can use the IIQ console to delete those, but take these steps carefully on higher environments. Refer to the IIQ admin guide -> IIQ console section for this command.
Also, take a backup of the database before doing such activities.
<delete Identity "name"> is the IIQ console command. If you want to delete identities in bulk, then prepare a file, e.g. identityData.txt, and that file must contain records in the below format:
delete Identity identity1
delete Identity identity2
delete Identity identity3
And then go to the IIQ console and execute this command:
> source identityData.txt
Verify your identities from the console.
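One way to generate the identityData.txt file from the list of identities you identified, as an added example that is not part of the original answer (the sample names are constructed; quoting of names containing spaces follows the `delete Identity "name"` form shown above):

```python
"""Build an IIQ console source file of `delete Identity` commands.

Added example, not from the original post. Assumes the identity names come
from a constructed newline-separated list (in practice, the export of the
identities you already identified) and that names containing whitespace are
quoted, as in the answer's `delete Identity "name"` form.
"""
from typing import Iterable, List

# Constructed sample input: one name per line, with a duplicate, a blank
# line and a name containing a space, to exercise the cleanup steps.
SAMPLE_NAMES = """svc_backup01
svc_backup01
shared-helpdesk

Privileged Admin
svc_batch02
"""

def quote_name(name: str) -> str:
    # The console takes the name as one argument; quote it when it
    # contains whitespace so it is not split into several arguments.
    return f'"{name}"' if any(ch.isspace() for ch in name) else name

def build_delete_commands(names: Iterable[str]) -> List[str]:
    """Return de-duplicated `delete Identity <name>` lines, order preserved."""
    seen = set()
    commands = []
    for raw in names:
        name = raw.strip()
        if not name or name in seen:
            continue  # skip blanks and repeats so the count matches your list
        seen.add(name)
        commands.append(f"delete Identity {quote_name(name)}")
    return commands

def write_source_file(names: Iterable[str], path: str) -> int:
    """Write the commands to `path` and return how many were written."""
    commands = build_delete_commands(names)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write("\n".join(commands) + "\n")
    return len(commands)

if __name__ == "__main__":
    count = write_source_file(SAMPLE_NAMES.splitlines(), "identityData.txt")
    print(f"wrote {count} commands; review the file, back up the database, then run: source identityData.txt")
```

Compare the returned count with the size of your identified list before running `source identityData.txt`; a mismatch means a blank or duplicated name in the export.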

Related

Find Azure Service Principal permissions using Azure Powershell cmdlets

I'm trying to create a custom role for a service principal in Azure for an automation script that runs on Azure Powershell.
I have the cmdlets, but is there a faster way to find what permission every cmdlet needs rather than searching for every permission in the full list of Azure Built-in Roles and "guessing" whether it is the right permission or not?
If you take a look at the MgGraph cmdlets (Install-Module Microsoft.Graph) you get the cmdlet Find-MgGraphCommand, which tells you what permissions are needed to run a specific cmdlet, e.g.:
(Find-MgGraphCommand -command new-MgUser).permissions
Name IsAdmin Description FullDescription
---- ------- ----------- ---------------
DeviceManagementApps.ReadWrite.All True Read and write Microsoft Intune apps Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune.
DeviceManagementManagedDevices.ReadWrite.All True Read and write Microsoft Intune devices Allows the app to read and write the properties of devices managed by Microsoft Intune. Does not allow high impact operations such as remote wipe and password reset on the device’s owner.
DeviceManagementServiceConfig.ReadWrite.All True Read and write Microsoft Intune configuration Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration.
Directory.ReadWrite.All True Read and write directory data Allows the app to read and write data in your organization's directory, such as other users, groups. It does not allow the app to delete users or groups, or reset user passwords.
User.ReadWrite.All True Read and write all users' full profiles Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on your behalf.
DeviceManagementApps.ReadWrite.All True Read and write Microsoft Intune apps Allows the app to read and write the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune.
DeviceManagementManagedDevices.ReadWrite.All True Read and write Microsoft Intune devices Allows the app to read and write the properties of devices managed by Microsoft Intune. Does not allow high impact operations such as remote wipe and password reset on the device’s owner.
DeviceManagementServiceConfig.ReadWrite.All True Read and write Microsoft Intune configuration Allows the app to read and write Microsoft Intune service properties including device enrollment and third party service connection configuration.
Directory.ReadWrite.All True Read and write directory data Allows the app to read and write data in your organization's directory, such as other users, groups. It does not allow the app to delete users or groups, or reset user passwords.
User.ReadWrite.All True Read and write all users' full profiles Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on your behalf.

What rights or permissions does a user need to be able to run certain PowerShell commands in Azure?

I am trying to determine the minimum user rights/roles I can assign a user just so they can pull information from Azure AD, etc.
Currently the commands I am looking into are: Get-AzureADDevice, Get-AzureADUser, Get-MsolDevice.
All documentation I find just lists uses, examples etc. but not rights and I am currently unable to test out a case by case from normal user up to admin to find which rights are required.
Assigned the Global Reader role to the user and tested one of the given commands (Get-AzureADUser) in the Question.
Tried to update the user, but it was not possible due to the role permission restrictions.
Note: Global Reader - Can read everything that a Global Administrator can, but not update anything.
Updated Answer:
Assigned the Directory Reader Role to the user and checked the workflow: I was able to get the information but not to update or do management work like updating/modifying the information using Azure Active Directory PowerShell commands:
Workaround Result:
Note: Directory Reader Role - Can read basic directory information. Commonly used to grant directory read access to applications and guests.
Depending on your requirement, you can choose any of the above RBAC for the user.

What are the required permissions for the Azure Backup Service?

I am met with the following error details when investigating why an Azure encrypted VM backup failed, but the link provided with the error (https://learn.microsoft.com/en-in/azure/backup/backup-azure-vms-encryption) doesn't resolve my question: exactly which permissions should I grant? All it says is that "The required permissions are prefilled for Key permissions and Secret permissions." Well, that's not a lot of help! I had those permissions already set as default I thought, because I do have lots of backups/snapshots; obviously backups have been working in the past. If I am missing some permission now, is it a Key permission, or a Secret permission? It's not clear! I do see I have the following set up right now:
Key permissions:
Key Management Operations
Get (checked)
List (checked)
Update
Create
Import
Delete
Recover
Backup (checked)
Restore
Cryptographic Operations:
Decrypt
Encrypt
Unwrap Key
Wrap Key
Verify
Sign
Privileged Key Operations
Purge
Secret permissions:
Secret Management Operations
Get (checked)
List (checked)
Set
Delete
Recover
Backup
Restore
Privileged Secret Operations
Purge
Certificate permissions:
Certificate Management Operations
Get
List
Update
Create
Import
Delete
Recover
Backup
Restore
Manage Contacts
Manage Certificate Authorities
Get Certificate Authorities
List Certificate Authorities
Set Certificate Authorities
Delete Certificate Authorities
Privileged Certificate Operations
Purge
Below is the error I see for my backup:
Error Code
UserErrorKeyVaultPermissionsNotConfigured
Error Message
Azure Backup Service does not have sufficient permissions to Key Vault for Backup of Encrypted Virtual Machines.
Recommended Action
Please grant the required permissions to the Azure Backup Service. Refer https://azure.microsoft.com/en-in/documentation/articles/backup-azure-vms-encryption/
Related Links
https://azure.microsoft.com/en-in/documentation/articles/backup-azure-vms-encryption
It looks like you missed the Backup permission of the Secret permissions.
In step 6 of the link,
I suppose you gave the permissions manually instead of selecting Azure Backup from "Configure from template (optional)"; if you select it, the permissions will be chosen automatically. That is what "The required permissions are prefilled for Key permissions and Secret permissions" means.
Here are the steps I took to correct this via http://portal.azure.com (I realize step 6 might be overkill as the Restore permission might be unnecessary here--but hey, this worked):
Search for "Key vaults".
Click on my key vault.
Click "Access policies".
Click "Backup Management Service".
Click on the Key permissions dropdown and uncheck all checkboxes.
Click on the Secret permissions dropdown and choose the Get, List, Backup, and Restore checkboxes.
Click OK.
Click Save back on the "Access policies" screen.
The last step above is important as missing it will cause your changes NOT to be saved. I wrote these steps up and followed them as influenced by a statement I found at https://learn.microsoft.com/en-us/azure/backup/backup-azure-vms-encryption that says, "If your VM is encrypted using BEK only, remove the selection for Key permissions since you only need permissions for secrets." It seems I have BEK--at least that's what my Secret Types are. And indeed, the above worked. The backups began to work again as of July 11th!

Can Application Insights merge Azure.Mobile.Server.Files activity with Azure Storage blob diagnostic logs?

When a client calls GetStorageTokenAsync on the server, it gets a token that can read, write, or delete objects on the target container.
The activity done on this container is more or less hidden from my application unless I scan the logs.
Therefore I'm left to guess, or do some cumbersome programming to determine what the files were, the content of the files, determine what changed, etc...
I want to gather empirical evidence of what a given userID did with a certain known Shared Access Signature token, and aggregate these into either an administrative console like Application Insights, or some other tool that will allow a programmatic response to the user's actions.
Question
What is the best way to align the actions a user takes with a given Shared Access Signature (specifically in the context of the NuGet package Microsoft.Azure.Mobile.Server.Files),
and aggregate these into either an administrative console like Application Insights, or some other tool that will allow a programmatic response to the user's actions?
There is no tool or service which supports it so far. I am afraid that you need to develop this tool by yourself. Storage Analytics logs are stored in the $logs container of your storage account. All the logs are written to a text file line by line.
What is the best way to align the actions a user takes, with a given Shared Access Signature
Based on the Storage Analytics Log Format, we can only get whether a storage operation is authenticated by Shared Access Signature or account key from 'authentication-type' (if the operation is authenticated by Shared Access Signature, the value of authentication-type will be 'sas'). We can't get the operations which relate to a given Shared Access Signature.
The Azure Storage Analytics log also contains the requester-ip-address, which could identify the client that sent the storage operation request. If the IP address of the client is static, it will help you get all the actions which the specific user took.
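An added example, not from the original answer, that applies the two fields named above (authentication-type and requester-ip-address) to constructed $logs lines and groups SAS-authenticated operations by client IP; the field positions assume the 1.0 log format and should be checked against your own logs:

```python
"""Group Storage Analytics log entries by SAS-authenticated requester IP.

Added example, not from the original answer. Assumes the Storage Analytics
1.0 log format from the $logs container: ';'-separated fields where field 8
is authentication-type and field 16 is requester-ip-address (1-based); check
those positions against your own log lines before relying on them.
"""
import csv
from collections import defaultdict
from typing import Dict, Iterable, List

# 0-based field positions this example uses (assumed from the 1.0 format).
OPERATION, AUTH_TYPE, OBJECT_KEY, REQUESTER_IP, MIN_FIELDS = 2, 7, 12, 15, 16

# Constructed sample: two SAS requests from one client and one account-key
# request from another, with the URL and object-key fields quoted as in $logs.
SAMPLE_LOG = """\
1.0;2024-01-05T10:01:02.0000000Z;PutBlob;Success;201;12;11;sas;;myaccount;blob;"https://myaccount.blob.core.windows.net/uploads/a.txt?sv=2019-07-07&sig=REDACTED";"/myaccount/uploads/a.txt";req-1;1;203.0.113.7:51234;2019-07-07;300;1024;200;0;1024;;;;;;;;
1.0;2024-01-05T10:01:09.0000000Z;DeleteBlob;Success;202;9;8;sas;;myaccount;blob;"https://myaccount.blob.core.windows.net/uploads/a.txt?sv=2019-07-07&sig=REDACTED";"/myaccount/uploads/a.txt";req-2;1;203.0.113.7:51240;2019-07-07;280;0;180;0;0;;;;;;;;
1.0;2024-01-05T10:02:30.0000000Z;GetBlob;Success;200;15;14;authenticated;myaccount;myaccount;blob;"https://myaccount.blob.core.windows.net/uploads/b.txt";"/myaccount/uploads/b.txt";req-3;1;198.51.100.9:44000;2019-07-07;250;0;210;2048;0;;;;;;;;
"""

def parse_line(line: str) -> List[str]:
    # Quoted fields (URL, object key, user agent) may contain ';', so use a
    # real CSV parser rather than str.split.
    return next(csv.reader([line], delimiter=";", quotechar='"'))

def sas_operations_by_ip(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Map requester IP -> ['<operation> <object-key>', ...] for SAS-authenticated requests only."""
    result: Dict[str, List[str]] = defaultdict(list)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        fields = parse_line(line)
        if len(fields) < MIN_FIELDS or fields[AUTH_TYPE] != "sas":
            continue  # account-key and anonymous requests are not token activity
        ip = fields[REQUESTER_IP].rsplit(":", 1)[0]  # drop the source port
        result[ip].append(f"{fields[OPERATION]} {fields[OBJECT_KEY]}")
    return dict(result)

if __name__ == "__main__":
    for ip, ops in sas_operations_by_ip(SAMPLE_LOG.splitlines()).items():
        print(ip, ops)
```

Joining the per-IP groups with your own record of which client was issued which SAS (and when) is what turns this into the per-user trail the question asks for; the log alone only gives you the IP and the 'sas' flag.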

Azure Active Directory Object Permissions

I have an Azure Active Directory Application (and associated Service Principal). That Service Principal needs to be able to add and remove members from an Azure Active Directory Group...so I have added Read and write directory data under Application Permissions:
And I have code that uses the Client ID and Client Secret to get an Authentication Token and perform these operations using the Azure Graph API.
However, this permission is far too broad. I need the Application/Service Principal to only have the ability to add and remove members from specific groups (not all)...and not the ability to perform other types of operations.
Is there a way to do this?
Thank you.
There is a preview feature that partly fits your requirement: "Group.ReadWrite.All". It lets your principal create and update groups and their navigation properties (incl. members). It does not however reduce the permissions to modify only certain groups.
AAD permission scopes are described here: https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes
Preview features may be subject to change and you'll have to agree to reduced service terms etc.: https://azure.microsoft.com/en-us/services/preview/
