Azure SQL Azure AD Only Authentication enforcement - azure

I'm trying to enforce Azure AD Only Authentication on Azure SQL Server.
There is already a Built-In Policy which enforces it only for newly
created Resources, but there is still the possibility after creation
to change it back to Local SQL Admin Authentication, and I want to close this gap with Azure Policy.
I already tried to create a Policy with the "azureADOnlyAuthentication" property,
but this did not work and I don't get it. Does someone have any idea?
{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Sql/servers"
        },
        {
          "field": "Microsoft.Sql/servers/administrators.azureADOnlyAuthentication",
          "notequals": true
        }
      ]
    },
    "then": {
      "effect": "[parameters('effect')]"
    }
  }
}

While creating a policy for Azure AD only authentication in SQL server, make sure to include the attributes below:
The Policy Effect: DeployIfNotExists. If the condition is not met it will generate a deployment.
The ExistenceCondition: If the Azure SQL Server does not accept Azure AD Authentication only, then it executes a deployment.
Deployment: The deployment property contains the ARM template, which is incremental. The parameter is filled with the expression [field('name')].
Please check the sample below if helpful:
{
  "policyRule": {
    "if": {
      "allOf": [
        {
          "field": "type",
          "equals": "Microsoft.Sql/servers"
        }
      ]
    },
    "then": {
      "effect": "deployIfNotExists",
      "details": {
        "type": "Microsoft.Sql/servers/azureADOnlyAuthentications",
        "name": "Default",
        "existenceCondition": {
          "allOf": [
            {
              "field": "Microsoft.Sql/servers/azureADOnlyAuthentications/azureADOnlyAuthentication",
              "equals": true
            }
          ]
        },
        "deployment": {
          "properties": {
            "mode": "incremental"
          }
        }
      }
    }
  }
}
For more detail, please refer to the link below:
Azure SQL: Enforcing Azure AD Only Authentication - Simple Talk (red-gate.com)

Related

Create conditional access policy from Graph API

I have a few users with the 'Application Administrator' role. I don't want those users to manage all applications.
So, I tried to implement a conditional access policy to block access. I came to know I can select users with directory roles while creating the policy.
In the Portal, I'm able to create the policy and configure it with no loss. But I want to know if the same is possible using the Graph API or not.
Has anyone achieved this from Graph? Please help me with the whole steps to follow.
TIA
I tried to reproduce the same in my environment via Graph Explorer and got the below results:
You can make use of the graph query below to create the conditional access policy (the value under includeRoles is the ID of the Application Admin role):
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
Content-type: application/json
{
  "displayName": "Block access to Application Admins.",
  "state": "enabled",
  "conditions": {
    "clientAppTypes": [
      "all"
    ],
    "applications": {
      "includeApplications": [
        "appID1",
        "appID2"
      ]
    },
    "users": {
      "includeRoles": [
        "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"
      ]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": [
      "block"
    ]
  }
}
Response:
To confirm that, I checked in the Azure Portal, where the policy is created successfully like below:
When I opened that policy, the users with the Application Administrator role are selected as below:

Azure AD provisioning sends SCIM replace operation when adding user to group

I have user and group provisioning set up for an enterprise application in Azure AD. I have a SCIM endpoint set up in my application to consume the SCIM requests from Azure AD. I added this feature flag to my tenant URL to ensure SCIM compliance: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-config-problem-scim-compatibility#flags-to-alter-the-scim-behavior
I have a group assigned to the enterprise application for provisioning to my application. When I add users to that group in Azure AD, I'm seeing two PATCH requests to the Groups/:id SCIM endpoint. The first is an add operation, which I expect because I'm adding this user as a member of the group:
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "add",
      "path": "members",
      "value": [
        {
          "value": "directory_user_01F7SGPZHKVGHZMCRNHGJXW1E9"
        }
      ]
    }
  ]
}
The second PATCH request is a replace operation, which is unexpected as I'm not replacing all users in a group with the one member being added:
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "replace",
      "path": "members",
      "value": [
        {
          "value": "directory_user_01F7SGPZHKVGHZMCRNHGJXW1E9"
        }
      ]
    }
  ]
}
The SCIM protocol RFC outlines the difference between the add and replace operations in PATCH requests. If users are added as members of a group, there should only be an add operation, not a replace operation. Is there any way to configure Azure so it only sends add operations in this situation? Thanks!

Azure Policy not denying Custom Role creation

I am currently helping investigate adopting Azure for my organization's public cloud. One of the tasks I have been assigned is locking down accounts to prevent users from being able to elevate their permissions within a subscription.
One of the things in particular I am interested in is denying the creation of Custom Roles, as we don't want people to go and start creating their own roles until the need for the role has been vetted by security.
I have been trying to do this via an Azure policy with the following definition:
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Authorization/roleDefinitions"
      },
      {
        "field": "Microsoft.Authorization/roleDefinitions/type",
        "equals": "CustomRole"
      }
    ]
  },
  "then": {
    "effect": "Deny"
  }
}
It was actually just the built-in "Audit Custom Roles" policy copied over, changing the effect from "Audit" to "Deny".
However, I have applied this policy to the Management Group that contains the subscription I am testing with, and yet when I log in to the CLI and try to create a new custom role it goes ahead and creates the role.
I have ensured that the policy is present on the subscription, and I have confirmed that I am in the correct subscription in the CLI (using az account show), yet I am still allowed to create custom roles.
Is this just not something Azure supports, or is there something else I am missing? Any help or guidance would be greatly appreciated as the Microsoft docs and the numerous examples available online don't seem to have any information on controlling roles with policies.
P.S.
I know that you can control roles to some extent through policies as we have another policy that prevents the assignment of a certain set of roles from happening and that does work.
It looks like Azure CLI creates the role definition without populating the "type" field. The following policy will handle this:
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.Authorization/roleDefinitions"
      },
      {
        "anyOf": [
          {
            "field": "Microsoft.Authorization/roleDefinitions/type",
            "equals": "CustomRole"
          },
          {
            "field": "Microsoft.Authorization/roleDefinitions/type",
            "exists": "false"
          }
        ]
      }
    ]
  },
  "then": {
    "effect": "Deny"
  }
}

Azure permissions over microsoft.aadiam/diagnosticSettings/write

I'm trying to call the API provider above via REST with the following URL:
https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings with api-version=2017-04-01-preview
However, even though the Service Principal I am using is a member of the "Global Administrator" role in my AAD tenant, I am getting a "does not have authorization to perform action" error.
This endpoint doesn't seem to be documented, though.
Does anybody know what is required to call this API endpoint with a service principal?
Thanks,
David
Try to add a custom role with the action microsoft.aadiam/diagnosticsettings/write to your AD App.
According to the doc, you can use a custom role to do the operation:
This article lists the operations available for each Azure Resource Manager resource provider. These operations can be used in custom roles to provide granular role-based access control (RBAC) to resources in Azure.
For more details on creating the custom role, refer to this link.
Sample:
{
  "Name": "Test Operator",
  "Id": "88888888-8888-8888-8888-888888888888",
  "IsCustom": true,
  "Description": "xxxxxx",
  "Actions": [
    "microsoft.aadiam/diagnosticsettings/write",
    "microsoft.aadiam/diagnosticsettings/read"
  ],
  "NotActions": [
  ],
  "DataActions": [
  ],
  "NotDataActions": [
  ],
  "AssignableScopes": [
    "/subscriptions/{subscriptionId1}",
    "/subscriptions/{subscriptionId2}",
    "/subscriptions/{subscriptionId3}"
  ]
}
Update:
You can use a user account with the global admin role; refer to the steps below.
1. Navigate to Azure Active Directory -> Diagnostic settings -> Add diagnostic setting -> set the properties and open the Developer Tools (F12) -> Save.
2. In the request we caught, copy the Bearer token.
3. Then we can test the API in Postman.
Request URL:
PUT https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/{name}?api-version=2017-04-01-preview
Request Header:
Request Body:
{
  "properties": {
    "logs": [
      {
        "category": "AuditLogs",
        "enabled": true,
        "retentionPolicy": {
          "days": 0,
          "enabled": false
        }
      },
      {
        "category": "SignInLogs",
        "enabled": true,
        "retentionPolicy": {
          "days": 0,
          "enabled": false
        }
      }
    ],
    "metrics": [],
    "storageAccountId": "/subscriptions/xxxx/resourceGroups/xxx/providers/Microsoft.Storage/storageAccounts/xxx"
  }
}
It works on my side.
I tested it with a global administrator user, and it works correctly for me.
The following are the detailed steps:
1. Create a native Azure AD application and grant permission for it.
2. Create a global administrator user; please also change the default password.
Note: the user format should be xxxx#xxx.onmicrosoft.com, or you can't use the password way to get the token based on my test.
3. Assign the owner role on the subscription.
4. Then we can use the following way to get the access token:
POST https://login.windows.net/<tenant-id>/oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=password
&resource={resource}
&username={username}
&password={password}
&client_id={client-id}
5. Try to operate the diagnosticSettings:
PUT https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/{name}?api-version=2017-04-01-preview
{"properties":{"logs":[{"category":"AuditLogs","enabled":true,"retentionPolicy":{"days":0,"enabled":false}},{"category":"SignInLogs","enabled":false,"retentionPolicy":{"days":0,"enabled":false}}],"metrics":[],"storageAccountId":"/subscriptions/{subscriptionId}/resourceGroups/{groupname}/providers/Microsoft.Storage/storageAccounts/{accountName}"}}

Azure SQL PaaS and Azure Policy interactions

Does anyone have any idea as to how I can restrict the IP addresses added to the SQL firewall rule via policy?
I have been attempting it for a while now; my policy looks like the below. I have tried everything; is there something I'm overlooking?
{
  "if": {
    "allOf": [
      {
        "field": "type",
        "equals": "Microsoft.SQL/servers/firewallRules"
      },
      {
        "Not": {
          "anyOf": [
            {
              "field": "Microsoft.Sql/servers/firewallRules/startIpAddress",
              "in": "[parameters('StartIP')]"
            },
            {
              "field": "Microsoft.Sql/servers/firewallRules/endIpAddress",
              "in": "[parameters('EndIP')]"
            }
          ]
        }
      }
    ]
  },
  "then": {
    "effect": "Deny"
  }
}
But it always throws a policy error when I update the firewall rules, despite what's provided in the policy assignment.
For example, if my parameters are both " 0.0.0.0;8.8.8.8 ", I would think I could have access to Azure services enabled and 8.8.8.8, but that's not the case; I just get the same old "denied due to policy" error.
If I use just 0.0.0.0 as the parameter on the assignment I can provision new SQL servers; with it removed I cannot, which leads me to believe that, to some extent, the policy is working.
I know I can do the whole VNet route and use NSGs to accomplish just about the same thing; however, my organization does not want to go this route and would rather it be done in policy.
I don't have enough reputation to comment on your question. However, make sure you are being careful with your assignment parameters when entering them in the Portal. It takes the strings as-is, so if you entered " 0.0.0.0;8.8.8.8 " as you specified, the leading and trailing space would mess up the comparisons.
You can check to see what the exact parameter values are in the assignment by using the Get-AzureRmPolicyAssignment PowerShell cmdlet (or similar Azure CLI commands). To make using the cmdlet easier, the full ID of the assignment is exposed on the assignment's compliance view in the Portal.
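The definition below is an added example (not the asker's policy or the answer's) of the same check with the allowed addresses declared as Array parameters, which is what the in/notIn operators compare against, so no delimiter string is parsed at evaluation time; it is stricter than the posted rule in that both the start and the end address must be on their allow-lists. The parameter names allowedStartIps and allowedEndIps are my own.

```json
{
  "properties": {
    "displayName": "Restrict Azure SQL firewall rules to an allow-list",
    "mode": "All",
    "parameters": {
      "allowedStartIps": {
        "type": "Array",
        "metadata": { "description": "Permitted startIpAddress values, one IP per array entry" }
      },
      "allowedEndIps": {
        "type": "Array",
        "metadata": { "description": "Permitted endIpAddress values, one IP per array entry" }
      }
    },
    "policyRule": {
      "if": {
        "allOf": [
          { "field": "type", "equals": "Microsoft.Sql/servers/firewallRules" },
          {
            "anyOf": [
              { "field": "Microsoft.Sql/servers/firewallRules/startIpAddress", "notIn": "[parameters('allowedStartIps')]" },
              { "field": "Microsoft.Sql/servers/firewallRules/endIpAddress", "notIn": "[parameters('allowedEndIps')]" }
            ]
          }
        ]
      },
      "then": { "effect": "Deny" }
    }
  }
}
```

An assignment then supplies plain arrays such as "allowedStartIps": { "value": ["0.0.0.0", "8.8.8.8"] }, and the 0.0.0.0 entry is what keeps the "Allow Azure services" rule creatable.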
