is there a way to add Add role to existing App registration in Azure Active Directory using REST API/CLI/Powershell?
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
Yes, using the Azure CLI you can specify application roles within the manifest.json. Here an example:
[
{
"allowedMemberTypes": ["User"],
"description": "Approvers can mark documents as approved",
"displayName": "Approver",
"isEnabled": "true",
"value": "approver"
}
]
The corresponding CLI command:
az ad app create --display-name mytestapp --identifier-uris https://mytestapp.websites.net --app-roles #manifest.json
Source.
Related
I have a setup which uses Azure AD B2C and I want to enable monitoring using Azure Monitor.
I followed the steps described on this page: https://learn.microsoft.com/en-us/azure/active-directory-b2c/azure-monitor
It works, but before I enroll it to other environments I would like to verify what changes the ARM template being referred to in the documentation exactly made. If I interpret the ARM template correctly it creates a Managed Services Registration Definition and assigns this to provided resource group.
Is it possible to see in the Azure Portal what Managed Services Registration Definitions are assigned to a resource group?
ARM Template:
{
"$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"mspOfferName": {
"type": "string",
"metadata": {
"description": "Specify a unique name for your offer"
},
"defaultValue": "<to be filled out by MSP> Specify a title for your offer"
},
"mspOfferDescription": {
"type": "string",
"metadata": {
"description": "Name of the Managed Service Provider offering"
},
"defaultValue": "<to be filled out by MSP> Provide a brief description of your offer"
},
"managedByTenantId": {
"type": "string",
"metadata": {
"description": "Specify the tenant id of the Managed Service Provider"
},
"defaultValue": "<to be filled out by MSP> Provide your tenant id"
},
"authorizations": {
"type": "array",
"metadata": {
"description": "Specify an array of objects, containing tuples of Azure Active Directory principalId, a Azure roleDefinitionId, and an optional principalIdDisplayName. The roleDefinition specified is granted to the principalId in the provider's Active Directory and the principalIdDisplayName is visible to customers."
},
"defaultValue": [
{
"principalId": "<Replace with group's OBJECT ID>",
"principalIdDisplayName": "Azure AD B2C tenant administrators",
"roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c"
}
]
},
"rgName": {
"type": "string",
"defaultValue": "<Replace with Resource Group's Name e.g. az-monitor-rg>"
}
},
"variables": {
"mspRegistrationName": "[guid(parameters('mspOfferName'))]",
"mspAssignmentName": "[guid(parameters('mspOfferName'))]"
},
"resources": [
{
"type": "Microsoft.ManagedServices/registrationDefinitions",
"apiVersion": "2019-06-01",
"name": "[variables('mspRegistrationName')]",
"properties": {
"registrationDefinitionName": "[parameters('mspOfferName')]",
"description": "[parameters('mspOfferDescription')]",
"managedByTenantId": "[parameters('managedByTenantId')]",
"authorizations": "[parameters('authorizations')]"
}
},
{
"type": "Microsoft.Resources/deployments",
"apiVersion": "2018-05-01",
"name": "rgAssignment",
"resourceGroup": "[parameters('rgName')]",
"dependsOn": [
"[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
],
"properties":{
"mode":"Incremental",
"template":{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {},
"resources": [
{
"type": "Microsoft.ManagedServices/registrationAssignments",
"apiVersion": "2019-06-01",
"name": "[variables('mspAssignmentName')]",
"properties": {
"registrationDefinitionId": "[resourceId('Microsoft.ManagedServices/registrationDefinitions/', variables('mspRegistrationName'))]"
}
}
]
}
}
}
],
"outputs": {
"mspOfferName": {
"type": "string",
"value": "[concat('Managed by', ' ', parameters('mspOfferName'))]"
},
"authorizations": {
"type": "array",
"value": "[parameters('authorizations')]"
}
}
}
Here, Msp offer and Msp description refers to the ARM template publication. Whenever you want to create your own managed service in the ARM template you assign one Msp offer for your service and description and send it to customers for use or even upload the template in Azure marketplace.
MSP is managed service offering, Where Microsoft cloud partners create their own managed service and make it available to their customer’s tenant privately for specific users or publish it publicly in Azure Marketplace to get more customers using their Service.
Imagine a scenario, where you are a MS partner managing multiple customers and their tenants, You require to create a managed service for your customer and provide them delegated access to your service, Here you first create an ARM template to onboard your customers, you can do it via Azure Lighthouse too. For onboarding you keep, Msp offer ID which is unique for individual customers also if you want to keep the offer ID default for all customers, Even that can be set, After Msp offer ID, you can delegate your service to the customer by either allowing them to assign their tenant Id or service principal, group, user object ID in your template, Once that is assigned your managed service will be available for the customers to use. You can keep the offer public or private, you can also keep one managed identity for all the customers or allow customers to provide their own Object ID of their tenant’s group, users or service principals.
In the above document, ARM template is created with MSP offer in your Azure AD tenant to provide delegated access to your Azure AD B2C tenant, Thus you are managing your Azure AD B2C tenant via your Azure AD by providing resource group as a delegated resource between both the tenant and also your Group object ID which acts as a authorization between your Azure AD and Azure AD B2C tenant. If you go by above scenario- Imagine your Azure AD tenant as a partner tenant trying to provide managed service to your Azure AD B2C tenant.
I have followed the document and deployed an Azure monitoring service for Azure AD B2C
This ARM template is asking to connect the resource group from our or Azure subscription to our Azure AD B2C tenant.
It is authorizing our Azure AD B2C tenant with the group’s Object ID projecting it with Resource group of our Azure subscription.
mspOfferName- is the name of the offer or service that is being provided by our Azure subscription. Here we can give any name according to our need. For now we are integrating Azure monitor log analytics workspace with our Azure AD B2C tenant, Thus we use name – Azure AD B2C Monitoring.
mspofferDescription- Description of your service
managedByTenantID- this is going to be the Tenant ID or managed ID of your Azure AD B2C to onboard it to our subscription resource.
roleDefinitionID- is populated automatically, Which is your azure role, In my case I am using Azure subscription with Owner role, Thus the role definition Id of owner role is populated.
rgName- Is the name of our Resource group where our log analytics workspace is deployed.
After I created the Managed service- I went to go to resource and the deployment was successful.
After the deployment, I got the audit logs from azure ad b2c to my Azure log analytics successfully.
Customer statement:- “Is it possible to see in the Azure Portal what Managed Services Registration Definitions are assigned to a resource group?”
To view what managed service is deployed, you can visit > Azure Portal > Search> Service Provider >
You will find your service provider msp like below:-
As, this managed service is not part of Azure marketplace the Marketplace offer is not visible.
You can view your resource group delegated to the azure ad b2c tenant here:-
You can also visit your Resource group and check the deployment history:-
Here, Are the deployments that were succeeded as part of managed service: -
You can also view the complete logs of these 3 deployments that were created for your managed service creation and monitoring by visiting Activity Log :-
How to add authroized client applications (in portal : app registration -> Expose API -> add Authorized client applications) during app registration using powershell Azure CLI.
There is no az command to directly add preauthorized clients to a app registration instead you will have to use Graph API (beta) to update the same from Graph Explorer or az rest command.
Get OauthPermissionId with az command :
az ad app show --id $appId --query "oauth2Permissions[].id"
I tested the same from Graph Explorer :
Ran Patch : https://graph.microsoft.com/beta/applications/<appObjectId>
With Request body as :
{
"api": {
"preAuthorizedApplications": [
{
"appId": "authorizedappClientID",
"permissionIds": [
"oauth2PermissionId"
]
}
]
}
}
Output:
Reference for az rest can be fount in this SO thread answered by Joy Wang .
How to link an existing B2C tenant programatically via Azure CLI? Running this line:
az resource create --resource-group <rg> --resource-type Microsoft.AzureActiveDirectory/b2cDirectories --name <tenant>.onmicrosoft.com --location Europe --properties "{\"tenantId\": \"<tenantId>\", \"sku\": { \"name\": \"Standard\", \"tier\": \"A0\" } }"
Returns BadRequestError: The 'sku' property is required for creating a b2c directory resource but it is there
The ARM "B2C Link Resource" looks like this:
{
"type": "Microsoft.AzureActiveDirectory/b2cDirectories",
"apiVersion": "2017-01-30",
"name": "[parameters('name')]",
"location": "[parameters('location')]",
"tags": {},
"sku": {
"name": "Standard",
"tier": "A0"
},
"properties": {
"tenantId": "[parameters('tenantId')]"
}
}
Further Information:
I have tried different variations regarding the sku portion such as leaving it out completely or moving it as a dedicated parameter --sku Standard etc but none of them seem to work
Removing an existing link via az resource delete --ids /subscriptions/<subscriptionId>/resourceGroups/<rg>/providers/Microsoft.AzureActiveDirectory/b2cDirectories/<tenant>.onmicrosoft.com works perfectly fine
Why do we need this? We automate our infra deployment with Terraform. We're aware of the limitations automating B2C tenants (see here, here or here) so we aim for removing/adding the b2c link via pipeline to at least keep the subscription clean on destroying/applying infra.
Linking an existing B2C tenant via Azure Portal looks like this
Any advice appreciated. Thanks for your help!
I don't think Azure CLI currently can have the ability to manage B2C tenants.
As you are aware already, there is a detailed discussion done https://github.com/Azure/azure-cli/issues/12058
Other Programmatic Approach:
I had captured Fiddler Traces to understand the flow / or the endpoint that is responsible. I was able point to the below endpoint. I was checking for the create a new Azure B2C Tenant.
PUT https://management.azure.com/subscriptions/SUBSCRIBTION/resourceGroups/RESOURCEGROUP/providers/Microsoft.AzureActiveDirectory/b2cDirectories/contosoorganiztion.onmicrosoft.com?api-version=2019-01-01-preview
{"location":"United States","sku":{"name":"Standard","tier":"A0"},"properties":{"createTenantProperties":{"displayName":"Contoso Organization","countryCode":"US"}}}
However, I was not able to check the "Link to existing the Tenant" (for your requirement) option at my end due to permissions at my end. But I am assuming there should be a similar endpoint responsible for the same. You could capture Fiddler traces with Https decrypted (or any tool that will help capturing the decrypted HTTPS Traffic), trying to link an existing tenant to understand the endpoint and the request body.
Note :
Keep mind this API/endpoint is not supported and subject to change thus not recommended for production environments:
You will need access token in order to hit the endpoint.
To obtain token, resource id of the Azure portal would be :74658136-14ec-4630-ad9b-26e160ff0fc6
az account get-access-token --resource 74658136-14ec-4630-ad9b-26e160ff0fc6
Hi I am trying to deploy the resource using ARM template of type "Microsoft.Sql/servers/administrators"
below is the template
{
"type": "Microsoft.Sql/servers/administrators",
"apiVersion": "2019-06-01-preview",
"name": "[concat(parameters('sqlServerName'), '/ActiveDirectory')]",
"dependsOn": [
"[resourceId('Microsoft.Sql/servers', parameters('sqlServerName'))]"
],
"properties": {
"administratorType": "ActiveDirectory",
"login": "[parameters('activeDirectoryUserGroupName')]",
"sid": "",
"tenantId": "[subscription().tenantId]"
}
}
I am passing the active directory user group name as parameter, "sid" is the objectId of that active directory group. So is there any way to fetch the objectId in ARM template
We have no way to get the Azure AD group object id in Azure ARM template. Because the Azure AD group is Azure AD resource. It is not Azure resource. But the ARM template is only used to manage Azure resources. For more details, please refer to the document and the document
If the want to get the AD group object id, you can use Azure Powershell command $groubId=(Get-AzADGroup -DisplayName <groupName>).Id.
We currently have a Packer enterprise application that is running with the Contributor Role at the subscription level.
However, we feel that the application has too much scope. Instead we would like to give it Contributor level access for just one resource group.
Therefore, Packer would be able to create its temporary resources for creating images in just one resource group and would not need permissions for anything else in the subscription.
I created a custom role via JSON as follows: (I've changed to example subscription ID and resource names)
{
"assignableScopes": [
"/subscriptions/123456789/resourceGroups/packer"
],
"description": "Custom role for packer app, with granular permssions for packer resource group",
"id": "/subscriptions/123456789/providers/Microsoft.Authorization/roleDefinitions/123456-1234-1234-1234-12345678",
"name": "123456-1234-1234-1234-12345678",
"permissions": [
{
"actions": [
"Microsoft.Authorization/*/Delete",
"Microsoft.Authorization/*/Write",
"Microsoft.Authorization/elevateAccess/Action",
"Microsoft.Blueprint/blueprintAssignments/write",
"Microsoft.Blueprint/blueprintAssignments/delete"
],
"dataActions": [],
"notActions": [],
"notDataActions": []
}
],
"roleName": "PackerRole",
"roleType": "CustomRole",
"type": "Microsoft.Authorization/roleDefinitions"
}
I then created the role using Azure CLI:
az role definition create --role-definition PackerRole.json --subscription 123456789
However, I do not know how to assign it to the Packer application. It can't be assigned and doesn't appear at the subscription scope -- presumably because the custom role only has a scope of 1 resource group.
I've tried going to Azure Active Directory --> App Registrations --> Packer, but there is nowhere here to assign my custom created role. The 'Roles and Administrators' tab gives me no clarity as none of our custom roles are here, and creating a new role only seems to allow Permission actions in the format of microsoft.directory/applications/
Viewing the Managed Application page for this app provides no answers either, only allowing for User and Group assignment.
I've scoured the documentation but haven't found anything relevant to this use case so far.
You shouldn't need a custom role for this. The Contributor role is built-in and can be assigned to any scope. The reason your custom role can't be seen is that you're missing the "isCustom": true setting from the root of the object.
If you wish to assign contributor at the resource group level, you can use the Portal, PowerShell, Azure CLI, or even the REST APIs. This is known as a role assignment.
Since you seem to be using the CLI, you can assign the role at the RG scope as follows:
Assuming your application is running using a service principal:
az role assignment create --assignee <packer-service-principal> --role Contributor --scope /subscriptions/123456789/resourceGroups/packer --assignee-principal-type ServicePrincipal
If you want to use the Portal, you can go to Resource Groups -> packer -> Access control (IAM) -> Role assignments -> Add