How to add authorized client applications (in the portal: App registration -> Expose an API -> Add authorized client applications) during app registration using PowerShell or the Azure CLI.
There is no az command to directly add pre-authorized clients to an app registration; instead you will have to use the Graph API (beta) to update it, either from Graph Explorer or with the az rest command.
Get the OAuth permission id with the az command:
az ad app show --id $appId --query "oauth2Permissions[].id"
I tested the same from Graph Explorer:
Ran PATCH https://graph.microsoft.com/beta/applications/<appObjectId>
With the request body:
{
  "api": {
    "preAuthorizedApplications": [
      {
        "appId": "authorizedappClientID",
        "permissionIds": [
          "oauth2PermissionId"
        ]
      }
    ]
  }
}
Reference for az rest can be found in this SO thread answered by Joy Wang.
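An added example, not from the answer above, of the same PATCH issued with az rest from a bash script so it can run in a pipeline. It assumes an az login with rights to edit the API's application object, and on az 2.37 and later (Microsoft Graph based) it reads the scope ids from api.oauth2PermissionScopes rather than the older oauth2Permissions property used in the answer; the helper names and the AZ_DRY_RUN switch are ours. Because a pre-authorized client skips the user consent prompt for those scopes, the script only accepts the one client you pass in and reads the setting back after the PATCH.

```bash
#!/usr/bin/env bash
# Added example: pre-authorize one client app for the scopes an API app
# registration exposes, via `az rest` against Graph beta (same PATCH as the
# Graph Explorer call above). Helper names are ours; AZ_DRY_RUN=1 (default)
# skips the live az calls. Assumes az >= 2.37 (Microsoft Graph properties).
set -eu

# Build the PATCH body. Args: client appId, then one or more scope ids.
preauth_body() {
  local client_app_id="$1"; shift
  local ids="" id
  for id in "$@"; do
    ids="${ids:+$ids,}\"$id\""
  done
  printf '{"api":{"preAuthorizedApplications":[{"appId":"%s","permissionIds":[%s]}]}}' \
    "$client_app_id" "$ids"
}

# Resolve the API app's object id and exposed scope ids, PATCH, then read back.
# A pre-authorized client skips the user consent prompt for these scopes, so
# only pass a client you control and check the read-back matches what you sent.
authorize_client() {
  local api_app_id="$1" client_app_id="$2"
  local object_id scope_ids body
  object_id=$(az ad app show --id "$api_app_id" --query id -o tsv)
  # Scope ids of the API (on pre-2.37 az use --query "oauth2Permissions[].id" as in the answer)
  scope_ids=$(az ad app show --id "$api_app_id" --query "api.oauth2PermissionScopes[].id" -o tsv)
  # shellcheck disable=SC2086  # word-splitting the tsv list into arguments is intended
  body=$(preauth_body "$client_app_id" $scope_ids)
  az rest --method PATCH \
    --url "https://graph.microsoft.com/beta/applications/$object_id" \
    --headers "Content-Type=application/json" \
    --body "$body"
  az rest --method GET \
    --url "https://graph.microsoft.com/beta/applications/$object_id" \
    --query "api.preAuthorizedApplications"
}

# Offline demonstration with constructed ids (no az call).
if [ "${AZ_DRY_RUN:-1}" = 1 ]; then
  preauth_body 11111111-1111-1111-1111-111111111111 22222222-2222-2222-2222-222222222222
  echo
fi
```

Run with AZ_DRY_RUN=0 and call authorize_client <api appId> <client appId> to apply it for real.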
Is there a way to add a role to an existing App registration in Azure Active Directory using REST API/CLI/PowerShell?
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
Yes, using the Azure CLI you can specify application roles within the manifest.json. Here is an example:
[
  {
    "allowedMemberTypes": ["User"],
    "description": "Approvers can mark documents as approved",
    "displayName": "Approver",
    "isEnabled": true,
    "value": "approver"
  }
]
The corresponding CLI command (the @ prefix makes az read the roles from the file):
az ad app create --display-name mytestapp --identifier-uris https://mytestapp.websites.net --app-roles @manifest.json
Source.
How to link an existing B2C tenant programmatically via Azure CLI? Running this line:
az resource create --resource-group <rg> --resource-type Microsoft.AzureActiveDirectory/b2cDirectories --name <tenant>.onmicrosoft.com --location Europe --properties "{\"tenantId\": \"<tenantId>\", \"sku\": { \"name\": \"Standard\", \"tier\": \"A0\" } }"
returns BadRequestError: The 'sku' property is required for creating a b2c directory resource, but it is there.
The ARM "B2C Link Resource" looks like this:
{
  "type": "Microsoft.AzureActiveDirectory/b2cDirectories",
  "apiVersion": "2017-01-30",
  "name": "[parameters('name')]",
  "location": "[parameters('location')]",
  "tags": {},
  "sku": {
    "name": "Standard",
    "tier": "A0"
  },
  "properties": {
    "tenantId": "[parameters('tenantId')]"
  }
}
Further Information:
I have tried different variations regarding the sku portion, such as leaving it out completely or moving it to a dedicated parameter (--sku Standard etc.), but none of them seem to work.
Removing an existing link via az resource delete --ids /subscriptions/<subscriptionId>/resourceGroups/<rg>/providers/Microsoft.AzureActiveDirectory/b2cDirectories/<tenant>.onmicrosoft.com works perfectly fine.
Why do we need this? We automate our infra deployment with Terraform. We're aware of the limitations of automating B2C tenants (see here, here or here), so we aim to remove/add the b2c link via pipeline to at least keep the subscription clean when destroying/applying infra.
Linking an existing B2C tenant via Azure Portal looks like this
Any advice appreciated. Thanks for your help!
I don't think the Azure CLI currently has the ability to manage B2C tenants.
As you are aware already, there is a detailed discussion at https://github.com/Azure/azure-cli/issues/12058
Other Programmatic Approach:
I had captured Fiddler traces to understand the flow and the endpoint that is responsible. I was able to point to the endpoint below. I was checking the creation of a new Azure B2C tenant.
PUT https://management.azure.com/subscriptions/SUBSCRIPTION/resourceGroups/RESOURCEGROUP/providers/Microsoft.AzureActiveDirectory/b2cDirectories/contosoorganization.onmicrosoft.com?api-version=2019-01-01-preview
{"location":"United States","sku":{"name":"Standard","tier":"A0"},"properties":{"createTenantProperties":{"displayName":"Contoso Organization","countryCode":"US"}}}
However, I was not able to check the "Link to existing Tenant" option (your requirement) at my end due to permissions. But I am assuming there should be a similar endpoint responsible for it. You could capture Fiddler traces with HTTPS decrypted (or use any tool that captures decrypted HTTPS traffic) while linking an existing tenant, to understand the endpoint and the request body.
Note:
Keep in mind this API/endpoint is not supported and subject to change, thus not recommended for production environments.
You will need an access token in order to hit the endpoint.
To obtain a token, the resource id of the Azure portal is 74658136-14ec-4630-ad9b-26e160ff0fc6:
az account get-access-token --resource 74658136-14ec-4630-ad9b-26e160ff0fc6
I have created an RBAC-enabled service principal in Azure to configure Key Vault access within my OS using environment variables. When you create a service principal, the Azure CLI responds with the service principal details, containing the clientSecret value. Creation command:
az ad sp create-for-rbac -n http://my-name --sdk-auth
I would like to know if and how I can request the clientSecret later on. When I use
az ad sp show --id <my-service-principal-uuid>
or
az ad sp credential list --id <my-service-principal-uuid>
the clientSecret is not in the response information.
Is there any way to retrieve the clientSecret other than at the moment of creation?
You cannot retrieve it after creation. The best you can do is to reset it, at which point you will be shown the new value:
PS C:\> az ad sp credential reset --name foo
{
"appId": "...",
"name": "foo",
"password": "...",
"tenant": "..."
}
This means that you will need to update the credential manually wherever you've made use of it, for example in Azure DevOps if you've created an Azure RM service connection with that particular service principal.
You can get it like below.
# Create a service principal (-o tsv strips the JSON quotes from the queried value)
SPA_SP_APP_ID=$(az ad sp create-for-rbac --name $AKS_SP_NAME --skip-assignment --query appId -o tsv)
# Retrieve the service principal APPID and client secret
SPA_SP_SECRET=$(az ad sp credential reset --name $SPA_SP_APP_ID --query "password" -o tsv)
EDIT
As Moss mentioned above, you cannot retrieve it once it is created.
I'm creating an app registration with the Azure CLI using the
az ad app create ...
command.
In the manifest of the app registration there is a field signInAudience,
which I want to set to AzureADandPersonalMicrosoftAccount.
Calling
az ad app update --id [[APP_ID]] --set signInAudience=AzureADandPersonalMicrosoftAccount
returns
Property 'signInAudience' not found on root. Send it as an additional property .
Updates to converged applications are not allowed in this version.
How can I change it?
You can update the app with --available-to-other-tenants
az ad app update --id xxxx --available-to-other-tenants
This will set signInAudience property in manifest to either AzureADMultipleOrgs or AzureADMyOrg.
Check az ad app update -h for more help or Microsoft Docs
It's possible with version 2.37.0 and above, with the new --sign-in-audience parameter:
az ad app create --display-name "My test app" --sign-in-audience AzureADandPersonalMicrosoftAccount
From the app create documentation:
--sign-in-audience
Specifies the Microsoft accounts that are supported for the current application.
accepted values: AzureADMultipleOrgs, AzureADMyOrg, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount
You can try updating it using the App registrations (Preview) in the Azure Portal. Find your app and navigate to the Manifest using the left-hand navigation. Locate the signInAudience property and set it to AzureADandPersonalMicrosoftAccount. Then save your changes.
I am preparing a script that enables Diagnostics logs, sending them to a Storage Account.
# $storageid holds the resource id of the target storage account (set earlier in the script)
Get-AzureRmResource | ForEach-Object {
    # For now adding all registered resources to Diagnostics Logs. Should narrow to specific resource types?
    # Categories "Execution", "Request" only; the "AllMetrics" category intended to log all categories fails. Can add specific categories to each resource type.
    Write-Output "Adding resource $($_.ResourceId) to the storage"
    Set-AzureRmDiagnosticSetting -ResourceId $_.ResourceId -StorageAccountId $storageid -Enabled $true -RetentionEnabled $true -RetentionInDays 90 -Categories "Execution","Request"
}
This PowerShell command enables the Diagnostics Logs for the resources created within the Subscription.
What about enabling the Diagnostics Logs in Azure Active Directory? Do they include Audit and Sign-In logs?
Can someone please advise?
Many thanks!
Sergio
Update:
I am required to automate the following with PowerShell:
1. Go to Azure Portal
2. On the left blade, select Azure Active Directory
3. Select Audit Logs or Sign-In logs
4. On the top menu, select Export Data Settings
5. Click Add diagnostic setting
6. Check Archive to Storage Account and set Retention days.
Process described in video:
The video discussing Azure AD reports shows how to enable the logs; I am required to automate enabling the logs, not getting the report.
MSOL offers these log / audit resources.
Collect and consume log data from your Azure resources
Azure Monitor diagnostic logs are logs emitted by an Azure service that provide rich, frequent data about the operation of that service. Azure Monitor makes available two types of diagnostic logs:
• Tenant logs - these logs come from tenant-level services that exist outside of an Azure subscription, such as Azure Active Directory logs.
• Resource logs - these logs come from Azure services that deploy resources within an Azure subscription, such as Network Security Groups or Storage Accounts.
https://learn.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-overview-of-diagnostic-logs
Azure Active Directory Audit logs
Audit events currently provided from the management portal are also downloadable per documentation at Azure Active Directory Audit Report Events. It is now convenient for an admin of an organization to gather critical changes that are happening in their Azure Active Directory tenant.
https://blogs.msdn.microsoft.com/azuresecurity/2015/06/11/azure-active-directory-audit-logs
What other logs are you trying to enable beyond the above?
What are you after?
Note: AAD is not ADDS from a diagnostics approach perspective.
Update for OP
Audit Logs for Azure Events
https://blogs.msdn.microsoft.com/cloud_solution_architect/2015/03/10/audit-logs-for-azure-events/
Retrieving Resource Metrics and Creating Alert Rules via Azure PowerShell
Metric Definitions
The Get-AzureRmMetric cmdlet downloads the definitions of an Azure Insights metric. For example, the following retrieves the definitions for a VM named myVM in a resource group named myRG:
$resourceId = '/subscriptions/SUBSCRIPTION_guid/resourceGroups/myRG/providers/Microsoft.Compute/virtualMachines/myVM'
Get-AzureRmMetricDefinition -ResourceId $resourceId `
    -DetailedOutput
https://blogs.msdn.microsoft.com/cloud_solution_architect/2016/02/26/retrieving-resource-metrics-and-creating-alert-rules-via-azure-powershell
Example 4: Get all resources with a given name
PS C:\> Get-AzureRmResource -Name testVM | fl
Name : testVM
ResourceGroupName : testRG
ResourceType : Microsoft.Compute/virtualMachines
Location : westus
ResourceId : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testRG/providers/Microsoft.Compute/virtualMachines/testVM
Example 7: Get a resource by resource id
PS C:\> Get-AzureRmResource -ResourceId /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testRG/providers/Microsoft.Compute/virtualMachines/testVM
Name : testVM
ResourceGroupName : testRG
ResourceType : Microsoft.Compute/virtualMachines
Location : westus
ResourceId : /subscriptions/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/testRG/providers/Microsoft.Compute/virtualMachines/testVM
https://learn.microsoft.com/en-us/powershell/module/azurerm.resources/get-azurermresource?view=azurermps-6.7.0
Currently, it seems that there is no PowerShell command to get the Azure AD Audit and Sign-In logs directly.
If the Microsoft Graph REST API is acceptable, you could use the following Microsoft Graph REST APIs to do that.
GET tenant user activities https://graph.microsoft.com/beta/auditLogs/directoryAudits
GET tenant user sign-ins https://graph.microsoft.com/beta/auditLogs/signIns
We could also get the demo code from this link.
If we want to run the code, we need to complete the prerequisites to access the Azure Active Directory reporting API; for more information please refer to this document.
# $PastPeriod, $Tenantdomain and the GetReport function are defined in the linked demo script
$URIfilter = "?`$filter=activityDateTime gt $PastPeriod"
$url = "https://graph.microsoft.com/beta/auditLogs/directoryAudits" + $URIfilter
GetReport $url "DirectoryAudits" $Tenantdomain
For more information about Azure AD reports, please refer to this tutorial.
Update:
We could use the following REST API to enable/update the Azure AD Audit logs or Sign-In logs.
PUT https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/{name}?api-version=2017-04-01-preview
Body:
{
  "properties": {
    "logs": [
      {
        "category": "AuditLogs",
        "enabled": true,
        "retentionPolicy": {
          "days": 0,
          "enabled": false
        }
      },
      {
        "category": "SignInLogs",
        "enabled": true,
        "retentionPolicy": {
          "days": 0,
          "enabled": false
        }
      }
    ],
    "metrics": [],
    "storageAccountId": "/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Storage/storageAccounts/{storageAccountName}"
  }
}
I tested it with Postman.
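The same PUT issued with az rest from bash, added here as an example rather than taken from the answer. It assumes an az login with a directory role allowed to manage tenant diagnostic settings and a storage account resource id you supply; the function names and the AZ_DRY_RUN switch are ours. Unlike the body above, it switches the retention policy on so archived blobs are pruned after a set number of days (0 days leaves them in the account indefinitely), matching the 90-day retention the question applies to resource logs.

```bash
#!/usr/bin/env bash
# Added example: enable Azure AD AuditLogs/SignInLogs archiving to a storage
# account through the microsoft.aadiam diagnosticSettings ARM endpoint with
# `az rest`. Function names are ours; AZ_DRY_RUN=1 (default) skips live calls.
set -eu

AADIAM_URL="https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings"
API_VERSION="2017-04-01-preview"

# Emit the settings body. Args: storage account resource id, retention days
# (0 = keep blobs indefinitely, retention policy off), then log categories.
aad_diag_body() {
  local storage_id="$1" days="$2"; shift 2
  local enabled=false logs="" cat
  if [ "$days" -gt 0 ]; then enabled=true; fi
  for cat in "$@"; do
    logs="${logs:+$logs,}{\"category\":\"$cat\",\"enabled\":true,\"retentionPolicy\":{\"days\":$days,\"enabled\":$enabled}}"
  done
  printf '{"properties":{"logs":[%s],"metrics":[],"storageAccountId":"%s"}}' "$logs" "$storage_id"
}

# Create or update the tenant-level setting, then read it back so the
# pipeline log shows which categories are actually enabled and for how long.
enable_aad_logs() {
  local name="$1" storage_id="$2" days="$3"
  az rest --method PUT --url "$AADIAM_URL/$name?api-version=$API_VERSION" \
    --headers "Content-Type=application/json" \
    --body "$(aad_diag_body "$storage_id" "$days" AuditLogs SignInLogs)"
  az rest --method GET --url "$AADIAM_URL/$name?api-version=$API_VERSION" \
    --query "properties.logs[].{category:category,enabled:enabled,days:retentionPolicy.days}"
}

# Offline demonstration with a constructed (placeholder) storage account id.
if [ "${AZ_DRY_RUN:-1}" = 1 ]; then
  aad_diag_body "/subscriptions/<subscriptionId>/resourceGroups/<rg>/providers/Microsoft.Storage/storageAccounts/<name>" \
    90 AuditLogs SignInLogs
  echo
fi
```

With AZ_DRY_RUN=0, enable_aad_logs aad-to-storage <storage resource id> 90 applies the setting and prints the read-back.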