Develop Reference

Azure StorageAccount minimum TLS1.2 support

I use ARM to define my resources in Azure. Now i want to define the minimum supported TLS Version within my ARM Template for a StorageAccount.
Usually i just edit the resource via the dashboard and export the generated ARM Template to then look for the new change. Unfortunately for the TLS Version this does not seam to be a part of the ARM Template definition.
I also can not find any mention in the Schema definition -> https://github.com/Azure/azure-resource-manager-schemas/blob/master/schemas/2019-06-01/Microsoft.Storage.json
Does anyone know how i can for the minimum TLS Version to be no less than 1.2 during or directly after the resource deployment?

I just created a Storage account with tls 1.2 and i can see this in the template:
"minimumTlsVersion": "[parameters('minimumTlsVersion')]",
And the parameter value is:
"minimumTlsVersion": {
"value": "TLS1_2"
},
This is the full template
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"location": {
"type": "string"
},
"storageAccountName": {
"type": "string"
},
"accountType": {
"type": "string"
},
"kind": {
"type": "string"
},
"accessTier": {
"type": "string"
},
"minimumTlsVersion": {
"type": "string"
},
"supportsHttpsTrafficOnly": {
"type": "bool"
},
"allowBlobPublicAccess": {
"type": "bool"
},
"networkAclsBypass": {
"type": "string"
},
"networkAclsDefaultAction": {
"type": "string"
}
},
"variables": {},
"resources": [
{
"name": "[parameters('storageAccountName')]",
"type": "Microsoft.Storage/storageAccounts",
"apiVersion": "2019-06-01",
"location": "[parameters('location')]",
"properties": {
"accessTier": "[parameters('accessTier')]",
"minimumTlsVersion": "[parameters('minimumTlsVersion')]",
"supportsHttpsTrafficOnly": "[parameters('supportsHttpsTrafficOnly')]",
"allowBlobPublicAccess": "[parameters('allowBlobPublicAccess')]",
"networkAcls": {
"bypass": "[parameters('networkAclsBypass')]",
"defaultAction": "[parameters('networkAclsDefaultAction')]",
"ipRules": []
}
},
"dependsOn": [],
"sku": {
"name": "[parameters('accountType')]"
},
"kind": "[parameters('kind')]",
"tags": {}
}
],
"outputs": {}
}

Authenticate system assigned identity to Event Grid API connection

Can anyone help me find the client secret for a system assigned identity in an ARM template, or suggest an alternative approach?
I've got an ARM template which creates a Logic App with system assigned identity, and now I want to set up an API connection to trigger from Event Grid (without using the portal UI or a separate powershell command).
I can't figure out how to get the client secret for the system assigned identity. This would allow me to follow the answers in these previous questions:
Create API Connection for Azure Data Factory with service principal authentication using ARM Template
How to authenticate an Azure EventGrid API Connection using a script?
Here's what I have so far:
"resources": [
{
"apiVersion": "2016-06-01",
"type": "Microsoft.logic/workflows",
"name": "[variables('logicName')]",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [
"[variables('connections_azuretables_name')]"
],
"properties": {
"state": "Enabled",
"definition": {
<<SNIP>>
}
}
},
{
"type": "Microsoft.Web/connections",
"apiVersion": "2016-06-01",
"name": "[variables('azureEventGridConnectionAPIName')]",
"location": "[resourceGroup().location]",
"properties": {
"api": {
"id": "[concat('/subscriptions/subscriptionId', '/providers/Microsoft.Web/locations/', 'eastasia', '/managedApis/', 'azureeventgrid')]"
},
"parameterValues": {
"token:clientId": "[reference(variables('logicName'), '2016-06-01', 'Full').identity.principalId]",
"token:clientSecret": "########### STUCK HERE #################",
"token:TenantId": "[reference(variables('logicName'), '2016-06-01', 'Full').identity.tenantId]",
"token:grantType": "client_credentials"
},
"displayName": "[variables('azureEventGridConnectionAPIName')]"
},
"dependsOn": []
}
],

A managed identity has no client secret. It only has certificates, which you cannot access.
The template would have to execute within the logic app to get the access token, which I doubt it can do.

For anyone wondering, it is pretty straightforward to create a Service Principal manually and then feed it into the ARM template:
> az ad sp create-for-rbac --name MyPrincipal
{
"appId": "##############",
"displayName": "MyPrincipal",
"name": "http://MyPrincipal",
"password": "##############",
"tenant": "##############"
}
Now pass the appId (as clientId) password (as clientSecret) and tenant (as tenantId) into the parameterValues block in Microsoft.Web/connections. This will set up an Event Grid API connection for your logic app, but with implications for access policies and overhead of identity management outside of the ARM template.
The actual solution I've used is to create a webhook event subscription on Event Grid and then set up my logic app to have a web hook trigger. This works just fine.
Here's a sample solution:
{
"name": "[parameters('topicName')]",
"type": "Microsoft.EventGrid/topics",
"location": "[resourceGroup().location]",
"apiVersion": "2018-01-01",
"properties": { }
},
{
"name": "[concat(parameters('topicName'), '/Microsoft.EventGrid/', variables('topicSubscriptionName'))]",
"type": "Microsoft.EventGrid/topics/providers/eventSubscriptions",
"location": "[resourceGroup().location]",
"apiVersion": "2018-01-01",
"properties": {
"destination": {
"endpointType": "WebHook",
"properties": {
"endpointUrl": "[listCallbackURL(resourceId('Microsoft.Logic/workflows/triggers', parameters('logicName'), 'WorkaroundWebhookTrigger'), '2016-06-01').value]"
}
},
"filter": {
"includedEventTypes": [
"All"
]
}
},
"dependsOn": [
"[parameters('topicName')]",
"[parameters('logicName')]"
]
},
{
"apiVersion": "2016-06-01",
"type": "Microsoft.logic/workflows",
"name": "[parameters('logicName')]",
"location": "[resourceGroup().location]",
"identity": {
"type": "SystemAssigned"
},
"dependsOn": [],
"properties": {
"state": "Enabled",
"definition": {
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"$connections": {
"defaultValue": {},
"type": "Object"
}
},
"triggers": {
"WorkaroundWebhookTrigger": {
"type": "Request",
"kind": "Http",
"inputs": {
"schema": {
"properties": {
"data": {
"properties": {
"lorem": {
"type": "integer"
},
"ipsum": {
"type": "string"
}
},
"type": "object"
},
"dataVersion": {
"type": "string"
},
"eventTime": {
"type": "string"
},
"eventType": {
"type": "string"
},
"id": {
"type": "string"
},
"metadataVersion": {
"type": "string"
},
"subject": {
"type": "string"
},
"topic": {
"type": "string"
}
},
"type": "object"
}
}
}
},
<snip>

Azure ARM Template

Need you Help on something really quick :
How to set storage account "soft delete" option enabled using arm template?
2.What's the property that I should be using in arm template. Tried browsing through this site but couldn't get muchinformation - https://learn.microsoft.com/en-us/rest/api/storagerp/storageaccounts/getproperties
Any help is Much Appreciated.
Rocky

It seems that with the release of the 2018-11-01 version of the storage template it's now possible to enable soft delete in your ARM template.
Below you can find the template I've used:
{
"parameters": {
"NameForResources": {
"type": "string",
},
"ResourceLocation": {
"type": "string",
"defaultValue": "westeurope"
},
"Storage_Type": {
"type": "string",
"defaultValue": "Standard_LRS",
"allowedValues": [
"Standard_LRS",
"Standard_GRS",
"Standard_ZRS"
],
"metadata": {
"description": "Storage Account type"
}
}
},
"resources": [
{
"type": "Microsoft.Storage/storageAccounts",
"sku": {
"name": "[parameters('Storage_Type')]"
},
"kind": "Storage",
"name": "[parameters('NameForResources')]",
"apiVersion": "2018-11-01",
"location": "[parameters('ResourceLocation')]",
"properties": {
"encryption": {
"services": {
"blob": {
"enabled": true
},
"file": {
"enabled": true
}
},
"keySource": "Microsoft.Storage"
},
"supportsHttpsTrafficOnly": true
},
"resources": [
{
"name": "[concat(parameters('NameForResources'),'/','default')]",
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2018-11-01",
"properties": {
"deleteRetentionPolicy": {
"enabled": true,
"days": 30
}
},
"dependsOn": ["[concat('Microsoft.Storage/storageAccounts/', parameters('NameForResources'))]"]
}
]
}
],
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0"
}

I do not think it is currently possible to configure soft delete using ARM. Soft delete is a blob service property, not a property of the storage account.
https://learn.microsoft.com/en-us/azure/storage/blobs/storage-blob-soft-delete#powershell

For keyvaults, use "enableSoftDelete": true.
For storage accounts, add a blob service with 1) the following properties and 2) a dependsOn condition on the storage account:
{
"name": "[concat(parameters('storageAccountName'), '/default')]",
"type": "Microsoft.Storage/storageAccounts/blobServices",
"apiVersion": "2018-07-01",
"properties": {
"deleteRetentionPolicy": {
"enabled": true,
"days": 30
}
},
"dependsOn": [
"[concat('Microsoft.Storage/storageAccounts/', parameters('storageAccountName'))]"
]
}

How to enable app-service-authentication and logging into a blob via ARM-Template?

How to enable app-service-authentication and logging into a blob via ARM-Template?
hello everybody, i have a question i want to activate the app-service-authentication for anonymous requests and also the logging of everything that could happen in the website into a blob of a storageaccount via the resource template. what should i add to the template-json-file to do that?
thanks for every help
Edit:
I found out something.
with this snippet it work but that are not the correct settings
"properties": {
"name": "<#= website.Name #>",
"siteConfig": {
"alwaysOn": true,
"siteAuthEnabled": true,
"siteAuthSettings": null,
"httpLoggingEnabled": true,
"logsDirectorySizeLimit": 35,
"detailedErrorLoggingEnabled": true
},
now it looks like so:
but that is how it should be looking for:

According to your scenario, I have deployed my ARM template to enable Application Logging and Web server logging against Blob Storage, enable App Service Authentication and allow Anonymous requests for my Web App. Here are some detailed steps, you could refer to them.
1.Create Azure Resource Group project and add the Web App template;
2.Add "MONITORING > Diagnostic logs" configuration as follows:
3.Add "SETTINGS > Authentication/Authorization" configuration as follows:
4.Deploy the Web App and check it on Azure Portal:
Here is my website.json, you could refer to it.
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"hostingPlanName": {
"type": "string",
"minLength": 1
},
"skuName": {
"type": "string",
"defaultValue": "F1",
"allowedValues": [
"F1",
"D1",
"B1",
"B2",
"B3",
"S1",
"S2",
"S3",
"P1",
"P2",
"P3",
"P4"
],
"metadata": {
"description": "Describes plan's pricing tier and capacity. Check details at https://azure.microsoft.com/en-us/pricing/details/app-service/"
}
},
"skuCapacity": {
"type": "int",
"defaultValue": 1,
"minValue": 1,
"metadata": {
"description": "Describes plan's instance count"
}
}
},
"variables": {
"webSiteName": "[concat('webSite', uniqueString(resourceGroup().id))]"
},
"resources": [
{
"apiVersion": "2015-08-01",
"name": "[parameters('hostingPlanName')]",
"type": "Microsoft.Web/serverfarms",
"location": "[resourceGroup().location]",
"tags": {
"displayName": "HostingPlan"
},
"sku": {
"name": "[parameters('skuName')]",
"capacity": "[parameters('skuCapacity')]"
},
"properties": {
"name": "[parameters('hostingPlanName')]"
}
},
{
"apiVersion": "2015-08-01",
"name": "[variables('webSiteName')]",
"type": "Microsoft.Web/sites",
"location": "[resourceGroup().location]",
"tags": {
"[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/', parameters('hostingPlanName'))]": "Resource",
"displayName": "Website"
},
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms/', parameters('hostingPlanName'))]"
],
"properties": {
"name": "[variables('webSiteName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms', parameters('hostingPlanName'))]"
},
"resources": [
{
"name": "logs",
"type": "config",
"apiVersion": "2015-08-01",
"dependsOn": [ "[resourceId('Microsoft.Web/sites/', variables('webSiteName'))]" ],
"tags": {
"displayName": "websiteLogs"
},
"properties": {
"applicationLogs": {
"fileSystem": {
"level": "Off"
},
"azureTableStorage": {
"level": "Off",
"sasUrl": null
},
"azureBlobStorage": {
"level": "Error",
"sasUrl": "https://{your-storageaccount-name}.blob.core.windows.net/{container-name}?{sasToken}",
"retentionInDays": null
}
},
"httpLogs": {
"fileSystem": {
"retentionInMb": 35,
"retentionInDays": null,
"enabled": false
},
"azureBlobStorage": {
"sasUrl":"https://{your-storageaccount-name}.blob.core.windows.net/{container-name}?{sasToken}",
"retentionInDays": null,
"enabled": true
}
},
"failedRequestsTracing": {
"enabled": true
},
"detailedErrorMessages": {
"enabled": true
}
}
},
{
"name": "authsettings",
"type": "config",
"apiVersion": "2015-08-01",
"dependsOn": [ "[resourceId('Microsoft.Web/sites/', variables('webSiteName'))]" ],
"tags": {
"displayName": "websiteAuthSettings"
},
"properties": {
"enabled": true,
"httpApiPrefixPath": null,
"unauthenticatedClientAction": 1,
"tokenStoreEnabled": true,
"allowedExternalRedirectUrls": null,
"defaultProvider": 0,
"clientId": null,
"clientSecret": null,
"issuer": null,
"allowedAudiences": null,
"additionalLoginParams": null,
"isAadAutoProvisioned": false,
"googleClientId": null,
"googleClientSecret": null,
"googleOAuthScopes": null,
"facebookAppId": null,
"facebookAppSecret": null,
"facebookOAuthScopes": [
""
],
"twitterConsumerKey": null,
"twitterConsumerSecret": null,
"microsoftAccountClientId": null,
"microsoftAccountClientSecret": null,
"microsoftAccountOAuthScopes": [
""
]
}
}
]
}
]
}
Additionally, you could retrieve the configurations from resources.azure.com. Here is the screenshot for you to have a better understanding of the ARM template:

WebApp logging and authentication can be enabled via following resources in your template
{
"apiVersion": "2015-08-01",
"name": "logs",
"type": "config",
"location": "[resourceGroup().location]",
"dependsOn": [ "[resourceId('Microsoft.Web/Sites', variables('webSiteName'))]" ],
"properties": {
"applicationLogs": {
"fileSystem": {
"level": "off"
},
"azureTableStorage": {
"level": "off",
"sasUrl": null
},
"azureBlobStorage": {
"level": "off",
"sasUrl": null,
"retentionInDays": null
}
},
"httpLogs": {
"fileSystem": {
"retentionInMb": 35,
"retentionInDays": null,
"enabled": true
},
"azureBlobStorage": {
"sasUrl": null,
"retentionInDays": null,
"enabled": false
}
},
"failedRequestsTracing": {
"enabled": true
},
"detailedErrorMessages": {
"enabled": true
}
}
},
{
"apiVersion": "2015-08-01",
"name": "authsettings",
"type": "config",
"location": "[resourceGroup().location]",
"dependsOn": [ "[resourceId('Microsoft.Web/Sites', variables('webSiteName'))]" ],
"properties": {
"enabled": false,
"isAadAutoProvisioned": false
}
}
If you are not sure, what values should be in template.
Do following:
Provision Web App through the portal
Enable necessary settings
Go to https://resources.azure.com/ and check how template is configured for your Web App
Make changes in your template json file

​Log all the things
You could enable Diagnostics Logging (https://learn.microsoft.com/en-us/azure/app-service-web/web-sites-enable-diagnostic-log)
for your App Service and add it to your App Service Website by following this guide https://learn.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-enable-diagnostic-logs-using-template
For a general logging solution that helps you keep track of (almost) everything that happens in an App Service web site you could use Application Insights (AI). You can add Application Insights to your ARM template by following this article https://learn.microsoft.com/en-us/azure/application-insights/app-insights-powershell#create-an-azure-resource-manager-template. This will help you setup AI for your web and define any specific tracking and telemetry you want to log.
Basically this is what you need to add to your ARM template in order to add AI to an App Service:
"resources": [
{
"apiVersion": "2014-08-01",
"location": "[parameters('appLocation')]",
"name": "[parameters('appName')]",
"type": "microsoft.insights/components",
"properties": {
"Application_Type": "[parameters('applicationType')]",
"ApplicationId": "[parameters('appName')]",
"Name": "[parameters('appName')]",
"Flow_Type": "Redfield",
"Request_Source": "IbizaAIExtension"
}
},
{
"name": "[variables('billingplan')]",
"type": "microsoft.insights/components/CurrentBillingFeatures",
"location": "[parameters('appLocation')]",
"apiVersion": "2015-05-01",
"dependsOn": [
"[resourceId('microsoft.insights/components', parameters('appName'))]"
],
"properties": {
"CurrentBillingFeatures": "[variables('pricePlan')]",
"DataVolumeCap": {
"Cap": "[parameters('dailyQuota')]",
"WarningThreshold": "[parameters('warningThreshold')]",
"ResetTime": "[parameters('dailyQuotaResetTime')]"
}
}
},
"__comment":"web test, alert, and any other resources go here"
]
Of course, you need to provide values for all the parameters and variables based on the price plan and quotas you want to set.
You could then setup Continuous Export (https://learn.microsoft.com/en-us/azure/application-insights/app-insights-export-telemetry) from AI to export all logged telemetry to a separate Azure Storage blob for long term retention of your logged data. Unfortunatelly you cannot setup Continuous Export from the ARM template, but it will likely be available soon: https://visualstudio.uservoice.com/forums/357324-application-insights/suggestions/13718607-enable-programatic-configuration-of-continuous-exp
Authenticate all the things
Setting up Authentication in your App Service you can specify the authentication options as properties for your WebSite resource. I suggest you start by configuring the desired authentication model using the portal or PowerShell first and then extract the template from the resulting deployment https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-export-template as the actual properties and values to set are not well documented.
Creating an ARM template from the portal
You can do all the changes to your website, setup diagnostics directly in the portal and then extract a template that reflects what is currently deployed in that Resource Group.
Just go to your Resource Group and select Automation script, this will extract the template definition. It may not be the prettiest template or best structured, but it will contain your deployment (unless it shows a warning for some resources).

Tags Not Being Deployed to Server Farm with Azure ARM template

EDIT 11/15/2016: This was a bug in Azure which was fixed a couple of days ago.
Original post:
I'm trying to create several app services which depend on a server farm. I'm using an ARM template to deploy it. I'm using the same tags and tag format on every other resource in the template and they are getting created, but for some reason the tags on the server farm aren't. I can create the tags on the server farm through the Azure Portal and the Resource Explorer, but not through the ARM template.
Here's part of my resources section:
{
"comments": "",
"type": "Microsoft.Web/serverfarms",
"sku": {
"name": "S3",
"tier": "Standard",
"size": "S3",
"family": "S",
"capacity": 1
},
"tags": {
"tag1": "[parameters('tag1Value')]",
"tag2": "[parameters('tag2Value')]",
"tag3": "[parameters('tag3Value')]",
"tag4": "[parameters('tag4Value')]",
"tag5": "[parameters('tag4Value')]",
"tag6": "[parameters('tag6Value')]",
"tag7": "[parameters('tag7Value')]"
},
"name": "[variables('serverFarmName')]",
"apiVersion": "2015-08-01",
"location": "[parameters('location')]",
"properties": {
"name": "[variables('serverFarmName')]",
"numberOfWorkers": 1
},
"dependsOn": []
},
[...]
Any known issues with this? Do I have the tags in the wrong place?
Edit 8/8/2016:
Deploying just a server farm works correctly, but as soon as I add a site to that server farm the tags aren't deployed correctly. Here's what happens: Deployment starts, the server farm is created. Before the site is created I can rush into the Azure portal and see the tags created correctly on the server farm. As soon as the site is created I refresh, go back into the server farm, and the tags have disappeared.

It works fine on my side, you can try to leverage the Azure Resource Group project in Visual studio as mentioned at https://blogs.msdn.microsoft.com/kaevans/2015/11/22/creating-arm-templates-with-azure-resource-explorer/.
Here is my simple test template for your information:
{
"$schema": "http://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"tag1Value": { "type": "string" },
"tag2Value": { "type": "string" },
"tag3Value": { "type": "string" },
"tag4Value": { "type": "string" },
"tag5Value": { "type": "string" },
"tag6Value": { "type": "string" },
"tag7Value": { "type": "string" },
"garysfName": {
"type": "string",
"minLength": 1
},
"garysfSKU": {
"type": "string",
"allowedValues": [
"Free",
"Shared",
"Basic",
"Standard"
],
"defaultValue": "Free"
},
"garysfWorkerSize": {
"type": "string",
"allowedValues": [
"0",
"1",
"2"
],
"defaultValue": "0"
}
},
"variables": {
},
"resources": [
{
"name": "[parameters('garysfName')]",
"type": "Microsoft.Web/serverfarms",
"location": "[resourceGroup().location]",
"apiVersion": "2014-06-01",
"dependsOn": [ ],
"tags": {
"displayName": "garysf",
"tag1": "[parameters('tag1Value')]",
"tag2": "[parameters('tag2Value')]",
"tag3": "[parameters('tag3Value')]",
"tag4": "[parameters('tag4Value')]",
"tag5": "[parameters('tag4Value')]",
"tag6": "[parameters('tag6Value')]",
"tag7": "[parameters('tag7Value')]"
},
"properties": {
"name": "[parameters('garysfName')]",
"sku": "[parameters('garysfSKU')]",
"workerSize": "[parameters('garysfWorkerSize')]",
"numberOfWorkers": 1
}
},
{
"name": "[variables('garyarmwebappName')]",
"type": "Microsoft.Web/sites",
"location": "[resourceGroup().location]",
"apiVersion": "2015-08-01",
"dependsOn": [
"[concat('Microsoft.Web/serverfarms/', parameters('garysfName'))]"
],
"tags": {
"[concat('hidden-related:', resourceGroup().id, '/providers/Microsoft.Web/serverfarms/', parameters('garysfName'))]": "Resource",
"displayName": "garyarmwebapp"
},
"properties": {
"name": "[variables('garyarmwebappName')]",
"serverFarmId": "[resourceId('Microsoft.Web/serverfarms/', parameters('garysfName'))]"
}
}
],
"outputs": {
}
}
And the parameters JSON file:
{
"$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"tag1Value": { "value": "tag11" },
"tag2Value": { "value": "tag22" },
"tag3Value": { "value": "tag33" },
"tag4Value": { "value": "tag44" },
"tag5Value": { "value": "tag55" },
"tag6Value": { "value": "tag66" },
"tag7Value": { "value": "tag77" },
"garysfName": {
"value": "garyserverfarms"
}
}
}
And you can refer to https://ms.portal.azure.com/?flight=1&flight.browsegrid2=true&flight.pov2=true&flight.resourcemenuperf=true#blade/HubsExtension/SubscriptionTagsListBlade to check the tag list on Azure portal.