How do you set up app with permissions to Azure Compute API - azure

I am creating an API client for Azure Compute. I want the ability to start/stop/restart my Azure virtual machines.
In the past when I've created apps using the Graph API, I created a new app registration and then gave the app permissions for the actions I wanted under 'Microsoft Graph API' permissions list.
However, I cannot find Azure Compute listed in the available Microsoft APIs. I'm confused as to what I need to do in order to get API permissions for Azure compute as opposed to some of the other APIs.
I've spent the morning searching for tutorials or example implementations to look through, but combinations of Azure/Compute/API/permissions/etc... don't seem to ever come up with the results that I'm looking for.
Has anyone done something like this? Is it possible to use application permissions for Azure compute or is it entirely separate? Will it require a service account instead?

However, I cannot find Azure Compute listed in the available Microsoft APIs. I'm confused as to what I need to do in order to get API permissions for Azure compute as opposed to some of the other APIs.
The API you're looking for is Azure Service Management.
Once you add this delegated permission, you will be able to perform operations on your Virtual Machines provided your Service Principal is assigned an appropriate role (Virtual Machine Contributor, for example) in an Azure Subscription.

You can assign the App an RBAC role as though it were a user that you were giving permission to restart VMs. For example, you could go to the resource group that contains the VM, then go to Access Control (IAM) -> Add Role Assignment -> Add the app registration to the Contributor role.
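The two answers above describe the flow in words: the app authenticates as itself against Azure Resource Manager (the "Azure Service Management" audience, not Microsoft Graph) and is authorized by an RBAC assignment such as Virtual Machine Contributor on the resource group. The following Python module is an added example, not code from the question or the answers; it builds the client-credentials token request, the Compute power-action call, and the scope string used for the role assignment. The tenant, client, subscription, resource-group and VM identifiers are placeholders, the `api-version` value is an assumption to check against the current Compute reference, and the HTTP transport is injectable so the flow can be exercised without network access.

```python
"""Client-credentials call to Azure Resource Manager (ARM) for VM power
operations. Added example, not code from the original thread.

Assumptions (not from the thread): the app registration holds the
"Virtual Machine Contributor" role at resource-group scope, and every
identifier below is a placeholder."""
import json
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"
LOGIN = "https://login.microsoftonline.com"
# Microsoft.Compute API version; assumed here, verify against the ARM reference.
COMPUTE_API_VERSION = "2023-03-01"
# Power operations that a Virtual Machine Contributor may invoke.
POWER_ACTIONS = {"start", "restart", "powerOff", "deallocate"}


def rbac_scope(subscription_id, resource_group=None, vm_name=None):
    """Build the ARM scope string used for a role assignment.

    Narrowest usable scope first: a single VM, then its resource group,
    then the whole subscription."""
    scope = f"/subscriptions/{subscription_id}"
    if resource_group:
        scope += f"/resourceGroups/{resource_group}"
        if vm_name:
            scope += f"/providers/Microsoft.Compute/virtualMachines/{vm_name}"
    return scope


def token_request(tenant_id, client_id, client_secret):
    """OAuth2 client-credentials request for an ARM access token.

    The scope names ARM (management.azure.com) as the audience, which is
    why Azure Compute never shows up under the Graph permission list."""
    url = f"{LOGIN}/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{ARM}/.default",
    }).encode()
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return url, headers, body


def vm_action_request(token, subscription_id, resource_group, vm_name, action):
    """Build the POST for one VM power action under Microsoft.Compute."""
    if action not in POWER_ACTIONS:
        raise ValueError(f"unsupported action {action!r}")
    url = (f"{ARM}{rbac_scope(subscription_id, resource_group, vm_name)}"
           f"/{action}?api-version={COMPUTE_API_VERSION}")
    headers = {"Authorization": f"Bearer {token}", "Content-Length": "0"}
    return url, headers, b""


def _http_post(url, headers, body):
    """Default transport: a real HTTP POST via urllib (needs network)."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status, resp.read()


def vm_power(creds, subscription_id, resource_group, vm_name, action, post=_http_post):
    """Acquire an ARM token and invoke one VM power action.

    `post` is injectable so the exchange can be checked offline."""
    url, headers, body = token_request(*creds)
    status, raw = post(url, headers, body)
    if status != 200:
        raise RuntimeError(f"token request failed with HTTP {status}")
    token = json.loads(raw)["access_token"]
    url, headers, body = vm_action_request(
        token, subscription_id, resource_group, vm_name, action)
    status, _ = post(url, headers, body)
    # ARM answers 200 for a completed action, 202 for a long-running one.
    return status


if __name__ == "__main__":
    # Placeholder identifiers; replace with your own before running.
    creds = ("<tenant-id>", "<client-id>", "<client-secret>")
    print(vm_power(creds, "<subscription-id>", "rg-vms", "vm01", "restart"))
```

If the token call succeeds but the power action returns 403, the app registration is authenticating fine and the missing piece is the RBAC assignment on the scope that `rbac_scope` produces; granting it at the resource group or the VM itself keeps the blast radius of a leaked client secret small.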

Related

Azure Automation Privileges

I have two subscriptions.
On one subscription I run Logic Apps, and on the Logic Apps I have Azure Functions.
The other subscription contains target resources for the automation via Logic Apps and Azure Functions.
In order to run the Logic Apps and the Azure Functions associated with them, what privileges do I need on the target subscriptions? I want to be able to do things like stop VMs, change NSG settings, run malware scans, etc.
Do I need to run the logic app using an account that has owner permissions on both the subscriptions?
Regards,
Kelly
It's best to use a service principal for centralized access control.
With this, you can use the service principal to authenticate and authorize actions against resources. It can be configured for the Azure Resource Manager connector in Logic Apps as well.
Another option would be to use Managed Identity, but that is supported only for the HTTP Action.
Even in your Function Apps, you could either set up Managed Identity or use the Client Credentials Flow using the Service Principal details.
As for the exact permissions for this service principal, you can use this reference of built-in roles for providing granular control. For example, to just stop/start VMs, your service principal would need Virtual Machine Contributor.
You could also provision finer access to resources by creating custom roles.

Application Authorization for Registering App and Creating Groups - Azure AD

I have a Java application running on premise in order to manage Azure app registrations and groups. For that purpose I registered an app and its service principal in Azure. I am using one of the samples under (https://github.com/Azure-Samples/aad-java-manage-users-groups-and-roles/). I am having trouble giving the right permissions to my app so that it can register other apps, create groups, assign them to groups and do client secret operations. I am receiving a 403 unauthorized response. What are the least possible Azure AD permissions for these operations? Which steps and options should I take/follow to implement those requirements in the portal?
Thanks
UPDATE 1
Giving Owner rights is a big move, so that's not the answer I was looking for. That's why I am not marking it as a solution for my question, but it would definitely work if you are willing to do that. The code also works.
Part of my question was least possible permissions. After experimenting I found that in app permissions:
Windows Azure Active Directory->Read Write Directory Data
Windows Azure Active Directory->Read Write All Applications
Microsoft Graph->Read Write Directory Data
Microsoft Graph->Read Write All Domains
Microsoft Graph->Read Write All Groups
solved the problem. The Active Directory ones allowed me to create the app and create the group; the Graph ones allowed me to add the app to the group. Instead of Graph, adding the app as User Access Admin also let me add the app to the group.
UPDATE 2
I am trying to repeat same process with another app. This time although I gave same permissions as I did in Update 1 this time adding new app to group fails with 403. Any idea how this really works? I am really confused...
You need to create a service principal and give it the Owner role on your subscription. You could check the code: the newly created user is given CONTRIBUTOR on your subscription. So, your SP needs the Owner role.
    // Assign a role to the AD user; the service principal running this code
    // needs the `Owner` role on the subscription for the assignment to succeed.
    // `authenticated`, `raName1` and `user` come from the linked sample.
    RoleAssignment roleAssignment1 = authenticated.roleAssignments()
            .define(raName1)
            .forUser(user)
            .withBuiltInRole(BuiltInRole.READER)
            .withSubscriptionScope("3b4d41fa-e91d-4bc7-bc11-13d221b3b77d")
            .create();
    System.out.println("Created Role Assignment:");
You could do it on Azure Portal.
<your subscription>--><Access Control>--><Add>.
More information about this please refer to this official document.
Update:
I tested in my lab: you don't need to give your SP Graph permissions, you only need to give your SP the Owner role on your subscription. This is my test result.
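The Logic Apps answer above points at built-in roles such as Virtual Machine Contributor for granular control, while the answer just above settles on Owner at subscription scope; the asker's own update pushes back on that as "a big move". The following Python module is an added example, written here and not taken from either thread, that reviews a list of role assignments for service principals holding more than an automation task needs. Its input mirrors the fields that `az role assignment list` emits (`principalName`, `principalType`, `roleDefinitionName`, `scope`), and the sample records are constructed for illustration, not real output from any tenant.

```python
"""Least-privilege review of Azure RBAC assignments held by service
principals. Added example, not code from the original threads.

The record shape follows `az role assignment list` output fields; the
SAMPLE_ASSIGNMENTS below are constructed, not captured from a tenant."""
import re

# Roles that grant write or ownership over every resource type in scope.
BROAD_ROLES = {"Owner", "Contributor", "User Access Administrator"}
# Narrower built-in roles that usually cover automation tasks.
TASK_ROLES = {
    "Virtual Machine Contributor": "start/stop/restart VMs",
    "Network Contributor": "change NSG rules",
    "Reader": "read-only inspection",
}

SUB_SCOPE = re.compile(r"^/subscriptions/[^/]+$")
RG_SCOPE = re.compile(r"^/subscriptions/[^/]+/resourceGroups/[^/]+$")


def scope_level(scope):
    """Classify an ARM scope string: root, subscription, resourceGroup or resource."""
    if scope == "/":
        return "root"
    if SUB_SCOPE.match(scope):
        return "subscription"
    if RG_SCOPE.match(scope):
        return "resourceGroup"
    return "resource"


def review_assignments(assignments):
    """Return findings for service-principal assignments that are broader
    than a task needs: a broad role, a wide scope, or both (high)."""
    findings = []
    for a in assignments:
        if a.get("principalType") != "ServicePrincipal":
            continue  # user and group assignments are reviewed separately
        role, scope = a["roleDefinitionName"], a["scope"]
        level = scope_level(scope)
        broad_role = role in BROAD_ROLES
        wide_scope = level in ("root", "subscription")
        if broad_role and wide_scope:
            severity = "high"
        elif broad_role or wide_scope:
            severity = "medium"
        else:
            continue
        advice = []
        if broad_role:
            advice.append("replace with a task role such as "
                          + ", ".join(sorted(TASK_ROLES)))
        if wide_scope:
            advice.append("assign at resource-group or resource scope instead")
        findings.append({
            "principal": a["principalName"],
            "role": role,
            "scopeLevel": level,
            "severity": severity,
            "advice": "; ".join(advice),
        })
    return findings


# Constructed sample resembling `az role assignment list --all` output.
SAMPLE_ASSIGNMENTS = [
    {"principalName": "sp-logicapp-automation", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-target"},
    {"principalName": "sp-vm-scheduler", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Virtual Machine Contributor",
     "scope": "/subscriptions/sub-target/resourceGroups/rg-vms"},
    {"principalName": "sp-nsg-tuner", "principalType": "ServicePrincipal",
     "roleDefinitionName": "Contributor",
     "scope": "/subscriptions/sub-target/resourceGroups/rg-net"},
    {"principalName": "kelly@example.com", "principalType": "User",
     "roleDefinitionName": "Owner", "scope": "/subscriptions/sub-target"},
]


if __name__ == "__main__":
    for f in review_assignments(SAMPLE_ASSIGNMENTS):
        print(f"[{f['severity']}] {f['principal']}: {f['role']} at "
              f"{f['scopeLevel']} scope; {f['advice']}")
```

Feeding the real `az role assignment list --all -o json` output into `review_assignments` gives the same report for a live subscription; the "high" finding is the pattern the Owner-on-subscription answer produces, and a service principal with a task role at resource-group scope, as the Logic Apps answer recommends, produces no finding at all.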

How to share Azure Function logs with 3rd party

I have some Azure Functions that I share to my partner companies who then run the Azure Functions in their own Azure subscriptions.
Occasionally the partners run into issues and reach out to me for help. I have to instruct them to manually pull the Azure Function logs and send to me via email.
Is there any way they can grant me permission to pull the logs from their Azure Subscription?
It depends on where you have the logs.
Either way, they can grant you RBAC permission to their resource in their subscription. Generally, they have read only access options available. All resources have the same experience for modifying RBAC (but they do differ on which policies they support). It's pretty straightforward, but this doc has more information: https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-configure
If you're using our default Storage logs, do yourself a favor and turn on App Insights because it's great. Then, if you still want to use Storage, you can get RBAC access or a SAS token and grab those logs from the Storage Account associated with the Function App. (Name should be in the AzureWebJobsDashboard setting). If you get a SAS token, you can use the Storage Explorer by choosing the SAS URI option when you connect.
If you're using App Insights, good job, you've made the right decision. You can get RBAC access to the App Insights resource and use all their great UI experience/etc. You can also get an API Key and make direct API calls against it, in the case that RBAC wouldn't work. (I would try to get RBAC access, but if that's not possible, here's a link to App Insights REST API docs: https://dev.applicationinsights.io/quickstart)
Short answer: use RBAC to get granted limited permissions (and App Insights because it's great).

How to move resources from subscriptions in different directories in Azure

In my Azure account I have 2 directories; let's call them directory A and B.
With some recent changes I need to switch an app service from a subscription in directory A to a subscription that is in directory B.
Is this possible to achieve, and if it is how?
EDIT 1
As directory I mean the directory that you can see in the image below:
EDIT 2
Since it seems that I have misled people, I will try to explain what I want to achieve with images.
I want to move the App Service from the App Service Plan in the directory A as you can see in here:
to the App Service Plan in the directory B that you can see in here:
It looks like you want to move resources between subscriptions. It is possible to do this but there are a few restrictions and rules around what you can do.
You can definitely move an App Service between subscriptions. However, in your case, as the subscriptions in question exist in different AD tenants, you will need to change the tenant of one of the subscriptions. You can only do this if you are a Service Administrator and signed in using a Microsoft (i.e. non-organizational) account.
Check this reference document from Microsoft, it explains in detail how the transfer process works.
I think we might need some additional information, since it seems that the terms we're using are sometimes equivocal. Microsoft Azure subscriptions are not associated with Azure Active Directories, but with a Service Account. You can add as many Azure ADs as you want to an Azure subscription, but the Azure subscription itself will be managed by the service account (which is not necessarily a member of a certain Azure AD).
Further, only the service administrator can manage Azure resources, like VMs, App Services and so on. Azure AD admins can only manage identity aspects that define identity life cycles within that specific Azure AD. The service admin could add a user from the default Azure AD as a co-admin, and that user would then also be able to manage Azure resources, like App Services and so on.
So the Azure App Service is tied to an Azure subscription that is managed by a service account, not by the Azure AD. Please check the official documentation on this topic. Also please clarify exactly what you would like to do.

Does an Azure Cloud Service Publishing Profile Exist?

I need to assign publish permission to one of my developers so that he is able to publish to only one cloud service and does not affect the others.
Azure websites have this concept called "download publishing profile".
I could not find anything similar for cloud services. Can it be achieved?
As you know Azure Management Portal does not have any role defined where we could map a user account login to manage a set of resources (say cloud service 1 & 2)
It is not possible as of today. It seems that it should be possible with Resource Groups and Role Based Access Control (RBAC) however currently cloud services can't be added in resource groups and assigned RBAC.
One way you could achieve this is to have a custom application consuming the Service Management API and implement your own RBAC in that application. However, it is still a "hack" and not a proper solution.
Why don't you try using "publish from source control"? When the developer checks in it will auto publish the code.
I believe the new portal will allow the creation of roles for publishing profiles; it already allows adding additional users to your organization; but to get what you want for now; publishing from source code should do the trick.
