I have been working on creating a new tenant from the API or command line in Azure Active Directory and I could not find a way to do it.
I have also been using the Azure Graph API, but it doesn't support this.
Is there any way, from a command or API, that I can use to automate the creation of new tenants?
I have researched on Google and Stack Overflow, but I didn't find any way to do it from a command or API.
And is there any plan for Microsoft to provide such an API in the future?
There's no public, documented or supported (by MSFT) API available for this. That being said, you might try using the portal's internal API with something like this:
# Undocumented portal API; replace every <placeholder> before running
Invoke-WebRequest -Uri "https://main.iam.ad.ext.azure.com/api/Directories" `
-Method "POST" `
-Headers @{
"Accept-Language"="en"
"Authorization"="Bearer <azure ad access token issued for aud=74658136-14ec-4630-ad9b-26e160ff0fc6>"
} `
-ContentType "application/json" `
-Body "{`"companyName`":`"<company name>`",`"initialDomainPrefix`":`"<initial domain prefix (the one that will be appended to onmicrosoft.com)>`",`"countryCode`":`"<iso (2 letter) country code>`"}"
Related
I'm trying to follow the guide outlined at this link to generate an access token for AKS for the system-assigned managed identity.
The code snippet at the link does the following from an App Service Kudu console:
$resource = "https://graph.microsoft.com"
# App Service injects the local identity endpoint and its secret header into the environment
$endpoint = $env:IDENTITY_ENDPOINT
$header = $env:IDENTITY_HEADER
$apiVersion = "2019-08-01"
$headers = @{ 'X-Identity-Header' = $header }
$url = "$($endpoint)?api-version=$apiVersion&resource=$resource"
$response = Invoke-RestMethod -Method Get -Uri $url -Headers $headers
$response.access_token
Although this snippet works, the resource identifier varies depending on the resource for which you're requesting the access token. I'm not sure what resource value must be specified to get this for AKS. I have found it for the following, but not for AKS:
https://servicebus.azure.net
https://graph.microsoft.com
https://management.azure.com
https://database.windows.net
https://relay.azure.net
https://eventhubs.azure.net
Does anyone know what this ought to be for AKS?
Figured it out. Apparently, after deploying AKS, a new Microsoft-generated enterprise application called "Azure Kubernetes Service AAD Server" is created under your tenant, and it has a universal GUID:
6dae42f8-4368-4678-94ff-3960e28e3630
This should be used as the resource.
Surprisingly, there's no mention of this in any Microsoft-authored documentation. I stumbled across it on other sites.
Hope this helps someone else.
Some references:
Reference to this on github
Reference to this on related SO post
When you create an ADB2C tenant resource, an application registration is also created, named "b2c-extensions-app. Do not modify. Used by AADB2C for storing user data." This is a special application which is needed for CRUD operations.
Around the internet and in the docs, it is mentioned that it gets created automatically, but that's not the case. It is created only after you log in to that tenant and go to App registrations; it is a trigger of some sort. How do I know this? I reached out to Microsoft support.
My question: this interferes with some of my automation scripts. Does anyone know of an endpoint to which I can make a REST request so that this app gets created?
Okay, after a lot, and I mean a lot, of trial and error, I finally found the endpoint that causes the creation of that app. I will show a code snippet in PowerShell.
$context = (Connect-AzAccount ...).Context   # the AzureContext (Account, Environment) used below
$TenantId = '<your_tenant_id>'               # tenant the B2C resource lives in
# Acquire an access token for the resource https://management.core.windows.net/
$tokenItem = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate(
$context.Account,
$context.Environment,
$TenantId,
$null,
'Never',
$null,
'https://management.core.windows.net/')
# Undocumented B2C portal endpoint; calling it triggers creation of b2c-extensions-app
Invoke-WebRequest -Uri "https://main.b2cadmin.ext.azure.com/api/tenants/GetAndInitializeTenantPolicy?tenantId=<your_tenant_name>&skipInitialization=false" `
-Method "GET" `
-Headers @{
"Authorization" = "Bearer $($tokenItem.AccessToken)";
"x-ms-client-request-id" = ([guid]::NewGuid().Guid)
}
Can we make REST API calls to an Azure Function from an Azure VM? We cannot store a user name and password for the API. Is there any other authentication we can use to make a call to the Azure Function? E.g. managed identity, certificates?
Yes, you could use a managed identity (MSI) to get the token, then use the token to make the REST API call to your Azure Function. Please follow the steps below.
1. Navigate to the VM in the portal -> Identity -> enable the System-assigned identity.
2. Navigate to the function app in the portal -> Authentication / Authorization -> configure your function app with Azure AD auth (follow this doc). Don't forget to set "Log in with Azure Active Directory". After configuration, it will take a while to create an AD app for your function app; at last it will appear like below.
3. Then, in the function app, create an HTTP trigger to test with. Note: its Authorization level needs to be set to Anonymous.
4. In my sample, I RDP into the VM, then use PowerShell to get the token, then use the token to call the function. In your case, you can also use other languages depending on your requirements. My function name is joyfun111; replace it with yours in the script. It works on my side.
# IMDS endpoint on the VM; the Metadata header is mandatory and the resource is the function host
$response = Invoke-WebRequest -Uri 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https://joyfun111.azurewebsites.net' -Method GET -Headers @{Metadata="true"} -UseBasicParsing
$content = $response.Content | ConvertFrom-Json
$Token = $content.access_token
Invoke-RestMethod -Uri 'https://joyfun111.azurewebsites.net/api/HttpTrigger1?name=world' -Method POST -Headers @{Authorization="Bearer $Token"}
Update:
If so, you just need to use the function key along with the function URL: change the Authorization level to Function, disable the Azure AD auth in Authentication / Authorization, then use a command like the one below.
Invoke-RestMethod -Uri 'https://joyfun111.azurewebsites.net/api/HttpTrigger1?code=10X/IKJIeElrCRIxxxxH6A==&name=world' -Method POST -UseBasicParsing
You can get the function url in the function page.
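Whichever managed identity endpoint issued the token (the App Service IDENTITY_ENDPOINT in the AKS question above, or the VM's IMDS endpoint in this answer), the resource you ask for becomes the token's aud claim, and a wrong value shows up as a 401 from the target that is easy to misdiagnose. The PowerShell below is an added example, not code from either answer: it decodes the token payload and checks aud, exp and optionally tid against what the caller expects. The demo token it builds is constructed here (alg none, empty signature, placeholder tenant id); the function host name is the one from the answer above. It inspects claims only and does not verify the signature, which is the resource server's job.

```powershell
# Added example, not code from the answers on this page.
# Decodes the payload of an Azure AD access token and checks the claims that most often
# explain a 401 from the target: aud (must be the resource you requested), exp, and tid.
# Only the payload is decoded; the signature is NOT verified here (the resource does that).

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    $s = $Text.Replace('-', '+').Replace('_', '/')
    switch ($s.Length % 4) {
        2 { $s += '==' }
        3 { $s += '=' }
    }
    [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($s))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Not a compact JWS (expected header.payload.signature)' }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Test-AccessTokenClaims {
    param(
        [Parameter(Mandatory)][string]$Token,
        [Parameter(Mandatory)][string]$ExpectedAudience,
        [string]$ExpectedTenantId,
        [int]$ClockSkewSeconds = 300
    )
    $claims = Get-JwtPayload $Token
    $problems = @()
    # v1 tokens carry the resource URI (sometimes with a trailing slash) or an app id in aud.
    if ($claims.aud.TrimEnd('/') -ne $ExpectedAudience.TrimEnd('/')) {
        $problems += "aud is '$($claims.aud)', expected '$ExpectedAudience' (wrong resource= parameter?)"
    }
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $expires = [DateTimeOffset]::FromUnixTimeSeconds([long]$claims.exp).UtcDateTime
    if ([long]$claims.exp -le ($now - $ClockSkewSeconds)) {
        $problems += "token expired at $expires UTC"
    }
    if ($ExpectedTenantId -and $claims.tid -ne $ExpectedTenantId) {
        $problems += "tid is '$($claims.tid)', expected '$ExpectedTenantId'"
    }
    [pscustomobject]@{
        Valid      = ($problems.Count -eq 0)
        Audience   = $claims.aud
        TenantId   = $claims.tid
        ExpiresUtc = $expires
        Problems   = $problems
    }
}

# Constructed demo token so the check can be exercised offline. alg=none and an empty
# signature: any real resource server rejects this; it exists only to feed the decoder.
function New-DemoJwt {
    param([Parameter(Mandatory)][hashtable]$Claims)
    $header  = ConvertTo-Base64Url (@{ alg = 'none'; typ = 'JWT' } | ConvertTo-Json -Compress)
    $payload = ConvertTo-Base64Url ($Claims | ConvertTo-Json -Compress)
    $header + '.' + $payload + '.'
}

$demo = New-DemoJwt @{
    aud = 'https://joyfun111.azurewebsites.net'         # function host used in the answer above
    tid = '00000000-0000-0000-0000-000000000000'        # placeholder tenant id
    exp = [DateTimeOffset]::UtcNow.AddHours(1).ToUnixTimeSeconds()
}

# Token requested for the right resource: Valid = True
Test-AccessTokenClaims -Token $demo -ExpectedAudience 'https://joyfun111.azurewebsites.net/'
# Same token presented to ARM: Valid = False, Problems explains the aud mismatch
Test-AccessTokenClaims -Token $demo -ExpectedAudience 'https://management.azure.com'

# On the VM from the answer, after the IMDS call has set $Token:
# Test-AccessTokenClaims -Token $Token -ExpectedAudience 'https://joyfun111.azurewebsites.net'
```

For the AKS case from the earlier question, the expected audience is the "Azure Kubernetes Service AAD Server" app id given there rather than a URL; the TrimEnd on the comparison is harmless for a GUID. Running the check before the first call to the target turns an opaque 401 into a message that names the mismatched resource.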
I'm just wondering: in this article https://learn.microsoft.com/en-us/rest/api/resources/tenants/list
there's a "Try it" button; once you click it, it will list all your tenants or directories.
Then, once you select any of the directories, it will give you a bearer token.
The question is, is there a way to get a bearer token through the API? Or get a bearer token that depends on the selected tenant? Thanks!
With the token returned by that site, I'm passing it to this API https://app.vssps.visualstudio.com/_apis/accounts to get all my organizations based on the selected tenant.
If you want to work with the command in PowerShell, the Get-AzAccessToken cmdlet can fetch a token for you.
I tested the following script in PowerShell on Azure Cloud Shell:
$token = (Get-AzAccessToken -ResourceUrl 'https://management.azure.com').Token
$headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
$headers.Add("Authorization","Bearer $token")
$url = "https://management.azure.com/tenants?api-version=2020-01-01"
# Send the request
Invoke-RestMethod $url -Method 'Get' -Headers $headers
You can get the access token (bearer) via the API below. Please refer to the link.
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth-ropc
Normally, if you need to access any Azure resource, you have to create an AAD app in that tenant in order to get the token. But in your case, you have to get all tenant details via the REST API. So you can create the AAD app in one of your tenants.
I can't find an example anywhere! The format is posted here at the Application Insights REST API site. It is only the format, with no example. I think I was able to follow the format, but when I tried it, I got an error message of "Authentication failed. The 'Authorization' header is missing." Typically, to get this token, you have to register your app in Azure AD and follow that process. I don't have an app I need registered. I want to use their API/app. And the reason I want to use the Azure API format and not the Public API format is to get around the rate limit. We need to make requests about once a minute. Help!
According to your description, you need to create a service principal first, then use it to get the API token. Please refer to this link: Use portal to create an Azure Active Directory application and service principal that can access resources. You will get a client id (app id) and client_secret. You could use the following script to get a token (using PowerShell).
## Get a token with the client_credentials grant (v1 endpoint)
$TENANTID="******"
$APPID="<client_id>"
$PASSWORD="<client_secret>"
$result=Invoke-RestMethod -Uri "https://login.microsoftonline.com/$TENANTID/oauth2/token?api-version=1.0" -Method Post -Body @{"grant_type" = "client_credentials"; "resource" = "https://management.core.windows.net/"; "client_id" = "$APPID"; "client_secret" = "$PASSWORD" }
$token=$result.access_token
After you get the token, you need to construct the headers, like below:
# Host is derived from the URI; passing it as a header fails on Windows PowerShell 5.1
$Headers=@{
'Authorization'="Bearer $token"
'Content-Type'='application/json'
}
Then you could use the API to get the information you want.
Invoke-RestMethod -Uri $url -Headers $Headers -Method GET
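The client_credentials request above works, but as written it hard-codes the secret in the script and fetches a fresh token on every run. The following PowerShell is an added example, not the answer's own code: it wraps the same v1 token request so the secret is held as a SecureString, the token is reused until shortly before the expires_on value returned by the endpoint, and the request body is kept out of error output. Get-ClientCredentialsToken, New-ArmHeaders and the process-local $script:TokenCache are names chosen for this example.

```powershell
# Added example, not code from the answer above. Same v1 client_credentials endpoint and
# parameters as the answer, wrapped so that the secret is not a plain string, the token is
# cached until shortly before 'expires_on', and the Content-Type header is spelled correctly.

$script:TokenCache = @{}   # process-local cache: key -> @{ AccessToken; ExpiresOn }

function Get-ClientCredentialsToken {
    param(
        [Parameter(Mandatory)][string]$TenantId,
        [Parameter(Mandatory)][string]$ClientId,
        [Parameter(Mandatory)][securestring]$ClientSecret,   # never a plain string in scripts or logs
        [string]$Resource = 'https://management.core.windows.net/',
        [int]$RefreshMarginSeconds = 300
    )
    $cacheKey = "$TenantId|$ClientId|$Resource"
    $now = [DateTimeOffset]::UtcNow.ToUnixTimeSeconds()
    $cached = $script:TokenCache[$cacheKey]
    if ($cached -and $cached.ExpiresOn -gt ($now + $RefreshMarginSeconds)) {
        return $cached.AccessToken   # still valid for at least the refresh margin
    }

    # Unwrap the secret only for the duration of the request.
    $cred = [pscredential]::new($ClientId, $ClientSecret)
    $body = @{
        grant_type    = 'client_credentials'
        resource      = $Resource
        client_id     = $ClientId
        client_secret = $cred.GetNetworkCredential().Password
    }
    try {
        $result = Invoke-RestMethod -Method Post `
            -Uri "https://login.microsoftonline.com/$TenantId/oauth2/token?api-version=1.0" `
            -Body $body
    } catch {
        # Do not echo $body here: it contains the secret. The exception message carries the AAD error.
        throw "Token request for client $ClientId in tenant $TenantId failed: $($_.Exception.Message)"
    }

    $script:TokenCache[$cacheKey] = [pscustomobject]@{
        AccessToken = $result.access_token
        ExpiresOn   = [long]$result.expires_on   # Unix seconds, returned by the v1 endpoint
    }
    $result.access_token
}

function New-ArmHeaders {
    param([Parameter(Mandatory)][string]$Token)
    @{
        'Authorization' = "Bearer $Token"
        'Content-Type'  = 'application/json'   # the answer's 'contentype' key would go out as an unknown header
    }
}

# Usage (placeholders; read the secret interactively or from a secret store, never from the script file):
# $secret = Read-Host -AsSecureString 'client secret'
# $token  = Get-ClientCredentialsToken -TenantId '<tenant id>' -ClientId '<client_id>' -ClientSecret $secret
# Invoke-RestMethod -Uri 'https://management.azure.com/subscriptions?api-version=2020-01-01' -Headers (New-ArmHeaders $token)
# A second call within the token lifetime returns the cached token without contacting login.microsoftonline.com.
```

The refresh margin matters for the once-a-minute polling the question describes: a token that expires mid-request produces the same "Authentication failed" response as a missing header, so renewing a few minutes early avoids a misleading failure.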
Update:
If you want to use the Application Insights REST API, you don't need a service principal to get a token. You need to create an API key instead. Please refer to this link.