I find myself in a situation where I have a subscription key in a project I inherited, for which I need to determine the product that the key is attached to. We have a couple hundred products, and manually inspecting each one and "show"ing the values of each of its subscription keys is not something I want to do... Is there a way of scripting this? My Googling so far has only revealed solutions for obtaining keys from a known product, which is the opposite of what I need...
Subscription Key is not unique so you can't get a product using a subscription key as many products from different services might have subscriptions that holds the same subscription keys so no such an api to do this.
In general you can write a script using the list product subscription api and list secrets api to achieve such a thing.
https://learn.microsoft.com/en-us/rest/api/apimanagement/2019-12-01/productsubscriptions/list#code-try-0
https://learn.microsoft.com/en-us/rest/api/apimanagement/2019-12-01/subscription/listsecrets#code-try-0
If you are looking just to see to which product a specific call has been made then you can use any of the solutions below and I prefer the log analytics one.
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-use-azure-monitor
If you have a key and want to know which product is the key for, you can use Azure PowerShell: API management module to do this.
Just try the code below:
$apimName = "<apim name>"
$apimSresourceGroup = "<apim resource group name>"
$key = "<your ssubscription key>"
$apim_context = New-AzApiManagementContext -ResourceGroupName $apimSresourceGroup -ServiceName $apimName
$subs = Get-AzApiManagementSubscription -Context $apim_context
foreach($sub in $subs){
if($sub.PrimaryKey -eq $key -or $sub.SecondaryKey -eq $key){
write-host 'this key is for product:'$sub.ProductId' belongs to user with ID:' $sub.UserId ' subscription name:'$sub.Name
}
}
Result:
Let me know if you have any further questions.
Related
I would like to know if there is a way to list down all secrets, keys, certificates inside azure keyvault. I can check on portal but that takes lot of time if I have to export this info in excel.
Anyway I can do with powershell ?
Thanks in advance!
The Get-AzureKeyVaultSecret module is probably your best bet.
Get-AzureKeyVaultSecret -VaultName "vaultname" | Select Name
Change vaultname to the name of your vault and it will show you the names of all the items stored in the given vault. You can also adjust the Select to get back all the data you need, or pipe to Export-Csv directly.
I have a requirement for generating alert like sending mail to the admin for the user who have high level of access granted for more than 3 days. I am able to find the users details like DisplayName, SignInName, RoleDefinitionName with Get-AzureRmRoleAssignment command, but the problem is How can i know the time stamp when was this user assigned this role. Please help me with powershell script to find the time stamp of when the user was assigned this role(for example owner) in azure.
Use Get-AzureRmLog to get the activity logs for Azure RBAC changes. Please note that the log can only be kept for 90 days.
For example:
#get the role assignment
$ra = Get-AzureRmRoleAssignment -ObjectId 256d1966-019b-479c-a71f-d5a1xxxxxx43
#find the role assignment id, for example: $ra[1].RoleAssignmentId
$ra[1].RoleAssignmentId
#get the azureRm log in the past 10 days by filtering with resource id
$rmlog = Get-AzureRmLog -ResourceProvider Microsoft.Authorization -StartTime (Get-Date).AddDays(-10) | Where-Object{$_.ResourceId -eq $ra[1].RoleAssignmentId}
#get the SubmissionTimestamp and EventTimestamp, see which one is what you want
$rmlog.SubmissionTimestamp
$rmlog.EventTimestamp
I have created a new custom AppRole in App Manifest and I want to assign this new AppRole to all the user's of the application. I researched on this and I find several links on how to assign new AppRole to a user using Powershell or Bash, but I need to assign new AppRole to all the users (nearly 1500 users) using a script. Does anyone have any idea how to do this ?
Below are few links I looked into, but it assign role to a single user:
https://learn.microsoft.com/en-us/powershell/module/azuread/new-azureaduserapproleassignment?view=azureadps-2.0
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal
You already looked at Azure Portal and the UI available and it isn't very well suited for bulk operations (only one role can be assigned at a time, users have to be selected one by one and there isn't a way to bulk select users based on some criteria etc.)
Following options might help you:
Assign a group to role instead of individual users
This requires a premium version of Azure AD. It's much more convenient not just for first time assignment but for managing overall.
Scripting/API options (PowerShell, CLI, Azure AD Graph API, Microsoft Graph API)
Idea will be to loop through all users (or desired subset of users based on some criteria) and assign the appropriate app role to them.
Here's a sample script for PowerShell.
Connect-AzureAD -TenantId <Your Tenant Id>
$app_name = "RolesWebApp"
$app_role_name = "Writer"
# Get the service principal for the app and app role
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
$users = Get-AzureADUser -Top 10
foreach ($user in $users)
{
# Assign the user to the app role
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId
$user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
}
Take a look at this SO thread where we discussed something very similar and has more details on each of the individual options.
Special note on Microsoft Graph API:
Even though for most scenarios it will be recommended to work with Microsoft Graph API instead of Azure AD Graph API. This particular functionality is only available in beta endpoint. So it would not be advisable to use it for any production code. Working with appRoleAssignments
I am calling powershell script to add ADF into key vaults access policies using the following command
If I grant it through portal UI, it works. What could be wrong with the following code or should i use different Api?
$Id = (Get-AzureRmDataFactoryV2 -ResourceGroupName $ResourceGroupName -Name $DataFactoryName).Identity.PrincipalId
Write-Host "Add permissions to key vault"
Set-AzureRmKeyVaultAccessPolicy -VaultName $AKVName -ObjectId $Id -PermissionsToSecrets Get,Set
I get this Error:Set-AzureRmKeyVaultAccessPolicy : 'AccessPolicies' exceeds maximum item count of '16'.
It should add permission to ADF for the given key vault
Thanks
I found my answer in the below post
https://social.msdn.microsoft.com/Forums/azure/en-US/ee3ec74a-3103-4795-92fb-ee5ec5298d38/add-key-vault-access-policy-using-power-shell-does-not-work?forum=AzureKeyVault
Access policies via groups on Azure Key Vault don't seem to work.
If I create a new key vault
New-AzureRmKeyVault -VaultName $vaultName
And check the keys (which there aren't any of currently)
Get-AzureKeyVaultKey -VaultName $vaultName
That works.
If I add access to a group that the current user is a member of
$group = (Get-AzureRmADGroup -SearchString 'All Developers')[0].Id
Set-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroupName -ObjectId $group -PermissionsToKeys all -PermissionsToSecrets all
And remove direct access
Remove-AzureRmKeyVaultAccessPolicy -VaultName $vaultName -ResourceGroupName $resourceGroupName -UserPrincipalName $upn
The list operation now fails
Get-AzureRmKeyVault -VaultName $vaultName -ResourceGroupName $resourceGroupName
Get-AzureKeyVaultKey : Operation "list" is not allowed
How can I permission by group?
I discovered today that it works for users in permissioned group objects. Doesn't work for service principals in those groups.
In other words, if I authenticate using a client id and client secret, the associated service principal must have an access policy directly set on the key vault. If I permission a security group, a user in that group can in fact access the key vault. I guess this has something to do with how the JWT includes security groups in it with users, but not service principals...
The reason that adding an access policy to a group is that it isn't supported. If you look at the help for Set-AzureRmKeyVaultAccessPolicy there is this for ObjectId
-ObjectId <Guid>
Specifies the object ID of the user or service principal in Azure Active Directory for which to grant permissions.
Required? true
Position? named
Default value none
Accept pipeline input? true(ByPropertyName)
Accept wildcard characters? false
As you can see ObjectId only supports either Service principals or users.
This is reflected in the parameters of the source code for Set-AzureRmKeyVaultAccessPolicy and further up the chain the REST API when posting to
https://management.azure.com/subscriptions/{subscription-id}/resourceGroups/{resource-group-name}/providers/Microsoft.KeyVault/vaults/{vault-name}?api-version={api-version}
The payload contains the objectId parameter which is defined as
Specifies the object ID of a user or service principal in the Azure Active Directory tenant for the vault. The ID must be specified as a GUID.
I would imagine that this functionality will be added at some point in future, but at the moment it isn't possible.
This Access Denied / 403 Forbidden error can also happen when an app has made requests to a Key Vault before it was added to the Azure Active Directory Group.
Perhaps this has something to do with caching of service principal information on the App Service instance? I was unable to find documentation of this.
Solution: restart the App Service.