I trying to programmatically create an AWS application within Azure AD with SAML identity provider. I have already done everything needed on the AWS side, but am struggling for Azure. I need to create the enterprise application, and then download the Federation Metadata XML file.
I know how to do this through the Azure console, but am trying to automate the process and need to do all of this through code. I have looked into Graph API and terraform, but cannot seem to find the best way to do this, and am looking for suggestions, or if anyone has done this before.
So I found out a pretty decent way to do this using Microsoft Graph API, for anyone interested,
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/amazon-web-service-tutorial
Related
I am currently trying to get Graph API to work using only the Azure Portal. For example, I can configure Azure AD authentication in my code (example) or I can configure it through the Azure Portal (example).
Is there some way to configure Microsoft Graph through the Azure Portal like in my second example? So effectively, I would not need to write any configuration in my startup class and let the app service itself configure and inject the ITokenAcquisition or, even better, the GraphServiceClient?
The reason I am trying to do this is that I don't really want to deal with handling token caching myself and was wondering if there is a simpler way of doing it.
I've a databricks code which writes files to Sharepoint online using my personal AD credentials for authentication. However I'm not allowed to use my personal AD credentials for security reasons and password expires ever 90 days.
With that said I explored options such as getting a Service account created but that was not possible due to licensing issues.
Are there other possibilities to approach this?
Is it possible to use Azure Service Principle for authentication? If yes could you please advise how to achieve this?
I'm trying to setup SSO and provisioning from my directory on GSuite to an Azure AD.
There's no problem with SSO, besides the fact that you need to first create the guest accounts on the AAD side.
I've searched around on how to provision AAD from GSuite, but the few documentations/forum posts I found all point to it being impossible in this direction without making some custom scripting.
Is there a hidden way I haven't found? If not, where can I find information on how to set up this custom implementation?
Thanks!
I have a requirement to automate renewal of all the soon to be expiring azure resources PIM role but it seems there is no PowerShell module available at this moment for the PIM.
I also tried exploring rest api option but it appears that there is no rest end point available but I found graph api endpoints which seems to be supporting this feature but as per Microsoft documentation it doesn't support access via service principal so not sure how to proceed further on this.
Did anyone try this before, any suggestion?
I am designing an application that will consist of:
SPA written in React, deployed to an instance of Azure App Service
REST API written in .Net Core Web API, deployed to another instance of Azure App Service
Azure SQL Database in the same Azure tenant as the app services above
All these resources will be connected to the same instance of Azure AD (also in the same tenant).
Conceptually, I suppose the authentication could work roughly like this:
The user connection to the SPA and obtains an auth token
The token would then be passed to the API and then the API will use that token to authenticate the user to the SQL Database (this seems possible)
However, I have not been able to find any walkthroughs or other documentation that would demonstrate this seemingly straightforward way of implementing authentication. Seems like this is a typical enough scenario for it to be widely documented by bloggers or Microsoft itself, so not being able to find it makes me wonder if I am not thinking about this right, or maybe I am not looking in the right places.
Can someone please help me figure out what is the right way to approach this and point me to some online resources that could guide me through this?
Thank you!
It's much more common for the REST API to use its Managed Service Identity to obtain a token for Azure SQL Database, and use that. It's always been rare for web apps to use the browser user's identity to connect to SQL Server.
See, eg: Tutorial: Secure Azure SQL Database connection from App Service using a managed identity