Access to Time Series Insights is handled by acquiring an access token for an Application in Azure Active Directory which is being given access to Time Series Insights according to the documentation.
In a scenario where my application is running in Azure App Service, is it possible to skip the step of creating an application in AD and use the Managed Identity of App Service to access Time Series Insights this way? How can I obtain the Access Token in this scenario?
Yes, you can absolutely do that. In that case, you'd follow the Azure AD guidance on how to acquire tokens for resources as an MSI. Please see the documentation here. The resource would be https://api.timeseries.azure.com/ and one of the optional properties is required. Note that you'd also have to first grant the MSI either the Reader or Contributor role for your TSI environment.
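The token acquisition the answer describes, as an added example (not code from the original answer): the App Service platform injects `IDENTITY_ENDPOINT` and `IDENTITY_HEADER` into the app's process, and a GET against that local endpoint for the resource `https://api.timeseries.azure.com/` returns the bearer token, with no client secret anywhere in the app. That it runs inside App Service or Functions with managed identity enabled is the assumption; the `fetch` parameter exists only so the logic can be exercised offline.

```python
"""Acquire a Time Series Insights token from the App Service managed identity
endpoint.  Added example, not code from the original answer.

Assumption (labelled): the code runs inside Azure App Service / Azure Functions
with a managed identity enabled, so the platform injects the IDENTITY_ENDPOINT
and IDENTITY_HEADER environment variables into the process."""
import json
import os
import urllib.parse
import urllib.request

# Resource identifier named in the answer above.
TSI_RESOURCE = "https://api.timeseries.azure.com/"
# API version of the App Service managed identity endpoint.
MSI_API_VERSION = "2019-08-01"


def build_msi_token_request(identity_endpoint, identity_header, resource=TSI_RESOURCE):
    """Return (url, headers) for the token request: a GET to the local identity
    endpoint, authenticated with the X-IDENTITY-HEADER value that only the
    app's own process can read.  No client secret is involved."""
    query = urllib.parse.urlencode({"resource": resource,
                                    "api-version": MSI_API_VERSION})
    return f"{identity_endpoint}?{query}", {"X-IDENTITY-HEADER": identity_header}


def get_tsi_token(identity_endpoint=None, identity_header=None, fetch=None):
    """Fetch a bearer token for TSI using the app's managed identity.

    `fetch(url, headers) -> dict` is injectable so the logic can be exercised
    without network access; the default performs the real HTTP GET."""
    identity_endpoint = identity_endpoint or os.environ.get("IDENTITY_ENDPOINT")
    identity_header = identity_header or os.environ.get("IDENTITY_HEADER")
    if not identity_endpoint or not identity_header:
        raise RuntimeError("IDENTITY_ENDPOINT/IDENTITY_HEADER are not set: "
                           "managed identity is not enabled, or this is not "
                           "running inside App Service")
    url, headers = build_msi_token_request(identity_endpoint, identity_header)

    if fetch is None:
        def fetch(u, h):
            req = urllib.request.Request(u, headers=h)
            with urllib.request.urlopen(req, timeout=10) as resp:
                return json.load(resp)
    body = fetch(url, headers)
    # Response fields: access_token, expires_on, resource, token_type.
    if "access_token" not in body:
        raise RuntimeError(f"token request failed: {body}")
    if body.get("resource", TSI_RESOURCE) != TSI_RESOURCE:
        raise RuntimeError("token was issued for an unexpected resource")
    return body["access_token"]


def tsi_headers(token):
    """Authorization header for calls to the TSI data-plane API."""
    return {"Authorization": f"Bearer {token}"}


if __name__ == "__main__":
    print(tsi_headers(get_tsi_token()))
```

The `azure-identity` package wraps the same endpoint: `ManagedIdentityCredential().get_token("https://api.timeseries.azure.com/.default")` returns an equivalent token. Either way the token only carries what the identity has been granted, so the Reader or Contributor role assignment on the TSI environment the answer mentions still has to exist first.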
Stuff in Azure are secured with Service Accounts. In order for me to see stuff I need to download the Service Account certificate and then log in via the Azure CLI using the extracted certificate and the Service Account Application Id. So now I can see everything the Service Account can see, great. But it is a pain in the neck and slow. So my question: Can I use the same certificate and credentials to log into the Azure Portal website so I can browse around using the web browser instead?
Using a Service Principal for interactive logins to the Azure Portal is not possible - which is by design. In order to be able to see the same resources as the Service Principal through the Azure Portal, you would require a user account that holds the Azure RBAC Reader role against those resources that are in scope of the Service Principal role assignments.
As you mentioned performance being an issue with using the Service Principal login, you could try Azure Resource Graph queries. These are supported by Azure CLI, Azure PowerShell as well as all the major Azure SDKs. Obviously, this won't bring you the visual experience like the Azure Portal but might resolve the performance piece.
However, requesting/creating a user account that has the corresponding RBAC roles assigned would be the only way to allow you to see the resources through the Azure Portal.
I have an azure resource that is running in tenantA.
I have a service in tenantB that needs access to the resource in the tenantA.
What are my options to achieve this other than using the raw username/password or access key? Is multi-tenant app registration in tenantA an option? How can this be set up?
Can I use a managed identity to access a resource in a different directory/tenant
Answer is no, Managed Identity is not supported in cross directory/tenant scenarios.
However you can use a service principal (app registration is part of the process) to enable that. I suggest you read and know the difference from https://thomasthornton.cloud/2020/10/14/azure-managed-identities-and-service-principals/ , great article!
Yes, you need a multi-tenant application to achieve this.
Since you are trying to access an Azure resource in another tenant, I am guessing there is no user involvement, and this is an app only flow?
If so, here are some quick steps to achieve this:
Create the app registration in TenantB.
Add the application to TenantA.
Configure the Azure resource in TenantA to grant permissions to this application.
The application in TenantB can now access the Azure resource in TenantA.
I wrote a blog post that has more details on this at https://blog.identitydigest.com/cross-tenant-access/... it includes a small code sample to showcase how to access key vault and Microsoft graph
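The app-only flow the four steps describe, as an added example that is not the blog post's sample or the answer's code. The point it makes concrete is the authority: the app is registered in TenantB, but once an admin in TenantA has consented to it, the token is requested from TenantA's endpoint with TenantB's client id, because TenantA's directory is where the service principal and its role assignments live. All ids are placeholders, and the `post` parameter is there only so the flow can be exercised offline.

```python
"""Client-credentials token request for a multi-tenant app used across tenants.
Added example, not code from the blog post or the answer.  All ids are
placeholders; the scopes are the .default scopes of Key Vault and Microsoft
Graph, the two resources the answer mentions."""
import json
import urllib.parse
import urllib.request

KEY_VAULT_SCOPE = "https://vault.azure.net/.default"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"


def token_endpoint(tenant_id):
    """v2.0 token endpoint of the tenant that will issue the token."""
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def admin_consent_url(tenant_id, client_id):
    """URL an administrator of tenant_id opens to consent to the app, which is
    what 'add the application to TenantA' means: consent creates the service
    principal for the TenantB app inside TenantA's directory."""
    return (f"https://login.microsoftonline.com/{tenant_id}/adminconsent?"
            + urllib.parse.urlencode({"client_id": client_id}))


def build_client_credentials_request(resource_tenant_id, client_id, client_secret, scope):
    """(url, form body) for the OAuth 2.0 client-credentials grant.

    The authority is the *resource* tenant (TenantA), not the tenant where the
    app registration was created; using TenantB's endpoint would yield a token
    that TenantA's resources reject."""
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": scope,
    }
    return token_endpoint(resource_tenant_id), body


def request_token(resource_tenant_id, client_id, client_secret, scope, post=None):
    """Perform the grant; `post(url, form_dict) -> dict` is injectable."""
    url, body = build_client_credentials_request(resource_tenant_id, client_id,
                                                 client_secret, scope)
    if post is None:
        def post(u, data):
            req = urllib.request.Request(
                u, data=urllib.parse.urlencode(data).encode(), method="POST")
            with urllib.request.urlopen(req, timeout=10) as resp:
                return json.load(resp)
    resp = post(url, body)
    if "access_token" not in resp:
        # Azure AD returns error / error_description on failure, e.g. when
        # TenantA has not consented to the app yet.
        raise RuntimeError(f"token request failed: {resp.get('error')}: "
                           f"{resp.get('error_description')}")
    return resp["access_token"]


if __name__ == "__main__":
    print(admin_consent_url("<tenant-a-id>", "<client-id-from-tenant-b>"))
    print(build_client_credentials_request("<tenant-a-id>", "<client-id-from-tenant-b>",
                                           "<secret>", KEY_VAULT_SCOPE))
```

The secret is shown as a plain string for clarity; in a deployed service a certificate credential (or, where both sides are in one tenant, a managed identity) keeps a long-lived secret out of the configuration, and the role assignment in TenantA should be scoped to the one resource the service needs rather than the subscription.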
I want to access (read & write data) Azure Time Series Insights through the API without registering any application. My job is to send/push the JMeter results to Azure Time Series Insights. Is there any way to do it, as I don't have access to create/register any application for it?
You can't.
You must register an application. This is how you tell Azure AD that you intend to talk to an Azure service that is being protected by Azure AD. These are the rules of engagement, and a standard protocol flow (e.g. OpenID Connect / OAuth) requires a client registration.
This is explicitly documented in the relevant Authentication & Authorization for Time Series Insights docs.
I am creating my first function app using PowerShell in the Azure portal. It's just to scale a SQL DB. I have tried to use this tutorial as a guide.
MSI example
I turned on MSI for the function and configured the resource group, giving the Contributor role to the resource.
When I run the function within the portal, I get the message "doesn't have authorization to perform action". From this tutorial I believe this is all I had to do? I have waited over a day to see if it's a timing issue, following the example I have followed and this MS document: managed identities for App Service.
I don't believe I need to add any secret key for this to work?
Function Error message
Setting the function MSI identity to on
Setting the access control in
The service principal you are using doesn't have rights within that tenant.
Tenants have subscriptions and service principals belong to tenants. Azure resource manager also exposes role based authorization for a given principal, which would give it rights on Azure resources. It appears the service principal doesn't have rights to read from that subscription.
Go to the portal and find your subscription, click on Access Control (IAM) and then click on Add role assignment with the corresponding service principal which you use to acquire the token.
After you have granted the permission, refresh and try again.
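Before adding a role assignment it helps to see what the principal already holds at the resource's scope, since assignments inherit from subscription to resource group to resource and a Reader assignment looks like "access" while still failing a scale operation. The following is an added example, not code from the answer: it evaluates constructed role assignments (placeholder ids, in the field shape of `az role assignment list --assignee <id> --all`) against a target resource id and reports whether any effective role carries the write permission a SQL DB scale needs.

```python
"""Check whether a principal's Azure RBAC assignments cover a target resource.
Added example, not from the original answer; the assignments below are
constructed sample data with placeholder ids, not real ones.

Role assignments inherit down the scope hierarchy (management group ->
subscription -> resource group -> resource), so an assignment applies to a
target when its scope is the target itself or an ancestor of it.  Reader is
enough to see the database but not to scale it."""

SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"   # placeholder
FUNC_MSI = "11111111-1111-1111-1111-111111111111"             # placeholder object id
OTHER_SP = "22222222-2222-2222-2222-222222222222"             # placeholder object id

# Constructed listing using the field names of `az role assignment list`
# (only the fields needed here).
SAMPLE_ASSIGNMENTS = [
    {"principalId": FUNC_MSI, "roleDefinitionName": "Contributor",
     "scope": f"{SUB}/resourceGroups/rg-data"},
    {"principalId": FUNC_MSI, "roleDefinitionName": "Contributor",
     "scope": f"{SUB}/resourceGroups/rg-other"},
    {"principalId": OTHER_SP, "roleDefinitionName": "Reader", "scope": SUB},
]

# Built-in roles whose permissions include Microsoft.Sql/servers/databases/write,
# which a scale (tier change) operation requires.
ROLES_THAT_CAN_SCALE_SQL_DB = {"Owner", "Contributor", "SQL DB Contributor"}


def scope_covers(assignment_scope, target):
    """True if assignment_scope equals target or is an ancestor scope.
    Resource ids are case-insensitive, and the prefix must end on a path
    segment so '/resourceGroups/rg' does not match '/resourceGroups/rg-data'."""
    a = assignment_scope.rstrip("/").lower()
    t = target.rstrip("/").lower()
    return t == a or t.startswith(a + "/")


def effective_roles(assignments, principal_id, target):
    """Sorted role names principal_id holds at target, directly or inherited."""
    return sorted({x["roleDefinitionName"] for x in assignments
                   if x["principalId"].lower() == principal_id.lower()
                   and scope_covers(x["scope"], target)})


def can_scale_sql_db(assignments, principal_id, target):
    """Whether any effective role grants the database write permission."""
    roles = set(effective_roles(assignments, principal_id, target))
    return bool(roles & ROLES_THAT_CAN_SCALE_SQL_DB)


if __name__ == "__main__":
    db = (f"{SUB}/resourceGroups/rg-data/providers/Microsoft.Sql"
          "/servers/sql-demo/databases/db1")
    for pid in (FUNC_MSI, OTHER_SP):
        print(pid, effective_roles(SAMPLE_ASSIGNMENTS, pid, db),
              "can scale" if can_scale_sql_db(SAMPLE_ASSIGNMENTS, pid, db)
              else "cannot scale")
```

The principal id to look up is the function's managed identity object id (shown on the Identity blade once MSI is turned on); if the check comes back empty at the database's scope, the assignment was made at a scope that does not contain the database, which produces exactly the "doesn't have authorization" error in the question. Prefer the narrowest scope and role that works: Contributor on the one SQL server or database rather than on the whole subscription.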
I have some Azure Functions that I share to my partner companies who then run the Azure Functions in their own Azure subscriptions.
Occasionally the partners run into issues and reach out to me for help. I have to instruct them to manually pull the Azure Function logs and send to me via email.
Is there any way they can grant me permission to pull the logs from their Azure subscription?
It depends on where you have the logs.
Either way, they can grant you RBAC permission to their resource in their subscription. Generally, they have read only access options available. All resources have the same experience for modifying RBAC (but they do differ on which policies they support). It's pretty straightforward, but this doc has more information: https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-configure
If you're using our default Storage logs, do yourself a favor and turn on App Insights because it's great. Then, if you still want to use Storage, you can get RBAC access or a SAS token and grab those logs from the Storage Account associated with the Function App. (Name should be in the AzureWebJobsDashboard setting). If you get a SAS token, you can use the Storage Explorer by choosing the SAS URI option when you connect.
If you're using App Insights, good job, you've made the right decision. You can get RBAC access to the App Insights resource and use all their great UI experience/etc. You can also get an API Key and make direct API calls against it, in the case that RBAC wouldn't work. (I would try to get RBAC access, but if that's not possible, here's a link to App Insights REST API docs: https://dev.applicationinsights.io/quickstart)
Short answer: use RBAC to get granted limited permissions (and App Insights because it's great).