I have to use this API : PATCH https://vsaex.dev.azure.com/{organisation}/_apis/userentitlements/{userId} to give read access to some projects to all users in my organisation. I am able to call this API, with success, but I don't know how to get the right GUID for the users. (To get the right Guid for the user I used Fiddler to spy the request).
When I use this API, (GET https://vssps.dev.azure.com/{organisation}/_apis/graph/users?api-version=6.0-preview.1) I get all users of my organisation, but in the list, there no the userId, I have only the originId, and it is the guid from the AAD, and I cannot update the user with that information.
I tried too to use the descriptor field, without any success. Does somebody have an idea to get this specific userId?
Example of User list I get with this API :
{
"count": 133,
"value": [{
"subjectKind": "user",
"metaType": "member",
"directoryAlias": "COD0001",
"domain": "10a83eaa-05c5-4b22-a201-63cddba4fe8c",
"principalName": "bidon.person#example.com",
"mailAddress": "bidon.person#example.com",
"origin": "aad",
"originId": "7c3408d6-62f4-43ff-bdbe-5be97000ba30",
"displayName": "Personne bidon",
"_links": {
"self": {
"href": "https://vssps.dev.azure.com/BIDON/_apis/Graph/Users/aad.ZDYzNzUwNzctNWJjYy03ZTkzLWIzZGUtMDEzNTdhM2JiMDIx"
},
"memberships": {
"href": "https://vssps.dev.azure.com/BIDON/_apis/Graph/Memberships/aad.ZDYzNzUwNzctNWJjYy03ZTkzLWIzZGUtMDEzNTdhM2JiMDIx"
},
"membershipState": {
"href": "https://vssps.dev.azure.com/BIDON/_apis/Graph/MembershipStates/aad.ZDYzNzUwNzctNWJjYy03ZTkzLWIzZGUtMDEzNTdhM2JiMDIx"
},
"storageKey": {
"href": "https://vssps.dev.azure.com/BIDON/_apis/Graph/StorageKeys/aad.ZDYzNzUwNzctNWJjYy03ZTkzLWIzZGUtMDEzNTdhM2JiMDIx"
},
"avatar": {
"href": "https://dev.azure.com/BIDON/_apis/GraphProfile/MemberAvatars/aad.ZDYzNzUwNzctNWJjYy03ZTkzLWIzZGUtMDEzNTdhM2JiMDIx"
}
},
"url": "https://vssps.dev.azure.com/BIDON/_apis/Graph/Users/aad.ZDYzNzUwNzctNWJjYy03ZTkzLWIzZGUtMDEzNTdhM2JiMDIx",
"descriptor": "aad.ZDYzNzUwNzctNWJjYy03ZTkzLWIzZGUtMDEzNTdhM2JiMDIx"
},
...
]
}
To get id you should use User Entitlements - Search User Entitlements which is
GET https://vsaex.dev.azure.com/{organization}/_apis/userentitlements?api-version=6.0-preview.3
then you will get response like
"members": [
{
"id": "<YOUR ID HERE>",
"user": {
"subjectKind": "user",
"metaType": "member",
"domain": "Windows Live ID",
Another option is use az cli.
1 - First you need to install the az cli extension if it is not installed.
az extension list-available --output table | grep devops
az extension add --name azure-devops
2 - Configure organization if is needed
az devops configure --defaults organization=https://dev.azure.com/myorganization
3 - maybe you need to do a login and insert de devops PAT token (paste it)
az devops login
token:
4 - Use de command user list with the option --top if you need to show more than 200 users
az devops user list --top 15000
5 - Use pipe with grep command to filter or send it to a file to find the user that you want to find.
az devops user list --top 15000 > devops-users.txt
az devops user list --top 5000 | grep myemail#mycompany.com
6 - the field that you want is the id:
"id": "a69fdd3c-yyyyy-6fa6-90ba-xxxxxx",
If you has permissions you can use also de command az devops user show
az devops user show --user myemail#mycompany.com
Docs:
install az cli extension
az devops user
Related
I created conditional access policy using this from my previous question reply here. It's working as expected.
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Block access to Application Admins.",
"state": "enabled",
"conditions": {
"clientAppTypes": [
"all"
],
"applications": {
"includeApplications": [
"appID"
]
},
"users": {
"includeRoles": [
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"//ID of Application Admin role
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
]
}
}
I want to change few properties like roles to User administrator and grantControls to allow access with mfa in this existing policy from Graph.
In Portal, we have edit option but is this possible from Graph? How to achieve that?
TIA
I tried to reproduce the same in my environment via Graph Explorer and got below results:
I have one existing conditional access policy with below properties:
To update this policy via Graph API, make use of below query based on your requirement:
PATCH https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/<id>
Content-type: application/json
{
"displayName": "Require MFA to User Administrators.",
"state": "enabled",
"conditions": {
"users": {
"includeRoles": [
"fe930be7-5e62-47db-91af-98c3a49a38b1" //ID of User Administrator role
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
]
}
}
Response:
When I checked the same in Portal, properties updated successfully like below:
You can get the id of User Administrator role like below:
Go to Azure Portal -> Azure AD -> Roles and administrators -> All roles -> User Administrator
UPDATE:
You can get the id of policy using below query:
GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies?$filter=displayName eq 'policyName' &$select=id,displayName
Response:
When I use az login using service principal
e.g az login --service-principal -u “12121” -p “1212” --tenant “12121”
It will show the all the list of subscriptions which it has access like
[
{
"cloudName": "AzureCloud",
"homeTenantId": "123",
"id": "215645",
"isDefault": true,
"managedByTenants": [],
"name": "Sub1",
"state": "Enabled",
"tenantId": "123",
"user": {
"name": "123456",
"type": "servicePrincipal"
}
},
{
"cloudName": "AzureCloud",
"homeTenantId": "123",
"id": "rr",
"isDefault": false,
"managedByTenants": [
{
"tenantId": "123"
}
],
"name": "Sub2",
"state": "Enabled",
"tenantId": "123",
"user": {
"name": "123456",
"type": "servicePrincipal"
}
},
...
...
]
Among the list for some sub the SPN have direct reader access(RBAC) to the subscription. But for the other sub (lets say sub2) the access is not directly given to the subscription level, instead the access has been given to resource(s) level.
Question: How to get all the list of resources within sub2 that have access provided to the service principal ?in other words, I have to find(list) what kind of access the service principal assigned to any/all the resources within sub2.
I know azure cli doing this behind the scene to retrieve this information.That why it can show all the list of subscription after the successful login. But i don't know what that is
Is there any cli command or graph API to retrieve that information ?
P.S:I don't know the scope or resource where the SPN is assigned too
If you want to list the role assignments for a specific user, you can use the az role assignment list command.
az role assignment list --assignee {assignee}
Note: To view role assignments for the current subscription and below, add the --all parameter:
az role assignment list --assignee {assignee} --all
If you are already logged in with the service principal, you can omit the --assignee parameter
A lot of Azure API endpoints require you pass in the subscriptionID and resource group name of the resouce you want to work with.
From a bash script running on an Azure Linux VM, how can I get these info? I can't have the Azure CLI installed hence looking for some REST API.
There is this old answer which I found convoluted and requires the CLI anyway.
One answer even mentions this API to get all info of one given VM:
/subscriptions/[subscription-id]/resourceGroups/[resource-group-name]/providers/Microsoft.Compute/virtualMachines/[virtual-machine-name]
It seems to be a chicken and egg problem.
You could use this REST API - Subscriptions - List to list all the subscriptions the user can access for an Azure AD tenant.
GET https://management.azure.com/subscriptions?api-version=2019-06-01
For which tenant, it depends on the bearer token you got from, when you get the token, decode in https://jwt.io/, you will find that like below. If you use this token to call this API, it will get all the subscriptions the user can access in the tenant I hid in the screenshot.
If you want to get the resource group the VM is in, you can use this REST API - Virtual Machines - List All, no need to pass the resource-group-name, it can list all the VMs with the subscriptionId, you can get the subscriptionId from the Subscriptions - List.
GET https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.Compute/virtualMachines?api-version=2019-03-01
So in conclusion, if you already know the subscriptionId which the VM is in, you can list all the VMs in the subscription and find the VM in the result, then you will find the resource group name. If you don't know the subscriptionId, you can just list all the subscriptions the user can access in one tenant, and list all the VMs in every subscription. Besides, if you even don't know the tenant-id, you can use Tenants - List to gets all the tenants for your account.
I've found it. The Azure Instance Metadata Service returns a lot of metadata about the Azure VM where the request has made from. I used the following REST endpoint to retrieve the VM's subscriptionId and resourceGroupName:
curl -H Metadata:true "http://169.254.169.254/metadata/instance?api-version=2017-08-01"
{
"compute": {
"location": "",
"name": "",
"offer": "",
"osType": "",
"placementGroupId": "",
"platformFaultDomain": "",
"platformUpdateDomain": "",
"publisher": "",
"resourceGroupName": "",
"sku": "",
"subscriptionId": "",
"tags": "",
"version": "",
"vmId": "",
"vmScaleSetName": "",
"vmSize": "",
"zone": ""
},
"network": {
"interface": [
{
"ipv4": {
"ipAddress": [
{
"privateIpAddress": "",
"publicIpAddress": ""
}
],
"subnet": [
{
"address": "",
"prefix": ""
}
]
},
"ipv6": {
"ipAddress": []
},
"macAddress": ""
}
]
}
}
I have an ARM template that creates an Azure Key Vault followed by an Azure Kubernetes service. The problem is that the Azure Kubernetes service needs a Service Principle's Client ID and Client Secret passed in the first time I create it. So I run the application.json without the kubernetes_servicePrincipalClientId and kubernetes_servicePrincipalClientSecret parameters in the production.parameters.json file:
application.json
{
"comments": "Kubernetes Service Principal Client ID",
"type": "Microsoft.KeyVault/vaults/secrets",
"name": "[concat(parameters('key_vault_name'), '/KubernetesServicePrincipalClientId')]",
"apiVersion": "2018-02-14",
"properties": {
"contentType": "text/plain",
"value": "[parameters('kubernetes_servicePrincipalClientId')]"
}
},
{
"comments": "Kubernetes Service Principal Client Secret",
"type": "Microsoft.KeyVault/vaults/secrets",
"name": "[concat(parameters('key_vault_name'), '/KubernetesServicePrincipalClientSecret')]",
"apiVersion": "2018-02-14",
"properties": {
"contentType": "text/plain",
"value": "[parameters('kubernetes_servicePrincipalClientSecret')]"
}
}
The second time I run the ARM template, I add the following lines to my production.parameters.json file, so that the Client ID and Client Secret are retrieved from Azure Key Vault where they were stored the first time I ran the ARM template.
production.parameters.json
"kubernetes_servicePrincipalClientId": {
"reference": {
"keyVault": {
"id": "/subscriptions/[Subscription Id]/resourcegroups/[Resource Group Name]/providers/Microsoft.KeyVault/vaults/[Vault Name]"
},
"secretName": "KubernetesServicePrincipalClientId"
}
},
"kubernetes_servicePrincipalClientSecret": {
"reference": {
"keyVault": {
"id": "/subscriptions/[Subscription Id]/resourcegroups/[Resource Group Name]/providers/Microsoft.KeyVault/vaults/[Vault Name]"
},
"secretName": "KubernetesServicePrincipalClientSecret"
}
}
Unfortunately it looks like you can't create a service principal in an ARM template. Is there a better way to configure all this in an automated way, so that regardless of whether or not I'm running the template the first time or second time, I don't have to perform any manual steps?
no, those apis are not exposed to arm, there is no way of managing a service principal with an ARM Template. you can however create a script that will provision the service principal and pass its details to the arm template, or you can use some sort of tool to handle all of this for you (pulumi\terraform\ansible)
I want to build a SAAS Service for Azure marketplace using single-sign-on.
I have read this document Microsoft identity platform access tokens, but can not find anything relate to User's Organization.
Is there any way to get user's Organization name?
For now I only can parser from email.
You can call MS Graph API to get the user's organization details: https://learn.microsoft.com/en-us/graph/api/organization-get?view=graph-rest-1.0&tabs=http.
The endpoint is at https://graph.microsoft.com/v1.0/organization
Sample response:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#organization",
"value": [
{
"assignedPlans": [
{
"assignedDateTime": "datetime-value",
"capabilityStatus": "capabilityStatus-value",
"service": "service-value",
"servicePlanId": "servicePlanId-value"
}
],
"businessPhones": [
"businessPhones-value"
],
"city": "city-value",
"country": "country-value",
"countryLetterCode": "countryLetterCode-value",
"displayName": "displayName-value"
}
]
}
You can call this endpoint even with the basic User.Read permission.