I have an Azure Event Grid Trigger Inside my Function's App. The Function is subscribed to Event Grid Topic through an Event Subscription. The Function works perfectly and is triggered when I have no Authentication Configured inside the Authentication / Authorization Blade of the Functions App. But when I integrate B2C AD App from the Blade, the topic is not delivered and the function is not triggered. Also, I can see "Unauthorized" Errors inside the Event Subscription. The B2C Flow is required for other HTTP triggers inside the Function App. How can I give exclusive access to the Event Grid so that this message is delivered without the B2C Flow?
You can try below approach:
Enable Event Grid to use your Azure AD Application:
Use the PowerShell script below in order to create a role and service principal in your Azure AD Application. You will need the Tenant ID and Object ID from your Azure AD Application:
Modify the PowerShell script's $myTenantId to use your Azure AD
Tenant ID.
Modify the PowerShell script's $myAzureADApplicationObjectId to use the Object ID of your Azure AD Application.
Run the modified script.
$myTenantId = "<the Tenant Id of your Azure AD Application>"
Connect-AzureAD -TenantId $myTenantId
$myAzureADApplicationObjectId = "<the Object Id of your Azure AD Application>"
$eventGridAppId = "4962773b-9cdb-44cf-a8bf-237846a00ab7"
$eventGridRoleName = "AzureEventGridSecureWebhook"
Function CreateAppRole([string] $Name, [string] $Description)
{
$appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
$appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
$appRole.AllowedMemberTypes.Add("Application");
$appRole.DisplayName = $Name
$appRole.Id = New-Guid
$appRole.IsEnabled = $true
$appRole.Description = $Description
$appRole.Value = $Name;
return $appRole
}
$myApp = Get-AzureADApplication -ObjectId $myAzureADApplicationObjectId
$myAppRoles = $myApp.AppRoles
$eventGridSP = Get-AzureADServicePrincipal -Filter ("appId eq '" + $eventGridAppId + "'")
Write-Host "App Roles before addition of new role.."
Write-Host $myAppRoles
if ($myAppRoles -match $eventGridRoleName)
{
Write-Host "The Azure Event Grid role is already defined.`n"
}
else
{
$myServicePrincipal = Get-AzureADServicePrincipal -Filter ("appId eq '" + $myApp.AppId + "'")
$newRole = CreateAppRole -Name $eventGridRoleName -Description "Azure Event Grid Role"
$myAppRoles.Add($newRole)
Set-AzureADApplication -ObjectId $myApp.ObjectId -AppRoles $myAppRoles
}
if ($eventGridSP -match "Microsoft.EventGrid")
{
Write-Host "The Service principal is already defined.`n"
}
else
{
$eventGridSP = New-AzureADServicePrincipal -AppId $eventGridAppId
}
New-AzureADServiceAppRoleAssignment -Id $myApp.AppRoles[0].Id -ResourceId $myServicePrincipal.ObjectId -ObjectId $eventGridSP.ObjectId -PrincipalId $eventGridSP.ObjectId
Write-Host "My Azure AD Tenant Id: $myTenantId"
Write-Host "My Azure AD Application Id: $($myApp.AppId)"
Write-Host "My Azure AD Application ObjectId: $($myApp.ObjectId)"
Write-Host "My Azure AD Application's Roles: "
Write-Host $myApp.AppRoles
Configure the event subscription :
In the creation flow for your event subscription, select endpoint type 'Web Hook'. Once you've given your endpoint URI (webhook uri of event grid endpoint - https://FUNCTION_DOMAIN/runtime/webhooks/eventgrid?functionName={FUNCTION_NAME}), click on the additional features tab at the top of the create event subscriptions blade.
In the additional features tab, check the box for 'Use AAD authentication' and configure the Tenant ID and Application ID:
Copy the Azure AD Tenant ID from the output of the script and enter
it in the AAD Tenant ID field.
Copy the Azure AD Application ID from the output of the script and
enter it in the AAD Application ID field.
Edit:
For more details about this solution, visit here.
Related
I'd like to add a Scope to an Azure AD App / Service Principal (UI=Expose an API) with Powershell.
$app = New-MgApplication -DisplayName $name -SignInAudience "AzureADMyOrg"
Update-MgApplication -ApplicationId $app.id -IdentifierUris #("api://$($app.AppId)")
$oauth_permission_scopes = #{
AdminConsentDescription = "admin desc"
AdminConsentDisplayName = "admin name"
Type = "Admin"
Value = "Read.all"
Id = $([guid]::NewGuid())
}
$sp = New-MgServicePrincipal -AppId $app.AppId -Notes $description -Tags #("HideApp","WindowsAzureActiveDirectoryIntegratedApp") #HideApp=VisibleToUsers
Update-MgServicePrincipal -ServicePrincipalId $sp.Id -Oauth2PermissionScopes $oauth_permission_scopes
But i get the message:
Update-MgServicePrincipal_UpdateExpanded1: Property 'oauth2PermissionScopes' is read-only and cannot be set.
Can this only be added in the UI?!
I tried to reproduce the same in my environment and got below results:
I ran the same code as you to add scopes and got same error as below:
When I checked the same in Portal, application is created but scope not added like below:
To add scope to Azure AD Application with PowerShell (Expose an API), you need to modify your script as suggested by Cpt.Whale like this:
$api = #{
oauth2PermissionScopes = #(
#{
AdminConsentDescription = "admin desc"
AdminConsentDisplayName = "admin name"
Type = "Admin"
Value = "Read.all"
Id = $([guid]::NewGuid())
}
)
}
Update-MgApplication -ApplicationId $app.id -Api $api
Response:
When I checked the same in Portal, scope added successfully in Expose an API tab of Azure AD application as below:
On a App Registration I want to remove the App Roles by first disable the active ones and afterwards removing them.
I checked the commands by the developer tools what is executed and I come to the following request:
$graphApiUrl = 'https://graph.microsoft.com/v1.0/applications'+'/'+$apiAppReg.appId
$body = '{"appRoles":[{"description":"Applications can read","displayName":"Reader","id":"xxxxxxx-xxxx-xxxx-xxxx-xxxxxx","isEnabled":false,"value":"Read","allowedMemberTypes":["Application"]}]}
'
az rest --method PATCH --url $graphApiUrl --headers 'Content-Type=application/json' --body '$body'
I tried this in all orders, but it seems that this is resulting in an error.
btw. the boby is copy from the request from the azure website
After reproducing from my end, I could able to achieve your requirement using PowerShell. To Disable the App Role I have set IsEnabled=$false for each app role in my Application.
Below is the script that worked for me to disable the app role.
$App = Get-AzureADApplication -Filter "appId eq '$appId'"
$AppRoles = $app.AppRoles
for($I=0;$I -lt $AppRoles.Count;$I++)
{
$app.AppRoles[$I].IsEnabled=$false
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $AppRoles
}
To Remove the app roles from the application I have used $AppRoles.Remove($AppRoles[$I]). Below is the complete code that worked to delete the app roles from my Application.
for($I=0;$I -lt $AppRoles.Count;$I++)
{
$AppRoles.Remove($AppRoles[$I])
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $AppRoles
}
Below is the complete working code
Connect-AzureAD
$AppId = "<APPLICATION_ID>"
$ObjectId = "<OBJECT_ID>"
$App = Get-AzureADApplication -Filter "appId eq '$appId'"
$AppRoles = $app.AppRoles
for($I=0;$I -lt $AppRoles.Count;$I++)
{
$app.AppRoles[$I].IsEnabled=$false
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $AppRoles
}
for($I=0;$I -lt $AppRoles.Count;$I++)
{
$AppRoles.Remove($AppRoles[$I])
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $AppRoles
}
It is possible to return a list that shows all the Azure AD groups the current account is belonging to?
Both using Azure portal web UI and PowerShell are appreciated!
Here's a few different ways other than using the Portal
Azure AD PowerShell Module
Get-AzureADUserMembership
$user = "user#domain.com"
Connect-AzureAD
Get-AzureADUserMembership -ObjectId $user | Select DisplayName, ObjectId
Microsoft Graph PowerShell Module
Get-MgUserMemberOf
$user = "user#domain.com"
Connect-MgGraph
(Get-MgUserMemberOf -UserId $user).AdditionalProperties | Where-Object {$_."#odata.type" -ne "#microsoft.graph.directoryRole"} | ForEach-Object {$_.displayName}
Microsoft Graph API HTTP Request through PowerShell
List memberOf
$user = "user#domain.com"
$params = #{
Headers = #{ Authorization = "Bearer $access_token" }
Uri = "https://graph.microsoft.com/v1.0/users/$user/memberOf"
Method = "GET"
}
$result = Invoke-RestMethod #params
$result.Value | Where-Object {$_."#odata.type" -ne "#microsoft.graph.directoryRole"} | Select DisplayName, Id
Microsoft Graph Explorer
GET https://graph.microsoft.com/v1.0/users/user#domain.com/memberOf
For Portal, simply click on the user for which you want to find this detail and then click on "Groups" button.
If you want to use PowerShell, the Cmdlet you would want to use is Get-AzureADUserMembership.
In Azure, how can you configure an alert or notification when a SQL Server failover happened if you setup a SQL server with Failover groups and failover policy is set to automatic? If it can't be setup in Monitor can it be scripted elsewhere?
Found a way to script this in Azure using Automation Accounts > Runbook > using Powershell. A simple script like this should do it. Just need to figure out the run as account and trigger it by schedule or alert.
function sendEmailAlert
{
# Send email
}
function checkFailover
{
$list = Get-AzSqlDatabaseFailoverGroup -ResourceGroupName "my-resourceGroup" -server "my-sql-server"
if ( $list.ReplicationRole -ne 'Primary')
{
sendEmailAlert
}
}
checkFailover
Azure SQL database only support these alert metrics:
We could not using the alert when SQL Server failure happened. You can get this from this document: Create alerts for Azure SQL Database and Data Warehouse using Azure portal.
Hope this helps.
Thanks CKelly - gave me a good kick start to something that should be standard in Azure. I created an Azure Automation Account, added the Az.Account, Az.Automation and Az.Sql modules then added a bit more to your code. In Azure I created a SendGrid account.
#use the Azure Account Automation details to login to Azure
$Conn = Get-AutomationConnection -Name AzureRunAsConnection
Connect-AzAccount -ServicePrincipal -Tenant $Conn.TenantID -ApplicationId $Conn.ApplicationID -CertificateThumbprint $Conn.CertificateThumbprint
#create email alert
function sendEmailAlert
{
# Send email
$From = "<email from>"
$To = "<email of stakeholders to receive this message>"
$SMTPServer = "smtp.sendgrid.net"
$SMTPPort = "587"
$Username = "<sendgrid username>"
$Password = "<sendgridpassword>"
$subject = "<email subject>"
$body = "<text to go in email body>"
$smtp = New-Object System.Net.Mail.SmtpClient($SMTPServer, $SMTPPort)
$smtp.EnableSSL = $true
$smtp.Credentials = New-Object System.Net.NetworkCredential($Username, $Password)
$smtp.Send($From, $To, $subject, $body)
}
#create failover check and send if the primary server has changed
function checkFailover
{
$list = Get-AzSqlDatabaseFailoverGroup -ResourceGroupName "<the resourcegroup>" -server "<SQl Databse server>"
if ( $list.ReplicationRole -ne 'Primary')
{
sendEmailAlert
}
}
checkFailover
This process may help others.
I want to lock down site creation to a certain group of admin suresh. We have created a group for this, but what do I tell the SharePoint Admin to do in order to achieve this?
To lock down site creation, you basically need to run a few PowerShell commands as below using Azure AD PowerShell. Run them commands with Global admin priviledges.
I am assuming that you have created an Azure AD group with certain users who will have access to create the site.
$creds = Get-Credential
Connect-AzureAD -Credential $creds
$group = Get-AzureADGroup -All $True | Where-Object {$_.DisplayName -eq "ENTER GROUP DISPLAY NAME HERE"}
$policySetting = Get-AzureADDirectorySetting | where-object {$_.displayname -eq "Group.Unified"}
if($policySetting -eq $null) {
$template = Get-AzureADDirectorySettingTemplate | Where-Object {$_.DisplayName -eq "Group.Unified"}
$settings = $template.CreateDirectorySetting()
$settings["EnableGroupCreation"] = $false
$settings["GroupCreationAllowedGroupId"] = $group.ObjectId
$policySetting = New-AzureADDirectorySetting -DirectorySetting $settings
}
else{
$policySetting["EnableGroupCreation"] = $false
$policySetting["GroupCreationAllowedGroupId"] = $group.ObjectId
Set-AzureADDirectorySetting -Id $policySetting.Id -DirectorySetting $policySetting
}
Links:
Installing the Azure AD module
Code modified from - Managing Office 365 group creation using Azure AD PowerShell v2