I have multiple subscriptions in an Azure tenant and I'd like to list all resources (IP addresses, VMs, etc) in the tenant. Is this the same as listing the resources from all subscriptions?
We can easily list all resources in a subscription with a service principal to access it. However, there are some problems when you try to do this for a tenant. It it possible to create a service principal or an equivalent that applies to the whole tenant or to all the subscriptions in the tenant (depending on the answer to the first question) that would allow to list all resources with a script?
EDIT:
Actually, what I'm precisely trying to do is to list all public IPs in a Azure tenant with a python script:
def get_public_ips(self):
"""#returns: All public ip adresses in the ressource defined by the service principal"""
ips=[]
rmc = get_client_from_auth_file(ResourceManagementClient, auth_path=PATH+"azure_creds.json")
for r in rmc.resources.list(filter="resourceType eq 'Microsoft.Network/publicIPAddresses'", expand='True'):
#There were no way to get the ip adress directly...
ip = rmc.resources.get_by_id(r.id, "2019-09-01")
ips.append(ip.properties['ipAddress'])
return common.sanitize_ips_list(ips)
The script can already list all IPs but it is using a service principal to authenticate: https://learn.microsoft.com/en-us/python/api/msrestazure/msrestazure.azure_active_directory?view=azure-python
I wonder how to do the same thing with a whole tenant. Is this event possible? Would the same script script work by simply using another way to authenticate, i.e.by using an authentication entity that has reading rights on the whole resources of the tenant?
Thanks
you can use tags and filter by tags
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-using-tags
The following command will return you all resources in your tenant:
az resource list
The following command will return you all public ip addresses in your tenant:
az resource list --resource-type 'Microsoft.Network/publicIPAddresses'
az resource show --ids '<resource id>'
Field 'properties.ipAddress' is likely what you are looking for.
Related
While adding managed identities to the Keyvault Access Policy is easy
Now there's quite a few VMs that should be given access to the cluster.
It seems possible to select multiple managed identities add once and ascribe the same permissions to them, but I haven't managed to do this yet (ctrl + click, alt + click, selected multiple... all does not work). I cannot find it in the documentation either, however, it clearly states "selected items" below. How can I achieve this?
You cannot assign many managed identities at once. Neither for Portal nor via Azure CLI. You will need to assign one by one unfortunately..
Usually, Azure CLI is more capable of doing more jobs but it accepts only one assignee at a time.
az role assignment create --role
[--assignee]
[--assignee-object-id]
[--assignee-principal-type {Group, ServicePrincipal, User}]
[--condition]
[--condition-version]
[--description]
[--resource-group]
[--scope]
[--subscription]
Optional Parameters
--assignee
Represent a user, group, or service principal. supported format: object id, user sign-in name, or service principal name.
--assignee-object-id
Use this parameter instead of '--assignee' to bypass Graph API invocation in case of insufficient privileges. This parameter only works with object ids for users, groups, service principals, and managed identities. For managed identities use the principal id. For service principals, use the object id and not the app id.
--assignee-principal-type
Use with --assignee-object-id to avoid errors caused by propagation latency in AAD Graph.
accepted values: Group, ServicePrincipal, User
--condition
Condition under which the user can be granted permission.
--condition-version
Version of the condition syntax. If --condition is specified without --condition-version, default to 2.0.
--description
Description of role assignment.
--resource-group -g
Use it only if the role or assignment was added at the level of a resource group.
--scope
Scope at which the role assignment or definition applies to, e.g., /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333, /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup, or /subscriptions/0b1f6471-1bf0-4dda-aec3-111122223333/resourceGroups/myGroup/providers/Microsoft.Compute/virtualMachines/myVM.
--subscription
Name or ID of subscription. You can configure the default subscription using az account set -s NAME_OR_ID.
Checkout Assign a managed identity access to a resource using Azure CLI.
Create a user-assigned managed identity and grant it access to the Key Vault. Then assign the user-assigned managed identity to each VM.
This blog might help.
Problem
I have an azure pipeline YAML file. It is able to run through a service connection which accesses a service principal with all the proper authority, etc.
But I am now trying to clean up the code; we have multiple service principals running on multiple subscriptions and resource groups. They need to create storage accounts, which need to be unique.
So I am trying to create a storage account built partially from the associated subscription and resource group of the service principal creating the storage account.
Example Solution
For the subscription, it is fairly easy. I can do something like this, from within a PowerShell script called inside the pipeline:
$subscriptionId = $(az account show --query 'id' -o tsv)
Write-Output "##vso[task.setvariable variable=AZURE_SUBSCRIPTION_ID;isoutput=true;issecret=true]$subscriptionId"
Now I have the variables $subscription ID and AZURE_SUBSCRIPTION_ID set, and can access subscription information within the pipeline itself.
Question
But how can I do something similar with resource groups?
There is no equivalent to az account show with resource groups, without knowing the resource group name itself. (Eg, I have to type az group show -name <RG-name>, but it is precisely the name that I am trying to get.)
Again, to be clear, I am running inside of a particular resource group and subscription, it is those that are associated with the service connection. Now I simply want that information available to the pipeline.
I'm not sure if I completely understand what you are trying to accomplish. But I suspect that the options below might help.
Get role assignments
If you created separate service connections for each individual resource group you can simply check the role assignments for the SPN and determine the scope of the service connection.
If you, for example, use the Azure PowerShell task, you have configured it with a Service Connection. So when the task starts, it has the context of the service principal. You can then do Get-AzRoleAssignment which should output the Resource Groups to which its authorised. Again, this is only useful if you use a service connection per RG, as you otherwise get results for multiple RGs. (Or for subscriptions and Management groups, if you also assigned a role to those scropes)
Use the Azure DevOps API
You can use the Get Service Endpoint request of the Azure DevOps API to get the service connections. The JSON output will contain information regarding the scope of the service connection.
If you find working with the API directly a bit hard, you can try the PSDevOps PowerShell module to interact with the Azure DevOps API. It has the Get-ADOServiceEndpoint command that allows you to get the available service endpoints.
When using Azure Key Vault management REST API or cmdlet Add-AzureRmKeyVaultNetworkRule to allow a virtual network to access a key vault, I get the following error:
The client '{guid}' with object id '{guid}' does not have authorization to perform
action 'microsoft.network/virtualnetworks/taggedTrafficConsumers/validate/action'
over scope '/subscriptions/{guid}/resourcegroups/{resource-group}/providers/microsoft.network/virtualnetworks/{vnet-name}/taggedTrafficConsumers/Microsoft.KeyVault'
What is wrong?
Your subscription is not giving Microsoft.KeyVault resource provider permission to access Microsoft.Network resources. The fix is to register your subscription to Microsoft.KeyVault again:
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.KeyVault
This will add required permissions for Microsoft.KeyVault and Microsoft.Network integrations, including the ability to limit access to a given Virtual Network.
For more information: https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-manager-supported-services
This are the steps required to solve it:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/management/resource-providers-and-types#azure-portal
You just need to register the resource provider in the subscription, this doesn't only happens with Key Vault, my issue was with Sql Server as well :)
So I leave this answer here in case someone else needs it
This feels like a bug/limitation in both the Azure Portal and Azure CLI. We ran into this when trying to allow a subnet of a VNET in subscription X to access a storage account in subscription Y.
For us, the workaround was to look-up the name of the service principal that was mentioned in the error in our Azure AD directory using the "Search your tenant" box on the "Overview" tab of the directory (NOT the subscription but the Azure AD directory for the tenant). The name of the SP turned out to be "Storage Resource Provider" (yours may be different, so that's why you need to look it up in Azure AD), so we granted that SP "Owner" role (temporarily) in the other subscription. Then provisioning worked!
There should be a finer-grained set of permissions you need to grant than just "Owner" but when we granted just the "validate" permission, we got a new error:
Failed to save firewall and virtual network settings for storage account 'XXX'. Error: An operation is currently performing on this storage account that requires exclusive access.
Also experienced this error when adding a vnet to a storage-account in another subscription.
Fixed by adding a storage-account to the subscription using the portal. Then the vnet could be added to the storage-account.
Note: the result is the same as #fernacolo does with a powershell command.
I was trying to invoke data factory pipeline from azure function programmatically. Its throwing following error.
link:
http://eatcodelive.com/2016/02/24/starting-an-azure-data-factory-pipeline-from-c-net/
AuthorizationFailed: The client 'XXXX-XXXXX-XXXX' with object id 'XXX829e05'XXXX-XXXXX' does not have authorization to perform action
'Microsoft.DataFactory/datafactories/datapipelines/read' over scope
'/subscriptions/XXXXXX-4bf5-84c6-3a352XXXXXX/resourcegroups/fffsrg/providers/Microsoft.DataFactory/datafactories/ADFTestFFFS/datapipelines/ADFTutorialPipelineCustom'.
tried to search similar issues, but none of the search result gave me solution to my problem, Can you please guide us what could be the issue?
Objective is to, run data factory pipeline whenever file being added to blob. so to achieve the result we are trying to invoke data factory pipeline from azure function using blob trigger.
Step 1: login to your azure portal
Step 2: find Subscriptions in left side menu bar and click.
step 3: Click on Access Control IAM and then click on Add.
Step 4: In Add Permission window, select contributor for role. In select input box, type the app name you created in Azure AD (Created in Azure Active Directory)and select it. In my case I created Azure Resource Management.
Step 5:After you have given successful permission, click on Refresh in your subscription window and you will see your app showing in the list. See below example.
SEE Common problem when using Azure resource groups & RBAC
https://blogs.msdn.microsoft.com/azure4fun/2016/10/20/common-problem-when-using-azure-resource-groups-rbac/
This issue is more likely to happen in newer subscriptions and usually happens if a certain resource type has never been created before in that subscription.
Subscription admins often fix this issue by granting resource group owners contributor rights on the subscription level which contradicts with their strategy of isolating access down to the level of resource group level not the subscription level.
Root cause
Some admins say, that some resources require access to the subscription level to be able to create these resources and that ‘owner’ rights on a resource group level is not sufficient. That is not true.
Let’s take a step back to understand how this all works first.
To provision any resources in azure (using the resource manager model) you need to have a resource provider that supports the creation of that resource. For example, if you will provision a virtual machine, you need to have a ‘Microsoft.Compute’ resource provider available in the subscription first before you can do that.
Resource providers are registered on the level of the subscription only.
Luckily, the Azure Resource Manager (ARM) is intelligent enough to figure that out for you. When a new Azure resource gets provisioned, if the resource provider required for that resource type is not registered in the subscription yet, ARM will attempt to register it for you. That action (resource provider registration) requires access to the subscription level.
By default, any new azure subscription will be pre-registered with a list of commonly used resource providers. The resource provider for IoTHub for instance, is not one of them.
When a user is granted owner rights only on a specific resource group, if that user tries to provision a resource that requires registering a resource provider for the first time, that operation will fail. That is what happened in our case above when trying to provision IoThub.
So the bottom line is, we DO NOT need to grant access permissions to the subscription level for users to be able to create resources like HDInsight, IotHub and SQLDW …etc within their resource groups that they have owner rights on, as long as the resource providers for these resources is already registered.
You get the error that you are not authorized to perform action 'Microsoft.DataFactory/datafactories/datapipelines/read' over scope of pipeline because you don't have the relevant permissions on the datafactory.
You either need to have "Contributor" /"DataFactoryContributor" permissions to create & manage data factory resources or child resources. More details of the azure RBAC roles in the following link:
https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-built-in-roles
Since the customer is trying to use the ADF client from inside Azure Function, the recommendation is to use AAD application and service principal for authentication of ADF client. You can find the instructions for creating AAD application and service principal here:
https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-authenticate-service-principal
Please follow the instructions on how to create the Active Directory application, service principal, and then assign it to the Data Factory Contributor role in the following link and the code sample for using service principal with ADF client.
We recently had this issue with the same message and found that it was caused by the user being logged in with a different subscription (we have 2). Using az login --subscription resolved the problem for us.
For anyone else running into a similar issue with the same error message - After "az login" I was recieving the same error when attempting to create a resource group as Owner, I solved this with:
az account set --subscription "Azure Subscription 1"
Basically it stems from the subscription not being set, you can find the details here:
https://learn.microsoft.com/en-us/cli/azure/manage-azure-subscriptions-azure-cli#get-the-active-subscription
Solution:
Step 1: Register an app in Azure Active directory.
Step 2: Assign 'Data Factory Contributor' role to the same app. we can achieve this by using power shell.
The below code works for me. Please try out in power shell after logged in with Azure credential.
Implementation:
Step 1: $azureAdApplication = New-AzureRmADApplication -DisplayName <AppName> -HomePage <URL> -IdentifierUris <URL with domain> -Password <Password>
Step 2: New-AzureRmRoleAssignment -RoleDefinitionName "Data Factory Contributor" -ServicePrincipalName $azureAdApplication.ApplicationId
Follow this post : https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal
In this post , Role is given as "Reader" which should be "Owner" instead otherwise it would give permission error on deployment.
I solved by following this post:
https://www.nwcadence.com/blog/resolving-authorizationfailed-2016
with the command in PowerShell:
Get-AzureRmResourceProvider -ListAvailable | Select-Object ProviderNamespace | Foreach-Object { Register-AzureRmResourceProvider -ProviderName $_.ProviderNamespace}
I solved by finding the Enterprise Application > Object ID.
(it is weird that it does not use App Reg > Application Id)
https://jeanpaul.cloud/2020/02/03/azure-data-factory-pipeline-execution-error/
I have C# code running on an Azure Windows VM. Is there a way for me to find out what Resource Group this VM is in?
VM has been deployed with Azure Resource Management API (new, not classic)
The following will guarantee the ability to distinguish between vm's with the same name across different resource groups:
From your C# code, find the vmId (involves running one of the commands at the following link or possibly using an Azure SDK: https://azure.microsoft.com/en-us/blog/accessing-and-using-azure-vm-unique-id/). If using a Linux VM, be sure to take into account the different endian-ness, otherwise the vmId will not match.
Once you have the vmId, you can use either CLI or Powershell (or potentially an Azure SDK) to list all of the VM's in the subscription, then search through the list to find which VM has the vmId you got from the machine. Then you should be able to parse out the resource group name from the "id" field of the json for that VM (which, as Gaurav mentioned, is a string with the resource group in it). For an example, try the following:
azure vm list --json -vv
This command will show you the url's it is using to make the requests and the response body. In this body you will find the "vmId" and "id" field. For instance, one of the requests it sends is:
https://management.azure.com/subscriptions/{my-subscription-id}/providers/Microsoft.Compute/virtualMachines?api-version=2015-06-15
and the response body for this is the json with the relevant entries. Hope this helps! :)
One way to find out the resource group is to list all the virtual machines in your Azure Subscription. The URL you would use for that would be:
https://management.azure.com/subscriptions/[subscription-id]/providers/Microsoft.Compute/virtualMachines?api-version=2015-06-15
It will return you a list of all Virtual Machines in your Azure Subscription in JSON format where each item represents a Virtual Machine. You can first filter by the name property to find the matching Virtual Machine. Then the property which is important to you there is id which is always of the format:
/subscriptions/[subscription-id]/resourceGroups/[resource-group-name]/providers/Microsoft.Compute/virtualMachines/[virtual-machine-name]
You could simply parse this to get the resource group name.
How did you deploy the VM? Through portal.azure.com? Through CLI? Powershell? In any of these cases, usually you are required to specify a resource group name. In fact, in the portal, if you click on "Virtual Machines", it should say the resource group:
resource group of VM in portal
write-host(Get-AzVm -name "hostname").ResourceGroupName