I have a requirement to automate renewal of all the soon to be expiring azure resources PIM role but it seems there is no PowerShell module available at this moment for the PIM.
I also tried exploring rest api option but it appears that there is no rest end point available but I found graph api endpoints which seems to be supporting this feature but as per Microsoft documentation it doesn't support access via service principal so not sure how to proceed further on this.
Did anyone try this before, any suggestion?
Related
This is more of an 'Is this possible' question. A developer on the team suggested using Azure AD for user management, but one of the requirements is that the app admin be able to add/manage user access through the application without having to go to the Azure Portal.
So the question is, is the Graph API (or some other mechanism) full featured enough to replace the portal (at least for basic user set up and management) and allow all actions to be done from the application UI?
Thanks.
Simple answer to your question is Yes. Graph API can be used to manage users and their access to applications instead of using Azure Portal. In fact, Azure Portal itself makes use of Graph API to perform these operations.
You may also need to use Azure REST API if you're planning on managing Azure resources as well through this custom application especially Authorization APIs if you want to manage access to Azure resources (Azure Role-based access control) through your application.
I'm writing an application that needs to create service principals and grant them permissions to read/write to an Azure event hub.
Currently, I'm using the Java SDK (azure-resourcemanager) to create service principals and assign roles.
I have noticed that both az CLI and java SDK are calling the Azure AD Graph endpoints.
To my best understanding, the Azure AD Graph is reaching EOF soon. does this mean I need to replace my java code, or will the java code implementations be adjusted to the newer Microsoft graph API?
I have looked at the Microsoft Graph java sdk and it seems less mature and less intuitive to use than AzureResourceManager (which its API is much more similar to other Azure java SDKs)
Can anyone from the Azure team help with that?
You don't need to make the change currently.
If AAD Graph is retired, SDKs that rely on AAD Graph are bound to reintegrate with new APIs (most likely MS Graph) or Microsoft will release new SDKs(This is less likely, because the customer’s existing code will be changed significantly).
Besides, Microsoft Graph mainly manages AAD resources. See the samples here: Create servicePrincipal.
If you need to assign RBAC role you still need to look into other SDKs.
As Allen mentioned, the likely scenario will be that certain future version of azure-resourcemanager would change to use MS graph internally for cases like creating a service principal, while keeping backward-combability on user-facing APIs (i.e., .servicePincipals().define(NAME)...create()).
The RBAC part will likely not impacted. Only the object ID of the service principal is required for RBAC, regardless of how that service principal is created/retrieved (via AAD graph or MS graph).
Currently it is not planned when this will happen.
Happened in 2.2.0 version.
We are actually looking to cover a solution from our jira platform.
We are using AZURE AD identitity management for handdling application catalog access.
Our goal is to automate the process of creating/adding a user into Azure AD from a Service Request issue from Jira Service Desk portal.
For exemple :
1- user submit a request from Jira Service Desk in order to have access to Confluence and RunDeck application
2 - The process should add automatically the user to the proper group in AD which then will have access to the application.
Does anyone have a solution how to approach this use case ?
Regards
Inbound Provisioning from Atlassian Jira to Azure AD is currently not supported. You can, however, voice your interest in such a feature or support similar ones in the Azure AD Feedback Forum.
Also, you can use the Graph API to automate user creation. Once a service request is complete, you can invoke the API for user creation from within Jira.
I have some Azure Functions that I share to my partner companies who then run the Azure Functions in their own Azure subscriptions.
Occasionally the partners run into issues and reach out to me for help. I have to instruct them to manually pull the Azure Function logs and send to me via email.
Is there anyway they can grant me permission to pull the logs from their Azure Subscription?
It depends on where you have the logs.
Either way, they can grant you RBAC permission to their resource in their subscription. Generally, they have read only access options available. All resources have the same experience for modifying RBAC (but they do differ on which policies they support). It's pretty straightforward, but this doc has more information: https://learn.microsoft.com/en-us/azure/active-directory/role-based-access-control-configure
If you're using our default Storage logs, do yourself a favor and turn on App Insights because it's great. Then, if you still want to use Storage, you can get RBAC access or a SAS token and grab those logs from the Storage Account associated with the Function App. (Name should be in the AzureWebJobsDashboard setting). If you get a SAS token, you can use the Storage Explorer by choosing the SAS URI option when you connect.
If you're using App Insights, good job, you've made the right decision. You can get RBAC access to the App Insights resource and use all their great UI experience/etc. You can also get an API Key and make direct API calls against it, in the case that RBAC wouldn't work. (I would try to get RBAC access, but if that's not possible, here's a link to App Insights REST API docs: https://dev.applicationinsights.io/quickstart)
Short answer, use RBAC to get granted limited permissions (and App Insights because it's great)
I'm looking to manage certain settings of Azure via Azure Powershell from C#. I need to manage subscriptions for many many customers programmatically.
I want to ensure that anytime I open a PowerShell session to deal with particular customer's subscription, nothing of that session is left over in registry, certificate store, etc.
I have management certificates available to me as encrypted byte arrays. I can save them on the hard drive if needed.
I am also happy to call Powershell cmdlets not thru Powershell session but directly thru referencing objects in the .DLL
I would prefre to avoid the use of Management API directly in certain scenarios which is why I'd like to do so via Powershell
Is this possible? If so, how do I avoid using the certificate store? Ideally, I would prefer to just have a way to call into the cmdlet from C# without going thru Powershell session
You should start using Azure Active Directory credentials instead of X.509 certificates. Both the Azure Service Management (ASM) and Azure Resource Manager (ARM) mode of Azure PowerShell supports AAD while certificate authentication can only be used for ASM. Using AAD credentials means you NEVER need to use certificates of X.509 certificates, and be subject to the management difficulties they impose. You would need to be added as a co-admin to your clients subscriptions for ASM support (and the production portal) and provided an appropriate role for ARM support (and the preview portal). However, your customers could restrict your ARM and preview portal access with RBAC.
PowerShell has one cmdlet called clear-azureprofile ... And it clears all connections ... If you really want to be sure you better also clear the IE cookies and start a new PoSh session after both actions (so best to do it at the end of each session)... I agree with Neil btw: Stay clear from the certs... Aim for AAD
BUT ... Why don't you take a look at the management libraries(MAML? It's the basis for all you don't need to call REST and you can avoid PowerShell (that also uses MAML.) it's downloadable as nuget package
Find it here http://www.nuget.org/packages/Microsoft.WindowsAzure.Management.Libraries
And find info on it here http://azure.microsoft.com/en-us/updates/management-libraries-for-net-release-announcement/ and here http://www.bradygaster.com/post/getting-started-with-the-windows-azure-management-libraries
Hope this helps!
Only automated way is with a AAD account for the subscription. Be aware, the token expires in 12 hours. See June's fantastic blog post.
http://www.sapien.com/blog/2014/10/23/saving-passwords-for-add-azureaccount/