Context
I am willing to get a resource details with the Azure REST API. And more particularly, I want to get the IAM associated with a resource.
Problem
So, I searched in the doc reference and found that endpoint: https://learn.microsoft.com/en-us/rest/api/resources/resources/get which provides an identity response attribute that meets my needs.
However, I can't find any information about the required path parameter parentResourcePath. What does that parameter mean and how can I get its value for a specific resource ?
Also, when I tried going through the resources group path, I can get a path to the resource details but without the parentResourcePath parameter, and the response doesn't include the identity attribute.
Finally, am I going the right way (using GET resource API) ? And if so, where can I find that parentResourcePath value ?
Actually, you have a better choice - Resources - Get By Id.
The /subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{parentResourcePath}/{resourceType}/{resourceName} in the api Resources - Get named resourceId which used in the Resources - Get By Id.
But if you combinate the properties manually, it is not easy, Azure has many different resource providers, resourcetype.
Generally, you could find the resourceId in your resource in the portal -> Properties. Also, the response of this API will include the identity which you need.
Sample:
Get a web app resource.
The resourceId is like /subscriptions/xxxxxxx/resourceGroups/joywebapp/providers/Microsoft.Web/sites/joywebapp2.
You can click Try it in the doc to try the api.
Response:
Well I made it throught the Role assignment list for scope endpoint, giving the subscription/resourcegroup/resource in the scope. And the output contains a principalId attribute that seems to point to a user or group or service principal.
Ref: https://learn.microsoft.com/en-us/rest/api/authorization/roleassignments/listforscope
Related
Within Azure, we set up our OATH2.0 credentials in AAD with three separate AppRegistrations.
I will be referring to these below.
1: Client : this is the main registration.
2: Read: This one holds the AppRole 'Read'
3: Write: This one holds the AppRole 'Write'
Here's some pictures to clearify:
3 Registrations
enter image description here
AppRole inside Read:
enter image description here
enter image description here
I am trying to automate adding these last two as APIpermissions to the first one with powershell.
I have found this command:
Add-AzADAppPermission and took a good look at the documentation here:https://learn.microsoft.com/en-us/powershell/module/az.resources/add-azadapppermission?view=azps-9.3.0
However, Either I am missing something, or this maybe cannot be done with custom appregistrations?
I keep getting the message
"Resource does not exist or one of its queried reference-property objects are not present."
I have checked that I am on the correct Tenant, and I have sufficient rights.
There are four parameters to consider, some more clear to me then others.
APIid: Which I assume, based on the documentation, should be Client.AppId
ApplicationId: Could be ObjectId/ ApplicationId from Read, but perhaps it's from it's corresponding ServicePrincipal (External Application)?, the documentation is not very clear on this one.
ObjectId: Can replace ApplicationId, but I have the exact same question. the documentation does not specify anything other then "The unique identifier in Azure AD."
PermissionId: The documentation says but in the examples they use Guids. I have seen other examples with Strings like "User.Read", so I figure this could be my DisplayName from the appRole inside my Read / Write AppRegistrations.
I've looked for other examples beside the documentation, but so far I've found only examples regarding Built-in appRoles in MsGraph.
The fact that the message is twofold (either it is not there OR something is missing) does not help either.
Bottom line is, I can't figure out which Guid goes where.
I have tried numerous combinations of parameters and AAD Guids, be it ObjectIds and AppIds from both AppRegistrations and their respective Service Principles.
I tried to reproduce the same in my environment and got the same error as below:
Note that: By using Add-AzADAppPermission, one can add the API permissions to the Application, but it is not possible to add
custom roles as API permissions.
Add-AzADAppPermission -ObjectId ObjectID -ApiId APIIdofthepermissions -PermissionId GUIDofAPIPermission
I am trying to add Group.Read.All Microsoft Graph API permission like below:
Add-AzADAppPermission -ObjectId ObjectID -ApiId 00000003-0000-0000-c000-000000000000 -PermissionId 5f8c59db-677d-491f-a6b8-5f174b11ec1d
Is there any way to have a schema attribute for a resource to allow updates, but not actually be identified as a change needed to the resource? Or, is there a way to use something like HasChangesExcept within DiffSuppressFunc or CustomizeDiff?
I'm looking to implement a feature where a resource is optionally dependent on a datasource for something that is not actually part of configuration. In this case, the datasource is providing an access token that is used to create and interact with the resource. Yes, this should just be part of provider configuration, but I'm looking to avoid including this feature in the provider config for a few reasons. Mainly, I'm building the feature to cover a gap with backend software, the feature will be unnecessary eventually.
Here's an example of the hcl I'm trying to achieve:
datasource "auth" "foo {
user
pw
}
resource "service" "foo" {
name = bar
details = baz
access_token = datasource.auth.foo.access_token
}
Because the auth datasource creates a new access_token on each plan, each plan also identifies a change to the service resource.
I believe an appropriate workaround here would be that the access_token in state for the resource is only updated when any of the other fields of the resource is updated.
To accomplish this, I looked at DiffSuppressFunc and CustomizeDiff. However, both are missing a feature I'd look for:
DiffSuppressFunc - receives *schema.ResourceData which is great, but at this level the diffs attribute of ResourceData isn't populated, this renders the HasChangesExcept method unusable.
CustomizeDiff - receives *schema.ResourceDiff which does have access to diffs, but does not have HasChangesExcept implemented. This would be okay for one resource, but I'm looking to implement the access_token option to multiple resources and wanted to check all the keys dynamically.
I am trying to get a subscription by ID from Microsoft Graph REST. If I list the subscriptions using GET /subscriptions, things are working fine and I am able to list all subscriptions. But if I take a subscription id from the list and try to get the details using GET /subscriptions/{id}, I am getting the following error:
{
"error":
{
"code":"ExtensionError",
"message":"There was an error processing a storage extension.",
"innerError":
{
"date":"2021-10-12T06:59:47",
"request-id":"ffa4f181-148d-49ed-8c9d-f551f6ddd6f0",
"client-request-id":"ffa4f181-148d-49ed-8c9d-f551f6ddd6f0"
}
}
}
Any ideas on where I might be going wrong?
PS: I am trying to get an individual subscription because the /subscriptions route does not provide the clientState property which is required for me.
When I route to the same /subscription got the #odata.context link.
I open the same link and search for clientState and got its type but not its value.
Note: the clientState property value is not returned for security purposes.
refer this github
Note : Client State is not set for the List Subscription on purpose by design, because subscription collections could be listed by say some other user (example tenant admin using Subscription.Read.All). It is not desirable to share this Client state information through the Listing API for that user who is not the creator of the subscription.
Reference : https://github.com/microsoftgraph/microsoft-graph-docs/issues/5248
I need a starting point to solve the following problem:
Assume there is a model with different entities (e.g. school classes) and different roles that are connected to entities.
Now I want to check in my Azure Function if Bob has a role on this entity which entitles him to rate a student from the school class.
I think of a claim of the form:
TEACHER : [
"class 2b"
]
before.
Which Azure Resources do I need to map such a thing?
I already use Azure AZ for the ID token and my API is implemented in an Azure Function.
I would like to call Azure AD to get an access token which contains those roles and resources of my domain.
I'm afraid that this form is not supported by Azure AD.
The supported form should be "{claim name}": "{claim value}".
If you accept this form, you can refer to my previous answer.
What you need to modify is:
When you create the extensionProperty, you should name the extensionProperty as "TEACHER".
Post https://graph.microsoft.com/v1.0/applications/{object id of the Azure AD application}/extensionProperties
{"name":"TEACHER","dataType":"string","targetObjects":["User"]}
And update the extension property for your account:
Patch https://graph.microsoft.com/v1.0/me
{"extension_6d8190fbf1fe4bc38a5a145520221989_TEACHER":"class 2b"}
Then you can get the custom claim as "TEACHER": "class 2b".
When I try to link a variable group to key vault in VSTS, every time I select my endpoint, it tells me:
"Specified Azure endpoint needs to have "Get, List" secret management permissions on the selected key vault. Click "Authorize" to enable VSTS to set these permissions or manage secret permissions in Azure portal."
It makes no sense. That specific endpoint has Get and List for secrets, keys, certificates. The endpoint is using the correct Service Principal Client ID- I know because I pulled its corresponding app registration up in Azure by searching with that ID. And the app registration is specifically listed in the key vault's Access policies, with the correct permissions.
Trying to click "Authorize" in VSTS just give me
"Resource not found for the segment 'DirectoryDataService.getServicePrincipalsByAppIds'. For troubleshooting refer to https://go.microsoft.com/fwlink/?linkid=835898"
and the endpoint is broken until I re-verify it.
I'm kind of at my wit's end here- everything is set exactly as https://learn.microsoft.com/en-us/vsts/build-release/concepts/library/variable-groups?view=vsts says it should be.
Edit: Turns out the Azure tried to add the app reg as a person instead of an app when I listed it in the ARM template by object ID (app ID most definitely does not work there). So now I just need to figure out how to add it as an application in the ARM template...
Edit Edit: Soooo... the Object ID the Azure Portal shows for an App Registration? That's not the Object ID the ARM template wants. It wants the... I'm not sure what you'd call it. In Powershell, you use it with -Object ID, but when you list the properties, it's under "Id". Whatever. To get it, you run
Get-AzureRmADServicePrincipal -SearchString "[your-app-reg-name]"
And it shows up under Id. That's what you want to use as an object ID in your ARM template.
According to the error Resource not found for the segment 'DirectoryDataService.getServicePrincipalsByAppIds, the issue seems more related to Azure side.
To access azure-keyvault you need four things :
- clientId = "<client id of your application registed on Azure AD>";
- domain = "<your talnet id>";
- secret = "<client key of your application registed on Azure AD>";
- subscription = "<your subscription id>";
Then these will combine ApplicationTokenCredentials, finally Authorize to KeyVaultClient . Suggest you take a look at this question: Azure keyvault client 1.0.0 initiate client
Besides also double check/confirm the specific endpoint has Get and List for secrets, keys, certificates.