Azure service to query Azure Active Directory - azure

Suggest any azure service which
can connect customer azure active directory
can query customer azure active directory
keep my application azure active directory in sync with any future change (add/remove user) on customer azure active directory ?

Service to connect/query Azure AD : Microsoft Graph API can help you query Azure AD
Sync changes between two different Azure AD tenants: AFAIK there isn't any service that will do this for you, you need to write something custom yourself that can make use of Microsoft Graph API
Notification on changes: Microsoft Graph API supports change notifications for some scenarios.. User and Group resource types are supported.. see if this covers what you're looking for Use the Microsoft Graph API to get change notifications
Incremental changes: Microsoft Graph API also supports delta queries for some operations, which could help in figuring out incremental changes.
Authentication: Most probably client credentials grant flow using Application permissions, with a daemon app would make sense for such scenario. Although, this is something you'll need to decide based on how you finally implement.
Permissions required: Microsoft Graph API permissions reference
Function or WebJob or something else: it's a little subjective I guess. I don't have a clear single recommendation. WebJob might be better if it turns out to be long running, but I'm not sure. You may need a separate question or find some already answered good questions about this.

In response to Rohit's answer: -
I agree there isn't any Microsoft service as of now that sync changes between two different Azure AD tenants.
Not here to brag or promote but to give a direction, the company where I work has a product which solves exactly this problem and we have few customers who are using it to keep their partner tenants in sync. In case you are looking for a pre-made product feel free to reach out to me.
Other wise if you need any help on creating your own then what Rohit mentioned are quite good steps to follow, if you still need help with that direction let me know.

Related

Can I set up Azure bot service within Azure VNET?

I am developing a chatbot on Microsoft teams for internal use only, which needs to be deployed and hosted on the intranet. In order to NOT make the bot's APIs public I plan to use Azure VNET. Within this VNET how can I connect the azure bot service resource?
Could someone please guide me on how to set this up? Also, direct me to any concepts that I need to understand, to tackle this problem.
I can't advise on the VNET side of things (hopefully the Microsoft Bot engineers here on the site can advise), but here some other things that might be of use/interest in securing your bot for on premises/internal company use:
Of course you'll side-load this app into the private company store, not the real Teams app store - do you need any info on how to do this?
I'd strongly suggest blocking access to your bot from tenant(s) other than your own - Microsoft have a sample middleware to do just this, but as per this link it's now been rolled into the core Bot Framework SDK. This means that even if someone from another tenant (i.e. company) tried to access your bot, it would reject their messages.
There are also mechanisms to sign users in, like using a signin card that could be applicable here, but I'm not sure you can lock users to a specific tenant this way. This would definitely be useful though if your bot is accessing any outside resources though, as it could be used to lock access to those.
Probably (2) above is your easiest and best bet, and it's pretty easy to implement.

azure devops access log

I am looking to find access logs for azure devops to
1) List time and date of authorized users who have accessed the code repository
2) List the changes made for all of the the repository and by whom
3) Assuage audit fears of unauthorized users downloading the code
Looks like there is auditing capabilities slotted in the roadmap but I need something now. I tried using the azure portals activity logs but I get zero results for azure devops events
Note: we do not use Active Directory integration yet
Any help is greatly appreciated
For auditing repo changes, every write operation in source control is part of its history.
For limiting read access, you already know the solution, because you said you aren't using it yet: Azure AD. Limit access to within your organization.
For auditing access, as you said, there is no solution yet, it's on the backlog. The reason it's on the backlog is because there is no way to do it at the moment.

Get Azure Dashboard data via api

Scenario:
One team had built one application, and application is running on azure.
maintenance is taken care by same team, we don't want to give full access of production instance to developer team, but want to give read permission, like - monitoring of logs, cpu usages etc.
Solution according to me is build an application which will get dashboard data and log data from azure via api and that data will be displayed to development team.
I am referring these 2 links
https://msdn.microsoft.com/en-us/library/azure/dn722415.aspx
https://azure.microsoft.com/en-in/documentation/articles/api-management-get-started/
Question:
Still I am not able to find api which will give the dashboard data. if anyone know api for the same, please help.
Is there any alternative solution for this scenario.
If you deploy your app using the new Azure Resource Manager mode, it provides a Role Based Access Control to your resources. You can deploy your app inside a Resource Group and provide read access to your developers. They will be able to view the information about the services that your app are made of but without the option to change anything.
This session from Build 2015 can help you to understand what ARM is and what you can do with it: https://channel9.msdn.com/Events/Build/2015/2-659

Visual Studio Online - Live ID vs Work Accounts

We're completely upgrading our production and development environment from co-located boxes to an Azure implementation and we'll be developing using Visual Studio Online. Up until this point our dev has occurred on a Remote Desktop environment where developers were logging into Windows server and developing on that RDP box.
We want to set this up and we have some confusion about the Account types/set up types.
It appears there are two ways to set up our Azure and two ways to set up our developers. We are a MS partner w/ some MSDN licenses and Azure credits.
So for Azure we can use our existing MS accounts and just set up an Azure Pay As You Go (PAYG) subscription. This was suggested to us initially but it seems weird to have the entire companies Azure environment going through an individuals live ID. Then we saw we can sign up as an Organization now and it uses Azure AD. We have not been using Active Directory and we're not sure how much complexity this is going to add to our administration. Is there a discernible difference/benefit to going one way or the other?
Then, when we sign up our developers we can either have everyone sign up with their live ID's (we have MSDN w/ VS Premium credits for all developers) or we can set them up using Active Directory with Work Accounts. Having our credits allotted in work accounts sounds like a good way to control things at first reading, but it also seems a bit more complex. I'm wondering if there is much difference between MSDN accounts signed up w/ live IDs or AD Work Accounts. I can't find a real comparison article or pro/con type of discussion anywhere.
It sounds like you have already figured out the main differences. As an organization, I would suggest signing up for Azure as an organization. You can do that here. This is going to give you the management capabilities for resources typically needed by an organization.
Your developers can continue to use the MSDN subscriptions. As Dylan commented, these are not to be used for production environments. You should consider using these for Dev/Test environments and activating your MSDN benefits. This will save you some money. More on that here.
Visual Studio Online will work with your Work Accounts and again give you more control over managing your online resources. This link describes the sign-up process for both Microsoft Accounts and Work Accounts. And if you scroll down a bit you will find your original question specifically addressed.
Finally, you can also add your Work Account(s) to your existing MSDN subscriptions if you like. This way you (and your developers) can use the same account credentials when accessing Azure Subscriptions. Information on how to do that is available in this link.
Your Work Account subscription should be limited to personnel responsible for managing your "production" environment.
After signing up for Azure as an Organization, you can add users to the directory as described here. You can also add "external" users using their existing Microsoft Accounts. It's just a few dialogs to add a user.

how to write a cloud-based Active directory .NET application

I work for a network management company and I want to write a .Net application (MVC 4) that will allow us to service Active Directory users from a cloud-based application.
As I have never written a cloud-based app, I don't know if I'm using that term correctly or not. I am in the requirements gathering stage. Basically, I'd like to provide our customers with the ability, for example, to change their own password using our cloud-based application.
is this an application that should be written specifically using Azure? If not, what tools and platform(s) should I take into consideration?
What tutorials or other resources are available ?
Actually, I don't even know enough about Active Directory and Cloud computing to ask the right questions. But, I hope someone will point me in the right direction
Read How to Authenticate Web Users with Windows Azure Active Directory Access Control. There are great walk-throughs there. There is more reading and code samples here - Access Control Service 2.0.
That's using ACS.
You could go direct to Azure Active Directory if you wished?
Refer: Adding Sign-On to Your Web Application Using Windows Azure AD.
If you use Office 365, you already have an AAD tenant.

Resources