I'm trying to get a full list of function endpoints in my Azure function app from a Powershell script. I can get the list of functions from the management.azure.com API, but it just has the function name, like...
/subscriptions/ea4a3766-c3a8-4b9c-xxxx-xxxxxxxxxxxx/resourceGroups/MyResourceGroup/providers/Microsoft.Web/sites/MyFunctionAppName/functions/FunctionName
But the function actually has an endpoint of (for instance) http://myfunctionapp.azurewebsites.net/api/allsources/{sourceName}
How can I get that endpoint name from the Azure management API from Powershell? It's displayed in the "Get Function URL" button on the portal, so I would imagine it has to be there somewhere.
EDIT: The suggested duplicate still doesn't provide the actual function endpoint. For instance, I have a function called CheckLock. Its endpoint per the "Get Function URL" button on the portal (and the one that I want) is: https://myfunctionapp.azurewebsites.net/api/account/lock/{id}?code=myfunctioncode
What I'm getting from the suggested duplicate is:
#{
name=CheckLock;
function_app_id=/subscriptions/ea4a3766-c3a8-xxxx-xxxx-xxxxxxxxxxxx/resourceGroups/myresourcegroup/providers/Microsoft.Web/sites/myfunctionappname;
script_root_path_href=https://myfunctionappname.scm.azurewebsites.net/api/vfs/site/wwwroot/CheckLock/;
script_href=https://myfunctionappname.scm.azurewebsites.net/api/vfs/site/wwwroot/bin/Funcs.dll;
config_href=https://myfunctionappname.scm.azurewebsites.net/api/vfs/site/wwwroot/CheckLock/function.json;
secrets_file_href=https://myfunctionappname.scm.azurewebsites.net/api/vfs/data/functions/secrets/CheckLock.json;
href=https://myfunctionappname.scm.azurewebsites.net/api/functions/CheckLock;
config=;
files=;
test_data=
}
I got it. In the data for the function itself, the route is part of the properties.config object.
Request should look like this: https://management.azure.com/subscriptions/{subscriptionid}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{functionAppName}/functions/{functionName}?api-version=2016-08-01
In the return value is a properties object, and within that is config object. Underneath that is the route property which contains the trigger endpoint.
In Powershell, it's this:
$functionData = Invoke-RestMethod -Method Get -Uri $functionName -Headers $accessTokenHeader
$triggerUrl = "https://$functionAppName.azurewebsites.net/api/" + $functionData.properties.config.route
You can test it here: https://learn.microsoft.com/en-us/rest/api/appservice/webapps/getfunction
Hope this helps someone else! Thanks to those who contributed.
AZ PowerShell has introduced the Invoke-AzResourceAction cmdlet. This does exactly what it says on the tin - it allows you to invoke an action against an Azure Resource.
It's possible to get a Function Key and URL through the listkeys action as follows -
$functionApp = Get-AzWebAppSlot -Name $FunctionAppName -ResourceGroup $ResourceGroupName -Slot $Slot
$functionSecrets = Invoke-AzResourceAction -ResourceId ("{0}/functions/{1}" -f $functionApp.Id, $FunctionName) -Action "listkeys" -ApiVersion "2019-08-01" -Force
The variable $functionSecrets now contains two properties -
key: The default function-level key (will only work for $FunctionName).
trigger_url: The URL to trigger $FunctionName. Note that this property does not honour custom routes.
The url you can get via Get Function URL named trigger_url, seems you could not be able to get all of them in a function app, but you can get it for one specific function, See : Web Apps - List Function Secrets, the trigger_url in the response body is what you want.
POST https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Web/sites/{name}/functions/{functionName}/listsecrets?api-version=2016-08-01
Response body:
{
"key": "xxxxxxxxxxxxxxxxxxx",
"trigger_url": "https://xxxxx.azurewebsites.net/api/HttpTrigger1?code=xxxxxxxxxxxxxxx"
}
Note: If you get an error like below, you need to add an application setting AzureWebJobsSecretStorageType : Files for your function app.
{
"error": {
"code": "Conflict",
"message": "System.InvalidOperationException: Runtime keys are stored on blob storage. This API doesn't support this configuration. Please change Environment variable AzureWebJobsSecretStorageType value to 'Files'. For more info, visit https://aka.ms/funcsecrets\r\n at Kudu.Core.Functions.FunctionManager.<GetKeyObjectFromFile>d__9`1.MoveNext() in C:\\Kudu Files\\Private\\src\\master\\Kudu.Core\\Functions\\FunctionManager.cs:line 141\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at Kudu.Core.Functions.FunctionManager.<GetFunctionSecretsAsync>d__12.MoveNext() in C:\\Kudu Files\\Private\\src\\master\\Kudu.Core\\Functions\\FunctionManager.cs:line 220\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at Kudu.Services.Functions.FunctionController.<GetSecrets>d__12.MoveNext() in C:\\Kudu Files\\Private\\src\\master\\Kudu.Services\\Functions\\FunctionController.cs:line 141"
}
}
Quick tip : if you can get azure context with Get-AzContext, you can get the access token to the header like this : (Get-AzContext).TokenCache[0].ReadItems().AccessToken
Related
I want to capture the file operation events in OneDrive. So I created a tenant in azure and attached an App with it. I provided the necessary permissions to the app.
I am able to get the access token using the client key, secret created in portal.azure.com. This means that tenant, app and client secret is correct.
Now I am using Office365 management API to subscribe to the content type Audit.SharePoint but in response I get this message,
{'error': {'code': 'AF10001', 'message':
'The permission set () sent in the request does not include the expected permission.'}}
Can anybody help ?
Note: I am using free account. I am wondering if this error is coming because its a free account.
==============================================================
After updating the Azure AD license to P2. It could further but subscription still failed with following error.
{'error': {'code': 'StartSubscription [CorrId=a2c6111b-7908-486b-ab69-9f6ccac7679e][TenantId=9cef4c36-5f08-49c4-9f61-7d4a7860444c,ContentType=Audit.SharePoint,ApplicationId=13d763cd-abbc-456d-96e3-57af430f025f,PublisherId=46b472a7-c68e-4adf-8ade-3db49497518e]
[AppId', 'message': '3d763cd-abbc-456d-96e3-57af430f025f] failed. Exception:
Microsoft.Office.Compliance.Audit.DataServiceException: Tenant 9cef4c36-5f08-49c4-9f61-7d4a7860444c does not exist.\r\n
at Microsoft.Office.Compliance.Audit.API.AzureManager.
<GetSubscriptionTableClientForTenantAsync>d__52.MoveNext() in
d:\\dbs\\sh\\nibr\\0705_172037\\cmd\\2\\sources\\dev\\auditing\\src\\auditapiservice\\common\\AzureManager.cs:line 2116\r\n--- End of stack trace from previous location where exception was thrown
---\r\n
at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at Microsoft.Office.Compliance.Audit.API.AzureManager.<GetAPISubscriptionAsync>d__22.MoveNext() in
d:\\dbs\\sh\\nibr\\0705_172037\\cmd\\2\\sources\\dev\\auditing\\src\\auditapiservice\\common\\AzureManager.cs:line 550\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n
at Microsoft.Office.Compliance.Audit.API.StartController.<StartSubscription>d__0.MoveNext() in d:\\dbs\\sh\\nibr\\0705_172037\\cmd\\1\\sources\\dev\\auditing\\src\\auditapiservice\\apifrontendservicerole\\Controllers\\StartController.cs:line 76'}}
====================================================
MS Support told to have atleast one license of exchange online. So I started basic trial version of Office 365 for two users in AD.
With this, I was able to start auditing for users/admins from compliance.microsoft.com
But on hitting the subscription API, I get following error.
"error":{"code":"StartSubscription [CorrId=0a7a9c46-012c-4510-aff6-888a840a74f6][TenantId=9cef4c36-5f08-49c4-9f61-7d4a7860444c,ContentType=Audit.SharePoint,ApplicationId=13d763cd-abbc-456d-96e3-57af430f025f,PublisherId=46b472a7-c68e-4adf-8ade-3db49497518e][AppId","message":"3d763cd-abbc-456d-96e3-57af430f025f] failed. Exception: Microsoft.Office.Compliance.Audit.DataServiceException: Tenant 9cef4c36-5f08-49c4-9f61-7d4a7860444c does not exist.\r\n at Microsoft.Office.Compliance.Audit.API.AzureManager.d__52.MoveNext() in d:\\dbs\\sh\\nibr\\0712_070108\\cmd\\y\\sources\\dev\\auditing\\src\\auditapiservice\\common\\AzureManager.cs:line 2116\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at Microsoft.Office.Compliance.Audit.API.AzureManager.d__22.MoveNext() in d:\\dbs\\sh\\nibr\\0712_070108\\cmd\\y\\sources\\dev\\auditing\\src\\auditapiservice\\common\\AzureManager.cs:line 550\r\n--- End of stack trace from previous location where exception was thrown ---\r\n at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()\r\n at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)\r\n at Microsoft.Office.Compliance.Audit.API.StartController.d__0.MoveNext() in d:\\dbs\\sh\\nibr\\0712_070108\\cmd\\6\\sources\\dev\\auditing\\src\\auditapiservice\\apifrontendservicerole\\Controllers\\StartController.cs:line 76"}}
Note: I am using free account. I am wondering if this error is coming because its a free account.
According to ehowardl3:
Check Azure Active Directory licensing level, Azure Active Directory licensing requires either a Premium P1 or Premium P2 license to be able to pull event information through the Office 365 Management API. Microsoft does not grant permission to use the API to enable subscriptions for Free or Basic licensing options.
{'error': {'code': 'AF10001', 'message':
'The permission set () sent in the request does not include the expected permission.'}}
Once you get the required license, to resolve above error, according to documentation:
AF10001: The permission set ({0}) sent in the request did not include the expected permission ActivityFeed.Read.
So, make sure to grant ActivityFeed.Read permission in Azure Active Directory
Updated answer:
Microsoft.Office.Compliance.Audit.DataServiceException: Tenant *** does not exist
To resolve above mentioned exception, according to markjjo:
Make sure that unified auditing is enabled for your Office 365 organization, as per documentation, try the following PowerShell command:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
References: Office 365 Management API - Postman sample and Can not connect with office 365
I am trying to get the createdTime field for Azure resources through the Azure Resource Graph Explorer and it seems the Azure Resource Graph Explorer does not support this value. I cannot find it anywhere.
The odd thing is that the resources endpoint does have this value, so it does exist somewhere.
See the documentation of this endpoint here: https://learn.microsoft.com/en-us/rest/api/resources/resources/list (look at the $expand URI parameter). I tested this endpoint and it works. I can see the createdTime for all my resources within one subscription.
So why does the Resource Graph Explorer not have/expose this field?
Resource Graph Explorer provides browsable information about the Azure Resource Manager resource types and properties that you can query. Resource Graph Explorer also provides a clean interface for working with multiple queries, evaluating the results, and even converting the results of some queries into a chart that can be pinned to an Azure dashboard.
Some resource you can see creation Time such as below, but if you want to query you need to give detailed time. The article you provided is about resource list.
For Graph I don't know but using PowerShell or Rest you can use this sniped code.
$subscriptionID = "11111-111-1111-111111"
$resourceGroupName = "myResourceGroup"
#assumes you have an active Az CLI context authenticated to target subscription. Can also be done with Az PowerShell, but requires a different token retrieval method
$accessToken = az account get-access-token --query accessToken
#specify target API endpoint
$uri = "https://management.azure.com/subscriptions/$($subscriptionID)/resourcegroups/$($resourceGroupName)?api-version=2019-08-01&%24expand=createdTime"
$headers = #{
"Authorization" = "Bearer $($accessToken)"
}
#consume ARM endpoint
$rgInfo = Invoke-RestMethod -Uri $uri -Headers $headers -Method 'GET'
$creationDate = $rgInfo.createdTime
Code from michaeldroessler
I'm sending a Postman request to get the metrics from an event grid like this:
https://management.azure.com/subscriptions/{suscription id}/resourceGroups/{name of resource group}/providers/microsoft.insights/metricDefinitions/?api-version=2018-01-01
I'm also attaching the Bearer token.
However, I keep getting the following response:
{
"message": "An error has occurred.",
"exceptionMessage": "ApiVersion: 2018-01-01 does not support query at non Arm resource Id level",
"exceptionType": "Microsoft.Online.Metrics.MetricsMP.Utilities.RPRequestFormatException",
"stackTrace": " at Microsoft.Online.Metrics.MetricsMP.Controllers.MPController_MetricDefinitions_Base.<MetricDefinitionAtResourceGroup>d__4.MoveNext() in ...
....
}
What does that mean and how can I fix it? I've been looking on the Internet and there's not much information.
Your URL is wrong.As far as I know,if you want to retrieve metric definitions, the rest api is that
Method: GET
Request URI:
https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{resourceType}/{resourceName}/providers/microsoft.insights/metricDefinitions?api-version={apiVersion}
For more details, please refer to
https://learn.microsoft.com/en-us/rest/api/monitor/metricdefinitions/metricdefinitions_list
https://learn.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-rest-api-walkthrough.
To get the metric definitions use this rest API
https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/{resource
ProviderNamespace}/{resource
Type}/{resourceName}/providers/microsoft.insights/metricdefinitions?api-version=2018-01-01
To get the metrics with optional parameters use this rest API
https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/microsoft.insights/metrics?timespan={timeSpan}&interval={timeGranularity}&aggregation={AggregationType}&metricnames={metricName}&api-version=2018-01-01
You missed the resource type and name in the request url, the url should be like below:
https://management.azure.com/{resourceUri}/providers/microsoft.insights/metricDefinitions
Reference: https://learn.microsoft.com/en-us/rest/api/monitor/metricdefinitions/list
If you want to list metric definitions of an event grid, your url should be:
GET https://management.azure.com/subscriptions/{subscription id}/resourceGroups/{resource group name}/providers/Microsoft.EventGrid/topics/{event grid topic name}/providers/microsoft.insights/metricDefinitions?api-version=2018-01-01
Test result:
I am trying to make a simple image analysis project using AI-tools for Visual Studio. I have created an Azure Cognitive Service as a ComputerVision service. It has been more than 10 minutes since I created it so the api keys should be valid. Then I created a new project by right clicking on it. But when I run it then I get this exception:
Please input image url or locate a local image file. If input is empty, example image will be used.
No url or file specified, use the example https://oxfordportal.blob.core.windows.net/vision/Analysis/1-1.jpg
One or more errors occurred.
at System.Threading.Tasks.Task.ThrowIfExceptional(Boolean includeTaskCanceledExceptions)
at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
at System.Threading.Tasks.Task`1.get_Result()
at GetImageDetailsService.Program.Main(String[] args) in C:\Users\X\Documents\Visual Studio 2017\Projects\CognitiveServiceTest\GetImageDetailsService\Program.cs:line 27
Microsoft.Azure.CognitiveServices.Vision.ComputerVision.Models.ComputerVisionErrorException: Operation returned an invalid status code 'Unauthorized'
at Microsoft.Azure.CognitiveServices.Vision.ComputerVision.ComputerVisionAPI.<DescribeImageWithHttpMessagesAsync>d__30.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at Microsoft.Azure.CognitiveServices.Vision.ComputerVision.ComputerVisionAPIExtensions.<DescribeImageAsync>d__4.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task)
at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1.ConfiguredTaskAwaiter.GetResult()
at Microsoft.CognitiveServices.Samples.ComputerVisionApiExtensions.<DescribeImage>d__2.MoveNext() in C:\Users\X\Documents\Visual Studio 2017\Projects\CognitiveServiceTest\GetImageDetailsService\ComputerVisionApiExtensions.cs:line 34
Apparently I am not authorized. What can be causing this?
I am logged into my Azure subscription and I have funds (I am using F0 tier). I have also checked that the region is correct and that the api key matches.
Edit: When I change the api key to something different in the application call then I still get an unauthorized exception.
Edit2: Added code that calls the api.
var client = new ComputerVisionApiExtensions(ComputerVisionSubscriptionKey, ComputerVisionRegion, null);
var result = client.DescribeImage(imagePath).Result;
I was getting the same thing and thought it would be worthwhile to submit an issue. I got a response for a fix, tested it, and it all worked!
To solve the issue, just put this.AzureRegion = GetRegion(region); inside the constructor in the ComputerVisionApiExtensions.cs file.
For the Computer Vision API type of Azure Cognitive Services, the request for analyzing an image would look like as follows:
POST https://{location-of-your-Computer-Vision-API}.api.cognitive.microsoft.com/vision/v1.0/analyze?visualFeatures=Categories&language=en
Host: {location-of-your-Computer-Vision-API}.api.cognitive.microsoft.com
Content-Type: application/json
Ocp-Apim-Subscription-Key: {subscription-key-under-the-same-region-of-your-Computer-Vision-API}
{"url":"https://oxfordportal.blob.core.windows.net/vision/Analysis/1-1.jpg"}
Note: You must use the same region in your REST call as you used to
get your subscription keys. For example, if you got your
subscription keys from westus, replace "westcentralus" in the URL
below with "westus".
If your Azure Cognitive Services is under East Asia, while you use the subscription key to request westcentralus.api.cognitive.microsoft.com instead of eastasia.api.cognitive.microsoft.com, then you could get 401 Access Denied and the following response:
{
"statusCode": 401,
"message": "Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription."
}
You could use fiddler to capture the network traces when running your application to narrow this issue. Also, you could follow the detailed tutorials under "RESOURCE MANAGEMENT > Quick start" of your Cognitive Services via Azure Portal.
I am writing an app that is using Windows Azure AD to authenticate to SharePoint Online.
I'm trying to provision some files from the app to an existent site collection on the SharePoint tenant.
This works with the default site collection located on [subdomain].sharepoint.com but when I'm trying to provision files on a non default site collection,i.e. [subdomain].sharepoint.com/mysite the code throws this exception:
[WebException: The remote server returned an error: (400) Bad Request.]
System.Net.HttpWebRequest.GetResponse() +6540964
Microsoft.IdentityModel.Clients.ActiveDirectory.<GetResponseSyncOrAsync>d__2.MoveNext() +382
System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess(Task task) +93
System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task) +52
Microsoft.IdentityModel.Clients.ActiveDirectory.<SendPostRequestAndDeserializeJsonResponseAsync>d__0`1.MoveNext() +414
[AdalServiceException: AADSTS50001: Resource 'https://[subdomain].sharepoint.com/sites/mysite' is not registered for the account.
Trace ID: f9d32123-4a42-4890-bf5d-7e979083ed18
Correlation ID: 71a6d021-270d-4974-8bd6-b17fb06aab9d
Timestamp: 2014-12-19 11:21:30Z]
Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.RunAsyncTask(Task`1 task) +89
Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext.AcquireTokenByRefreshToken(String refreshToken, ClientCredential clientCredential, String resource) +59
...Authorization.Azure.TokenHelper.GetContext(String refreshToken, String site) in d:\...\Authorization\Azure\TokenHelper.cs:30
...Authorization.AuthorizationManager.GetClientContextFromAzureCode(String code, String site) in d:\..\Authorization\AuthorizationManager.cs:57
...Pages.Install.btnInstall_Click(Object sender, EventArgs e) in d:\..\Pages\Install.aspx.cs:65
System.Web.UI.WebControls.Button.OnClick(EventArgs e) +9628114
System.Web.UI.WebControls.Button.RaisePostBackEvent(String eventArgument) +103
System.Web.UI.WebControls.Button.System.Web.UI.IPostBackEventHandler.RaisePostBackEvent(String eventArgument) +10
System.Web.UI.Page.RaisePostBackEvent(IPostBackEventHandler sourceControl, String eventArgument) +13
System.Web.UI.Page.RaisePostBackEvent(NameValueCollection postData) +35
System.Web.UI.Page.ProcessRequestMain(Boolean includeStagesBeforeAsyncPoint, Boolean includeStagesAfterAsyncPoint) +1724
I checked App permission in AD and it has permissions to write on all site collections. Is there something wrong with my configuration or should I try a different approach?
We had the same issue here. In our C# app we use HttpClient to hit the SharePoint REST API to read items from a list. During development, we had set up a list under Team Site. The URL we used to hit the API looked a bit like this:
https://mycompany.sharepoint.com/_api/web/lists/getbytitle('MyList')/items
In the App.config we set up a ServiceResourceId parameter. This was used as the resource parameter when calling the AcquireToken() method of Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext. Importantly, we also used this as our base URL for API calls.
When we tried to move over to a production scenario, the list in question sat within a custom site - not the team site. We could log into a browser and hit the URL like this and see results being returned:
https://mycompanylive.sharepoint.com/MySiteName/_api/web/lists/getbytitle('MyList')/items
We had changed the ServiceResourceId to https://mycompanylive.sharepoint.com/MySiteName/ which no longer allowed us to sign in and threw the exception you mention. The fix was to have a config parameter with the base service URL which is used when authentication then another parameter used as the base URL when calling the API. In the example I mentioned, it looks like this:
<!-- Pass this to AcquireToken() during authentication. This should be the root of your SharePoint instance. -->
<add key="ServiceResourceLoginId" value="https://mycompanylive.sharepoint.com/"/>
<!-- The base URI when using HttpClient to call the API. -->
<add key="APIBaseURI" value="https://mycompanylive.sharepoint.com/MySiteName/"/>