Restrict tag value modification - azure

I am writing to ask your assistance regarding an important Azure topic.
Scenario 1:
I have 30 different resources in Azure in different resource groups in a subscription. There is a tag (owner) on all resources. If the value of owner tag is a username the only person who will be able to modify the owner tag is the user whose username is equal the owner tag's value. Of course if user1 modified the owner tag's value to another existing username (user2) user1 wouldn't be able to modify the owner tag's value. In this case the only person who could modify the owner tag's value is user2. Is it possible to restrict tag value modification at any Azure resources?
Scenario 2:
I have 30 different resources in Azure in different resource groups in a subscription. I create a custom role (ops-role) which has similar privileges in Azure than a Contributor except this role doesn't have privilege to modify the tags and tags' value. Then I create a another custom role (tagger-role) which has only (or almost only) tag modification privileges. Is it possible to create these roles in Azure?
I need a solution for the 1st or the 2nd scenario. I would like to restrict the tags modification on the Azure resources.

no, this is not possible, you have to create your own api on top of azure
if my memory servers me well, there is no separate role for tags, anyone with write permission over the resource can tag so this is essentially not achievable, you need a custom api on top of azure to do that

Related

User Access Review custom report in Microsoft Azure

Is there a way I can fetch all users currently assigned permissions to each resource created under a subscription.
To put in other words, I want to traverse all the resources created under a subscription & get the list of all users, service principal names, SGs, AAD groups, along with their role who have access to each resource. This report would help me perform a periodic user access review .
Any leads/code would be appreciated.
You could simply get that with the powershell command Get-AzRoleAssignment.
Without any parameter, Get-AzRoleAssignment will get all the role assignments in the subscription, you can also leverage different parameters e.g. -ObjectId, -Scope to list assignments to a specific user/service principal/security group, or to list assignments on a specific resource group or resource.
For more details, see https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-list-powershell
Same thing also can be achieved by the REST API, Azure CLI, and SDK of different languages.

How to Add users to different group in Azure AD B2C during Registration

Is it possible to add users to different groups based on the url they are coming from. All users to be added under the same Azure B2C directory but under different group during registration.
Example:
www.admin.com - User should go to "Admin" group.
www.user.com - User should go to "Users" group.
Thanks :)
You could use azure ad dynamic user group to do that, when you create a dynamic group with rules, the system evaluates all rules in a directory to see if the change would trigger any group adds or removes. If a user satisfies a rule on a group, they are added as a member of that group.
Reference - Dynamic membership rules for groups in Azure Active Directory
In your case, create the dynamic user group Admin, to add the users to the Admin group, you just need to add the rule like (user.userPrincipalName -match ".*admin.com*."), another one is the same logic.
After the system updated the group completely, it will appear like below.

Can we restrict user access from a resource group?

I have multiple resource groups in azure but only want to restrict users to 1. Don't want to have to manually assign user to all resource but one so wondering if it can be done the opposite way?
yes, you need to remove users permissions on the subscription level and grant them permissions on the resource group level.
Reading:
https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
https://learn.microsoft.com/en-us/azure/role-based-access-control/overview

Microsoft GraphAPI: How do I retrieve the assigned groups of an azure user?

As you can see my question above, I was wondering if it is possible to retrieve the assigned groups of an Azure Active Directory (AAD) based user via Microsoft GraphAPI.
My situation is, that I have an ASP.NET MVC project with Microsoft Azure enabled. My goal is, that an Azure user can login on my website with it's Azure account.
The idea is, that an azure user is an admin or an user (depending on the azure groups) and depending of this role group, the user can view more or less of my webpage.
For example:
When Peter logs in with his azure account on my webpage, he should only be able to see:
Add new Document
Edit Document
Remove Document
because he is only assigned as "User" in Azure Active Directory.
But when Sabrina logs in with her azure account on my webpage, then she should be able to do the same as Peter, but she also can see:
Manage Products
Add new customer
etc.
because she is been assigned as an admin in Azure Active Directory.
My problem is, that I did not find out how I retrieve the assigned group of an user with Microsoft GraphAPI. The part, which user can see or not after I got the roles is not a big deal.
I already tried this API call:
https://graph.microsoft.com/v1.0/me/
But it seems, that the response of this call does not include the actual assigned group of that user.
Do you think it is possible to retrieve the assigned group of an azure user? Is this even possible? Or do I have to do something else to retrieve these information?
I hope you understand my point and I am also looking forward for any response. Thanks in advance!
Add /memberOf to the URL to receive the groups a user is member of.
https://graph.microsoft.com/v1.0/me/memberOf
Here's a link to the specific graph api - https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups
Take a look at this sample application on Github. It does something very similar with a task tracker application, where different users are able to perform different actions based on the group they belong to -
https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims/blob/master/README.md
Also, in cases where a user is a member of too many groups, you get back an overage indicator and have to make a separate call to get all groups. Read about “hasgroups” and “groups:src1” claims here - https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-id-and-access-tokens
According to your system architecture, if some user has too many joined groups, the API https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups will return too many groups.
But if the groups with permissions in your system are not too much, you can use this API: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_checkmembergroups to check if the current user is the member of specified groups.
It is not good idea to use this API: https://graph.microsoft.com/v1.0/me/memberOf. Because it returns only the groups that the user is a direct member of, but security group can be member of security group.

Sitecore security - combining roles

Is there a way to combine access rights for a Sitecore item?
For example, I have a page that I would like to lock down to users who are a member of two different roles rather than just just one, and a user who has just one of the roles should be denied access.
I know you can have roles within roles but wondering if there was a simpler way to achieve this?
I'm using Sitecore 7.2.
If you are trying to check this in code, you can easily do so using
var user = AuthenticationManager.GetActiveUser();
return user.IsInRole("Role1") && user.IsInRole("Role2") ? "Granted":"Denied";
But if you are trying to achieve this in Sitecore Security on an item, then an AND of those 2 roles will be assigned. Ex: If I allow access to an item in Role1 but deny in Role2, the user with Roles 1 and 2 will have his/her access denied.
The simplest way to approach this is to define a new role with appropriate access rights and assign the relevant users to it, either manually or by script. That keeps your access rights transparent. You could code your way around the issue, but you could end up creating an admin nightmare, where it's near to impossible to see which roles and users have access to which items. E.g. what would you expect to see in the Access Viewer when looking at one of the roles, or at a user with one or both of the roles? There's a big difference between assigning access rights programmatically and evaluating them programmatically.
One way that you could achieve it via the Security Editor is by utilising Sitecore's Roles in Roles functionality.
Essentially you will want to create a New Role in the Role Manager that will contain the two roles, Role A and Role B. Select your New Role in the Role Manager and click Member Of button. In the modal click Add and select the two roles this New Role needs to contain.
In the Security Editor select the New Role and assign the read, write, create etc permissions to the required Items.
Now when users access those Items they must have Role A and Role B before given access - they will not need the New Role assigned to their account.
If you have a large number of roles to manage and combinations of those it will be very time consuming to manually create those combinations.

Resources