Permission in AzureAD for scaling up and down with REST API - azure

I have registered an application in AzureAD: AnalysisService
It has the following IDs:
Application (client) ID: ID1
Directory (tenant) ID: ID2
and I have defined the following permission for it:
My aim is to scale my Azure Analysis Services instance up and down from a Logic App, using the following ID:
Subscription ID: ID3
In the Logic App I have the following request:
{
"uri": "https://management.azure.com/subscriptions/ID3/resourceGroups/ServerName/providers/Microsoft.AnalysisServices/servers/Model?api-version=2017-08-01",
"method": "PATCH",
"authentication": {
"tenant": "ID2",
"audience": "https://management.core.windows.net",
"clientId": "ID1",
"secret": "*sanitized*",
"type": "ActiveDirectoryOAuth"
},
"body": {
"sku": {
"capacity": 1,
"name": "S4",
"tier": "Standard"
},
"tags": {
"testKey": "testValue"
}
}
}
After sending this request I get the following error:
{
"statusCode": 403,
"headers": {
"Pragma": "no-cache",
"x-ms-failure-cause": "gateway",
"x-ms-request-id": "xxxxxx-4dea-xxx-xxxx-xxx",
"x-ms-correlation-request-id": "xxxxxxxx-4dea-xxxx-xxxx-5dea12ba0cca",
"x-ms-routing-request-id": "WESTEUROPE:20190211T181536Z:xxxxxx-4dea-4fa8-bccd-xxxxxx",
"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
"X-Content-Type-Options": "nosniff",
"Connection": "close",
"Cache-Control": "no-cache",
"Date": "Mon, 11 Feb 2019 18:15:35 GMT",
"Content-Length": "413",
"Content-Type": "application/json; charset=utf-8",
"Expires": "-1"
},
"body": {
"error": {
"code": "AuthorizationFailed",
"message": "Client \"ID4\" with the object ID \"ID4\" has no permission to run the action \"Microsoft.AnalysisServices/servers/write\" over \"/subscriptions/ID3/resourceGroups/ServerName/providers/Microsoft.AnalysisServices/servers/ModelName\"."
}
}
}
What more should I do to solve this problem?
UPDATE
I have granted my service principal (which represents the Azure AD application) the following specific permissions over my Analysis Services instance:
I have also checked it in Management Studio as described here, and I can see the service principal there too:
But I still get the same error message.
Is ID4 the object ID of my Logic App? Should I also add my Logic App to the IAM of my Analysis Services instance?

You should grant your service principal (which represents the Azure AD application) those specific permissions: Microsoft.AnalysisServices/servers/write over your Analysis Services instance: /subscriptions/ID3/resourceGroups/ServerName/providers/Microsoft.AnalysisServices/servers/ModelName. Alternatively, you can grant those permissions at the resource group level or the subscription level.
Here's how you do it: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal.
In short: go to the resource, click IAM on the left, click + Add Role Assignment at the top of the blade and pick your role/identity. This particular permission falls under something like Analysis Services Contributor.
PS: you can always create a custom role to follow the least-privilege principle: https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles
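The answer above comes down to how Azure RBAC evaluates a request: the principal needs a role assignment whose Actions (with `*` wildcards) cover the action named in the error, at the failing scope or a parent scope. The following is an added illustration, not code from the question or answer: it parses the AuthorizationFailed message from the question and evaluates constructed role definitions and assignments the way ARM does (case-insensitive action matching, prefix-based scope inheritance); the role names and action lists are made up for the demo and are not the exact built-in definitions.

```python
import fnmatch
import re

# Constructed sample: the AuthorizationFailed message from the question, IDs already placeholders.
ERROR_MESSAGE = (
    'Client "ID4" with the object ID "ID4" has no permission to run the action '
    '"Microsoft.AnalysisServices/servers/write" over "/subscriptions/ID3/resourceGroups/'
    'ServerName/providers/Microsoft.AnalysisServices/servers/ModelName".'
)

def parse_authorization_failed(message):
    """Extract (object_id, action, scope) from an ARM AuthorizationFailed message."""
    m = re.search(r'object ID "([^"]+)".*?action "([^"]+)" over "([^"]+)"', message)
    if not m:
        raise ValueError("not an AuthorizationFailed message")
    return m.group(1), m.group(2), m.group(3)

def action_matches(patterns, action):
    # ARM action names are case-insensitive; '*' is the only wildcard and may span '/'.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def role_permits(role, action):
    """A role allows an action if Actions matches it and NotActions does not."""
    return (action_matches(role["actions"], action)
            and not action_matches(role.get("notActions", []), action))

def scope_covers(assignment_scope, resource_scope):
    """An assignment applies at its own scope and every scope beneath it."""
    a, r = assignment_scope.lower().rstrip("/"), resource_scope.lower()
    return r == a or r.startswith(a + "/")

def can_perform(assignments, roles, principal_id, action, scope):
    """Does any assignment for principal_id grant `action` on `scope`?"""
    return any(
        a["principalId"] == principal_id
        and scope_covers(a["scope"], scope)
        and role_permits(roles[a["roleDefinitionName"]], action)
        for a in assignments
    )

# Constructed role definitions for the demo; not the exact built-in definitions.
ROLES = {
    "Reader-like": {"actions": ["*/read"]},
    "AS Scaler": {"actions": ["Microsoft.AnalysisServices/servers/read",
                              "Microsoft.AnalysisServices/servers/write"]},
}
```

A read-only role anywhere in the hierarchy never satisfies the `servers/write` action, while the narrow custom role assigned at the resource group (or the server itself) does, which is the least-privilege option the answer points to.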

Related

How to use microsoft graph api for assigning role to the user in azure ad

I have created below role in the app registration manifest:
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"displayName": "Student",
"id": "d1c2ade8-98f8-45fd-aa4a-6d06b947c66f",
"isEnabled": true,
"description": "Student",
"value": "Student"
}
],
Now I am using the appRoleAssignment API to assign a role to the user. I am following this documentation. On that page, it says that we need to use the API below with this JSON body:
POST https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignments
Content-Type: application/json
Content-Length: 110
{
"principalId": "principalId-value",
"resourceId": "resourceId-value",
"appRoleId": "appRoleId-value"
}
I am unable to understand what I should use in principalId, resourceId and appRoleId. As per that page, it says that:
principalId: The id of the client service principal to which you are assigning the app role.
resourceId: The id of the resource servicePrincipal (the API) which has defined the app role (the application permission).
appRoleId: The id of the appRole (defined on the resource service principal) to assign to the client service principal.
But what I could understand is that principalId is the ID of the user I have in Active Directory to whom I want to assign the role, which in my case is the ObjectId in the photo below:
Is this correct?
resourceId is the tenant ID, and appRoleId is the ID I used while creating the app role above, which is d1c2ade8-98f8-45fd-aa4a-6d06b947c66f.
Putting it all together, if I make a request in Python:
import http.client
import json

token = get_token()  # helper defined elsewhere in the poster's code; returns a bearer token for Graph
headers = {'Authorization': 'Bearer ' + token, 'Content-Type': 'application/json'}
user_data = {
    "principalId": "1bc79085-12qw-4fad-8da8-647f4b4b2927",
    "resourceId": "c01b6482-3ccd-4533-8c98-a7c5e8067cc8",
    "appRoleId": "d1c2ade8-98f8-45fd-aa4a-6d06b947c66f"
}
j_data = json.dumps(user_data)
conn = http.client.HTTPSConnection('graph.microsoft.com')
# The id in the path here is the same value used as principalId above
conn.request("POST", "/v1.0/servicePrincipals/1bc79085-12qw-4fad-8da8-647f4b4b2927/appRoleAssignments", j_data, headers)
response = conn.getresponse()
rdata = response.read()
I am getting the response below:
{
"error": {
"code": "Request_ResourceNotFound",
"message": "Resource '1bc79085-12qw-4fad-8da8-647f4b4b2927' does not exist or one of its queried reference-property objects are not present.",
"innerError": {
"date": "2020-10-26T05:16:35",
"request-id": "1c87a140-7bc9-499d-82dd-bc1dcb54e075",
"client-request-id": "1c87a140-7bc9-499d-82dd-bc1dcb54e075"
}
}
}
Can anyone please help me debug this? Please help. Thanks.
EDIT:
Error:
{
"error": {
"code": "Request_ResourceNotFound",
"message": "Resource '261eda4b-6eee-45ba-a176-259960603409' does not exist or one of its queried reference-property objects are not present.",
"innerError": {
"date": "2020-10-26T07:09:38",
"request-id": "8dc2ea73-63e5-45b5-8127-445df777c1e1",
"client-request-id": "8dc2ea73-63e5-45b5-8127-445df777c1e1"
}
}
}
Json:
{
"principalId": "f923e078-ca9d-4611-a80e-bebb712ad7d1",
"resourceId": "261eda4b-6eee-45ba-a176-259960603409",
"appRoleId": "d1c2ade8-98f8-45fd-aa4a-6d06b947c66f"
}
Post URL: https://graph.microsoft.com/v1.0/servicePrincipals/261eda4b-6eee-45ba-a176-259960603409/appRoleAssignments
GET URL to get the object ID: https://graph.microsoft.com/v1.0/serviceprincipals?$select=id&$filter=displayName eq '{useracces}'
POST https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignedTo
Content-Type: application/json
Content-Length: 110
{
"principalId": "principalId-value",
"resourceId": "resourceId-value",
"appRoleId": "appRoleId-value"
}
In this example, {id} and {resourceId-value} would both be the object id of the resource service principal, which is the enterprise app associated with the Azure AD app you have created appRoles in.
And {principalId-value} would be the object id of the user.
{appRoleId-value} is the id of the app role you created in manifest.
UPDATE:
The steps you followed to get the object ID of the service principal are correct.
If you want to get it using the Graph API, you can do it like this:
GET https://graph.microsoft.com/v1.0/serviceprincipals?$select=id&$filter=displayName eq '{app name}'
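To make the three IDs in the answer concrete, here is an added example (not the asker's or answerer's code) that builds the lookup URL for the resource service principal, picks the appRoleId out of the manifest fragment from the question, and assembles the appRoleAssignedTo request with the consistency checks the answer implies: the id in the path equals resourceId in the body, and every value is a well-formed GUID. The function names are my own; nothing here calls the network.

```python
import json
import re
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"
GUID = re.compile(r"^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$", re.I)

# The appRoles entry from the question's manifest (values as posted).
APP_ROLES = [{
    "allowedMemberTypes": ["User"],
    "displayName": "Student",
    "id": "d1c2ade8-98f8-45fd-aa4a-6d06b947c66f",
    "isEnabled": True,
    "description": "Student",
    "value": "Student",
}]

def service_principal_lookup_url(display_name):
    """GET URL that resolves the enterprise app (resource service principal) id by name."""
    # A quote inside the OData string literal is doubled; the filter is then URL-encoded.
    literal = display_name.replace("'", "''")
    return f"{GRAPH}/servicePrincipals?$select=id&$filter=" + quote(f"displayName eq '{literal}'")

def app_role_id_for(app_roles, value, member_type="User"):
    """Look up an app role by its 'value'; refuse disabled roles or a wrong member type."""
    for role in app_roles:
        if role["value"] == value:
            if not role["isEnabled"] or member_type not in role["allowedMemberTypes"]:
                raise ValueError(f"app role {value!r} cannot be assigned to a {member_type}")
            return role["id"]
    raise KeyError(value)

def build_assignment(resource_sp_id, principal_id, app_role_id):
    """Return (url, json_body) for POST .../servicePrincipals/{id}/appRoleAssignedTo.
    {id} in the path is the resource service principal and must equal resourceId in the
    body; principalId is the user's object id; appRoleId comes from the manifest."""
    for name, value in (("resource_sp_id", resource_sp_id),
                        ("principal_id", principal_id), ("app_role_id", app_role_id)):
        if not GUID.match(value):
            raise ValueError(f"{name} is not a GUID: {value!r}")
    body = {"principalId": principal_id, "resourceId": resource_sp_id, "appRoleId": app_role_id}
    return f"{GRAPH}/servicePrincipals/{resource_sp_id}/appRoleAssignedTo", json.dumps(body)
```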

Can I change virtual machine auto shut down time after azure virtual machine created using Rest Api?

Can the API at this URL be helpful?
https://learn.microsoft.com/en-us/rest/api/dtl/virtualmachineschedules/get
Please help!
No, the API you provided is for VMs in Azure DevTest Labs. If you want to change the auto-shutdown time for a normal Azure VM, use the one below.
To acquire an access token, see this link.
Request URL:
PUT https://management.azure.com/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/microsoft.devtestlab/schedules/shutdown-computevm-<VMname>?api-version=2018-09-15
Request header:
Content-Type: application/json; charset=utf-8
Authorization: Bearer eyJ0exxxxx6dyJ9
Request body (1900 means 19:00, i.e. 7:00:00 PM):
{
"properties": {
"taskType": "ComputeVmShutdownTask",
"timeZoneId": "China Standard Time",
"dailyRecurrence": {
"time": "1900"
},
"targetResourceId": "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/Microsoft.Compute/virtualMachines/<VMname>",
"status": "Enabled",
"notificationSettings": {
"timeInMinutes": 30,
"status": "Disabled"
}
},
"location": "eastus"
}

Azure SDK C# - Plan Virtual Machine Auto Shutdown

I'm looking for documentation / examples on how to plan the shutdown of an Azure virtual machine from the Azure C# SDK.
The idea is that on creating a VM from the SDK I want to set a time when the VM will automatically shut down. I don't seem to be able to find any function in the API to do that in an obvious way.
The auto-shutdown options for a virtual machine in the Portal use the Microsoft.DevTestLab provider. This is a bit of a hack on Microsoft's part, and it's likely to change in the future.
Unfortunately, the Microsoft.Azure.Management.DevTestLabs namespace of the SDK only contains methods built to interact with true DevTest Labs, meaning that all calls to the management API have "/labs/" tacked on to the URI, thus invalidating the API requests. The actual resource is:
https://management.azure.com/subscriptions/{Subscription-Id}/resourceGroups/{Resource-Group}/providers/Microsoft.DevTestLab/schedules/shutdown-computevm-{VM-Name}?api-version=2018-09-15
(Note that the URI does not contain "/labs/")
It can be deployed using ARM, and it can be deployed/updated by calling the management API using the proper URI.
Here is an example:
PUT https://management.azure.com/subscriptions/{SUBSCRIPTION-ID}/resourceGroups/{RESOURCE-GROUP-NAME}/providers/Microsoft.DevTestLab/schedules/shutdown-computevm-{VMNAME}?api-version=2018-09-15 HTTP/1.1
User-Agent: Fiddler
Authorization: Bearer {BEARER-TOKEN-HERE}
Host: management.azure.com
Content-Type: application/json
Content-Length: 1048
{
"id": "/subscriptions/{SUBSCRIPTION-ID}/resourcegroups/{RESOURCE-GROUP-NAME}/providers/microsoft.devtestlab/schedules/shutdown-computevm-{VMNAME}",
"identity": null,
"kind": null,
"location": "{VM-LOCATION}",
"managedBy": null,
"name": "shutdown-computevm-{VMNAME}",
"plan": null,
"properties": {
"createdDate": "2019-10-29T19:45:57.0033318+00:00",
"dailyRecurrence": {
"time": "{4-DIGIT-24HOUR-TIME-HHmm}"
},
"notificationSettings": {
"notificationLocale": "en",
"status": "Disabled",
"timeInMinutes": 30
},
"provisioningState": "Succeeded",
"status": "Enabled",
"targetResourceId": "/subscriptions/{SUBSCRIPTION-ID}/resourceGroups/{RESOURCE-GROUP-NAME}/providers/Microsoft.Compute/virtualMachines/{VMNAME}",
"taskType": "ComputeVmShutdownTask",
"timeZoneId": "GMT Standard Time",
"uniqueIdentifier": "7c394xxx-3fdd-4xxa-8cdc-7c7e6xxxxxxc"
},
"resourceGroup": "{RESOURCE-GROUP-NAME}",
"sku": null,
"tags": null,
"type": "microsoft.devtestlab/schedules"
}
You can use this JSON, substituting the values enclosed with braces, and create or update the resource as required. If the resource already exists it will be overwritten.
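Both answers above (this one and the previous question's) describe the same resource: a Microsoft.DevTestLab/schedules object named shutdown-computevm-<VMname> in the VM's own resource group, addressed without any /labs/ segment. As an added example that is not part of either answer, the code below derives that URI and a minimal body from a VM resource id, validating the HHmm time, and separately checks a schedule read back from ARM for the drift a defender cares about (disabled, or pointing at the wrong VM). The function names and the sample resource ids are my own constructions.

```python
import re

ARM = "https://management.azure.com"
API_VERSION = "2018-09-15"
VM_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Compute/virtualMachines/(?P<vm>[^/]+)$", re.I)

def shutdown_schedule_request(vm_resource_id, time_hhmm, time_zone_id, location):
    """Build (method, url, body) for the per-VM auto-shutdown schedule.
    The schedule is a Microsoft.DevTestLab/schedules resource named
    shutdown-computevm-<VMname>, living in the VM's own resource group; note there
    is no /labs/ segment in the URI."""
    m = VM_ID_RE.match(vm_resource_id)
    if not m:
        raise ValueError("not a Microsoft.Compute/virtualMachines resource id")
    if not re.fullmatch(r"([01]\d|2[0-3])[0-5]\d", time_hhmm):
        raise ValueError("time must be 24-hour HHmm, e.g. '1900' for 19:00")
    sub, rg, vm = m.group("sub", "rg", "vm")
    url = (f"{ARM}/subscriptions/{sub}/resourceGroups/{rg}/providers/Microsoft.DevTestLab"
           f"/schedules/shutdown-computevm-{vm}?api-version={API_VERSION}")
    body = {
        "location": location,
        "properties": {
            "taskType": "ComputeVmShutdownTask",
            "status": "Enabled",
            "timeZoneId": time_zone_id,
            "dailyRecurrence": {"time": time_hhmm},
            "targetResourceId": vm_resource_id,
            "notificationSettings": {"status": "Disabled", "timeInMinutes": 30},
        },
    }
    return "PUT", url, body

def schedule_findings(schedule, vm_resource_id):
    """Check a schedule read back with GET on the same URI; returns a list of problems.
    Disabled schedules and schedules that point at a different VM are the usual drift."""
    p = schedule.get("properties", {})
    findings = []
    if p.get("status") != "Enabled":
        findings.append("schedule is not Enabled")
    if p.get("taskType") != "ComputeVmShutdownTask":
        findings.append("unexpected taskType")
    if p.get("targetResourceId", "").lower() != vm_resource_id.lower():
        findings.append("targetResourceId does not match the VM")
    return findings
```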

Adding User to Group using Graph API B2C

I am using Azure AD B2C to create users.
After a user is created I would like to add them to a Group
Using Postman I have made the following request (with access token in the header). Note: I have managed to successfully create a group using the Api.
POST
https://graph.windows.net/{azure-tenant}/groups/{group-objectId}/members/$ref?api-version=1.6
With Body:
{
"@odata.id": "https://graph.windows.net/{azure-tenant}/directoryObjects/{user-objectId}"
}
Which is what the documentation specifies. No matter what body is sent, I get the following error:
{
"odata.error": {
"code": "Request_BadRequest",
"message": {
"lang": "en",
"value": "The request URI is not valid. Since the segment 'members' refers to a collection, this must be the last segment in the request URI. All intermediate segments must refer to a single resource."
},
"requestId": "48cf65f3-20ba-411e-8121-f7ea54252f3a",
"date": "2019-05-27T06:09:25"
}
}
I tried removing the /$ref
POST
https://graph.windows.net/{azure-tenant}/groups/{group-objectId}/members?api-version=1.6
Body:
{
"@odata.id": "https://graph.windows.net/{azure-tenant}/directoryObjects/{user-objectId}"
}
as well as
{
"@odata.id": "https://graph.windows.net/{azure-tenant}/users/{user-objectId}"
}
Now the error that gets returned is:
{
"odata.error": {
"code": "Request_BadRequest",
"message": {
"lang": "en",
"value": "Unsupported resource type 'DirectoryObject' for operation 'Create'."
},
"requestId": "2c36cc6d-383c-44f8-8609-2ac3e3efc862",
"date": "2019-05-27T06:15:26"
}
}
The documentation that I have been using https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=javascript
You are using the graph.windows.net endpoint, so you should refer to the Azure AD Graph API.
POST https://graph.windows.net/myorganization/groups/b4bda672-1fba-4711-8fb1-5383c40b2c14/$links/members?api-version=1.6
{
"url": "https://graph.windows.net/myorganization/directoryObjects/3eb6055a-baeb-44d4-a1ea-2fee86d8891b"
}
The document you referred to is for the Microsoft Graph API. The endpoint should be https://graph.microsoft.com.
You can use Microsoft Graph Explorer to call these APIs.

Programmatically obtaining Azure Active Directory tenant name from ID

How can I get an AAD tenant name (not necessarily mine) from a GUID? This would be via the REST API ideally, but the Azure CLI/PowerShell works too.
I found an answer here, but it requires going to the Azure Portal.
There are also plenty of links here and elsewhere on obtaining the tenant ID from the name, but I'm going in the opposite direction.
You can get the tenant name (and some other details) for the signed-in user by calling the /organization endpoint in MS Graph API: https://learn.microsoft.com/en-us/graph/api/organization-get?view=graph-rest-1.0.
Request: GET https://graph.microsoft.com/v1.0/organization
Response:
HTTP/1.1 200 OK
Content-type: application/json
Content-length: 411
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#organization",
"value": [
{
"assignedPlans": [
{
"assignedDateTime": "datetime-value",
"capabilityStatus": "capabilityStatus-value",
"service": "service-value",
"servicePlanId": "servicePlanId-value"
}
],
"businessPhones": [
"businessPhones-value"
],
"city": "city-value",
"country": "country-value",
"countryLetterCode": "countryLetterCode-value",
"displayName": "displayName-value"
}
]
}