Azure permissions over microsoft.aadiam/diagnosticSettings/write - azure

I'm trying to call above API provider via REST with the following URL:
https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings with api-version=2017-04-01-preview
However, even though the Service Principal I am using is a member of the "Global Administrator" role in my AAD tenant I am getting a does not have authorization to perform action error.
This endpoint doesn't seem to be documented though.
Anybody know what is required to call this API endpoint with a service principal?
Thanks,
David

Try to add a custom role with the action of microsoft.aadiam/diagnosticsettings/write in your AD App.
According to doc, you can use the custom role to do the operation.
This article lists the operations available for each Azure Resource Manager resource provider. These operations can be used in custom roles to provide granular role-based access control (RBAC) to resources in Azure.
For more details to create the custom role, refer to this link.
Sample:
{
"Name": "Test Operator",
"Id": "88888888-8888-8888-8888-888888888888",
"IsCustom": true,
"Description": "xxxxxx",
"Actions": [
microsoft.aadiam/diagnosticsettings/write,
microsoft.aadiam/diagnosticsettings/read
],
"NotActions": [
],
"DataActions": [
],
"NotDataActions": [
],
"AssignableScopes": [
"/subscriptions/{subscriptionId1}",
"/subscriptions/{subscriptionId2}",
"/subscriptions/{subscriptionId3}"
]
}
Update:
You can use a user account with global admin role, refer to the steps below.
1.Navigate to Azure Active Directory -> Diagnostic settings -> Add diagnostic setting -> set the properties and open the Developer Tools(F12) ->Save.
2.In the request we caught, copy the Bearer token.
3.Then we can test the api in the postman.
Request URL:
Put https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/{name}?api-version=2017-04-01-preview
Request Header:
Request Body:
{
"properties": {
"logs": [
{
"category": "AuditLogs",
"enabled": true,
"retentionPolicy": {
"days": 0,
"enabled": false
}
},
{
"category": "SignInLogs",
"enabled": true,
"retentionPolicy": {
"days": 0,
"enabled": false
}
}
],
"metrics": [],
"storageAccountId": "/subscriptions/xxxx/resourceGroups/xxx/providers/Microsoft.Storage/storageAccounts/xxx"
}
}
It works on my side.

I test it with global administrator user, it works correctly for me.
The following is the detail steps:
Create an native azure AD application and grant permission for it.
2.create an global administrator user, please also change the default password.
Note: the user format should be xxxx#xxx.onmicrosoft.com, or you can't use the password way to get the token based on my test
3.Assign the owner role to the subscription
4.Then we could use the following way to get the access token
Post https://login.windows.net/<tenant-id>/oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=password
&resource={resource}
&username={username}
&password={password}
&client_id={client-id}
4.Try to operate the diagnosticSettings
put https://management.azure.com/providers/microsoft.aadiam/diagnosticSettings/{name}?api-version=2017-04-01-preview
{"properties":{"logs":[{"category":"AuditLogs","enabled":true,"retentionPolicy":{"days":0,"enabled":false}},{"category":"SignInLogs","enabled":false,"retentionPolicy":{"days":0,"enabled":false}}],"metrics":[],"storageAccountId":"/subscriptions/{subscriptionId}/resourceGroups/{groupname}/providers/Microsoft.Storage/storageAccounts/{accountName}"}}

Related

Create conditional access policy from Graph API

I have few users with 'Application Administrator' role. I don't want those users to manage all applications.
So, I tried to implement conditional access policy to block access. I came to know I can select users with directory roles while creating policy.
In Portal, I'm able to create policy and configure it with no loss. But I want to know if the same is possible using Graph Api or not.
Anyone achieved this from Graph? Please help me with whole steps to follow.
TIA
I tried to reproduce the same in my environment via Graph Explorer and got the below results:
You can make use of below graph query to create conditional access policy:
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Block access to Application Admins.",
"state": "enabled",
"conditions": {
"clientAppTypes": [
"all"
],
"applications": {
"includeApplications": [
"appID1",
"appID2"
]
},
"users": {
"includeRoles": [
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"//ID of Application Admin role
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
]
}
}
Response:
To confirm that, I checked in Azure Portal where policy is created successfully like below:
When I opened that policy, the users with Application Administrator role are selected as below:

Azure AD service principal add optional claim value with powershell

I am trying to create GCP workload identity federation with Azure AD service principal but when I am trying to create the initial sts token with GCP I get bad request. I am suspecting that the problem is that my audience currently on jwt token is "https://management.azure.com" where it should be the audience that is set in the GCP WiF configuration. Currently I am getting the Azure AD accesstoken with:
$AzContext = Get-AzContext
$accesstoken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate(
$AzContext.'Account',
$AzContext.'Environment',
$AzContext.'Tenant'.'Id',
$null,
[Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never,
$null,
'https://management.azure.com/'
).AccessToken
But is it possible to extend this command to populate my optional claim? Currently my manifest looks like this:
"optionalClaims": {
"idToken": [
{
"additionalProperties": [],
"essential": false,
"name": "onprem_sid",
"source": null
}
],
"accessToken": [],
"saml2Token": []
},
How I managed to get the proper audience in place without optional claims is that I used the application id with the tenant name:
$AzContext = Get-AzContext
$accesstoken = [Microsoft.Azure.Commands.Common.Authentication.AzureSession]::Instance.AuthenticationFactory.Authenticate(
$AzContext.'Account',
$AzContext.'Environment',
$AzContext.'Tenant'.'Id',
$null,
[Microsoft.Azure.Commands.Common.Authentication.ShowDialog]::Never,
$null,
'https://cfbf35b2-6346-48dc-9ac2-b77e77f90933.mytenant.onmicrosoft.com'
).AccessToken
I also did put that as my application id URL and the audience on GCP configuration and managed to get proper token from GCP.
• To get optional claims in the Access token, you will have to define them in your app manifest since access tokens are always generated using the manifest of the resource, not the client. To configure optional claims,
Go to the Azure portal.
Search for and select Azure Active Directory.
Under Manage, select App registrations.
Select the application you want to configure optional claims for in the list
Then under manage, select manifest option which opens an editor and edit the access token option in it as given below as a sample for reference to get the optional claims configured in the access token. Once finished, save it and the claims will be included in the token for your application: -
The following application manifest entry adds the auth_time, ipaddr, and upn optional claims to ID, access, and SAML tokens.
‘ "optionalClaims": {
"idToken": [
{
"name": "auth_time",
"essential": false
}
],
"accessToken": [
{
"name": "ipaddr",
"essential": false
}
],
"saml2Token": [
{
"name": "upn",
"essential": false
},
{
"name": "extension_ab603c56068041afb2f6832e2a17e237_skypeId",
"source": "user",
"essential": false
}
]
} ‘
So, once you save the manifest with the above said changes and request an access token as usual according to the command stated by you, these mentioned optional claims will be included in the JWT access token.
Please refer this below link for more information: -
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#configuring-optional-claims

Azure AD provisioning sends SCIM replace operation when adding user to group

I have user and group provisioning set up for an enterprise application in Azure AD. I have a SCIM endpoint setup in my application to consume the SCIM requests from Azure AD. I added this feature flag to my tenant URL to ensure SCIM compliance: https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/application-provisioning-config-problem-scim-compatibility#flags-to-alter-the-scim-behavior
I have a group assigned to the enterprise application for provisioning to my application. When I add users to that group in Azure AD, I'm seeing two PATCH requests to the Groups/:id SCIM endpoint. The first is an add operation, which I expect because I'm adding this user as a member of the group:
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
],
"Operations": [
{
"op": "add",
"path": "members",
"value": [
{
"value": "directory_user_01F7SGPZHKVGHZMCRNHGJXW1E9"
}
]
}
]
}
The second PATCH request is a replace operation, which is unexpected as I'm not replacing all users in a group with the one member being added:
{
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
],
"Operations": [
{
"op": "replace",
"path": "members",
"value": [
{
"value": "directory_user_01F7SGPZHKVGHZMCRNHGJXW1E9"
}
]
}
]
}
The SCIM protocol RFC outlines the difference between the add and replace operations in PATCH requests. If users are added as members of a group, there should only be an add operation, not a replace operation. Is there any way to configure Azure so it only sends add operations in this situation? Thanks!

B2C Custom Attributes not showing when created using Graph API directory schema API

Using the extension API documented here:
https://msdn.microsoft.com/en-us/library/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions
in conjuction with the B2C Graph Client sample:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
I created a custom attribute via the AD Graph API for directory schema extensions using this API:
POST
https://graph.windows.net/contoso.onmicrosoft.com/applications/<applicationObjectId>/extensionProperties?api-version=1.6
{
name: "OrgRoleId",
dataType: "String",
targetObjects: [
"User"
]
}
(Note I changed the API version to 1.6).
The API created custom attributes appear using the B2CGraphClient sample and has the same data as those registered via the Azure portal for B2C.
However, these API created custom attributes don't appear in the Azure portal 'User attributes' blade for the tenant, while those custom attributes created via the Azure portal for the B2C tenant do.
Note that I can successfully read and write these extension values for users (via the Graph API). I just cannot put them into claims because they don't appear on the 'User attributes' blade nor the policy claims blade in the Azure portal, and therefore they are not added as claims to the token.
What I am missing/doing wrong?
Output from B2C.exe Get-extension-attribute <b2c-extensions-app objectId>. *_Test1 appears (portal created), while *_UserRoleId does not (API created):
{
"odata.metadata": "https://graph.windows.net/<tenant_id>/$metadata#directoryObjects/Microsoft.DirectoryServices.ExtensionProperty",
"value": [
{
"odata.type": "Microsoft.DirectoryServices.ExtensionProperty",
"objectType": "ExtensionProperty",
"objectId": "f58bc813-632c-486b-bff1-61695eeab691",
"deletionTimestamp": null,
"appDisplayName": "",
"name": "extension_<object_id>_Test1",
"dataType": "String",
"isSyncedFromOnPremises": false,
"targetObjects": [
"User"
]
},
{
"odata.type": "Microsoft.DirectoryServices.ExtensionProperty",
"objectType": "ExtensionProperty",
"objectId": "5e69b2d9-1ab0-463f-a231-5c188e92b4a1",
"deletionTimestamp": null,
"appDisplayName": "",
"name": "extension_<object_id>_UserRoleId",
"dataType": "String",
"isSyncedFromOnPremises": false,
"targetObjects": [
"User"
]
}
...
When you add an extension attribute through the portal, it is created in the directory and owned by the b2c-extensions-app application and it is also added to a tenant-wide policy. That is what allows you to use them in application policies as you create them.
When you create an extension attribute using Graph API, it is not added to the policy and usually created on an application other than b2c-extensions-app. You can use these properties directly in custom policies, but they will not appear in the portal and cannot be used in the policies created through the portal.
It is a best practice to just create the extension properties through the portal so they are available for all policies. This allows customers to mix and match custom policies with built-in b2c user flows.

How do I use endpointUrl in an inline datasource binding?

I'm writing a custom task to publish documents to the Azure API portal. I want the UI for the task to list out the available API Management services for a selected Subscription and Resource Group. According to this issue, this should technically be possible by specifying the endpointUrl inline with my datasource binding. I've tried to model the endpoint after the datasources in the Azure RM Web Deployment task, but I can't seem to get it working. In my task I am able to select my subscription, select my resource group, but the pickList for my custom data source is always empty. I'm not doing any explicit authentication in my task defintion, so I'm not sure if that's somehow related. Below are the inputs and dataSourceBindings for my task:
"inputs": [
{
"name": "ConnectedServiceName",
"type": "connectedService:AzureRM",
"label": "Azure RM Subscription",
"defaultValue": "",
"required": true,
"helpMarkDown": "Select the Azure Resource Manager subscription for the deployment."
},
{
"name": "ResourceGroupName",
"label": "Resource Group",
"type": "pickList",
"required": true,
"helpMarkDown": "Select resource group which contains the API portal"
},
{
"name": "ApiPortalName",
"type": "pickList",
"label": "API Portals",
"defaultValue": "",
"required": true,
"properties": {
"EditableOptions": "True"
},
"helpMarkDown": "Select the Azure Resource Manager subscription for the deployment."
}
],
"dataSourceBindings": [
{
"target": "ResourceGroupName",
"endpointId": "$(ConnectedServiceName)",
"dataSourceName": "AzureResourceGroups"
},
{
"name": "ApiPortals",
"target": "ApiPortalName",
"endpointId": "$(ConnectedServiceName)",
"endpointUrl": "https://management.azure.com/subscriptions/$(endpoint.subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.ApiManagement/service?api-version=2016-07-07",
"resultSelector": "jsonpath:$.value[*].name",
"parameters": {
"ResourceGroupName": "$(ResourceGroupName)"
}
}
UPDATE
After inspecting the console in Chrome I received an error message indicating that I cannot call URLs that don't start with {{endpoint.url}}. I updated my task with {{endpoint.url}} at the root and I did see it attempt to make the API call I expected:
{
"name": "ApiPortals",
"target": "ApiPortalName",
"endpointId": "$(ConnectedServiceName)",
"endpointUrl": "{{endpoint.url}}/subscriptions/$(endpoint.subscriptionId)/resourceGroups/$(ResourceGroupName)/providers/Microsoft.ApiManagement/service?api-version=2016-07-07",
"resultSelector": "jsonpath:$.value[*].name",
"parameters": {
"ResourceGroupName": "$(ResourceGroupName)"
}
}
The problem now is that for some reason endpoint.url resolves to https://management.core.windows.net for Azure RM endpoint types. Azure RM APIs are hosted at https://management.azure.com. As a result I am receiving a 403 since my endpoint credentials are for an Azure RM Service Principal, not the Azure Classic Management APIs.
I've updated my Github Issue with this information as well. I believe this is a bug and endpoint.url for the Azure RM Service endpoint should resolve to https://management.azure.com. If you look at the data sources that are defined in the Azure RM Service Endpoint, they all reference APIs hosted at https://managemnet.azure.com not https://management.core.windows.net.
Check Custom build task JSON schema, you cannot use "endpointUrl" and "resultSelector" for "dataSourceBindings" in task.json. There are used to define the custom service endpoint in vss-extension.json file. And you also missed the "dataSourceName" for "ApiPortals".
If you want to call the Rest API with URL and use the selector from task.json, you can use "sourceDefinitions" instead of "dataSourceBindings". Refer to my answer in this question for details. However, only basic authentication is supported with "sourceDefinitions" for now which means that this is not applicable to you scenario either.
So you need to create a custom service endpoint to achieve the feature you want for now.

Resources