Azure PowerShell Scripts - Restrict Get-AzureRmWebAppPublishingProfile to Filezilla - azure

I'm trying to come up with a combination of Custom Role and PowerShell script that will constrain an AD member's capabilities to the following (for a particular web app):
1) Require an interactive login to an AD account
2) Perform a download of a Publish Profile, but only in Filezilla format
The purpose is to provide a "deployer" role with the ability to upload code changes, but not see connection strings, which are visible in Web Deploy publish settings.
I see the necessary level of control in PowerShell for downloading only the FileZilla3 FTP publishing data, and I got that to work. Example:
Get-AzureRmWebAppPublishingProfile -Name test-app -ResourceGroupName test_Group -Format FileZilla3 -OutputFile S:\test.xml
I understand the pattern for creating a Custom Role, and for adding actions to it. These look like the actions I might need:
Microsoft.Web/sites/publishxml/Action
microsoft.web/sites/publishxml/read
However, I don't see another level of detail within those actions for constraining the action to only Filezilla3 format.
Question: is there a way to create a Custom Role specification that would allow an AD member to download publish settings, but only in FileZilla3 format?

From the official docs, there is no way to create the Custom Role you want. For the details, please read here.
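Added example (not from the question or the answer): the narrowest custom role one can actually build from the actions listed above, assigned at web-app scope, followed by a check of what the deployer can then download. It uses the Az module; the AzureRm cmdlets on this page (New-AzureRmRoleDefinition, Get-AzureRmWebAppPublishingProfile) take the same parameters. The subscription ID, deployer UPN and output path are placeholders.

```powershell
# Added example, not the poster's code. Requires Az.Resources and Az.Websites.
# Placeholders: $subscriptionId, $deployerUpn.
$subscriptionId = '00000000-0000-0000-0000-000000000000'
$resourceGroup  = 'test_Group'
$webAppName     = 'test-app'
$deployerUpn    = 'deployer@contoso.example'
$scope = "/subscriptions/$subscriptionId/resourceGroups/$resourceGroup" +
         "/providers/Microsoft.Web/sites/$webAppName"

# 1. Custom role cloned from a built-in as a template. publishxml/Action is the
#    permission Get-Az(ureRm)WebAppPublishingProfile exercises; sites/read lets
#    the cmdlet resolve the site. RBAC has no action per profile format, so this
#    role allows -Format WebDeploy, Ftp and FileZilla3 alike.
$role = Get-AzRoleDefinition -Name 'Reader'
$role.Id          = $null
$role.IsCustom    = $true
$role.Name        = 'Web App Publish Profile Downloader'
$role.Description = 'Download publishing profiles for one web app'
$role.Actions.Clear()
$role.Actions.Add('Microsoft.Web/sites/read')
$role.Actions.Add('Microsoft.Web/sites/publishxml/Action')
$role.NotActions.Clear()
$role.AssignableScopes.Clear()
$role.AssignableScopes.Add($scope)
$customRole = New-AzRoleDefinition -Role $role

# 2. Assign it on the single site only, not on the resource group or subscription.
New-AzRoleAssignment -SignInName $deployerUpn `
    -RoleDefinitionName $customRole.Name -Scope $scope | Out-Null

# 3. As the deployer: download the FTP profile and verify that the file holds
#    FileZilla3 server entries and no connection strings (WebDeploy profiles
#    carry them as connectionString attributes). The FileZilla3 file still
#    embeds the base64 FTP deployment password, so it is a secret in its own right.
$out = Join-Path $env:TEMP 'test.xml'
Get-AzWebAppPublishingProfile -Name $webAppName -ResourceGroupName $resourceGroup `
    -Format FileZilla3 -OutputFile $out | Out-Null
[xml]$doc = Get-Content -Path $out -Raw
if ($doc.DocumentElement.Name -ne 'FileZilla3') {
    throw "Unexpected profile root element: $($doc.DocumentElement.Name)"
}
if ($doc.SelectNodes('//@connectionString').Count -gt 0) {
    throw 'Profile unexpectedly contains connection strings'
}
"OK: $($doc.SelectNodes('//Server').Count) FTP server entry/entries, no connection strings"
```

The check in step 3 only proves what the deployer chose to download; with the same role they can rerun the cmdlet with -Format WebDeploy and get the connection strings, which is the limitation the answer describes. If the deployer must never see them, do not grant publishxml/Action to people at all and deploy through a pipeline identity instead.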

roleAssignment with current user id

I'm using Azure AD app registration principals to deploy resources via Azure Resource Manager, deploying via Pipelines.
During the deployment I need to set some permissions to the deployment user to ensure it has enough permission to - for example - upload files.
As I'm using different principals, and I'm not managing those in the code, I would like to know if there is a way to reference the current user principal's ID during the deployment.
Something like:
deployment().properties.xx
or
environment()
https://learn.microsoft.com/en-us/azure/azure-resource-manager/templates/template-functions-deployment
https://learn.microsoft.com/en-us/azure/templates/microsoft.authorization/roleassignments?tabs=bicep
Otherwise, I would need to inject this information via a parameter, I think. I could get that information by script, or there is even a variable present in Azure DevOps.
Any ideas, help appreciated. Thanks.
Currently, it's not possible to get the objectId of the user deploying the template... we do have a backlog item for it.
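Added example (not from the question or the answer) of the workaround the question itself mentions: resolve the object ID of the signed-in identity in PowerShell and hand it to the template as a parameter. It assumes Az.Accounts, Az.Resources and the Bicep CLI are installed; the resource group, storage account name and the role being granted are placeholders.

```powershell
# Added example, not the poster's code. Requires Az.Accounts, Az.Resources and
# the Bicep CLI on the machine running the deployment. Placeholders: resource
# group and storage account names.
$resourceGroup      = 'rg-deploy-demo'
$storageAccountName = 'stdeploydemo001'

# 1. Resolve the object ID of whatever identity Az is signed in as. The template
#    cannot discover this itself, so it is passed in as a parameter.
$ctx = Get-AzContext
switch ($ctx.Account.Type) {
    'User' {
        $principalId   = (Get-AzADUser -SignedIn).Id
        $principalType = 'User'
    }
    'ServicePrincipal' {
        # Account.Id is the application (client) ID, not the object ID a role assignment needs.
        $principalId   = (Get-AzADServicePrincipal -ApplicationId $ctx.Account.Id).Id
        $principalType = 'ServicePrincipal'
    }
    default { throw "Cannot resolve an object ID for account type '$($ctx.Account.Type)'" }
}

# 2. Template granting the caller Storage Blob Data Contributor on one account.
#    principalType is set explicitly so a freshly created service principal does
#    not fail with PrincipalNotFound while Azure AD replication catches up.
$bicep = @'
param storageAccountName string
param principalId string
@allowed([
  'User'
  'ServicePrincipal'
  'Group'
])
param principalType string
// Storage Blob Data Contributor (built-in role ID)
var roleDefinitionId = 'ba92f5b4-2d11-453d-a403-e96b0029c9fe'

resource sa 'Microsoft.Storage/storageAccounts@2022-09-01' existing = {
  name: storageAccountName
}

resource ra 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
  name: guid(sa.id, principalId, roleDefinitionId)
  scope: sa
  properties: {
    roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleDefinitionId)
    principalId: principalId
    principalType: principalType
  }
}
'@
$templateFile = Join-Path $env:TEMP 'grant-caller.bicep'
Set-Content -Path $templateFile -Value $bicep

# 3. Deploy with the resolved ID as a parameter.
New-AzResourceGroupDeployment -ResourceGroupName $resourceGroup -TemplateFile $templateFile `
    -TemplateParameterObject @{
        storageAccountName = $storageAccountName
        principalId        = $principalId
        principalType      = $principalType
    }
```

In an Azure DevOps AzurePowerShell task the session is signed in as the service connection's principal, so the ServicePrincipal branch applies; the deterministic guid() name keeps the assignment idempotent across re-runs of the pipeline.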

Subscription-id, resourceGroupName and name of the App from inside the web-app PowerShell

I have an application hosted in Azure PAAS. The connection string for the application is stored under 'Configuration' -> 'Connection strings'
My application has a PowerShell instance. I want to iterate through all the Connection strings present under 'Configuration' -> 'Connection strings'
I have seen the Azure document. As my application itself is the app, can there be a way to skip the details like 'subscriptionId', 'resourceGroupName' and 'name'?
This will help to make the code more generic.
As my application itself is the app, can there be a way to skip the details like 'subscriptionId', 'resourceGroupName' and 'name'?
AFAIK, it's not possible to acquire the connection strings of an Azure web application using the REST API or PowerShell without providing the resource group name or subscription.
The MS document you have followed is for listing the connection strings, which is correct, but we need to pass those details to achieve the same.
If my understanding is correct, as it's your own application, and if it's publicly hosted, then no one will be able to get the resource group name, application name (if you are using a custom domain) or subscription details.
Alternatively, we can use the Az CLI by providing the resource group only:
If you are going to use the REST API calls for your code, then the simple answer is just: No.
I think in all cases the answer is going to be no, honestly.
You can't drop those unique IDs, because those are required parameters to retrieve the correct data.
If you want to make the code more generic, then you should write the code to retrieve the values for those parameters. Instead of hardcoding the values.
Your PowerShell code will always need to authenticate, or use a Managed Identity, and the identity used to authenticate will always have the subscription ID as a value in its object. As for the rest, well, I think you get the gist of what I'm suggesting.
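Added example (not from any of the answers) of the approach the last answer suggests: instead of hardcoding the identifiers, derive them from the environment the code runs in. It assumes the script runs inside the App Service instance (Kudu console, WebJob, or a PowerShell process the app starts) with Az.Accounts and Az.Websites available, and, for the ARM path, a system-assigned managed identity holding Reader plus Microsoft.Web/sites/config/list/action on the site. Path A needs no identifiers or ARM call at all, because App Service injects each configured connection string into the process environment under a type prefix.

```powershell
# Added example, not the poster's code. Runs inside an App Service instance.

# Path A: connection strings are already in the process environment under
# SQLAZURECONNSTR_, SQLCONNSTR_, MYSQLCONNSTR_, POSTGRESQLCONNSTR_ and
# CUSTOMCONNSTR_ prefixes. No subscription, resource group or site name needed.
function Get-ConnectionStringsFromEnvironment {
    $prefixes = 'SQLAZURECONNSTR_', 'SQLCONNSTR_', 'MYSQLCONNSTR_', 'POSTGRESQLCONNSTR_', 'CUSTOMCONNSTR_'
    foreach ($item in Get-ChildItem Env:) {
        foreach ($p in $prefixes) {
            if ($item.Name.StartsWith($p)) {
                [pscustomobject]@{
                    Name  = $item.Name.Substring($p.Length)
                    Type  = ($p.TrimEnd('_') -replace 'CONNSTR$', '')
                    Value = $item.Value
                }
            }
        }
    }
}

# Path B: recover the identifiers the question wants to skip from the instance
# environment, then call ARM as the site's managed identity.
function Get-CurrentSiteIdentity {
    # WEBSITE_OWNER_NAME is '<subscriptionId>+<resourceGroup>-<region>webspace';
    # the subscription is the part before '+'.
    if (-not $env:WEBSITE_SITE_NAME -or -not $env:WEBSITE_OWNER_NAME -or -not $env:WEBSITE_RESOURCE_GROUP) {
        throw 'Not running inside an App Service instance (WEBSITE_* variables missing)'
    }
    [pscustomobject]@{
        SubscriptionId = $env:WEBSITE_OWNER_NAME.Split('+')[0]
        ResourceGroup  = $env:WEBSITE_RESOURCE_GROUP
        Name           = $env:WEBSITE_SITE_NAME
    }
}

function Get-ConnectionStringsFromArm {
    $site = Get-CurrentSiteIdentity
    Connect-AzAccount -Identity -Subscription $site.SubscriptionId | Out-Null
    $app = Get-AzWebApp -ResourceGroupName $site.ResourceGroup -Name $site.Name
    foreach ($cs in $app.SiteConfig.ConnectionStrings) {
        [pscustomobject]@{ Name = $cs.Name; Type = $cs.Type; Value = $cs.ConnectionString }
    }
}

# Report names and types only; the values are secrets and do not belong in logs.
Get-ConnectionStringsFromEnvironment | Select-Object Name, Type | Format-Table -AutoSize
```

Path B is the one to use when the code runs outside the app process (for example an Automation runbook) or must read the configured values rather than the ones the current process was started with; for a deployment slot, pair WEBSITE_SLOT_NAME with Get-AzWebAppSlot instead of Get-AzWebApp.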

Azure Automation: Run PowerShell after AD user added

I'm reviewing Azure Automation, but I couldn't find out if it is possible to run a PowerShell script whenever a new user is added to Active Directory. The scenario I'm researching is: whenever a new Office 365 account is added through admin.microsoft.com, I want to configure some email preferences for this user. I have my PowerShell script tested already (so these preferences should be set correctly), but now I'm trying to find out how exactly this script should be executed right after the account is added.
Thanks,
You can inspect the Azure AD Audit logs for new user creation. You can export the Diagnostic Settings (logs) to Azure Monitor (see doc).
The following is an idea, but I never tried it myself:
In Azure Monitor -> Logs you can find for example this query:
Modify it according to your needs and create an alert rule. In the alert rule, you can set up an action group that triggers your automation account with the PowerShell script.
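Added example (not from the answer) of the runbook at the end of that chain: the alert rule's action group starts it, and it queries the audit logs that Diagnostic Settings forwarded to Log Analytics for users created in the last few minutes, then applies the poster's script to each one exactly once. The page does not reproduce the query the answer refers to; the KQL below is my own. It assumes the Automation account's managed identity has Log Analytics Reader on the workspace, an Automation variable named ProcessedNewUsers exists, and Set-NewUserMailPreferences stands in for the poster's already tested script (a placeholder name).

```powershell
# Added example, not the poster's code. Automation runbook started by an
# Azure Monitor action group. Requires Az.Accounts and Az.OperationalInsights in
# the Automation account. Placeholders: $workspaceId, the ProcessedNewUsers
# Automation variable, and the Set-NewUserMailPreferences function.
param(
    # Populated by the action group's webhook; the alert payload does not carry
    # the matching rows, so the runbook re-queries the workspace itself.
    [Parameter(Mandatory = $false)] [object] $WebhookData
)
$workspaceId     = '00000000-0000-0000-0000-000000000000'
$lookbackMinutes = 15   # keep larger than the alert rule's evaluation window

Connect-AzAccount -Identity | Out-Null

# Assumed query: successful "Add user" events from Azure AD audit logging.
$query = @"
AuditLogs
| where TimeGenerated > ago(${lookbackMinutes}m)
| where OperationName == "Add user" and Result == "success"
| extend TargetUpn = tostring(TargetResources[0].userPrincipalName)
| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)
| project TimeGenerated, TargetUpn, Initiator
"@
$rows = (Invoke-AzOperationalInsightsQuery -WorkspaceId $workspaceId -Query $query).Results

# Idempotency: alerts can fire more than once for one event and the lookback
# window overlaps between runs, so remember which users were already handled.
$processed = @((Get-AutomationVariable -Name 'ProcessedNewUsers') -split ';' | Where-Object { $_ })
$handled = 0
foreach ($row in $rows) {
    if (-not $row.TargetUpn -or $processed -contains $row.TargetUpn) { continue }
    Write-Output "Configuring mail preferences for $($row.TargetUpn) (created by $($row.Initiator))"
    Set-NewUserMailPreferences -UserPrincipalName $row.TargetUpn   # placeholder for the poster's script
    $processed += $row.TargetUpn
    $handled++
}
Set-AutomationVariable -Name 'ProcessedNewUsers' -Value ($processed -join ';')
Write-Output "Handled $handled new user(s)"
```

Because the same runbook can be scheduled, it also works without the alert at all; the alert only shortens the delay between account creation and the preference script running.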

Azure Powershell - Application Gateway Configuration

I have been given the responsibility for managing an Azure application gateway. The gateway is complex, with 16 sites each with different SSL certificates, HTTP listeners, etc. The previous admin kept NO documentation. The short question is: is there a way I can use PowerShell to query and parse the existing configuration into a new script that I could use to rebuild the gateway if something breaks? I don't want to be messing with JSON and would prefer using PowerShell cmdlets (Get-AzureRmApplicationGateway..., Set-AzureRmApplicationGateway, etc.).
Any sample scripts would be great.
To load the whole gateway configuration via PowerShell use:
Get-AzureRmApplicationGateway -Name MyAppGw -ResourceGroupName MyAppGwRG
You can also edit this XML template file to record all the app gateway settings.
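Added example (not from the answer) that goes a step further than loading the object: it walks the gateway returned by that cmdlet and produces the documentation the previous admin did not leave, namely listeners with their ports and certificates, routing rules, backend pools and HTTP settings, plus a JSON snapshot and an ARM template for a scripted rebuild. It uses the Az cmdlets; Get-AzureRmApplicationGateway returns the same object shape. Gateway name, resource group and output directory are placeholders.

```powershell
# Added example, not from the answer. Requires Az.Network and Az.Resources.
param(
    [string]$Name = 'MyAppGw',
    [string]$ResourceGroupName = 'MyAppGwRG',
    [string]$OutDir = (Get-Location).Path
)

$gw = Get-AzApplicationGateway -Name $Name -ResourceGroupName $ResourceGroupName

# Sub-resources reference each other by full resource ID; keep the last segment.
function Leaf([string]$Id) { if ($Id) { $Id.Split('/')[-1] } }

$listeners = foreach ($l in $gw.HttpListeners) {
    $portName = Leaf $l.FrontendPort.Id
    [pscustomobject]@{
        Listener    = $l.Name
        Protocol    = $l.Protocol
        HostNames   = ((@($l.HostName) + @($l.HostNames)) | Where-Object { $_ }) -join ','
        Port        = ($gw.FrontendPorts | Where-Object Name -eq $portName).Port
        Certificate = Leaf $l.SslCertificate.Id
    }
}

$rules = foreach ($r in $gw.RequestRoutingRules) {
    [pscustomobject]@{
        Rule         = $r.Name
        Type         = $r.RuleType
        Listener     = Leaf $r.HttpListener.Id
        BackendPool  = Leaf $r.BackendAddressPool.Id
        HttpSettings = Leaf $r.BackendHttpSettings.Id
        RedirectTo   = Leaf $r.RedirectConfiguration.Id
        PathMap      = Leaf $r.UrlPathMap.Id
    }
}

$certs = foreach ($c in $gw.SslCertificates) {
    # The API never returns private keys. A rebuild needs the PFX (or the
    # Key Vault secret the gateway references), so record where each one lives.
    [pscustomobject]@{
        Certificate      = $c.Name
        KeyVaultSecretId = $c.KeyVaultSecretId
        Source           = if ($c.KeyVaultSecretId) { 'KeyVault' } else { 'Uploaded PFX (not exportable)' }
    }
}

$pools = foreach ($p in $gw.BackendAddressPools) {
    [pscustomobject]@{
        Pool    = $p.Name
        Targets = ($p.BackendAddresses | ForEach-Object { $_.Fqdn; $_.IpAddress } | Where-Object { $_ }) -join ','
    }
}

$settings = foreach ($s in $gw.BackendHttpSettingsCollection) {
    [pscustomobject]@{
        HttpSettings = $s.Name
        Port         = $s.Port
        Protocol     = $s.Protocol
        Affinity     = $s.CookieBasedAffinity
        Probe        = Leaf $s.Probe.Id
    }
}

foreach ($section in 'listeners', 'rules', 'certs', 'pools', 'settings') {
    "== $section =="
    Get-Variable -Name $section -ValueOnly | Format-Table -AutoSize | Out-String
}

# Full configuration snapshot (contains no private keys or PFX passwords) for
# diffing against a later state.
$gw | ConvertTo-Json -Depth 20 | Set-Content -Path (Join-Path $OutDir "$Name.config.json")

# ARM template of just this resource, the reliable artifact for a rebuild.
Export-AzResourceGroup -ResourceGroupName $ResourceGroupName -Resource $gw.Id `
    -Path (Join-Path $OutDir "$Name.template.json") -Force | Out-Null
```

The certificate table is the part worth checking first: any listener whose certificate shows "Uploaded PFX (not exportable)" cannot be rebuilt from the gateway alone, so the PFX and its password must be located (or the certificate re-issued into Key Vault) before the rest of the rebuild script is worth anything.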

change the value of instances count programmatically in azure

I downloaded AutoScale from http://blog.maartenballiauw.be/post/2011/03/21/Windows-Azure-and-scaling-how-(NET).aspx and followed the instructions there.
I added it as reference to my existing azure project. But I am not sure what exactly I should pass as the user defined parameters for the 6 parameters required for auto scale.
I want to only change the instance count of my worker role depending on the number of documents to be processed.
Those parameters are all from the management API and the Silverlight Management UI
There are several more samples/tools for the Management API available - e.g. http://archive.msdn.microsoft.com/azurecmdlets/Wiki/View.aspx?title=Getting%20Started&version=1
There's also a commercial third party service available to assist - see paraleap.com
Maarten's tool has parameters:
Console.WriteLine(" AutoScale.exe <certificatefile> <subscriptionid> <servicename> <rolename> <slot> <instancecount>");
To generate the certificate file, see the instructions from that cmdlet article or see the instructions in http://blogs.msdn.com/b/avkashchauhan/archive/2010/12/30/handling-issue-csmanage-cannot-establish-secure-connection-to-management-core-windows-net.aspx
The subscription ID is available via the Silverlight Azure management UI.
The ServiceName and RoleName are what you chose when you created the service in the UI and when you created the role in code.
the Slot is "Production" or "Staging"
the instanceCount is how many instances you want to run
