Creating Alert via API in Azure.
Alert does get created but the Event Category field is showing as all instead of Administrative.
The alert I want to create is for the Administrative event category, but it is getting created for all event categories.
I had used the same code earlier and it was working.
If I try to update anything via GUI it gives an error: Failed to update alert 'Testing'.The category field is missing in the condition..
PowerShell
Body to create Alert
$Remediate = @"
{
"id": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/resourceGroups/xxxxxxxxxxxxxxx/providers/microsoft.insights/activityLogAlerts/Testing",
"type": "Microsoft.Insights/ActivityLogAlerts",
"name": "Testing",
"location": "Global",
"kind": null,
"tags": {},
"properties": {
"scopes": ["/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"],
"condition": {
"allOf": [{
"field": "Category",
"equals": "Administrative",
"containsAny": null
}, {
"field": "operationName",
"equals": "Microsoft.Authorization/policyAssignments/write",
"containsAny": null
}]
},
"actions": {
"actionGroups": [{
"actionGroupId": "/subscriptions/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/resourcegroups/xxxxxxxxxxxxxxx/providers/microsoft.insights/actiongroups/TestingAlertGRP",
"webhookProperties": ""
}]
},
"enabled": true,
"description": "Alert created for Testing"
},
"identity": null
}
"@
API
$API = "https://management.azure.com/subscriptions/$SubscriptionID/resourceGroups/$ResourceGroupName/providers/microsoft.insights/activityLogAlerts/$Name`?api-version=2017-04-01"
Invoke-RestMethod -Method Put -Uri $API -Headers @{Authorization = "Bearer $Token"} -Body $Remediate -ContentType 'application/json' | Out-Null
Note: You must specify at least one (Administrative, Security, Service Health, Recommendation, Policy, Autoscale) of the preceding criteria in your alert. You may not create an alert that activates every time an event is created in the activity logs.
For more details, refer to “Create activity log alerts (Classic)”.
Alert does get created but the Event Category field is showing as all instead of Administrative.
I could not reproduce this issue; I checked the request body and it should be fine.
If i try to update anything via GUI it gives an error: Failed to update alert 'Testing'.The category field is missing in the condition
I have reproduced this issue when the Event category is all (I modified the category to all via the API mentioned below).
If you want to fix the issue, I recommend that you use this API. Just click Try It on the page and log in to your account. You can refer to the screenshot and my sample request body.
My sample request body:
{"location":"global","properties":{"scopes":["/subscriptions/xxxxxxx"],"description":"test","condition":{"allOf":[{"field":"category","equals":"Administrative"},{"field":"resourceType","equals":"Microsoft.Web/serverFarms"}]},"actions":{"actionGroups":[{"actionGroupId":"/subscriptions/xxxxxxx/resourcegroups/joywebapp/providers/microsoft.insights/actiongroups/joyactiongroup","webhookProperties":{}}]},"enabled":true}}
Request:
Check in the portal:
I am trying to share linked variables across projects.
I read that it was not possible but I found this API endpoint that may do the trick.
https://learn.microsoft.com/en-us/rest/api/azure/devops/distributedtask/variablegroups/share-variable-group?view=azure-devops-rest-6.0
When I call this API:
PATCH https://dev.azure.com/{organization}/_apis/distributedtask/variablegroups?variableGroupId={variableGroupId}&api-version=6.0-preview.2
with this Body:
{
"variableGroupProjectReferences":[
{
"description":"test1",
"name":"test1",
"projectReference":{
"id":"50f7c113-de21-4e19-b910-b37ebffa984f",
"name":"Customer Services"
}
}]
}
I get this response:
{
"$id": "1",
"innerException": null,
"message": "Value cannot be null.\r\nParameter name: variableGroupProjectReferences",
"typeName": "System.ArgumentNullException, mscorlib",
"typeKey": "ArgumentNullException",
"errorCode": 0,
"eventId": 0
}
Value cannot be null.\r\nParameter name: variableGroupProjectReferences
The request body seems to have an issue.
You can refer to the following sample:
[
{
"variableGroupProjectReferences":
{
"projectReference": {
"id": "ProjectID",
"name": "ProjectName"
},
"name": "variablegroupname",
"description": ""
}
}
]
But it will show the error: Sharing of variable group is not allowed.
The cause of this issue is that the variable group property: "isShared": false
You can get the variable group property with the Rest API: Variablegroups - Get
But currently it seems that we cannot change this property. So we couldn't share the variable group.
Refer to this feedback ticket: VariableGroup cannot be shared via REST API.
I suggest that you can report the issue to Developer Community.
I have tried to use the definition update API to update the 'Default agent pool for YAML' but with no success. I kept receiving a '200' response status code but the setting stays the same.
I have also tried to capture the actual request content when performing the update manually via the UI, then pretty much copied the same content into the Body of the request, but the result stayed the same.
Below is a sample of the request that I'm using:
Invoke-WebRequest -URI "https://dev.azure.com/***/***/_apis/build/definitions/***?api-version=6.1-preview.7" -Method PUT -ContentType "application/json" -Headers @{ Authorization = "Basic ***" } -Body '{***}'
The body is in the JSON format of:
{
...
"queue": {
"id": 882,
"name": "Azure Pipelines",
"pool": {
"id": 17,
"name": "Azure Pipelines",
"isHosted": true
}
},
...
}
Update
As suggested by the Microsoft team, the feature is not supported. I have logged a suggestion for the feature here.
This looks to be enabled now, but through a different set of properties. You can set the default pool through the following property:
process.phases.target.agentSpecification.identifier
The relevant snippet looks like this:
"process": {
"phases": [
{
"name": "NameGoesHere",
"target": {
"agentSpecification": {
"identifier": "windows-latest"
}
}
}
]
}
As fair warning: I found that if I had the wrong revision number in my payload, the API will respond with a 200, but the pool won't change. This was especially noteworthy when I was trying to reset the pool through the UI to prove that the API call worked. Essentially, it's probably a good idea to do a GET, modify that payload, and send that to the PUT without any other actions in between.
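The GET, modify, PUT sequence recommended in the answer above, with a read-back check for the case where the service answers 200 but keeps the old setting. This is an added example, not code from the original posts; `get_definition` and `put_definition` are hypothetical callables for the two REST calls, and `FakeDefinitionApi` is a constructed stand-in that models the stale-revision behaviour the answer reports.

```python
import copy


def with_agent_spec(definition, identifier):
    """Copy a freshly fetched definition and set
    process.phases[].target.agentSpecification.identifier on every phase.
    Everything else, including 'revision', stays exactly as the GET returned it."""
    updated = copy.deepcopy(definition)
    for phase in updated.get("process", {}).get("phases", []):
        spec = phase.setdefault("target", {}).setdefault("agentSpecification", {})
        spec["identifier"] = identifier
    return updated


def agent_specs(definition):
    """List the agent specification identifier of each phase."""
    return [p.get("target", {}).get("agentSpecification", {}).get("identifier")
            for p in definition.get("process", {}).get("phases", [])]


def update_agent_spec(get_definition, put_definition, identifier):
    """GET, modify and PUT back to back, then re-read to confirm the change.
    get_definition / put_definition are hypothetical wrappers around the REST calls."""
    put_definition(with_agent_spec(get_definition(), identifier))
    after = agent_specs(get_definition())
    if not after or any(spec != identifier for spec in after):
        raise RuntimeError(f"PUT was accepted but agent specification is {after}")
    return after


class FakeDefinitionApi:
    """Constructed stand-in for the service: a PUT carrying a stale 'revision'
    is accepted but changes nothing, as described in the answer."""

    def __init__(self):
        self.stored = {"id": 1, "revision": 7, "process": {"phases": [
            {"name": "NameGoesHere",
             "target": {"agentSpecification": {"identifier": "ubuntu-latest"}}}]}}

    def get(self):
        return copy.deepcopy(self.stored)

    def put(self, body):
        if body.get("revision") == self.stored["revision"]:
            self.stored = dict(copy.deepcopy(body), revision=body["revision"] + 1)
        return self.get()  # the caller sees success either way
```

Treat the read-back, not the status code, as the result of the change, and fail the automation run when it does not match.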
I'm trying to approve/deny requests for role activations using the new Azure AD Privileged Identity Management REST API.
I am already able to read all pending role activation requests using the following request:
GET https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentScheduleRequests
The response looks like this:
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#roleManagement/directory/roleAssignmentScheduleRequests",
"value": [
{
"id": "40b1dff9-9703-4da8-bf8f-275141347b6e",
"status": "PendingApproval",
"createdDateTime": "2021-06-04T10:47:40.34Z",
"completedDateTime": "2021-06-04T10:47:40.15Z",
"approvalId": "40b1dff9-9703-4da8-bf8f-275141347b6e",
"customData": null,
"action": "SelfActivate",
"principalId": "049bad91-8812-4daa-870e-1edf05f5ced1",
"roleDefinitionId": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
"directoryScopeId": "/",
"appScopeId": null,
"isValidationOnly": false,
"targetScheduleId": "40b1dff9-9703-4da8-bf8f-275141347b6e",
"justification": "My custom reason",
"createdBy": {
"application": null,
"device": null,
"user": {
"displayName": null,
"id": "049bad91-8812-4daa-870e-1edf05f5ced1"
}
},
"scheduleInfo": {
"startDateTime": null,
"recurrence": null,
"expiration": {
"type": "afterDuration",
"endDateTime": null,
"duration": "PT8H"
}
},
"ticketInfo": {
"ticketNumber": "",
"ticketSystem": ""
}
}
]
}
Which matches the request I can see in the Azure Portal:
Now I am trying to approve the above request using the PATCH operation by providing the returned id:
PATCH https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentScheduleRequests/40b1dff9-9703-4da8-bf8f-275141347b6e
For the payload, I tried adding Provisioned and Denied:
{
"status": "Denied"
}
But for whatever reason, I keep getting the following Error (Code 404):
{
"error": {
"code": "UnknownError",
"message": "{\"message\":\"No HTTP resource was found that matches the request URI 'https://api.azrbac.mspim.azure.com/api/v3/roleManagement/directory/roleAssignmentScheduleRequests('40b1dff9-9703-4da8-bf8f-275141347b6e')?'.\"}",
"innerError": {
"date": "2021-06-04T11:06:18",
"request-id": "ec668ea0-cf33-4e41-bfb4-19ca4ac683ad",
"client-request-id": "ca765884-79b1-7695-5c72-c5783dd9968c"
}
}
}
Any ideas?
Finally, I was able to find a solution. Here is a complete sample using the PowerShell Graph SDK:
$scopes = @(
"PrivilegedAccess.Read.AzureAD",
"RoleAssignmentSchedule.ReadWrite.Directory",
"PrivilegedAccess.ReadWrite.AzureAD"
)
Connect-MgGraph -Scopes $scopes
[array]$pendingApprovals = Invoke-GraphRequest `
-Method GET `
-Uri '/beta/roleManagement/directory/roleAssignmentScheduleRequests?$filter=(status eq ''PendingApproval'')' |
Select-Object -ExpandProperty value
$approvalSteps = Invoke-GraphRequest `
-Method GET `
-Uri ('/beta/roleManagement/directory/roleAssignmentApprovals/{0}' -f $pendingApprovals[0].approvalId) |
Select-Object -ExpandProperty steps | Where-Object status -eq InProgress
$body = @{
reviewResult = 'Approve'
justification = 'Seems legit'
}
Invoke-GraphRequest `
-Method PATCH `
-Uri ('https://graph.microsoft.com/beta/roleManagement/directory/roleAssignmentApprovals/{0}/steps/{1}' -f $pendingApprovals[0].approvalId, $approvalSteps.id) `
-Body $body
I also wrote a blog article about it:
Approve requests for Azure AD roles in PIM
You are on the right track using roleAssignmentScheduleRequests to get the pending request. Check out the response and in the value array there is an ID. Use that ID in the Update privilegedapproval call. (https://learn.microsoft.com/en-us/graph/api/privilegedapproval-update?view=graph-rest-beta&tabs=http)
PATCH /privilegedApproval/{id}
Example using the IDs you shared:
PATCH https://graph.microsoft.com/beta/privilegedApproval/40b1dff9-9703-4da8-bf8f-275141347b6e
Content-type: application/json
Content-length: 180
{
"approvalState": "approved",
"approverReason": "Martin Brandl approves you!"
}
In the request body for approval state your possible values are: pending, approved, denied, aborted, canceled.
I am trying to set up Azure EventGrid for an Azure Subscription to get notified when a certain tag for a resource has changed.
This is how I created the EventGrid Subscription:
$includedEventTypes = , 'Microsoft.Resources.ResourceWriteSuccess'
New-AzEventGridSubscription `
-EventSubscriptionName mySubscriptionName `
-ResourceGroupName myResourceGroup `
-Endpoint myEndpoint `
-IncludedEventType $includedEventTypes
Now if I change a tag for example on an Azure Web App, I receive the following event:
{
"subject": "/subscriptions/mySubId/resourceGroups/eventgrid/providers/Microsoft.Web/sites/wd-eventgrid-viewer",
"eventType": "Microsoft.Resources.ResourceWriteSuccess",
"eventTime": "2019-06-03T08:50:47.7469859Z",
"id": "f193df79-6755-42c7-b663-91bc373a80e5",
"data": {
"authorization": {
"scope": "/subscriptions/mySubId/resourceGroups/eventgrid/providers/Microsoft.Web/sites/wd-eventgrid-viewer",
"action": "Microsoft.Web/sites/write",
"evidence": {
"role": "Subscription Admin"
}
},
"claims": {
....
},
"correlationId": "9a1bb49f-9f39-4e98-918c-dfe0655b895a",
"httpRequest": {
"clientRequestId": "8bf9bfdb-6e65-4c55-84f2-3f4e05b340d0",
"clientIpAddress": "......",
"method": "PATCH",
"url": "https://management.azure.com/subscriptions/mySubId/resourceGroups/eventgrid/providers/Microsoft.Web/sites/wd-eventgrid-viewer?api-version=2015-08-01"
},
"resourceProvider": "Microsoft.Web",
"resourceUri": "/subscriptions/mySubId/resourceGroups/eventgrid/providers/Microsoft.Web/sites/wd-eventgrid-viewer",
"operationName": "Microsoft.Web/sites/write",
"status": "Succeeded",
"subscriptionId": "mySubId",
"tenantId": "...."
},
"dataVersion": "2",
"metadataVersion": "1",
"topic": "/subscriptions/mySubId"
}
Unfortunately, I don't see that a tag has changed nor do I see which tag has changed. Is there any way to receive which tag for a resource has changed or do I have to query the tags manually after the event?
Azure Subscription Events are emitted either for Resource Actions, Deletes or Writes as documented.
You are only provided with the resource details which you will have to use to fetch the changes.
As you had thought, you would have to use these details with the Resources API to fetch the tags.
UPDATE: There is a new API to get resource changes which you can use to detect the exact changes made on a resource. Note that this feature is currently in public preview.
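The approach the answer describes, as an added example that is not part of the original posts: take the resource ID from the event, fetch the resource's current tags, and diff them against the last snapshot you stored. `fetch_tags` is a hypothetical callable standing in for the Resources API lookup, `snapshots` is your own store, and the event and tag values are constructed.

```python
import json

# Constructed event, trimmed to the fields used here (shape taken from the question).
SAMPLE_EVENT = json.loads("""
{
  "eventType": "Microsoft.Resources.ResourceWriteSuccess",
  "data": {
    "resourceUri": "/subscriptions/mySubId/resourceGroups/eventgrid/providers/Microsoft.Web/sites/wd-eventgrid-viewer",
    "status": "Succeeded"
  }
}
""")


def diff_tags(previous, current):
    """Return the tag keys that were added, removed or changed between two snapshots."""
    previous, current = previous or {}, current or {}
    return {
        "added": {k: current[k] for k in current.keys() - previous.keys()},
        "removed": {k: previous[k] for k in previous.keys() - current.keys()},
        "changed": {
            k: (previous[k], current[k])
            for k in previous.keys() & current.keys()
            if previous[k] != current[k]
        },
    }


def handle_write_event(event, snapshots, fetch_tags):
    """Process one event; return the tag diff, or None if no tag changed.

    snapshots  -- dict of resource ID -> last known tags (your own store)
    fetch_tags -- hypothetical callable(resource_id) -> current tags dict
    """
    data = event.get("data", {})
    if event.get("eventType") != "Microsoft.Resources.ResourceWriteSuccess":
        return None
    if data.get("status") != "Succeeded":
        return None
    # Resource IDs are case-insensitive, so normalise the snapshot key.
    resource_id = data["resourceUri"].lower()
    current = fetch_tags(data["resourceUri"])
    diff = diff_tags(snapshots.get(resource_id), current)
    snapshots[resource_id] = dict(current or {})  # remember state for the next event
    return diff if any(diff.values()) else None
```

On the first event for a resource there is no snapshot, so every tag is reported as added; seed the store from an inventory run if that matters.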
The current [Envelopes: listAuditEvents] creates the following verbiage for correction:
"eventFields": [
{
"name": "logTime",
"value": "2018-09-18T19:09:01.3603686Z"
},
{
"name": "Source",
"value": "api"
},
{
"name": "UserName",
"value": "Staging"
},
{
"name": "UserId",
"value": "8c57af14-e46a-4965-ae8b-42bb0c29b706"
},
{
"name": "Action",
"value": "Correction Initiated"
},
{
"name": "Message",
"value": "Staging initiated correction"
},
{
"name": "EnvelopeStatus",
"value": "correct"
},
I would like to modify the Message values. I have gone through DocuSign's API but I have not found any indication that this is possible.
Has anyone had the same need? And if so, were you able to add custom message verbiage for certain events/actions?
Thanks.
It's not possible for you to configure the contents of the API response for the listAuditEvents operation. However, you could (in your code) include logic to parse the API response and based on certain values in the response, substitute values (for purposes in your app) with the verbiage you prefer.
For example, let's say that you have a page in your app that displays the various events that have occurred for an Envelope, but you don't want to display the verbiage "[UserName] initiated correction" as the text in your UI when a user initiates an envelope correction -- instead you want to display the text "[UserName] changed envelope settings." The logic in your code could do something like this pseudocode shows (where auditEvent represents an object within the API response body for the listAuditEvents operation):
if (auditEvent.ActionInitiated == "Correction Initiated") {
displayMessageInUI(auditEvent.UserName + " changed envelope settings.");
}
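A runnable version of that substitution, as an added example that is not part of the original answer. It works on the name/value pairs in `eventFields` as shown in the question, so the fields are flattened into a lookup first; the `DISPLAY_TEMPLATES` table and function names are hypothetical, and the sample event is constructed from the question's values.

```python
# Constructed sample: one audit event, using the eventFields shown in the question.
SAMPLE_EVENT = {
    "eventFields": [
        {"name": "logTime", "value": "2018-09-18T19:09:01.3603686Z"},
        {"name": "Source", "value": "api"},
        {"name": "UserName", "value": "Staging"},
        {"name": "Action", "value": "Correction Initiated"},
        {"name": "Message", "value": "Staging initiated correction"},
        {"name": "EnvelopeStatus", "value": "correct"},
    ]
}

# Hypothetical display rules, keyed by the "Action" field: your wording per action.
DISPLAY_TEMPLATES = {
    "Correction Initiated": "{UserName} changed envelope settings.",
}


class _Blank(dict):
    """Format helper: a field missing from the event renders as an empty string."""

    def __missing__(self, key):
        return ""


def fields_of(audit_event):
    """Flatten the name/value pairs in eventFields into a plain dict."""
    return {f["name"]: f.get("value", "") for f in audit_event.get("eventFields", [])}


def display_message(audit_event, templates=DISPLAY_TEMPLATES):
    """Return the text to show in the UI; the audit record itself is not altered."""
    fields = fields_of(audit_event)
    template = templates.get(fields.get("Action"))
    if template is None:
        return fields.get("Message", "")  # no rule: show the original wording
    return template.format_map(_Blank(fields))
```

Values such as `UserName` come from the API response, so escape the returned string for the output context before rendering it in HTML.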