I want to create Azure logic app, which runs after every minute. That should look for all the users in a subscription which user id(user name) doesn't ends with "myorg.com", if it find any the user with userid doesn't end with "myorg.com" then delete that user.
I tried looking in the web but i could not found any action which is similar to above. What will be the connector i should use to accomplish above requirement? or let me know if there is any other approach to do this? Could any one please help me on this.
Edit: I want to delete the user from from Subscription.
Thanks in advance.
If you are running this every minute, I believe you want to validate for users that are added to the subscription. If that's the case, I would suggest you to use Event Grid and the Azure Subscription publisher, which can publish an event every time a user is added to the Azure Subscription, then push that event to the Logic App, and let the Logic App check whether the user id has the expected domain and send the corresponding alerts.
Event Grid will allow you to react to events instead of having to poll every minute.
You can find a demo of a very similar scenario here:
https://channel9.msdn.com/Shows/Azure-Friday/Azure-Event-Grid
HTH
Related
How can I view all subscriptions regardless of the 'app registration' that created it?
On our AAD, we have 2 'App Registration', lets call them regAppA & regAppB. We ran into an issue where we used both apps to create subscription for outlook events. This resulted in multiple events firing for a single change which caused issues down the line when handling them.
The problem is if you call :
GET https://graphUrl/subscriptions (with regAppA secret) you will only get the subscriptions created using that App Registration, and likewise with regAppB's secret
To avoid this situation happening again, I would like to run an automated script/program/whatever, that would get all subscriptions created regardless of the App Registration used to create it and flag issues found in the data.
I could do that using https://developer.microsoft.com/en-us/graph/graph-explorer, but I don't know how-to or if you can use delegated authentication programatically. I need this solution to run with no user intervention.
Any help will be much appreciated.
I would like to send a welcome email to the user when the Azure AD admin assigns the user to the application (enterprise or custom). It would be nice to use a custom template to define an access URL and maybe some additional info (how to use, some rules, etc.). I haven't found anything similar in the Azure portal.
Does Azure AD provide such functionality? Or should I build custom implementation (Graph API, EventGrid + Azure Functions, SCIM protocol, etc.)?
From what I understand, at the very base, you want an email to be sent whenever a user is assigned to an enterprise application (or custom - assuming that also falls under same). I assume you do not need to know much about who actually assigned the permissions. Either way, with the query below you should have enough to get going.
As far as I know there's no native support for this in AD (I couldn't find anything at all that's available but I could be wrong) but a workaround for us was to do it using Log Analytics + Azure Logic App. While our use case is slightly different (we use it to monitor and be alerted for logins to a specific account), the same logic might apply to you - I put together a few lines to query log analytics. but I couldn't get the alert part working - Azure could just be sleepy right now.
EDIT: Alert worked the following day. Just needed some time to warm up I guess.
Give it a try:
Make sure Azure AD has diagnostic settings configured to send logs to a Log Workspace
Query the workspace using the following:
AuditLogs
| where TimeGenerated > ago(5m) //Change as required
| where ActivityDisplayName has "Add app role assignment grant to user"
| project Time = TimeGenerated, Activity = ActivityDisplayName, Application=parse_json(TargetResources)[0].displayName, User=parse_json(TargetResources)[1].userPrincipalName
| where Application contains "myapp"
Create an alert from Log Analytics (hopefully you get it working right away - each alert cost USD 1.50/month).
(a) You will need to create an Action Group
(b) Under Action Group, configure your email in the Notifications.
(c) You will need to come back to reconfigure an Action field to the Logic App you will create below.
Create a Logic App and start with an HTTP connector as the trigger to receive the content in JSON format.
Setup a Send an Email (v2) action with all variables and such, or another connector if applicable in your case. Customise the email in HTML
One alternative to using Log Analytics and Alerts could also be to use PowerShell to query AAD logs and then parse the information to Logic App through the HTTP POST Url that shows up when you save the HTTP Connector.
Another alternative to using the HTTP Connector could be to use the O365 connector with trigger When a new email arrives (v3)
Things to consider:
There's at least a 5 minutes delay between the time the event is logged and triggered. This is just the way the alert query works.
You will need to login to Logic App using the mailbox from which you want to send that email. That's something you might want to manage separately - expiring credentials etc.
Hope this gives you some ideas.
I am searching a way to automate some email reporting
I have build a process with a logic app to do that. The problem is when I want to create an API connection to office 365 with another account than mine (for example email.reporting#xxx.com), I cannot because I am log with my personal account, so it always use my account to create the API connection.
I cannot also log to the portal with this other account because it doesn't have any access. What is the best way to do that?
Is it possible to give the access to the logic app to this other account then I can access to it and change the connection?
Or there is a trick that allow to change api connection directly?
Thanks
In my test I could use two different account to send mails, cause you don't show how you add account, maybe you could refer to my below steps.
After I set an action to send mail then I add other action to send mail, choose Change connection, then choose Add new, it will pop up a page you could choose existing account also could Use another account.
Is it possible within Azure devops to send a bespoke notification to a user when a work item is completed.
Example Scenario
Work item are logged in azure devops under project by user 'Y' on behalf of a user 'X'
When this work item is completed is it possible to automate an email to user 'X'. Saying something like your request has been completed.
User 'Y' = Member of development team
User 'X' = End user of system, who has requested feature
Is this possible to achieve or is there a better way to go about this process ?
I think, this is possible but azure devops should detect your X by some properties. I see two ways:
User X may to Follow a work item.
User Y may create some specific tag and you can create a custom notification for that tag:
Or create a custom application that will scan your work items and send notifications.
As you can see my question above, I was wondering if it is possible to retrieve the assigned groups of an Azure Active Directory (AAD) based user via Microsoft GraphAPI.
My situation is, that I have an ASP.NET MVC project with Microsoft Azure enabled. My goal is, that an Azure user can login on my website with it's Azure account.
The idea is, that an azure user is an admin or an user (depending on the azure groups) and depending of this role group, the user can view more or less of my webpage.
For example:
When Peter logs in with his azure account on my webpage, he should only be able to see:
Add new Document
Edit Document
Remove Document
because he is only assigned as "User" in Azure Active Directory.
But when Sabrina logs in with her azure account on my webpage, then she should be able to do the same as Peter, but she also can see:
Manage Products
Add new customer
etc.
because she is been assigned as an admin in Azure Active Directory.
My problem is, that I did not find out how I retrieve the assigned group of an user with Microsoft GraphAPI. The part, which user can see or not after I got the roles is not a big deal.
I already tried this API call:
https://graph.microsoft.com/v1.0/me/
But it seems, that the response of this call does not include the actual assigned group of that user.
Do you think it is possible to retrieve the assigned group of an azure user? Is this even possible? Or do I have to do something else to retrieve these information?
I hope you understand my point and I am also looking forward for any response. Thanks in advance!
Add /memberOf to the URL to receive the groups a user is member of.
https://graph.microsoft.com/v1.0/me/memberOf
Here's a link to the specific graph api - https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups
Take a look at this sample application on Github. It does something very similar with a task tracker application, where different users are able to perform different actions based on the group they belong to -
https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims/blob/master/README.md
Also, in cases where a user is a member of too many groups, you get back an overage indicator and have to make a separate call to get all groups. Read about “hasgroups” and “groups:src1” claims here - https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-id-and-access-tokens
According to your system architecture, if some user has too many joined groups, the API https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups will return too many groups.
But if the groups with permissions in your system are not too much, you can use this API: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_checkmembergroups to check if the current user is the member of specified groups.
It is not good idea to use this API: https://graph.microsoft.com/v1.0/me/memberOf. Because it returns only the groups that the user is a direct member of, but security group can be member of security group.