I know that to track user sign-ins I need to go to Active Directory -> (under Activity) Sign-ins, and have the necessary "Azure Active Directory Premium 2" subscription.
I am trying to find the equivalent for sign-ins via an access key of a given application created via app registrations.
Where can I see this in the Azure Portal? Bonus question: where is it available in the SDK or API?
From Azure portal,
Go to App registrations -> filter listed application by app Id (access key) or name.
Which lead you to application blade,
Click on Managed application in local directory, which show you sign-ins option for this application
If you want to access your active directory application by API, Office Graph can help.
Please see this document: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-reporting-activity-sign-ins
Do you have a Premium subscription? If you do not, you will not be able to see these logs.
Related
In my current environment in azure we are using azure graphapi mostly, for that we want to know who is doing what like logging of each request, when ever any request via graph api is there is option to see what data they access in azure portal?
Or logs for service principle also when ever any one logs in using service principle we wanted to know what actions they are doing.
I think the log reports in the portal currently could not fully meet your requirements.
Navigate to the Azure Active Directory in the portal -> Enterprise applications -> find the service principal you want -> in Sign-ins, you could check the login information.
In this blade, you can just get the login information, the Resource is Microsoft Graph, but you could not know what actions they are doing via Microsoft Graph.
To check what actions the users are doing in the AAD tenant, navigate to the Azure Active Directory -> Audit logs, you can check the users' actions, but you could not know if they did these things via Microsoft Graph/AAD Graph or not.
For more details, see Sign-in logs and Audit logs.
I created a Azure Active Directory via the Azure portal. Then, I registered an app in it. I can configure it, add permissions and the like via the azure portal. But the same app I created, I don't see on https://apps.dev.microsoft.com/
Shouldn't I be able to see and configure the app I made in AD at that portal, too?
The apps that appear in the Application Registration Portal are the ones where you are explicitly marked as an owner of the application. This is in contrast to the apps that appear in the Azure Portal which are all the applications registered in your tenant, independent of whether or not your are an owner.
If you are a normal user, and you create an application in the Azure Portal, you should see your application appear in a section called "Azure AD only applications"
Here is the owner information for "Email Scraper" from the Azure Portal.
However, if you are a Tenant Administrator and you create an application, you will not be marked as an owner of the application. Implicitly, Tenant Administrators are owners of all objects in the directory, and to reduce the object quota generated by admins, these explicit links are not created.
Here is an example of an app I created where I am the Tenant Administrator:
Therefore, you probably do not see your application in the App Registration Portal because you are not marked as an Owner of the application, probably because you are an Administrator who created the app, or you did not create the app to begin with. You can remedy this by simply adding yourself to the owner list in the Azure Portal.
Let me know if this helps!
Ive created a website in Azure and I want to allow users to login and use the app, but im slightly confused by azure active directory access. I want users to only have acces to the web app, not to the portal. Users will be from within my organisation and from outside it so its vitally important that access is locked down, If a user somehow ends up at the azure portal they must not be able to access it. If I set users up in our active directory, wont they be able to login to the azure portal too ? I want to take advantage of authentication as a service and hand over authentication and multi factor authentication to azure but everytjhing Ive read so far seems to suggest If i use azure active directory, users will be able to acess the Azure portal too, is this correct or am i misinterpreting the information ? Are there any step by step guides available for these sorts of scenarios ?
If i use azure active directory, users will be able to acess the Azure
portal too, is this correct or am i misinterpreting the information ?
No, your users will not have access to Azure Portal (rather Azure Subscription as Azure Portal is an application using which a user manages one or more Azure Subscriptions) unless you grant them permission to access it. In order for your users to have access to Azure Portal, you would need to grant them permissions explicitly to do so. In the new portal, you do it by assigning roles (e.g. Owner, Contributor, Reader etc.) and in the old portal you do it by making them co-administrators.
Unless you do this, when they login into Azure Portal all they will see is a message stating no Azure Subscriptions were found.
I tried to grant delegated permissions to webApi using azure.portal.com.
Two web App/API application was register on azure AD. When i try to use 'Settings->RequiredPermissions->Add->Select an API' i not see my created application in list.
Same problem for old azure portal described on Granting native application access to web application
But new portal not fixed with previous solution.
Could anyone help, please ?
The Azure AD app registration blades in portal.azure.com are currently not creating a servicePrincipal in the tenant when you register your application. This means that the API you create will not show up in the list of apps to select from. More detail in this blog post
I'm working on an application that will allow users to authenticate to Azure Active Directory and then manage resources in their Azure account via Azure Resource Manager API calls.
I've found several walkthroughs on building such an app including this post. However, in the part that discusses authentication with Azure Active Directory, there's a step showing the need to manually retrieve the Azure Active Directory name from the Azure Portal.
The directory name is plugged into app settings (and ultimately authentication calls to the directory) as follows
http://login.microsoftonline.com/{directory_domain_name}/OAuth2/Authorize
Is there any way to programmatically retrieve {directory_domain_name} without requiring users to login and lookup the information in the Azure Portal?
The one answer to this question has a dead link and another pointing to the Graph API, which seems to still require the domain name.
For your particular scenario, look like you want to build an app that will be users from different Azure AD tenants. This scenario is best addressed by building a multi-tenant application.
To make your application multi-tenant, you'll need to go to the Azure Portal and in the Configure tab of your Azure AD application, set the "Application is Mult-Tenant" option to yes.
Once you do this, you can just call
http://login.microsoftonline.com/common/oauth/authorize
http://login.microsoftonline.com/common/oauth/token
And Azure AD will resolve the figure out which tenant to authenticate against based on the the credential that the user types in.
More information on multi-tenant applications:https://azure.microsoft.com/en-us/documentation/articles/guidance-multitenant-identity-authenticate/
Sample multi-tenant application: https://github.com/Azure-Samples/active-directory-dotnet-webapp-multitenant-openidconnect