my organization has around 2000 applications which are required to be configured With Azure AD SSO and for that they need to be registered and allowed access to users on Azure AD.
I know how to do it manually, but is there any way to automate this whole process so that, I can register the application and grant users access they required?
thank you
Dheeraj Kumar
You can automate creation with Microsoft Graph API or Azure AD Graph API (though you should prefer MS Graph when possible).
In this case since you have what is basically a batch scenario in your hands, I feel PowerShell might be a good option.
There is a PowerShell module for administering Azure AD:
https://learn.microsoft.com/en-us/powershell/azure/active-directory/install-adv2?view=azureadps-2.0
https://www.powershellgallery.com/packages/AzureADPreview/2.0.0.127
First you sign in with
Connect-AzureAD
Then we can create an Application:
$app = New-AzureADApplication -DisplayName 'Created from PS' -IdentifierUris #('https://mytenant.onmicrosoft.com/PSTest1')
Then we need to create the service principal, this is normally done by the portal:
$sp = New-AzureADServicePrincipal -AppId $app.AppId -AppRoleAssignmentRequired $true
Note the AppRoleAssignmentRequired parameter.
Setting it to true will require users to be assigned to the app before they can login.
If you don't want that, just leave it out.
Now we can assign users.
You will need a user's ObjectId to assign them to the app.
You can use Get-AzureADUser in various ways to get the users you want to assign.
But the assignment can then be done like this:
New-AzureADUserAppRoleAssignment -Id '00000000-0000-0000-0000-000000000000' -PrincipalId $user.ObjectId -ResourceId $sp.ObjectId -ObjectId $user.ObjectId
If you had specified roles in your app for users, you could use the role's id instead of all zeros.
All zeros translates to "Default access" in the portal.
Related
so the background as follows:
for installation and deployment process we need to modify a customer created App Registration.
but we get not the right Application.ReadWriteAll but we could get Application.ReadWrite.OwnedBy.
I know that if creating an Graph Api Call (excecuted with Postman) as shown below it worked, because Creator is automatically the Owner.
.
HTTP-Post Request:
https://graph.microsoft.com/v1.0/applications
with body:
{
"displayName": "AppRegName"
}
But I need to solution with standard tool like azure portal or powershell and I found no way to assign or remove a service principal as owner to an App Registration.
Is there a way to to do this with powershell?
The authentifiaction with an service principal i dont't know how I can do it?
I think after I can create an App Registration with
$appRegistration = New-AzADApplication -DisplayName "AppRegCreatebyPS"
but I very unexperinced in using powershell.
So how I can tell powershell to use the service principal authentitification for creating App Registrations?
A short extra question:
Can I remove later the owner role for the service principal and how can I do it?
Thanks for all Readers And I hope someone can give me a hint.
You can create App registration, Service Principal for App registration, Add application owner and remove application owner all from PowerShell AzureAD module.
Command to install Azure AD module in PowerShell:
Install-Module AzureAD
You can use the below commands :
#Connect to Azure AD
Connect-AzureAD
#Create Azure AD app Registration
$appRegistration = New-AzureADApplication -DisplayName "AppRegCreatebyPS"
# Create A service Principal for the above app Registration
New-AzureADServicePrincipal -AccountEnabled $true -AppId $appRegistration.AppId -AppRoleAssignmentRequired $true -DisplayName $appRegistration.DisplayName
# get objectid for the service principal
$serviceprincipal= Get-AzureADServicePrincipal -Filter "DisplayName eq 'AppRegCreatebyPS'"
#Get the old app registration for whom you want set owner
$oldappregistration = Get-AzureADApplication -Filter "DisplayName eq 'Postman'"
#add service principal to the application owner of old app registration
Add-AzureADApplicationOwner -ObjectId $oldappregistration.ObjectId -RefObjectId $serviceprincipal.ObjectId
# verify the owner for the old app registration
Get-AzureADApplicationOwner -ObjectId $oldappregistration.ObjectId
#remove the owner for the old app registration
Remove-AzureADApplicationOwner -ObjectId $oldappregistration.ObjectId -OwnerId $serviceprincipal.ObjectId
Reference:
Cmdlts for Azure AD module reference
This can be done like below from bash or windows subsystem linux.
Login to your Azure account
az login
Execute below command
az ad app owner add --id AAAA --owner-object-id AAAA
--id(Application id) , --owner-object-id (Owners object id)
Ref : https://learn.microsoft.com/en-us/cli/azure/ad/app/owner?view=azure-cli-latest
I did see this q/a: Connect-AzAccount without prompt
But when I tried the accepted answer, I get the following error:
[6/12/2020 12:36:20 AM] ERROR: Connect-AzAccount : Username + Password authentication is not supported in PowerShell Core. Please use device code authentication for interactive log in, or Service Principal authentication for script log in.
So I went to example 3 of the Connect-AzAccount documentation which specifies the "Service Principal" authentication method, so I mix the two because the suggested vanilla Get-Credential triggers another interactive session. So here's the script now:
$User = "myemail#gmail.com"
$PWord = ConvertTo-SecureString -String "**********" -AsPlainText -Force
$tenant = "f*********************************"
$Credential = New-Object -TypeName "System.Management.Automation.PSCredential" -ArgumentList $User,$PWord
# $Credential = Get-Credential
Connect-AzAccount -Credential $Credential -Tenant $tenant -ServicePrincipal
which brings my next error: [6/12/2020 12:45:45 AM] ERROR: Connect-AzAccount : AADSTS700016: Application with identifier 'myemail' was not found in the directory 'f*********************************'. This can happen if the application has not been installed by the administrator of the tenant or consented to by any user in the tenant. You may have sent your authentication request to the wrong tenant.
I'm really confused at this point because all I have done at this point in Azure is:
Create a new Azure account
Provision an Azure API Management instance through the UI (which btw, takes like 20 minutes)
Try the above code to connect to Azure inside of a Powershell Azure Function locally.
I think something is wrong with the information I've provided or how I've configured something.
$User is the email I signed up to Azure with.
$PWord is my Azure password
$tenant is the first thing I saw when I opened Azure AD:
What's wrong with how I'm trying to connect to Azure through Powershell Core?
Based on Example 3, it asks for entering your application ID for the username and service principal secret as the password.
So you need to create a service principal at first. And then use its application ID and client secret as the credential.
$User = "{application id}"
$PWord = ConvertTo-SecureString -String "{client secret}" -AsPlainText -Force
I don't like Azure documentation. It gives off a very different vibe from GCP and feels much less beginner friendly.
With that said, they did have some kind of write-up that addresses my issue of creating a service principal and using it to authenticate.
I actually ended up just finding a video (and I never do this) because I wanted to skip past all the technical jargon and just create the darn service principal.
It's not even intuitive - it's like Microsoft could have added a button in AZ AD or IAM that said "Create Service Principal" but no, you have to go to a bunch of other pages that say nothing about service principals. You'll see:
In Azure Portal, navigate to the App Registrations page in Azure Active Directory. What an "app registration" has to do with a service principal, I couldn't tell you. I also couldn't tell you what a service principal is, but I'd imagine it has something to do with service accounts.
Make a New Registration and give it some sort of name to describe what the scope of this service principal will entail. Like normal service account naming conventions. I don't think the account type matters but I chose Multitenant. Redirect URL has nothing to do with service principals, and honestly makes it all the more confusing. I would never associate service accounts with any kind of redirect url, but here we are.
You're going to arrive at a page with Display Name (the name of the service principal you gave it in step 2), Application (client) ID (this is actually your service account username, which is imo non-intuitive), and Object ID (I have no idea what this is but I never needed to use it.
Guess what, you have only created 1/3 of your service account. It doesn't even have a password yet. Within your created app registration, there's a Certificates & Secrets page. On that page, you want to add a new client secret. For my description I just put my service principal "display name". I don't think that was necessary because this client secret is within the scope of the app registration, so even if I named it "poop" I could reasonably assume what it was for. Azure will generate a nuanced client secret and display it, but not warn you that this is the only time you will be able to see the key. Copy it. This is, in normal people talk, your service principal password.
For the last step, you need to get out of dodge, I mean Azure AD. Navigate to your Subscriptions page and click on your active subcription. For some reason IAM is here, so click on that. At this point, your service principal has a username and password, but no actual permissions - you have to configure that manually too. Click Add -> Add Role Assignment. For role, you should do your research but if it's not serious Contributor is probably a safe bet. It has read/write but it doesn't supersede Owner. Make sure you're assigning access to a service principal, and search for its display name. Save.
With all of that done, Connect-AzAccount finally worked.
I am working on a project that provisions users into Azure B2C via Azure Graph API call and we got a requirement to disable the users if they are terminated from company. The Termination Date can be anything (Past/Present/Future). If I know the termination date, Can I disable that particular user from B2C instance using the termination date?
I'm not clear what you mean by "disable":
You can DELETE a B2C principal at any time.
You can also delete a B2C principal at a pre-determined time. For example, by running a script that invokes an Azure Graph API call.
Alternatively, you can retain the principal, but block signin. There are several ways to do this. For example:
MSDN: Disable user sign-ins for an enterprise app in Azure Active
Directory
Powershell script:
# The AppId of the app to be disabled
$appId = "{AppId}"
# Check if a service principal already exists for the app
$servicePrincipal = Get-AzureADServicePrincipal -Filter "appId eq '$appId'"
if ($servicePrincipal) {
# Service principal exists already, disable it
Set-AzureADServicePrincipal -ObjectId $servicePrincipal.ObjectId -AccountEnabled $false
} else {
# Service principal does not yet exist, create it and disable it at the same time
$servicePrincipal = New-AzureADServicePrincipal -AppId $appId -AccountEnabled $false
}
Just to expand #paulms4 answer:
You can disable the user by setting:
"accountEnabled": false,
I have created a new custom AppRole in App Manifest and I want to assign this new AppRole to all the user's of the application. I researched on this and I find several links on how to assign new AppRole to a user using Powershell or Bash, but I need to assign new AppRole to all the users (nearly 1500 users) using a script. Does anyone have any idea how to do this ?
Below are few links I looked into, but it assign role to a single user:
https://learn.microsoft.com/en-us/powershell/module/azuread/new-azureaduserapproleassignment?view=azureadps-2.0
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/assign-user-or-group-access-portal
You already looked at Azure Portal and the UI available and it isn't very well suited for bulk operations (only one role can be assigned at a time, users have to be selected one by one and there isn't a way to bulk select users based on some criteria etc.)
Following options might help you:
Assign a group to role instead of individual users
This requires a premium version of Azure AD. It's much more convenient not just for first time assignment but for managing overall.
Scripting/API options (PowerShell, CLI, Azure AD Graph API, Microsoft Graph API)
Idea will be to loop through all users (or desired subset of users based on some criteria) and assign the appropriate app role to them.
Here's a sample script for PowerShell.
Connect-AzureAD -TenantId <Your Tenant Id>
$app_name = "RolesWebApp"
$app_role_name = "Writer"
# Get the service principal for the app and app role
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
$users = Get-AzureADUser -Top 10
foreach ($user in $users)
{
# Assign the user to the app role
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId
$user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
}
Take a look at this SO thread where we discussed something very similar and has more details on each of the individual options.
Special note on Microsoft Graph API:
Even though for most scenarios it will be recommended to work with Microsoft Graph API instead of Azure AD Graph API. This particular functionality is only available in beta endpoint. So it would not be advisable to use it for any production code. Working with appRoleAssignments
1: Is anyone aware of a tool that can manage the assignment of Roles for Azure AD Users (the appRoles defined in the manifest) for Enterprise Applications in Azure AD?
I am talking about how to Assign Roles (app specific) to existing Azure AD Users. It’s a very slow process using the Azure Portal for this.
Of course, we could create this tool, but would be nice if such a tool already exists. What are large organizations with many Azure AD Enterprise Apps using today?
2: Is it really best practice to manually edit the manifest file in the portal? Would make more sense to have the file (the AppRoles section) in git along the application code.
Is anyone aware of a tool that can manage Roles for Azure AD Users
AFAIK, there isn't any specific tool available to manage Application roles.
Overall, you should be able to use following options for add/edit/update options related to application roles and assigning permissions to existing AD Users:
NOTE: Also know in case you are dealing with a large number of users, you could consider assigning security groups to app roles instead of doing it for individual users. It's an option worth considering, although it requires an Azure AD premium license. (Update - Also see comment from Philippe Signoret at the end of this answer about assigning groups to app roles, delegating management of the assigned groups and self-service group management)
Azure Portal by editing application manifest json (you're aware of this already)
PowerShell -
I've added a script for this one at the end. You can do this while creating a new app using New-AzureADApplication or for an existing application using Set-AzureADApplication.
For assigning these roles to existing users, you can use New-AzureADUserAppRoleAssignment as I have shown below with the updated script.
Azure AD Graph API -
You can work with AppRole Type and Application entity for managing app roles themselves. Documentation here
You can work with AppRoleAssignment Entity for assigning these roles to existing Azure AD users etc. Documentation here
Microsoft Graph API -
Documentation here - Please notice this is available only in beta version - so it's not yet good for production applications.
Look here for working with App Role Assignments
For your production applications, you could read application roles from a json file (part of source control like git etc.) and feed that into one of the programmatic options like PowerShell or Azure AD Graph API.
Here is the PowerShell script. Also take a look at these SO Post where we discussed something similar but only in scope of PowerShell.
SO Post 1
SO Post 2 (This question discusses parsing json file and updating Application manifest using PowerShell)
Connect-AzureAD -TenantId <Tenant GUID>
# Create an application role of given name and description
Function CreateAppRole([string] $Name, [string] $Description)
{
$appRole = New-Object Microsoft.Open.AzureAD.Model.AppRole
$appRole.AllowedMemberTypes = New-Object System.Collections.Generic.List[string]
$appRole.AllowedMemberTypes.Add("User");
$appRole.DisplayName = $Name
$appRole.Id = New-Guid
$appRole.IsEnabled = $true
$appRole.Description = $Description
$appRole.Value = $Name;
return $appRole
}
# ObjectId for application from App Registrations in your AzureAD
$appObjectId = "<Your Application Object Id>"
$app = Get-AzureADApplication -ObjectId $appObjectId
$appRoles = $app.AppRoles
Write-Host "App Roles before addition of new role.."
Write-Host $appRoles
$newRole = CreateAppRole -Name "MyNewApplicationRole" -Description "This is my new Application Role"
$appRoles.Add($newRole)
Set-AzureADApplication -ObjectId $app.ObjectId -AppRoles $appRoles
Once you are done with above script to add AppRole, then assigning roles to a user is pretty simple and a direct command is available. Here's a sample script for that -
# Assign the values to the variables
$username = "<You user's UPN>"
$app_name = "<Your App's display name>"
$app_role_name = "<App role display name>"
# Get the user to assign, and the service principal for the app to assign to
$user = Get-AzureADUser -ObjectId "$username"
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$appRole = $sp.AppRoles | Where-Object { $_.DisplayName -eq $app_role_name }
# Assign the user to the app role
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId
$user.ObjectId -ResourceId $sp.ObjectId -Id $appRole.Id
Late response but possibly better late than never, Terraform has support for this:
https://www.terraform.io/docs/providers/azuread/r/application.html