Is it possible to sync users from cloud Azure Active Directory to on premise AD? On premise is a bit wrong here because it is actually a virtual network in Azure with a Windows Server virtual machine AD. I started with Azure AD and therefore all users are there but I would like to sync them to this virtual machine AD in a virtual network in Azure. I tried Azure AD Connect but this works to sync form on premise to Azure AD. How can I do it the other way around?
Is it possible to sync users from cloud Azure Active Directory to on
premise AD?
For now, it is not possible.
Here the feedback about it, maybe you can vote up it, that feedback will be monitored and reviewed by the Microsoft engineering teams.
As a workaround, we can use powershell to export Azure AD users' information to local file, then use that file to create users in on premise AD.
Here a similar case about you, please refer to it.
Hope this helps.
I have written a custom algorithm to do the process and it works for me so far so well.
I would state the approach that I have followed. This process will get executed after user logs in through Single Sign On.
Step-by-step process to be followed once the user is validated with AD.
Fetch User Manager Chain for the user with Indian Region Filter
through Graph API
https://graph.microsoft.com/v1.0/users/${usermail}?$expand=manager($levels=max;
Convert User Chain Nested Objects to Array of Users
Loop user array in reverse
For every traversal, check if the user present (match with Object ID)
If User Present in Database,
a. Compare user data with OIDC :id:
b. On Variance, call update() to keep data in sync with AD information
User not Present in DB,
a. Call insert() to insert the user data to the database
Note:
I am calling this process every time a user logs in and it is able to insert any new users or update the data in the database if it doesn't match with AAD. This would be an efficient approach if the management chain is around 10. I couldn't find a way to do this thing anywhere else so came up with this process.
Related
I want to set up logic app, which is going to monitor rss feed and create task in azure devops based on data from feed and some conditions. That's the easy part. I want to make this set up more or less secure and want to prevent API connector reuse. So, when I login to Azure DevOps using logic app using connector, API Connection is being created and I can reuse it with any other logic app. How do I prevent this this reuse behaviour? Is it possible to limit connector use somehow, so it can be used with 1 logic app only? The resource group is in subscription which can be accessed by some users already, so limitng access to resource group with logic app is not an option.
Unfortunately, there is no way to make the API connection restricted to only one logic app. The other possible way would be if you have different user having access to different resource groups, one per user, and set RBAC so only the user have access to it and they are not reusing it. But still that user can also reuse the connection if they want
In azure, there are multiple services like audit logs, azure access advisor but none of them provides exactly the information I need. How to get any of the below information for azure users:
Last services accessed list by the user. (which services are accessed by the user in past and which services are still unused but he has the permission to access them).
Detailed last services accessed data(what services are accessed by which azure user and when was it last accessed).
PS: by access, I mean any type of access: Be it read operation or write operation or update operation or any other operation specific to the service.
In AWS there is this thing:
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_access-advisor.html.
can anyone help if there is something similar to this is present in azure as well?
I hired a contractor to work on a web service that uses DocumentDB to store our data. I need the contract to be able to login to Azure and access DocumentDB, but I do not want him playing with major things like users and my subscription. I also do not want him scaling anything up or down.
How do I add him as a user and let him access DocumentDB?
If he needs to manage the docdb resource in the Azure portal, you can give him reader or contributor rights on the invididual resource or on the resource group that contains the documentdb resource. By making him contributor (in case he needs to change things), you ensure that he cannot change any user permissions. Readers obviously cannot change anything.
If you require more complex permissions, you could consider using another built in role or even creating a custom role.
In case he just needs to write an application that accesses the DocDB contents, all you have to give him is a connection string and no portal access at all.
I have a security question related to Azure that I could really do with some guidance on the art of what is possible.
I would like to know if it is possible to restrict what services can be called (i.e what storage account endpoints can be used to write data to) from PaaS services such as service fabric or web apps (ASE). i.e. if I have a web app that writes to storage and someone maliciously altered the code to write to a third party storage account on Azure; is this something I could mitigate in advance by saying this application (i.e. this web app or this SF cluster) can only talk to a particular set of storage accounts or a particular database. So that even if the code was changed to talk to another storage account, it wouldnt be able to. I.e can I explicitly define as part of an environment what storage items an application can talk to; Is this something that is possible?
Azure Storage Accounts have Access Keys and Shared Access Keys that are used to authenticate REST calls to read / write data to them. Your app will be able to perform read / write operations against the Azure Storage Account that it has an access key and connection string for that it uses to connect to it with.
It's not possible to set any kind of firewall rule on an Azure App Service app to prevent it from communicating with certain internet or Azure endpoints. You can set NSG firewall rules with App Service Environment, but you still can only either open or close access; not restrict on certain DNS names or IP Addresses.
Perhaps you should look for a mitigation to this threat in the way applications are deployed, connection strings are managed and code is deployed:
Use Azure Role Based Access control to limit access to the resource in Azure, so unauthorized persons cannot modify deployments
Use a secure way of managing your source code. Remember it is not on the PaaS service, because that only holds the binaries.
Use SAS tokens for application access to storage accounts, not the full access keys. For example, a SAS key could be given write access, not read or list access to a storage account.
If, as a developer, you don't trust the person managing the application deployment, you could even consider signing your application parameters/connection strings. That only protects against tampering though, not against extraction of the connection string.
Is it possible to mange an azure account within code? Like
var ac = new AzureAccount(name, password);
ac.CreateStorageAccount(name);
ac.CreateCoAdmin(name);
...
I already know about the Azure cmdlets, but that doesn't help.
You'll need to look at the Service Management API. There is an operation that allows you to create a storage account for example (comes with a C# example): Create Storage Account.
Adding a co-admin on the other hand won't be that simple. I believe there's support in the Service Management API to manage co-admins. If this is really important to you you can try to look at how the portal does it. You'll see that it executes 2 requests to add a co-admin to a subscription:
Call https://manage.windowsazure.com/Users/GetPrincipalId with the email address of the new admin. This will return a "LiveID" (like 00053ACD9A5B316C).
Call https://manage.windowsazure.com/Users/AddCoAdministrator with the email address, the LiveId, and information about the subscription to add the user.
This isn't documented and before even calling these services you'll need to manage authentication first.
Windows Azure accounts are created when user provide their personal information along with a financial source (i.e. Credit Card) which can pay the balance incurred by the services used by the specified user. Once you are logged into your account you can add more administration. This process is managed upto certain degree of control directly by the Windows Azure team and there is no API to automate these functionality for various reasons.
However once you have got a new Subscription to Windows Azure, you certainly can use REST API to exactly create new services (i.e Cloud Service, VM, Storage etc) which are available within your Subscription. To make it happen just create a new reference dll (or class) and add all the REST API to in and then use that reference (or class) to exactly call they way you want.