In trying to access RateCard info in the Government Cloud, Region usgovvirgia, and working from example on github: https://github.com/Azure-Samples/billing-dotnet-usage-api.
GitHub Sample throws Unhandled exception: AADSTS65005 (see links below)
This error is mentioned there but in reworking the referenced sections of the procedure I haven't found a way to correct this and strongly suspect the problem is due to differences in US Gov Cloud. (See image below for App settings in the Portal).
My RegisteredApp:
RateCardHM, appId/clientID: XXXXXXXX-4ba0-47a3-811e-ca0b0b74118a ->
Required Permissions-> (Delegated -- NoApplicationPermissionsAvailable)
Access Azure Service Management as organization users (preview)
RequiresAdmin: No {"AADSTS65005: Invalid resource. The client has
requested access to a resource which is not listed in the requested
permissions in the client's application registration. Client app ID:
XXXXXXXX-XXXX-47a3-811e-ca0b0b74118a. Resource value from request:
https://management.usgovcloudapi.net/. Resource app ID:
40a69793-8fe6-4db1-9591-dbc5c57b17d8. List of valid resources from app
registration: 797f4846-ba00-4fd7-ba43-dac1f8f63013,
00000002-0000-0000-c000-000000000000. Trace ID:
6c1f3716-12ca-489e-b183-99cb6f730300 Correlation ID:
57dbf637-8e01-42f2-873c-4723f1814254 Timestamp: 2018-03-14 18:43:33Z"}
Since there probably isn't a "2-letter ISO code" for usgovvirginia, what should be used?
https://msdn.microsoft.com/en-us/library/azure/mt219004.aspx Indicates:
•Set {RegionInfo} to the 2 letter ISO code where the offer was purchased.
Reconcile with usgovvirginia Region.
<appSettings>
<add key="ADALServiceURL" value="https://login.microsoftonline.us"/>
<add key="ADALRedirectURL" value="http://localhost"/>
<add key="ARMBillingServiceURL" value="https://management.usgovcloudapi.net"/>
<add key="TenantDomain" value="XXXXX.onmicrosoft.com"/>
<add key="SubscriptionID" value="XXXXXXXX-1293-4060-a2ed-0da3db612bcc"/>
<add key="ClientId" value="XXXXXXXX-4ba0-47a3-811e-ca0b0b74118a"/>
<add key="RegionInfo" value="usgovvirginia"/> <!-- WHAT to use here? -->
</appSettings>
I would prefer to get access with PowerShell but getting the C# sample app to work would likely be sufficient and certainly a good start.
UPDATE FOLLOWS (more info):
After logging in with PowerShell AzureRM (as myself) "Locations" for Microsoft.Commerce and RateCard API are empty:
(Get-AzureRmResourceProvider -ListAvailable | ? ProviderNamespace -eq Microsoft.Commerce)
# Outputs with LOCATION 'empty':
ProviderNamespace : Microsoft.Commerce
RegistrationState : Registered
ResourceTypes : {UsageAggregates, RateCard, operations}
Locations : {}
(Get-AzureRmResourceProvider -ListAvailable | ? ProviderNamespace -eq Microsoft.Commerce).ResourceTypes | ? ResourceTypeName -eq RateCard
# Outputs with LOCATION 'empty' also:
ResourceTypeName : RateCard
Locations : {}
ApiVersions : {2016-08-31-preview, 2015-06-01-preview, 2015-05-15}
Possibly this means US Gov Cloud doesn't offer these APIs in any region?
This following image shows the alert where the App has been added as a Reader:
First, you need to make sure Billing API is actually supported on Government Subscription. I cannot seem to find an official reference over the Internet about the supportability. It'd be much better to ask about that here https://azure.microsoft.com/en-us/global-infrastructure/government/contact/
If it is supported, normally you need to add your client app you registered to the Government subscription.
Under Access Control (IAM) blade, click Add. Select Reader under Role (in case you just need to get information without any change). Under Select, you can look up your client app name (the one has client ID associated), you can also copy the client ID and paste to this field.
With out appropriate permission, your registered client app can't read to your Government resource to retrieve billing info over REST API.
P/S: There is also a role named Billing Reader if you would like to explicitly control access.
Microsoft Support has now attested that accessing the RateCard API is not available in an Enterprise Account (nor in a CSP account).
https://learn.microsoft.com/en-us/azure/billing/billing-usage-rate-card-overview#azure-resource-ratecard-api-preview
Azure Resource RateCard API (Preview)
Use the Azure Resource RateCard API to get the list of available
Azure resources and estimated pricing information for each. The API
includes: Azure Role-based Access Control - Configure your access
policies on the Azure portal or through Azure PowerShell cmdlets to
specify which users or applications can get access to the RateCard
data. Callers must use standard Azure Active Directory tokens for
authentication. Add the caller to either the Reader, Owner, or
Contributor role to get access to the usage data for a particular
Azure subscription.
Support for Pay-as-you-go, MSDN, Monetary commitment, and Monetary
credit offers (EA and CSP not supported) - This API provides Azure
offer-level rate information. The caller of this API must pass in the
offer information to get resource details and rates. We're currently
unable to provide EA rates because EA offers have customized rates
per enrollment.
Thanks to everyone who tried to help.
Related
I am trying to customize id token in Azure AD ..
I did the following steps :
1-Registered Azure AD application
2-Post extension:
https ://graph.microsoft.com/v1.0/applications/Object ID/extensionProperties
Payload : {"name":"test","dataType":"string","targetObjects":["User"]}
3-Create claim Mapping Policy
https ://graph.microsoft.com/v1.0/policies/claimsMappingPolicies
Payload
{"definition":[{"ClaimsMappingPolicy":{"Version":1,"IncludeBasicClaimSet":"true","ClaimsSchema": [{"Source":"user","ExtensionID":"extension_Application (client)ID_test","JwtClaimType":"test"}]}}],"displayName":"test","isOrganizationDefault":true}
4-Post service principal
https: // graph.microsoft.com/v1.0/servicePrincipals/Object ID of the Managed application /claimsMappingPolicies/$ref
Payload : {"#odata.id":"https: //graph.microsoft.com/v1.0/policies/claimsMappingPolicies/(The policy Id I got from step 4"}
5- I patched a user
https: // graph.microsoft.com/v1.0/users/usreID
{"extension_Application (client)ID_test":"test"}
6- I edited the Mainifest
See Mainifest
6- I tired to get the ID token for the user I patched in step 5
https://login.microsoftonline.com/**tenant Id**/oauth2/v2.0/token
with headers(client_id,client_secret,scope:https://graph.microsoft.com/.default,usernam,password)
7- I decoded the token , I don't see "test" as part of the token
Not sure what I am missing here to customize the token
Screenshot to show that I am missing token configuration in the blade
Missing token configuration in the blade
Screenshot to show that I can't find permission : Directory.AccessAsUser.All
missing API permission
Once the extension claim setup is done, it can be used to store and retrieve data via graph as extension properties may not passed in id tokens, but can be retrieve by querying the user profile from the Graph. or The application can make use of graph client to pass the extension claims which are not taken from available optional claims from azure ad.
Please make sure to have the Directory.AccessAsUser.All ,Directory.Read.All,openId permissions granted.
Also please check with optional claims set in manifest .
Then check in token configuration, if it is valid claim.
References :
Emitting claims with data from directory schema extension attributes created for an application using Graph
azure-ad-custom-attributes-and-optional-claims-from-an-asp-dot-net-application
Edit:update 13/4/2022
Like you said in comments:
Like the Most obvious difference now ( Token configuration is not
available and api permssion for Directory.AccessAsUser.All is not
there)
I tried to check in which way i cannot be able to see those features in Overview blade of AAD portal.
I had all those features as i was using organizational Azure AD premium 2 licensed tenant.
But when i tried to create another tenant with same account and switched tenant to work on it and created an app registration. App registration blade doesn't have the token configuration and api permissions like Directory.AccessAsUser.All as you mentioned.
Then i realized its license is azure ad free account.
So from my point of view please try to utilize the pay as you go account or which the organization had been subscribed to premium license which would give a better experience .
Also you can check the ongoing issue here
Q&A missing-features-in-my-azure-ad-tenant.
active-directory-optionalclaims-example
I am trying to use the following git repo in order to connect to azure ams, upload a video and stream it:
https://github.com/Azure-Samples/media-services-v3-node-tutorials/blob/main/AMSv3Samples/StreamFilesSample/index.ts
For some reason I am keep getting the following error:
The client 'XXX' with object id 'XXX' does not have authorization to perform action 'Microsoft.Media/mediaServices/transforms/write' over scope '/subscriptions/XXX/resourceGroups/TEST-APP/providers/Microsoft.Media/mediaServices/TESTAMP/transforms/ContentAwareEncoding' or the scope is invalid. If access was recently granted, please refresh your credentials
The AD user is owner but I understand it is a permission issue.
I searched all over the web for hours what permission do I need to grant and where but could not find any solution
The error get thrown here:
let encodingTransform = await mediaServicesClient.transforms.createOrUpdate(resourceGroup, accountName, encodingTransformName, {
name: encodingTransformName,
outputs: [
{
preset: adaptiveStreamingTransform
}
]
});
of course, I have updated the .env file to the correct data of my azure account.
Can anyone point out what am I missing and how to grant this permission?
Thanks!
The error message is referring to your Service Principal that is being used to authenticate against the AMS SDK.
Double check that you entered the GUID values for the service principal ID and Key, and make sure you did not use the friendly name in there.
AADCLIENTID="00000000-0000-0000-0000-000000000000"
AADSECRET="00000000-0000-0000-0000-000000000000"
Also, double check in IAM Access control in the portal that the service principal exists under the Role Assignments for your Media Services account and has Contributor or Owner permission Role first.
If you are in an Enterprise that locks down AAD access - you may need to work with your AAD owner/admin to make these changes and grant the service principal the right roles for your account. That's a bit outside of Media Services, and is just general Azure AAD application creation rights, and role assignments.
If you are still hitting issues, I would file a support ticket and also ask your AAD administrator to assign the role permisssion to your service principal.
As an aside, we are also working on updated Node.js SDK samples for the upcoming (soon!) release of the 10.0.0 Javascript SDK.
See the beta samples here - https://github.com/Azure-Samples/media-services-v3-node-tutorials/tree/10.0.0-beta.1
I need a starting point to solve the following problem:
Assume there is a model with different entities (e.g. school classes) and different roles that are connected to entities.
Now I want to check in my Azure Function if Bob has a role on this entity which entitles him to rate a student from the school class.
I think of a claim of the form:
TEACHER : [
"class 2b"
]
before.
Which Azure Resources do I need to map such a thing?
I already use Azure AZ for the ID token and my API is implemented in an Azure Function.
I would like to call Azure AD to get an access token which contains those roles and resources of my domain.
I'm afraid that this form is not supported by Azure AD.
The supported form should be "{claim name}": "{claim value}".
If you accept this form, you can refer to my previous answer.
What you need to modify is:
When you create the extensionProperty, you should name the extensionProperty as "TEACHER".
Post https://graph.microsoft.com/v1.0/applications/{object id of the Azure AD application}/extensionProperties
{"name":"TEACHER","dataType":"string","targetObjects":["User"]}
And update the extension property for your account:
Patch https://graph.microsoft.com/v1.0/me
{"extension_6d8190fbf1fe4bc38a5a145520221989_TEACHER":"class 2b"}
Then you can get the custom claim as "TEACHER": "class 2b".
When I try to link a variable group to key vault in VSTS, every time I select my endpoint, it tells me:
"Specified Azure endpoint needs to have "Get, List" secret management permissions on the selected key vault. Click "Authorize" to enable VSTS to set these permissions or manage secret permissions in Azure portal."
It makes no sense. That specific endpoint has Get and List for secrets, keys, certificates. The endpoint is using the correct Service Principal Client ID- I know because I pulled its corresponding app registration up in Azure by searching with that ID. And the app registration is specifically listed in the key vault's Access policies, with the correct permissions.
Trying to click "Authorize" in VSTS just give me
"Resource not found for the segment 'DirectoryDataService.getServicePrincipalsByAppIds'. For troubleshooting refer to https://go.microsoft.com/fwlink/?linkid=835898"
and the endpoint is broken until I re-verify it.
I'm kind of at my wit's end here- everything is set exactly as https://learn.microsoft.com/en-us/vsts/build-release/concepts/library/variable-groups?view=vsts says it should be.
Edit: Turns out the Azure tried to add the app reg as a person instead of an app when I listed it in the ARM template by object ID (app ID most definitely does not work there). So now I just need to figure out how to add it as an application in the ARM template...
Edit Edit: Soooo... the Object ID the Azure Portal shows for an App Registration? That's not the Object ID the ARM template wants. It wants the... I'm not sure what you'd call it. In Powershell, you use it with -Object ID, but when you list the properties, it's under "Id". Whatever. To get it, you run
Get-AzureRmADServicePrincipal -SearchString "[your-app-reg-name]"
And it shows up under Id. That's what you want to use as an object ID in your ARM template.
According to the error Resource not found for the segment 'DirectoryDataService.getServicePrincipalsByAppIds, the issue seems more related to Azure side.
To access azure-keyvault you need four things :
- clientId = "<client id of your application registed on Azure AD>";
- domain = "<your talnet id>";
- secret = "<client key of your application registed on Azure AD>";
- subscription = "<your subscription id>";
Then these will combine ApplicationTokenCredentials, finally Authorize to KeyVaultClient . Suggest you take a look at this question: Azure keyvault client 1.0.0 initiate client
Besides also double check/confirm the specific endpoint has Get and List for secrets, keys, certificates.
I have a client with a Azure subscription sitting in a US GOV data center. This subscription is under an EA (not pay-as-you-go).
Attempting to use the standard billing APIs (ratecard and usage) fails with a 'Subscription not found' error. I.e. running the following:
https://management.azure.com/subscriptions/[subscription id here]/providers/Microsoft.Commerce/RateCard?api-version=2015-06-01-preview&$filter=OfferDurableId eq 'MS-AZR-USGOV-0017P' and Currency eq 'USD' and Locale eq 'en-US' and RegionInfo eq 'US'
fails with:
{
"error": {
"code": "SubscriptionNotFound",
"message": "The subscription '[subscription id here]' could not be found."
}
}
I've found very little information on the rate card and usage APIs with EA accounts and even less information on these APIs for accounts running in a US GOV Azure region. Does anyone know if this is supposed to work?
I don't have any experience with the Gov environment, but otherwise my experience is that Resource Usage API also works for EA, whereas the RateCard does not.
I would suggest you to start out with the powershell cmdlets for an easy start
* Get-AzureRmUsage
https://learn.microsoft.com/en-us/powershell/resourcemanager/azurerm.insights/v2.3.0/get-azurermusage
Be sure that you have powershell running correctly towards the Government environment first.
If you want to roll your own client remember to use the correct endpoints as described in "Azure Government developer guide"
https://learn.microsoft.com/en-us/azure/azure-government-developer-guide
Brgds Brian
For EA offer IDs, you need to use the following API:
https://consumption.azure.com/v2/enrollments/(enrollment_id)/pricesheet
You will need to provide EA API Key (different than bearer token from other APIs):
curl -X GET https://consumption.azure.com/v2/enrollments/(enrollment_id)/pricesheet -H 'authorization: Bearer (api_key)'
Note that the API bearer token needs to be created in the EA Portal under the User Account. More detail can be found here: https://learn.microsoft.com/en-us/azure/billing/billing-enterprise-api
Also note that the user must have appropriate privileges otherwise the API will reject your request.