I'm struggling to find a way to add/create a key for an app in Azure AD using the CLI.
What I mean by the key is the authentication token with an expiry time under AD->App Name->Settings->Keys.
All of the documentation I have found so far is for adding everything but the key, as if Microsoft again decided that it's better to CLICK like a monkey rather than use the CLI or API.
Is this possible? Can you create the key through the CLI?
For a new Azure AD app, you could specify a key with Azure CLI 2.0. For example:
az ad app create --display-name "test" --homepage "http://localhost" --identifier-uris "https://localhost" --password "123adfaesdf"
You could use az ad app update to modify the expiry time.
However, currently, Azure CLI does not support adding a new key for an existing app. You could also refer to this similar question.
I have created a Docker container and generated the final artifact of my Azure function app code. Azure CLI is already installed in the container. Is it possible to deploy to Azure using Azure CLI and pass the credentials along?
I tried the following command (example credentials):
az functionapp deployment user set --user-name "MY_USER" --password "MY_PASS" --subscription "MY_SUBSCRIPTION"
But it results in the following error:
Subscription 'MY_SUBSCRIPTION' not recognized. ValidationError: Please run 'az login' to setup account.
If I log in (which requires entering a pass code in a browser), then the command above seems to be working.
This is going to be part of CI/CD, and manual login is not a solution. Any ideas?
You would need to use a service principal to authenticate. But since you mentioned you are using Jenkins, fortunately there is a rich set of plugins available for different Azure resources which can handle the authentication for you if you set it up in your Jenkins dashboard. For example, in this case you are using the az CLI, for which you can install https://plugins.jenkins.io/azure-cli/
Yes, you need to be authenticated. Here you have several authentication options: Sign in with Azure CLI
Authenticating with a service principal is the best way to write secure scripts or programs
Sign in with a service principal
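As an added example (not code from any answer in this thread), here is what the non-interactive path looks like in a pipeline script: the job signs in with a service principal whose credentials the CI system injects as masked environment variables, pins the subscription, and only then runs the deploy step. The variable names AZ_CLIENT_ID, AZ_CLIENT_SECRET, AZ_TENANT_ID and AZ_SUBSCRIPTION_ID and the resource group, app name and artifact path are placeholders chosen for the example; `az login --service-principal`, `az account set` and `az functionapp deployment source config-zip` are real Azure CLI commands.

```shell
#!/bin/sh
# Added example, not code from any answer in the thread: non-interactive Azure CLI
# sign-in for a CI/CD job using a service principal, followed by the deploy step.
# Assumed (hypothetical) environment variable names: AZ_CLIENT_ID, AZ_CLIENT_SECRET,
# AZ_TENANT_ID, AZ_SUBSCRIPTION_ID; the CI system injects them as masked secrets.
set -eu

# Check that a variable is set and non-empty without ever printing its value.
require_var() {
  eval "_v=\${$1:-}"
  if [ -z "$_v" ]; then
    echo "error: required variable $1 is not set" >&2
    return 1
  fi
}

# Sign in as the service principal and pin the subscription. '--output none' keeps
# the account JSON that 'az login' normally prints out of the build log.
ci_login() {
  for v in AZ_CLIENT_ID AZ_CLIENT_SECRET AZ_TENANT_ID AZ_SUBSCRIPTION_ID; do
    require_var "$v" || return 1
  done
  az login --service-principal \
    --username "$AZ_CLIENT_ID" \
    --password "$AZ_CLIENT_SECRET" \
    --tenant "$AZ_TENANT_ID" \
    --output none || return 1
  az account set --subscription "$AZ_SUBSCRIPTION_ID"
}

# Deploy a zipped build artifact to a Function App. Resource group, app name and
# artifact path are parameters; the values used below are placeholders.
deploy_function_app() {
  resource_group="$1"; app_name="$2"; zip_path="$3"
  [ -f "$zip_path" ] || { echo "error: artifact $zip_path not found" >&2; return 1; }
  az functionapp deployment source config-zip \
    --resource-group "$resource_group" --name "$app_name" --src "$zip_path" --output none
}

# Typical pipeline usage, run only when CI_DEPLOY=1 so the file can also be sourced.
if [ "${CI_DEPLOY:-0}" = "1" ]; then
  ci_login
  deploy_function_app "my-rg" "my-function-app" "./build/functionapp.zip"
fi
```

Keep `set -x` off around the login call in a real pipeline: with tracing on, the shell would print the expanded `--password` argument into the job log, which defeats the masking the CI system applies to the variable.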
I am using Terraform Cloud and I don't want to use permanent keys in it. So, is there any way to create temporary keys in Azure Cloud (like we can create in AWS)?
When you are authenticating to Azure Cloud via an Azure service principal, by default the Az CLI command will get a password for this service principal with a one-year expiration date.
az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/<subscription_id>"
From your comments, in fact you want to get this password to expire in a short time. You can use az ad app credential reset to append or overwrite an application's password or certificate credentials.
For example, reset the application password with the following Az CLI command.
az ad app credential reset --id <appId> --password <sp_password> --end-date 2020-08-13T11:59:59+00:00
For more information, you could read the Relationship between application objects and service principals.
By creating a ServicePrincipal in Azure AD you're also able to assign a LifetimePolicy (tokenLifetimePolicies). This way you're able to have an "end of life" for the token.
Here's also a short how-to on creating a new ServicePrincipal.
Alternatively you could use this new preview feature: Configurable token lifetimes in Microsoft identity platform (Preview).
As it is a preview feature, you're not supposed to use it in production environments.
I am trying to make a program that does secret rotation for Azure resources. One of the secrets I want to rotate is a service principal password. I was wondering if I have the ability to programmatically do the following:
Make a new password for an existing service principal
Delete a password for an existing service principal
I haven't been able to find anything in the docs for the C# SDK, the REST API, the CLI, or PowerShell. Any help would be appreciated. Thanks!
That's relatively simple stuff that can be achieved with Azure CLI. Make sure you have Azure CLI 2.0 installed. To manage SPs use: az ad sp (check what it does with az ad sp --help).
To manage credentials use: az ad sp credential (it has delete/list/reset commands available). Using these CLI commands you should be able to achieve the desired effect.
There's this little utility on GitHub that rotates it through an Azure function. C# code with Managed Identity
https://github.com/3mcloud/azure-keyvault-rotator
https://abschmidt.medium.com/rotating-service-principal-secrets-automatically-in-azure-key-vault-c4f04a84c9af
Try the PowerShell commands below.
Create new password: New-AzureADApplicationPasswordCredential
Delete a password: Remove-AzureADApplicationPasswordCredential
PowerShell and CLI:
az ad sp credential reset --name <objectid>
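The two commands the answers above point to (az ad sp credential reset and az ad sp credential delete) are enough to build the rotation the question asks for, and the same --end-date option answers the earlier Terraform question about short-lived keys. As an added example (not code from any answer in this thread), the script below adds a new password with a chosen expiry, stores it in Key Vault with a matching expiry, and then deletes only the credentials that have already run out. It assumes Azure CLI 2.37 or later (the Microsoft Graph based `az ad` commands, whose credential list reports endDateTime), GNU date, and two hypothetical environment variables, VAULT_NAME and SECRET_NAME, naming the Key Vault secret.

```shell
#!/bin/sh
# Added example, not code from any answer in the thread: rotate a service principal
# password with a short expiry, publish the new value to Key Vault, and remove
# credentials that have already expired. Assumes Azure CLI 2.37 or later (Graph-based
# 'az ad' commands, which report 'endDateTime'), GNU date, and hypothetical
# VAULT_NAME / SECRET_NAME environment variables naming the Key Vault secret.
set -eu

# ISO-8601 UTC timestamp N days from now, in the format both 'az ad sp credential
# reset --end-date' and 'az keyvault secret set --expires' accept.
expiry_in_days() {
  date -u -d "+$1 days" +%Y-%m-%dT%H:%M:%SZ
}

# Add a new password to the service principal (app id in $1) that expires in $2 days.
# '--append' keeps the current password valid so running workloads keep working until
# they pick up the new one from Key Vault; old passwords are pruned once they expire.
# Prints the expiry so a scheduler can plan the next rotation; the secret is never printed.
rotate_sp_password() {
  app_id="$1"; days="$2"
  end_date="$(expiry_in_days "$days")"
  new_secret="$(az ad sp credential reset --id "$app_id" --append \
                  --end-date "$end_date" --query password -o tsv)"
  az keyvault secret set --vault-name "$VAULT_NAME" --name "$SECRET_NAME" \
    --value "$new_secret" --expires "$end_date" --output none
  echo "$end_date"
}

# Delete every credential whose end date is already in the past and print its keyId.
# ISO-8601 UTC timestamps sort lexicographically, so awk's string compare is enough.
prune_expired_credentials() {
  app_id="$1"
  now="$(date -u +%Y-%m-%dT%H:%M:%SZ)"
  az ad sp credential list --id "$app_id" --query "[].[keyId,endDateTime]" -o tsv |
    awk -F '\t' -v now="$now" '$2 < now { print $1 }' |
    while read -r key_id; do
      az ad sp credential delete --id "$app_id" --key-id "$key_id"
      echo "$key_id"
    done
}

# Example invocation with a placeholder app id, only when run with ROTATE=1.
if [ "${ROTATE:-0}" = "1" ]; then
  rotate_sp_password "00000000-0000-0000-0000-000000000000" 30
  prune_expired_credentials "00000000-0000-0000-0000-000000000000"
fi
```

The append-then-prune order is the part worth copying: overwriting in one step (reset without --append) invalidates the old password immediately, so anything that has not yet re-read Key Vault fails until the next restart. Keeping two valid credentials for one rotation window and deleting only the expired ones avoids that outage while still bounding how long any single secret lives.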
I'm creating an app registration with the Azure CLI using the az ad app create ... function.
In the manifest of the app registration there is a field, signInAudience, which I want to set to AzureADandPersonalMicrosoftAccount.
Calling
az ad app update --id [[APP_ID]] --set signInAudience=AzureADandPersonalMicrosoftAccount
returns
Property 'signInAudience' not found on root. Send it as an additional property .
Updates to converged applications are not allowed in this version.
How can I change it?
You can update the app with --available-to-other-tenants:
az ad app update --id xxxx --available-to-other-tenants
This will set the signInAudience property in the manifest to either AzureADMultipleOrgs or AzureADMyOrg.
Check az ad app update -h for more help, or the Microsoft Docs.
It's possible with version 2.37.0 and above, with the new --sign-in-audience parameter:
az ad app create --display-name "My test app" --sign-in-audience AzureADandPersonalMicrosoftAccount
From the app create documentation:
--sign-in-audience
Specifies the Microsoft accounts that are supported for the current application.
accepted values: AzureADMultipleOrgs, AzureADMyOrg, AzureADandPersonalMicrosoftAccount, PersonalMicrosoftAccount
You can try updating it using the App registrations (Preview) in the Azure Portal. Find your app and navigate to the Manifest using the left-hand navigation. Locate the signInAudience property and set it to AzureADandPersonalMicrosoftAccount. Then save your changes.
I want to run a template on Microsoft Azure using an Ansible script. For that I have to set the client_id, secret and tenant_id. I am not sure where I can find them on Microsoft Azure.
Well, for that you have to create an Azure AD application and use that as an identity. Here's how you do it: https://azure.microsoft.com/en-us/documentation/articles/resource-group-create-service-principal-portal/
I see no point in typing all of the article here.
So the clientID is the ID of an application, which you can look up on the portal. The secret is what you create (it is visible only when you create it; after that you can't look it up). And the tenantID is the tenant ID of your Azure AD.
Please be sure what client_id or other things you want.
If you are asking about getting in connection with your Azure account, then it provides 2 things:
the Azure publish settings file and your subscription ID.
So you can check for the subscription_id (under settings on the Azure portal).
HTH
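Because the secret is shown only once at creation, the safest way to get these three values into Ansible is to create the service principal from the CLI and write them straight into the credentials file Ansible's Azure modules read, rather than copying them out of the portal. As an added example (not code from any answer in this thread), the script below does that with az ad sp create-for-rbac; it assumes the CLI's JSON output keys appId, password and tenant, the [default] section layout with subscription_id, client_id, secret and tenant that the Ansible Azure guide documents for ~/.azure/credentials, and the service principal name, scope and output path are parameters chosen for the example.

```shell
#!/bin/sh
# Added example, not code from any answer in the thread: create a service principal
# with the Azure CLI and write its client id, secret and tenant id into the
# [default] section layout that Ansible's Azure modules read from ~/.azure/credentials.
# Assumptions: 'az ad sp create-for-rbac' output keys appId/password/tenant (as in the
# CLI's JSON output); name, scope and output path are parameters chosen here.
set -eu

# $1 = output file, $2 = service principal display name, $3 = role assignment scope.
# The secret is only shown once at creation, so it is written directly to a file that
# only the owner can read (umask 077) and is never echoed to the terminal.
write_ansible_credentials() {
  out_file="$1"; sp_name="$2"; scope="$3"
  sub_id="$(az account show --query id -o tsv)"
  [ -n "$sub_id" ] || { echo "error: no active subscription; run az login first" >&2; return 1; }
  az ad sp create-for-rbac --name "$sp_name" --role Contributor --scopes "$scope" \
    --query "[appId,password,tenant]" -o tsv |
  {
    read -r app_id secret tenant
    [ -n "$secret" ] || { echo "error: no secret returned" >&2; exit 1; }
    umask 077
    printf '[default]\nsubscription_id=%s\nclient_id=%s\nsecret=%s\ntenant=%s\n' \
      "$sub_id" "$app_id" "$secret" "$tenant" > "$out_file"
  }
}

# Read one key back from the credentials file ($1 = file, $2 = key name), so callers
# can check the layout or fetch the client id without printing the whole file.
credential_value() {
  sed -n "s/^$2=//p" "$1"
}

# Example invocation, only when run with CREATE_SP=1: scope the role to the
# current subscription and write the file to the path Ansible looks in by default.
if [ "${CREATE_SP:-0}" = "1" ]; then
  write_ansible_credentials "$HOME/.azure/credentials" "ansible-deployer" \
    "/subscriptions/$(az account show --query id -o tsv)"
fi
```

Contributor on the whole subscription matches the CLI default shown in the earlier answer; for an automation identity, narrowing --scopes to the resource group the template deploys into is the first thing to tighten once it works.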