I'm looking to manage certain settings of Azure via Azure Powershell from C#. I need to manage subscriptions for many many customers programmatically.
I want to ensure that anytime I open a PowerShell session to deal with particular customer's subscription, nothing of that session is left over in registry, certificate store, etc.
I have management certificates available to me as encrypted byte arrays. I can save them on the hard drive if needed.
I am also happy to call Powershell cmdlets not thru Powershell session but directly thru referencing objects in the .DLL
I would prefre to avoid the use of Management API directly in certain scenarios which is why I'd like to do so via Powershell
Is this possible? If so, how do I avoid using the certificate store? Ideally, I would prefer to just have a way to call into the cmdlet from C# without going thru Powershell session
You should start using Azure Active Directory credentials instead of X.509 certificates. Both the Azure Service Management (ASM) and Azure Resource Manager (ARM) mode of Azure PowerShell supports AAD while certificate authentication can only be used for ASM. Using AAD credentials means you NEVER need to use certificates of X.509 certificates, and be subject to the management difficulties they impose. You would need to be added as a co-admin to your clients subscriptions for ASM support (and the production portal) and provided an appropriate role for ARM support (and the preview portal). However, your customers could restrict your ARM and preview portal access with RBAC.
PowerShell has one cmdlet called clear-azureprofile ... And it clears all connections ... If you really want to be sure you better also clear the IE cookies and start a new PoSh session after both actions (so best to do it at the end of each session)... I agree with Neil btw: Stay clear from the certs... Aim for AAD
BUT ... Why don't you take a look at the management libraries(MAML? It's the basis for all you don't need to call REST and you can avoid PowerShell (that also uses MAML.) it's downloadable as nuget package
Find it here http://www.nuget.org/packages/Microsoft.WindowsAzure.Management.Libraries
And find info on it here http://azure.microsoft.com/en-us/updates/management-libraries-for-net-release-announcement/ and here http://www.bradygaster.com/post/getting-started-with-the-windows-azure-management-libraries
Hope this helps!
Only automated way is with a AAD account for the subscription. Be aware, the token expires in 12 hours. See June's fantastic blog post.
http://www.sapien.com/blog/2014/10/23/saving-passwords-for-add-azureaccount/
Related
We will be building a couple of non-interactive scripts and console applications which will be invoking the Azure DevOps REST API to do various tasks. These apps and scripts will be executed via a job scheduler. What authentication scheme would be the correct one to use for this scenario? It seems like a PAT would work, however, I really don't want the jobs to be tied to a specific user identity and Azure DevOps does not support service principles. Is the correct approach to establish a "fake" Azure Active Directory user and use that user as the owner of the PATs? Is there something else that I am missing here?
Looking at the Authentication Guide, it seems like all of the mechanisms referenced result in some form of interactivity.
Also, we have Conditional Access Policies being enforced in our Azure DevOps organization. One of those policies is the requirement for MFA. If we use a PAT, how will that work? According to this link, it sounds like access may be blocked.
Personal access tokens (PATs) are used for personal authentication. They are alternate passwords that you can use to authenticate into Azure DevOps.
Really don't want the jobs to be tied to a specific user identity and Azure DevOps does not support service principles.
Yes, as you have pointed out. It doesn’t support to create a PAT token with a service account in Azure DevOps Service.
That would be ok to use the public fake MFA account to login Azure DevOps Service. And then use that account to generate PAT token. When request API, others simply use that generated PAT token to authenticate.
With CAP enabled the doc is clear. For Web flows, CAP is honored 100%. That means in most of the situations, Rest API will not be affected.
The limitation is third-party client flow. Some actually due to configuration of third-party. There's nothing we can do in Azure DevOps. You have to follow the policy mentioned in that link. If users do not meet IP range, it will be blocked.
I have a requirement to automate renewal of all the soon to be expiring azure resources PIM role but it seems there is no PowerShell module available at this moment for the PIM.
I also tried exploring rest api option but it appears that there is no rest end point available but I found graph api endpoints which seems to be supporting this feature but as per Microsoft documentation it doesn't support access via service principal so not sure how to proceed further on this.
Did anyone try this before, any suggestion?
Does the Key Vault offer any benefit (security or otherwise) now that an app service can use Managed Identity to authenticate with other Azure resources? (E.g. azure storage and sql)
Is there any reason to use Managed Identity to access Key Vault and get a key for Storage, for example, now that an app service can directly use Managed Identity to talk to Storage?
You should always use Managed Service Identity where available, however they are not ubiquitous across all Azure. The list of supported services is maintained here. Keep in mind that the calling service needs to support authenticating with it's Managed Service Identity and the called service needs to be able to authenticate and authorise using Azure Active Directory.
When you have a service that does not directly support AD authentication (e.g. CosmosDB), then you still need to store and manage keys and KeyVault is still the right place to do this. This also applies to some 3rd party services like Salesforce, AWS, GCP, etc where "federation" may not be in place. You may also have additional sensitive config that you do not want to store in plain text.
Keep in mind that function appsettings can now directly reference KeyVault, saving the overhead of writing code and config to manage this yourself. See this link.
I would also say, that usage of managed identity should be preferred whenever possible. The major benefit I see is getting rid of credentials you have to manage. You outsource the authentication challenge to Microsoft here, and I would say it works very well.
One less credentials you need to protect, refresh, revoke etc.
I also believe that this goes well in the spirit of Infrastructure as a code, where you define you concern yourself with authorisation and leave secure authentication on the provider.
I know how to add a co-administrator via the portal, but need a way to add it via PowerShell.
I need this method as I have lost access to the login id, but have the publish setting file so can administrator my virtual machines.
Unfortunately you can't. Azure PowerShell Cmdlets are essentially wrapper over Azure Service Management API and currently the API does not expose any method to add co-admins programmatically.
Azure have rolled out Roll Based Access Control which will allow you to automate the adding of new admins to your Azure Subscription. Intro here: https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/
You would add a new user as an Owner at the Subscription scope. These operations are available using both PowerShell and REST
I know it is possible to add co-administrators to my subscription but I can't find any way to add a user space. I mean something that would allow users to see only their own storage and services created within the subscription.
I'm not worried about usage quotas but just would like to separate my users into distinct areas, so they don't interfere with each other.
Is there any way to do/achieve that?
Cheers,
Jacek
Currently in a subscription it is not possible to do so in Windows Azure. One possible solution would be to create separate subscription for each user and make them co-administrator on that subscription so that they will only see that subscription. This will obviously add more management headaches for you.
Again, not a fool-proof solution but when we were developing Azure Management Studio at Cerebrata (Disclosure - I was Founder of Cerebrata though now I'm not associated with it), we came up with something called Profiles. Basically what you do is put some resources (like storage accounts, cloud services etc.) and grant permissions on these resources in a profile and save that profile. You can then distribute this profile file to your user. When they run Azure Management Studio, they can load this profile file and will only see the things you included in that profile file. Again it is very specific to the tool only, is not as comprehensive as it does not include everything that Windows Azure offers and as and when you change storage credentials etc., you would need to regenerate that profile file.
No that is not possible.
The Co-Admins have complete control for the services in the account (non billing) as a whole and all the Services (Storage, Virtual Machine, Websites etc) are equally accessible to every administrator and co-administrator.