Is it possible to mange an azure account within code? Like
var ac = new AzureAccount(name, password);
ac.CreateStorageAccount(name);
ac.CreateCoAdmin(name);
...
I already know about the Azure cmdlets, but that doesn't help.
You'll need to look at the Service Management API. There is an operation that allows you to create a storage account for example (comes with a C# example): Create Storage Account.
Adding a co-admin on the other hand won't be that simple. I believe there's support in the Service Management API to manage co-admins. If this is really important to you you can try to look at how the portal does it. You'll see that it executes 2 requests to add a co-admin to a subscription:
Call https://manage.windowsazure.com/Users/GetPrincipalId with the email address of the new admin. This will return a "LiveID" (like 00053ACD9A5B316C).
Call https://manage.windowsazure.com/Users/AddCoAdministrator with the email address, the LiveId, and information about the subscription to add the user.
This isn't documented and before even calling these services you'll need to manage authentication first.
Windows Azure accounts are created when user provide their personal information along with a financial source (i.e. Credit Card) which can pay the balance incurred by the services used by the specified user. Once you are logged into your account you can add more administration. This process is managed upto certain degree of control directly by the Windows Azure team and there is no API to automate these functionality for various reasons.
However once you have got a new Subscription to Windows Azure, you certainly can use REST API to exactly create new services (i.e Cloud Service, VM, Storage etc) which are available within your Subscription. To make it happen just create a new reference dll (or class) and add all the REST API to in and then use that reference (or class) to exactly call they way you want.
Related
We have a CSP subscription through a partner, and the whole experience is rubbish. Costing / billing APIs not available, can't use our Office 365 Azure AD, can't use SendGrid, can't see the cost of resources in the portal, loads of features missing. It's rubbish.
We're moving away and want to transfer a substantial number of SQL Azure servers (with many pools and databases) and Storage Accounts (with lots of items) to another, new PAYG subscription, which uses our O365 Azure AD.
#AzureSupport on Twitter pointed me to - https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-move-resources
But this says, "The source and destination subscriptions must exist within the same Azure Active Directory tenant."
It suggests two ways forward:
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-subscriptions-associated-directory
But... The "Change Directory" option is not present for CSP accounts (lo and behold! another missing feature)
https://learn.microsoft.com/en-us/azure/billing/billing-subscription-transfer
But.. Heading to https://account.windowsazure.com/Subscriptions as instructed gives me a 500 error, with "We are sorry, but we could not complete that operation.".
Also.. Of course, the CSP (Ingram) do not offer any of these kinds of options on their sub management portal.
#AzureSupport then recommended I post here.
Can anyone advise / help please? Would be very much appreciated, thank you.
You are currently blocked, as there is not a good workflow to migrate from CSP to Pay-as-you-go, as the below User Voice entry suggests others are looking for the same. Please up vote and comment on this.
Change subscription from CSP to pay-as-you-go
As for getting switched back to PAYG, I suggest exporting your data and importing in to new services that have been set-up under your desired account set-up. If you need the instance names, these will need to be deleted before the data can be imported into the newly created service with the existing instance names, in cases where instances names can be reused after deletion of the particular service.
There is currently no supported means to migrate a subscription away from CSP once migrated, from my investigation.
Use Azure Data Migration Service to migrate from source to target. This though, will not allow you to keep the same instance names, as both the source and target will need to exist at the same time.
I'm fairly new to Azure. I have a personal website in the cloud and played around with some stuff, but that's it. Since I have my first client project coming up in which I will use certain Azure functionality, I was wondering on how to deal with billing.
I will of course put all the resources needed for the client under a new resource group, but the thing I'm wondering about is which subscription to link that resource group to.
Option 1 :
I link it to my own subscription. Least interesting as I would have to send the client an invoice every month charging him the costs that I made through my subscription for his project.
Option 2 :
I add a new subscription under my Azure account, using the client's credit card. This is the most interesting for me as I can see all resources under my Azure account and the client gets billed automatically. But you have to convince the client to give you their credit card information so you can create the subscription.
Option 3 :
The client makes his own Azure account, with a subscription under that account using his credit card. This is less interesting for me as I have to manage 2 Azure accounts. But it's more interesting for the client as they can create their own account and don't have to give me their credit card details.
What's the typical way to go about this? Are there other options that I'm missing? Thanks!
This is a poor question over all (for Stack Overflow at least). But common sense says:
they give you access to their subscription(s)
you create resources in your subscriptions, bill them.
Is it possible to sync users from cloud Azure Active Directory to on premise AD? On premise is a bit wrong here because it is actually a virtual network in Azure with a Windows Server virtual machine AD. I started with Azure AD and therefore all users are there but I would like to sync them to this virtual machine AD in a virtual network in Azure. I tried Azure AD Connect but this works to sync form on premise to Azure AD. How can I do it the other way around?
Is it possible to sync users from cloud Azure Active Directory to on
premise AD?
For now, it is not possible.
Here the feedback about it, maybe you can vote up it, that feedback will be monitored and reviewed by the Microsoft engineering teams.
As a workaround, we can use powershell to export Azure AD users' information to local file, then use that file to create users in on premise AD.
Here a similar case about you, please refer to it.
Hope this helps.
I have written a custom algorithm to do the process and it works for me so far so well.
I would state the approach that I have followed. This process will get executed after user logs in through Single Sign On.
Step-by-step process to be followed once the user is validated with AD.
Fetch User Manager Chain for the user with Indian Region Filter
through Graph API
https://graph.microsoft.com/v1.0/users/${usermail}?$expand=manager($levels=max;
Convert User Chain Nested Objects to Array of Users
Loop user array in reverse
For every traversal, check if the user present (match with Object ID)
If User Present in Database,
a. Compare user data with OIDC :id:
b. On Variance, call update() to keep data in sync with AD information
User not Present in DB,
a. Call insert() to insert the user data to the database
Note:
I am calling this process every time a user logs in and it is able to insert any new users or update the data in the database if it doesn't match with AAD. This would be an efficient approach if the management chain is around 10. I couldn't find a way to do this thing anywhere else so came up with this process.
I have a security question related to Azure that I could really do with some guidance on the art of what is possible.
I would like to know if it is possible to restrict what services can be called (i.e what storage account endpoints can be used to write data to) from PaaS services such as service fabric or web apps (ASE). i.e. if I have a web app that writes to storage and someone maliciously altered the code to write to a third party storage account on Azure; is this something I could mitigate in advance by saying this application (i.e. this web app or this SF cluster) can only talk to a particular set of storage accounts or a particular database. So that even if the code was changed to talk to another storage account, it wouldnt be able to. I.e can I explicitly define as part of an environment what storage items an application can talk to; Is this something that is possible?
Azure Storage Accounts have Access Keys and Shared Access Keys that are used to authenticate REST calls to read / write data to them. Your app will be able to perform read / write operations against the Azure Storage Account that it has an access key and connection string for that it uses to connect to it with.
It's not possible to set any kind of firewall rule on an Azure App Service app to prevent it from communicating with certain internet or Azure endpoints. You can set NSG firewall rules with App Service Environment, but you still can only either open or close access; not restrict on certain DNS names or IP Addresses.
Perhaps you should look for a mitigation to this threat in the way applications are deployed, connection strings are managed and code is deployed:
Use Azure Role Based Access control to limit access to the resource in Azure, so unauthorized persons cannot modify deployments
Use a secure way of managing your source code. Remember it is not on the PaaS service, because that only holds the binaries.
Use SAS tokens for application access to storage accounts, not the full access keys. For example, a SAS key could be given write access, not read or list access to a storage account.
If, as a developer, you don't trust the person managing the application deployment, you could even consider signing your application parameters/connection strings. That only protects against tampering though, not against extraction of the connection string.
So I have a mobile app that uses AWS's IAM infrastructure that effectively allows me to provide temporary access tokens to anonymous mobile devices, so that they can run queries against AWS services directly from the mobile device.
Does anyone know if Windows Azure has a drop in replacement for this sort of thing too? I've read about Windows Azure Access Control but all examples seem to focus on allowing authentication via the likes of Facebook, Twitter or Windows Live etc. In my case, I don't want the mobile user to have to "log-in" anywhere, I just want them to be able to access Azure services such as table storage, without having to go via my server.
Thanks!
You do have the ability to create Signed Access Signatures for all three Windows Azure Storage services (BLOBs, Queues and Tables) as well as for Windows Azure Service Bus Brokered Messages (Queues, Topics & Subscriptions). These SAS urls are temporary and you can create them ad-hoc with expiration times. After that time expires the device would have to request a new one, likely from your server. This reduce the load as they aren't coming back all the time, but you do still have to run something that will gen these SAS uris for the devices. You can generate SAS manually against the REST API direct, or you can use one of the SDKs to generate them for you (which also hit the REST API).
Note that when you create a SAS you have the option of doing so as a Policy, or adhoc. A policy allows you to revoke a SAS at a later time, but you can only have so many of these defined at a time (likely too big of a restriction for a mobile scenario if you are doing by device). The adhoc approach allows you pretty much as many as you need (I think), but you don't have the ability to revoke it, it just has to expire.
Another option is to look at Windows Azure Mobile Services. This service runs on servers managed by Microsoft and you can use it to get at just about anything you want. You'd want to look at the "Custom API" feature. Also, make sure you understand the pricing model of mobile services (or really, that stands for any option you decide to go with).
It's called managed identities in Azure