So I have an identity(azure AD email id) that has access to multiple subscriptions in the azure portal. when I create a service principal using that identity, it binds it to only 1 subscription and i am not able to use that service principal to access resources in other subscriptions. Do I have to create a Service principal for each subscription?
I use this Service principal in a devops pipeline. I want to access resources across multiple subscriptions. But because this Service principal is associated to only 1 subscription, I am not able to do that.
Should I create a Service principal for each subscription? I dont want to do that. Is there some other solution to this problem?
You can achieve this by adding role assignment to that service principal to each of the subscriptions.
Go to Azure portal, and pick each of the subscription resources. Pick the Access Control (IAM) tab, and click on "Add role assignments". Here you get the option to pick the role you can assign (for example: contributor) and in "assign access to" you pick the service principal you created that needs access to this subscription. Once you save, that service principal will have contributor access to that subscription. Repeat for each of the other subscriptions.
Related
How to give access to my team mate on IBM Cloud account on the resources, Domain Registration Service and Internet Services resource?
The admin wants add privileges. But when he looks the list, can not find the Domain Registration and internet services. The users are already in the IBM Cloud account.
There are a couple of ways to accomplish that with IBM Cloud IAM (Identity and Access Management), including granting the permissions directly to the users in questions or creating an access group with the privileges first and adding the users to that group (best practice).
DNS Services has the listed roles including Administrator
Cloud Internet Services has a Manager service role
So your admin would
create an access group
add the privileges for DNS Services and CIS to it as policies
would need to make sure that privileges on the resource group to see the service instances are added
add the users to the access group.
Thereafter, you should have access.
I want to create ticket in our system when somebody sends email to support#mydomain.com. I'm using GmailAPI to read new messages from that gmail account.
Currently I'm using service account and domain wide delegation (DWD) for authentication.
The problem is that with DWD I can access all user accounts from my organization and this is what I want to avoid.
Is it possible configure service account this way, so that it has access to only one user account? Or can I generate and use private key for single user account instead of service account with DWD?
Context
I have a client app, represented through an Azure Active Directory app that needs to send a HTTP request to a HTTP trigger Azure Function on behalf of the user that is logged in to the client app. To achieve that I followed https://learn.microsoft.com/en-us/azure/app-service/configure-authentication-provider-aad. Doing so I am successfully able to execute the function on behalf of the user.
Goal
From this triggered Azure Function on behalf of the user I want now to achieve that I can interact with another Azure Service (let's say an Azure Storage Account) on behalf of the user. The user can do on this Storage Account what is allowed by the roles the user has on the Storage Account.
Problem
I don't get it working. I tried the approaches described in How to impersonate logged in user to manage other Azure service and https://blog.brooksjc.com/2020/06/21/accessing-graph-api-with-an-azure-function-through-impersonation/ And in this context I also don't get it working for Azure Data Factory respective Graph as described in the posts. For instance, when I call .auth/me I just get an empty array.
Question
Given this context how can I achieve my goal of interacting with the Storage Account on behalf of the user via the Azure Function that has been triggered on behalf of the user?
Thanks
EDIT
I am aware of the OAuth 2.0 On-Behalf-Of flow (see https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-on-behalf-of-flow) and this one works (i.e., I am able to authenticate the user, retrieve another token and use this one to interact with the Storage Account on the users behalf). What I would like to achieve is similar to the posts shared above that the user authenticates against the app and by doing so already a token is made available for the interaction with the Storage Account, so that I don't have to make the additional request to https://login.microsoftonline.com/{{tenant_id}}/oauth2/v2.0/token to get that token using e.g. client credentials. And this is not about specific code (e.g. C#) but about the general set up. Is this possible?
I am trying to access the IBM Domino Access Services 9.0.1, which is REST based service for accessing all calendar items.
Lets say for getting calendar items for a user , i have to pass credentials of that particular user.
I don't think it is feasible to store the user credentials in the client side and pass the same while accessing those service instead will create one service account in domino server and access the service using the same service account.
Any idea how to configure in the domino side or how can i achieve accessing the calendar service without passing the credentials of the user.
Looking for similar to what we have are having like Exchange impersonation.
Thanks
Anil
It depends on what kind of application you are building. If each Notes calendar owner logs in to your application directly, it is possible to store the user credentials on the client side. Of course, your application would be responsible for securely managing the credentials. On the other hand, your application might require access to each calendar without directly involving the calendar owner. This can be the case for server-side applications.
Your question doesn't specify, so I'll assume yours is the second situation. In that case, you could create a user identity for your application and then add that identity to the Access Control List (ACL) for each mail file. There are two ways to modify the ACL: 1) You can change the design of the master template and let the design propagate to individual mail files, or 2) You can ask each user to delegate access to your application's identity.
The bottom line is the Domino calendar service acts on behalf of the authenticated web user. If that's the calendar owner, the calendar service will have full access to the calendar. If the web user is some other identity, access will be limited to the rights granted in the ACL. For more information about the ACL see this tutorial.
Let's say I have SharePoint Online subscription, hence I can manage own *.onmicrosoft.com domain and users/groups connected with it.
As far as I understand, the storage behind SPO where users and groups reside is an Azure AD.
I had a thought that the only way to manage these users/groups remotely is using PowerShell module for Microsoft Online. And now I wounder whether Azure Graph API can be used for purposes of retrieving users and group members from the SPO? I have no Azure subscription, is there a way to utilize Azure Graph API without Azure subscription, having only SPO subscription?
Ok, turns out it is possible. Briefly steps are the following:
Create a service principal that will serve as 'contact point' with your external application (here is a good start point); I've used symmetric key authorization;
Add a newly created service principal to the 'Company Administrator' role;
Look at the azurecoder's article and check out his comprehensive example of using Graph API: https://github.com/azurecoder/azure-activedirectory; this code correctly deals with authentication parameters, like constructing proper service realm.
After that I was able to grab users, groups and users membership information for SPO instance without creating a Azure AD subscription.