Subscription-scope authorization for Azure Resource Manager API user - api

Trying to put together an Azure ARM integration, where my code uses the Azure API to retrieve the full list of VMs in the entire subscription.
Went successfully through all the (many!) steps here to get an API user ready with all relevant IDs needed for authentication.
Using the same set of instructions, we were also able to grant this user the Reader role, for listing VMs in specific groups (we did this through the Azure UI). However, we have been unsuccessful in implementing the instructions here for setting up Reader role for this user to the entire subscription (through the CLI).
Running this:
azure role assignment create --objectId app-oid --roleName Reader --scope /subscriptions/subscription-id
Or this:
azure role assignment create --objectId app-oid --roleName Reader --subscription subscription-id --scope /subscriptions/subscription-id
Yields this:
Principals of type Application cannot validly be used in role assignments.
So currently we have no way of programmatically browsing the full set of VMs without adding a specific authorization for each Resource Group.
Does anybody know of a way that actually works to assign this permission at the subscription level?

Found the answer in the comment area of the link in the question body:
In the new portal, edit the subscription and add the role, just like you would do with a resource group. Still curious as to why the CLI doesn't support this.

The steps to use the Azure CLI to create and authorize a service principal are documents here: https://azure.microsoft.com/en-us/documentation/articles/resource-group-authenticate-service-principal-cli/

Instead of using --objectId app-oid try using -ServicePrincipalName <appId>
https://github.com/Azure/azure-powershell/issues/4776

Had the same error for role assignment with terraform
Principals of type Application cannot validly be used in role assignments.
But as described here, using the Object Id that is displayed on the overview page of the app registration in the Azure portal resulting the above error.
The solution is to get the Object Id from azure cli:
az ad sp show --id [Application (client) Id] -o json | grep objectId
# and then using this objectId assign your role
az role assignment create --role contributor —-assignee-object-id [object id] —-resource-group [MyResourceGroup]

Related

Get-AzRoleAssignment: Exception of type 'Microsoft.Rest.Azure.CloudException' was thrown

We have lighthouse configured and I am trying to extract azure aks RBAC permissions information for a managing subscription from a managed tenant:
Get-AzRoleAssignment -scope "/subscriptions/0000000-0000-0000-00000000000000/resourcegroups/testrg/providers/Microsoft.ContainerService/managedClusters/testakscluster
Can we extract role assignments for a managing tenant's subscription while logged in a managed tenant cloud shell?
Thanks for your help
When using the Get-AzRoleAssignment command, it will call the Azure AD Graph - getObjectsByObjectIds meanwhile to validate the objects in Azure AD.
To solve the issue, make sure your user account logged in the cloud shell has permission to call the API, if your user account type is member, it will has the permission by default. So I suppose your user account is a guest, if so, there are two ways.
1.Navigate to the Azure Active Directory in the portal -> User settings -> click Manage external collaboration settings -> select the first option like below.
2.Navigate to the Azure Active Directory in the portal -> Roles and administrators -> search for Directory readers -> click it -> Add assignments -> add your user account as a Directory readers role.
Just select any of the options above, then the command will work fine.
For anyone coming to this thread after some searching: I had the same issue with this call across multiple versions of the AZ.Resources module: 2.5.0, 4.1.0 an 5.6.0. All my rights where setup correctly, both for an SPN and a user, both got the same error.
Changing the call to use the Azure CLI and that just works 😠.
az role assignment list -g [resource group name]

How can I download a list of Bigquery users?

Is there a way to download the list of BigQuery users to audit?
There is no export option in BQ's IAM page for members.
You can use Searching Cloud IAM policies option, which allows you to use a custom query language to search Cloud Identity and Access Management (Cloud IAM) policies within a project, folder or organization. Before using, we have to enable the Cloud Asset API for your project and grant the cloudasset.assets.searchAllIamPolicies permission to the user account or service account that is making the request.
Following command will show you the users who are granted with BigQuery roles on the specified project:
gcloud beta asset search-all-iam-policies --scope=projects/<PROJECT_ID> --query="policy : bigquery" | egrep "role:|user:"
Moreover, you can save the result of a query to the file by adding > <FILENAME>.txt at the end of above command. To gain more knowledge about this command, please, refer to the official documentation.
I hope you find the above pieces of information useful.

How to configure Azure AD SSO programmatically for gallery-based application?

I need to configure Azure Active Directory SSO for Tableau Server gallery app as it is under MS documentation link programmatically. Are there useful powershell cmdlets / rest apis?
I create application from gallery using graph api from Step 1 on MS docs.
To get available templates:
GET https://graph.microsoft.com/beta/applicationTemplates
To create template app:
POST https://graph.microsoft.com/beta/applicationTemplates/{id}/instantiate
Now I need to configure SAML SSO from code and assign users. Is there an easy way to do that? I tried Set-AzureADApplication but it didn't do the job for me. The enterprise application is still not set.
Maybe it's not supported yet? I believe there can be some workaround. I would be grateful for any help.
Are there useful powershell cmdlets / rest apis?
Yes, but per my test, we need to do that into two parts.
1.Set the Sign-on URL, to do this, we need to call Microsoft Graph - Update serviceprincipal.
In the Graph Explorer, use the request below.
PATCH https://graph.microsoft.com/beta/servicePrincipals/<object-id of the service principal>
{
"loginUrl": "https://azure.signtest.link"
}
Note: In the request above, you need to use the object-id of the service principal(Enterprise application), not the AD App(App registeration). You can find it in the Azure AD in the portal -> Enterprise Application -> find your Tableau Server -> get the Object ID like below.
2.Set the Identifier and Reply URL, we could do this via Powershell Set-AzureADApplication.
Sample:
$Identifiers = #(
"http://www.tableau.com/products/server",
"https://azure.idtest.link"
)
$ReplyUrls = #(
"https://azure.rptest.link/wg/saml/SSO/index.html"
)
Set-AzureADApplication -ObjectId <object-id of the AD App> -IdentifierUris $Identifiers -ReplyUrls $ReplyUrls
For the object-id of the AD App, navigate to the Azure AD in the portal -> App registrations -> find your Tableau Server. After running the command, the settings will map to the enterprise application.
Check the result in the portal:
Update:
Not sure if it is a bug, if I create a new app without setting the Identifier and Reply URL manually in the portal, then just use the powershell above to set them, they will not map to the portal.
But if we check the service principal(enterprise application) directly via Microsoft Graph, we can see the powershell actually affected the service principal.
If we configure the settings manually in the portal first, then use the powershell to update them with other values, it works.
And it looks there is no way to set the Default Reply URL via powrshell or API, if we set the Reply URL which is different from the one set manually in the portal, it will have a prompt like below.
But if we look into it, actually the Default option is checked.
Update2:
Eventually, I find the trick, it is not a bug, we just need to set the preferredSingleSignOnMode for the service principal first via Microsoft Graph, then we won't need to configure that in the portal manually.
Sample:
PATCH https://graph.microsoft.com/beta/servicePrincipals/<object-id of the service principal>
{
"preferredSingleSignOnMode":"saml",
"loginUrl": "https://azure.signtest.link"
}

Create User via API in Azure AD

GOAL: Create users in Azure Active Directory using our Global Admin account from an API.
PROBLEM: Every single way I try, I get "unauthorized".
WHAT I'VE TRIED:
I've been focusing mostly on this: https://graph.microsoft.com/v1.0/invitations
I've tried as outlined here
the "Authorization Bearer {token}" is problematic -- I can't seem to properly retrieve tokens, using any of the built URLs recommended (ie, combining ClientID & TenantID in the URL.)
I've tried the relevant portions of this, including creating the app, setting permissions on the app, trying both Web API and Native. I'm able to get a code back, but using it always comes back with Unauthorized.
As an aside, I am using Nintex to run this web service, as it is part of my workflow. Typically, web services don't give me issues. So, this sucks.
I'm missing something, here. Any thoughts or direction?
UPDATE: Removed the word "method" - bad choice of phrasing.
If you want to use Microsoft Graph explorer to create user as the global admin, you could use POST https://graph.microsoft.com/v1.0/users, and the required permission is:
Permissions
For the details, you could read Create user.
Global admin runs as a user by default. To grant access to Active Directory, you need to elevate permissions in the portal.
I'm not convinced you have the permissions to create the user, and that's why I think you're getting the error.
Also, try and avoid using Global Admin. Create a Service Principal and provide more granular permissions.

How to create programmatically an AWS Console enabled user

I'm trying to add programmatically a "working" AWS account via API.
Actually I'm performing this operations:
Authentication
CreateUser (login)
CreateLoginProfile (password)
When I go on "AWS" console I get an error an if I look to the Accounts linked to the Organization I can't find my new account.
But if I go on https://console.aws.amazon.com/iam/home#/home the user is there.
Do I'm missing something? Is there any difference between USER and ACCOUNT?
Of course USER and ACCOUNT are different. An account contains users and other resources (S3 bucket, EC2 instance).
If you want to create new AWS account, you need to use Organizations API.
See:
create-account in the AWS CLI
CreateAccount documentation