I am trying to evaluate and implement a way to automatically renew PATs owned by the service account our ADO is running under, like a scheduled task or something that runs on the previous day before the expiration date, and sends the PAT in an email to an AD group.
In short, some automatic way to renew PAT and notify a set of users with the new PAT OR automatically update the expiration date when it is due for expiry
I am aware of the REST API that uses Azure AD tokens (https://learn.microsoft.com/en-us/azure/devops/organizations/accounts/manage-personal-access-tokens-via-api?view=azure-devops#authenticate-with-azure-active-directory-azure-ad-tokens) but the service account does not have an account in the Azure portal and I want to avoid using an employee's token.
I am curious to know what the best practices are and how you have designed it out in your org. Thank you very much for the help!
TL;DR What access rights do I need to have to be able to use the notification API to create a subscription on behalf of a user?
I'm trying to subscribe a user to a new DevOps work item I'm creating in a PowerAutomate flow. But, when the flow tries to do that, I get an unauthorized response.
https://learn.microsoft.com/en-us/rest/api/azure/devops/notification/subscriptions/create?view=azure-devops-rest-5.1#definitions
[Screenshot: example of the step in Power Automate]
I have an application that I integrated SSO into using Azure AD as the identity provider. There is an option in Azure AD to delete a user. So, the requirement is to sign out from my website when the user is deleted in Azure AD. We store the SAML token when the user is successfully authenticated. Is there any way to check whether the user still exists or not using the SAML token?
Unfortunately, this is not possible by using SAML Token as of now.
Microsoft recently introduced Continuous Access Evaluation (CAE) for this purpose but the initial implementation of it focuses on Exchange, Teams, and SharePoint Online.
Continuous access evaluation enables services to subscribe to critical events in Azure AD so that those events can be evaluated and enforced in near real time. Some examples of these events are:
User Account is deleted or disabled
Password for a user is changed or reset
Multi-factor authentication is enabled for the user
Administrator explicitly revokes all refresh tokens for a user
High user risk detected by Azure AD Identity Protection
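The answer above is that the stored SAML token carries no signal about later account changes; the only lifetime information it holds is its own validity window. The following added example (not from the original question or answer) parses a constructed, unsigned Azure AD style assertion with the standard library, pulls out the subject, the object-identifier claim and the NotBefore/NotOnOrAfter window, and derives the latest moment the application may keep trusting the stored assertion before forcing a fresh sign-in. The tenant id, object id, user and timestamps are placeholders; a real deployment verifies the assertion's XML signature before reading any of these fields.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
# Azure AD emits the user's object id under this claim name.
OID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"

# Constructed, unsigned sample assertion; tenant and object ids are placeholders.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="_constructed" Version="2.0" IssueInstant="2024-03-10T08:00:00Z">
  <saml:Issuer>https://sts.windows.net/TENANT-ID-PLACEHOLDER/</saml:Issuer>
  <saml:Subject><saml:NameID>user@example.com</saml:NameID></saml:Subject>
  <saml:Conditions NotBefore="2024-03-10T07:55:00Z" NotOnOrAfter="2024-03-10T09:00:00Z"/>
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/identity/claims/objectidentifier">
      <saml:AttributeValue>00000000-0000-0000-0000-000000000000</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""

# Constructed "current time" used by the checks below: 08:30, inside the window.
SAMPLE_NOW = datetime(2024, 3, 10, 8, 30, tzinfo=timezone.utc)


def parse_utc(ts):
    """Parse the whole-second UTC timestamps used in the constructed sample."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_assertion(xml_text):
    """Extract subject, object id and validity window from an assertion.
    The sample is unsigned; verify the XML signature first on real input."""
    root = ET.fromstring(xml_text)
    conditions = root.find("saml:Conditions", NS)
    object_id = None
    for attr in root.iterfind("saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == OID_CLAIM:
            object_id = attr.findtext("saml:AttributeValue", namespaces=NS)
    return {
        "name_id": root.findtext("saml:Subject/saml:NameID", namespaces=NS),
        "object_id": object_id,
        "not_before": parse_utc(conditions.get("NotBefore")),
        "not_on_or_after": parse_utc(conditions.get("NotOnOrAfter")),
    }


def is_within_window(info, now):
    """True while the assertion's own Conditions still hold."""
    return info["not_before"] <= now < info["not_on_or_after"]


def recheck_deadline(info, now, max_session_minutes=15):
    """Latest time the app may keep trusting the stored assertion: its own expiry,
    capped by the application's session limit. After this point the user is sent
    back to Azure AD, which is where a deleted account is actually refused."""
    return min(info["not_on_or_after"], now + timedelta(minutes=max_session_minutes))


if __name__ == "__main__":
    info = parse_assertion(SAMPLE_ASSERTION)
    print(info["name_id"], info["object_id"])
    print("valid now:", is_within_window(info, SAMPLE_NOW))
    print("re-authenticate by:", recheck_deadline(info, SAMPLE_NOW).isoformat())
```

The session cap is the practical lever here: the shorter the cap, the sooner a deleted or disabled user is bounced at the identity provider, which is the effect the CAE events listed above deliver for the services that support them.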
I wonder how I can revoke a PAT token in Azure DevOps which I know only the actual token value of.
The GUI lets me remove my own tokens as long as I know their name, and via API it seems to be possible to remove tokens if their identifier is known only (https://learn.microsoft.com/en-us/rest/api/azure/devops/tokenadmin/revocations/revoke%20authorizations?view=azure-devops-rest-5.1).
If only the token value is known, I would neither know the user it belongs to, nor its id.
I wonder how I can revoke a PAT token in Azure DevOps which I know only the actual token value of.
Azure DevOps doesn't support revoking PAT simply by its value.
With a value alone, Azure DevOps has no way to determine which PAT the value belongs to. The name-and-value pairs can only be seen when creating PATs.
In Azure DevOps, we can revoke a PAT via the web portal or the REST API. If you want to revoke a PAT by REST API, you need to know its "authorizationId".
If you have questions about how to get the "authorizationId", click this question for detailed information.
Note that when you use the REST API to revoke a PAT, you need to use OAuth2 authentication. Click this document for detailed information and methods.
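Both the first question on this page (extending a service account's PATs before they expire) and the answer above (revocation only works by authorizationId, authenticated with an Azure AD token rather than a PAT) hinge on the same two endpoints: the PAT lifecycle API under `_apis/tokens/pats` and the token-admin revocation API under `_apis/tokenadmin/revocations`. The following is an added example, not code from either question or answer: it lists the caller's PATs, selects those expiring within a configurable window, builds the PUT body that moves `validTo` forward, and builds the revocation body that the admin endpoint expects. The organization name, the `ORG` placeholder, the 90-day extension and the sample PAT records are assumptions; the request and response field names follow the linked documentation. The network calls need a real bearer token, so the selection and body-building logic is kept in separate functions that run offline against the constructed `SAMPLE_PATS`.

```python
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Assumed values: replace ORG with your organization; API versions are the ones
# documented for the PAT lifecycle and token-admin revocation endpoints.
ORG = "your-org"
PAT_API = f"https://vssps.dev.azure.com/{ORG}/_apis/tokens/pats?api-version=7.1-preview.1"
REVOKE_API = f"https://vssps.dev.azure.com/{ORG}/_apis/tokenadmin/revocations?api-version=5.1-preview.1"


def call(method, url, bearer, body=None):
    """Send one JSON request authenticated with an Azure AD bearer token."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method)
    req.add_header("Authorization", f"Bearer {bearer}")
    req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def parse_utc(ts):
    """Parse the service's ISO-8601 timestamps, which may carry 7 fractional digits."""
    ts = ts.rstrip("Z")
    if "." in ts:
        head, frac = ts.split(".", 1)
        ts = f"{head}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(ts).replace(tzinfo=timezone.utc)


def to_utc(dt):
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def select_expiring(pats, now, within_days=1):
    """PATs whose validTo is within `within_days` of `now` (already-expired ones included)."""
    horizon = now + timedelta(days=within_days)
    return [p for p in pats if parse_utc(p["validTo"]) <= horizon]


def expiring_ids(pats, now, within_days=1):
    return [p["authorizationId"] for p in select_expiring(pats, now, within_days)]


def build_extension_request(pat, now, extend_days=90):
    """PUT body that keeps name and scope and moves validTo forward from `now`."""
    return {
        "authorizationId": pat["authorizationId"],
        "displayName": pat["displayName"],
        "scope": pat["scope"],
        "validTo": to_utc(now + timedelta(days=extend_days)),
        "allOrgs": False,
    }


def build_revocation_body(authorization_ids):
    """Body for the token-admin revocation endpoint: one entry per authorizationId."""
    return [{"authorizationId": a} for a in authorization_ids]


def list_pats(bearer):
    return call("GET", PAT_API, bearer)["patTokens"]


def extend_expiring(bearer, now=None, within_days=1, extend_days=90):
    """Scheduled-task body: extend every PAT of the signed-in identity that expires soon."""
    now = now or datetime.now(timezone.utc)
    extended = []
    for pat in select_expiring(list_pats(bearer), now, within_days):
        call("PUT", PAT_API, bearer, build_extension_request(pat, now, extend_days))
        extended.append(pat["authorizationId"])
    return extended


def revoke(bearer, authorization_ids):
    """Revoke by authorizationId; the caller must be permitted to use the token-admin API."""
    return call("POST", REVOKE_API, bearer, build_revocation_body(authorization_ids))


# Constructed sample of what the list endpoint returns; no network needed for the checks.
SAMPLE_PATS = [
    {"authorizationId": "aaa", "displayName": "build-agent", "scope": "vso.build",
     "validTo": "2024-03-10T12:00:00Z"},
    {"authorizationId": "bbb", "displayName": "release", "scope": "vso.release",
     "validTo": "2024-06-01T00:00:00Z"},
    {"authorizationId": "ccc", "displayName": "packaging", "scope": "vso.packaging",
     "validTo": "2024-03-10T23:59:59.9999999Z"},
]
FIXED_NOW = datetime(2024, 3, 10, tzinfo=timezone.utc)

if __name__ == "__main__":
    print("expiring within a day:", expiring_ids(SAMPLE_PATS, FIXED_NOW))
    print("extension request:", build_extension_request(SAMPLE_PATS[0], FIXED_NOW))
```

Run `extend_expiring(bearer)` from the scheduled task with a bearer token obtained for the identity that owns the PATs; because the lifecycle API is keyed by authorizationId, the same listing is also the only way to find the id that the revocation endpoint needs, which is the point the answer makes about a bare token value.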
Is it possible to create a public OAuth Client id that never expires in Smartsheet using their simple developer account they provide?
They provide trial accounts, but my concern is what happens with the OAuth client when the account expires? Will the client expire too?
Developer accounts are fully featured and can participate in the OAuth flow.
The account would need to remain active for the client id to continue working. Trial accounts are just that - trials, so naturally you wouldn't want to set up anything permanent with an account you don't intend to keep.
You might be confusing client ids (essentially an identifier for your app) with access tokens? The client id would remain the same for the life of your app. Access tokens would need to be refreshed periodically. See the documentation for details.
If I add authentication in Azure Mobile Service with Google as the provider, I go and create an app, get the app_id and secret and plug it in. Great, now users can authenticate with Google and get a user token. Now they are considered an "authenticated user" with respect to the table permissions.
However, I don't want to authorize everyone with a google account access to my API. Is it possible to limit this to a list of known users? Must I check every request for specific user ids?
Perhaps social login is not the best choice here and I should use something else like Azure AD?
We added a custom authentication provider to WAMS and synchronize the social account with "our" user account that is stored in the database. For protected web API methods a user account needs to be activated first. You have to check manually whether an account is activated/high privileged or not and return the result or an unauthorized status code.
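The answer above describes mapping the social identity to an application-side account that must be activated (and possibly flagged as high privilege) before a protected method serves it. The following added example (not the answerer's code or the Mobile Services SDK) shows that check as a single decorator applied per endpoint, so the "is this Google user one of ours" decision is made in one place rather than inside every handler. The `request` dict, the `"user_id"` key, the `ACCOUNTS` table and the status-code choices (401 when no identity was presented, 403 for unknown, unactivated or under-privileged accounts) are assumptions of this example.

```python
from dataclasses import dataclass
from enum import IntEnum
from functools import wraps


class Level(IntEnum):
    ACTIVATED = 1     # any account an operator has switched on
    PRIVILEGED = 2    # activated and flagged as high privilege


@dataclass(frozen=True)
class Account:
    provider_user_id: str   # identity as reported by the social provider
    activated: bool
    privileged: bool


# Constructed stand-in for the application's own user table.
ACCOUNTS = {
    "google:1001": Account("google:1001", activated=True, privileged=False),
    "google:2002": Account("google:2002", activated=False, privileged=False),
    "google:3003": Account("google:3003", activated=True, privileged=True),
}


def authorize(provider_user_id, required, accounts=ACCOUNTS):
    """Map the authenticated provider identity to an HTTP status: 401 when no
    identity was presented, 403 when the account is unknown, not activated, or
    lacks the required level, 200 otherwise. Unknown and unactivated accounts
    get the same answer so the response does not reveal which ids exist."""
    if not provider_user_id:
        return 401
    account = accounts.get(provider_user_id)
    if account is None or not account.activated:
        return 403
    if required >= Level.PRIVILEGED and not account.privileged:
        return 403
    return 200


def require(level):
    """Decorator performing the check once per endpoint instead of inline in each
    handler. `request` is a plain dict standing in for the framework's request
    object; the provider identity is assumed to sit under the "user_id" key."""
    def decorator(handler):
        @wraps(handler)
        def wrapped(request):
            status = authorize(request.get("user_id"), level)
            if status != 200:
                return {"status": status, "body": None}
            return {"status": 200, "body": handler(request)}
        return wrapped
    return decorator


@require(Level.ACTIVATED)
def get_profile(request):
    return {"profile_of": request["user_id"]}


@require(Level.PRIVILEGED)
def deactivate_account(request):
    return {"deactivated": request["target"]}


if __name__ == "__main__":
    print(get_profile({"user_id": "google:1001"}))
    print(get_profile({"user_id": "google:2002"}))
    print(deactivate_account({"user_id": "google:3003", "target": "google:2002"}))
```

Keeping the lookup keyed by the provider's stable user id (not the e-mail address, which a user can change at the provider) is what makes the activation table a reliable allow-list.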
I decided to use Azure Active Directory to solve this problem. This way, I can create users in Azure AD but not have to manage users myself in the back end. With this choice I am still able to choose the "only authenticated users" permission level without having to check on every REST endpoint that the authenticated user is one of the ones I want to grant access to.