Run Azure devops pipeline as a azure AD user user - azure-devops

I would like to run frontend end to end test from an azure devops pipeline, the website requires login using azure ad.
Unfortunately it is not easy to automate the login (sometimes involves sending code via email).
I tried using oauth and jwt tokens, but for some reason my app authentication does not recognize it when deployed to azure website.
What is the best way to have access to login protected website from azure pipeline?
Thanks

I think using an orgnization wide AD account is not secure, especially you're in a public cloud, that's why Azure provides a life-time limited project scope account. If you really want to use AD account, save its credentials in Azure Key Vault, then during the pipeline time, retrieve the credentials by the default project scope token, then you can do anything you want with the credentials.

I don't have a lot of experience regarding this, but I've done something similair using a Service Principal or Managed Identity.

I tried using oauth and jwt tokens, but for some reason my app authentication does not recognize
After a while I actually figured out that there was an identity provider configured, and there was kind of double authentication configured. After removing the jwt token started working perfectly.
In any case thanks a lot for your answers!

Related

Create a release pipeline in Azure DevOps which uploads a file to LCS, with a non admin user that doesn't have MFA

I'm trying to create a release pipeline in DevOps, that releases packages to LCS. The normal Dynamics 365 FO way of working. The issue is, I don't have an admin account without MFA that can be used to do this. Which roles or general setup, should I set on the AAD user, to be able to create the release? Currently I'm getting the AADSTS7000218 error.
I created a user that doesn't have MFA and I expect to add certain roles to be able to use this user for creating releases in DevOps.
In Azure DevOps, to create release pipeline you need "Edit release pipeline" permission set to Allow. And you need to be at least a Basic user.
And as per the document, AADSTS7000218 means The request body must contain the following parameter: 'client_assertion' or 'client_secret'. When authenticating to Azure AD to get an access token, the client application is not providing its “password” (in the form of either a client secret or a client assertion) as expected by Azure AD’s token endpoint.
You could try navigating to Azure Active Directory->App Registration and find Authentication in your application. And set "Allow public client flows" to "Yes" in Azure portal.
Here's another ticket has the similar issue, hope it can help.

Azure DevOps Server register an application

I have an Azure DevOps server on-premises and I have written a small application that simply queries its API to get information from the Azure server. There is no authentication at the user level, since the application only displays information and does not POST/PUT/DELETE.
To query the API, I have used my PAT (personal access token), but this is not ideal. I have read that on the cloud version of Azure, you can just register the application to do it, but I have not found the same functionality for the on-premises version.
Am I missing something? Is the only alternative creating a technical user on the LDAP and get a PAT for it?
Is the only alternative creating a technical user on the LDAP and get
a PAT for it?
Yes, you are right.
Authorize access to REST APIs with OAuth 2.0
So 'App auth' is only supported in Azure DevOps Services (VSTS), not supported in Azure DevOps server (TFS).

How do you use MSAL to connect to Azure DevOps from vanilla JS in browser, with no-backend or AD tenant

If I use a Personal Access Token, I can access all Azure DevOps REST APIS by including the PAT in the header. This works great from NodeJS, PowerShell and curl, but I want to do the same thing from JS running in a web-browser, without any server-side code. Just purely from the JS in the browser.
Now, I could prompt the user to enter their PAT and store it in local storage, but I'd rather not do that. Instead, I'd like to prompt the user to log in and get a token that way. Microsoft has the MSAL library to do that, and they have sample code on how to do this from JavaScript in the browser. Unfortunately, for some reason, they require that you also create an Azure AD Tenant along with a client ID. I don't want to use Azure cloud for anything. I just want my users to access an existing company Azure DevOps server. As I said I can already access these resources using a PAT that the user has to create from the portal themselves. I want to avoid that step and have them log in to get a token. Seems simple enough. Am I missing something?
Why is a tenant even needed for this?
From the doc: https://github.com/AzureAD/microsoft-authentication-library-for-java/wiki
Before using MSAL4J you will have to register your applications with
Azure AD.
In conclusion, to use MSAL to connect to Azure DevOps from vanilla JS in browser, you need to register your App with Azure AD first to acquire the client ID for authorization.

Granting service accounts access to AzureDevOps

I'm wondering what is the correct way to grant service accounts access to AzureDevOps. Ex: access to source code, API's, etc.
Since "Basic Authentication" was deactivated, I've been using personal access tokens but it seems awkward to login using a service account, generating the PAT, and so on. Also, since they are limited in time, we have to ensure renewal schedules/reminders for each connexions.
I am on the wrong track? Is there a more "natural" way to do it? Is SSH more adapted for this?
I've found this guide which helps but I can't find how (for example) granting a third-party application access to a project's repository.
https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/authentication-guidance?view=azure-devops
PS: Service Connections and Service Hooks are not what I'm looking for.
What you are looking for probably is OAuth 2.0 Client Credentials Flow for Azure DevOps. Unfortunately Client Credentials Flow is not yet supported on Azure DevOps. See this thread Client Credentials Flow for Azure DevOps.
But, You can check out OAuth 2.0 auth code flow,which is now supported on Azure Devops. Please check out this detailed tutorial Authorize access to REST APIs with OAuth 2.0. This is an example to implement OAuth 2.0 auth code flow.
There are also Codes samples provided in above web link you mentioned in the question. You can checkout these samples to learn their authentication mechanism, and choose one that suits you most.

How to use Windows credentials to auto login Azure Active Directory managed applications instead of Single Sign-On

After implementing the integration of Azure Active Directory and some other could applications like Salesforce, and syncing On-Premise Active Directory data by using Azure AD Connect, now I could auto login Salesforce and other cloud apps with Single Sign-On by using the credentials I used for desktop logon, but I still need to key in the credentials once when accessing Azure Applications page (Azure Portal).
Is there any configuration in Azure I can change to support auto-login by using the Windows credentials, so that once I log into my encrypted machine, I could auto login the Azure Applications page (the Azure portal) without key in password again? If Azure does not support no sign-on, what's the best way to do some development to support no sign-on?
Any post or suggestion will be appreciated!
You can always try to authorize users using Graph API. Maybe this will be helpfully: https://github.com/devkimchi/Graph-API-App-Only-Web-API-Sample
I had a similar issue when using ADFS for federated identity and the following article helped, not sure if it applies to Azure AD Connect but it might give you some useful info.
https://support.microsoft.com/en-us/kb/2535227
Thanks thedev and dawidr for your reply.
Finally I found a solution which might achieve the No Sign-On. AAD supports federation authentication, so just try to integrate the ADFS and AAD by using Azure AD Connect to implement the federation identify with On-Premise AD, then no more password key-in when accessing the Azure Applications. I don't have a proxy server with public IP so it's just a solution in my mind without verification.