Does Azure SDK 4 .NET support Azure gov? - azure-sdk-.net

Try to get Subscription's operations within Azure Gov, but the default api endpoint for Azure ManagementClient is the global one: https://management.azure.com/,
After I specified the endpoint of azure gov ( https://management.usgovcloudapi.net/) to the ManagementClient's constructor method
e.g var managementClient = new ManagementClient(credentials, new Uri("https://management.usgovcloudapi.net/")
it returns api version missing.. and after I put a api-version as a suffix to the uri, it returns no subscription id found..
any one know it works with azure gov as well?
please anyone or any help.

Does Azure SDK 4 .NET support Azure gov?
Yes, we could use the following SdkContext.AzureCredentialsFactory to choose the Azure environment. The following is the demo code, you could refer to.
var tenantId = "tenant Id";
var secretKey = "secret Key ";
var clientId = "Application Id";
var subscriptionId = "subscription Id";
credentials = SdkContext.AzureCredentialsFactory.FromServicePrincipal(clientId, secretKey, tenantId,AzureEnvironment.AzureUSGovernment);
var resourceManagementClient = new ResourceManagementClient(credentials)
{
SubscriptionId = subscriptionId
};

Related

C# .NET Framework 4.7.2 in VS 2019 - keep out my clientID and client secret / gitignore / Key Vault

I am a new to #C, therefore excuse my question, which will be probably very easy to you. I am trying to get my clientID, clientSecret and tenantID out of the main source control, but I am not sure at all how to do that. I have seen some methods for .NET Core with Connected Services in Visual Studio, but this is not really available for .NET Framework 4.7.2. I am not confident in setting the config file neither. I have created a resource group on Azure Portal, but I am not sure how to get this key vault working.
The code below represents a working code acquiring a token, the issue I have is to hide those hardcoded strings.
Many thanks for your answer
private static string GetToken()
{
string clientID = "xxxad43f-c825-491f-9130-8cc4da1d1111";
string clientSecret = "dRbIT5Wn4#u=55L#fLnYRNuDYrFD#111";
string tenantID = "4ae48b41-0137-4599-8661-fc641fe77111";
var app = ConfidentialClientApplicationBuilder
.Create(clientID)
.WithClientSecret(clientSecret)
.WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantID}/oauth2/v2.0/token"))
.Build();
var ApiID = "api://dddd-api";
var scopes = new[] { ApiID + "/.default" };
var result = app.AcquireTokenForClient(scopes).ExecuteAsync().Result;
if (result == null)
throw new Exception("Could not acquire token");
return result.AccessToken;
}
You can set the value as environment variables and use Environment.GetEnvironmentVariable("<variable name>") to get them.
string clientID = Environment.GetEnvironmentVariable("AZURE_CLIENT_ID");
string clientSecret = Environment.GetEnvironmentVariable("AZURE_CLIENT_SECRET");
string tenantID = Environment.GetEnvironmentVariable("AZURE_TENANT_ID");

Error protecting file using MIP SDK in service/daemon application

can someone help me with the following issue?
Scenario. I have a Windows Service running on an Azure VM. Service receives files, modifies them in some way (let's assume that it adds custom properties to Word files) and uses MIP SDK to protect them with template ID.
Issue. IFileHandler.SetProtection(string)+CommitAsync(...) fails with the following exception:
One or more errors occurred. ServiceDiscoveryHelper::GetServiceDetails - Cannot compute domain: license domains, identity, and cloud endpoint base URL are all empty, correlationId:[9add32ba-0cb7-4d31-b9d8-0000b7c694a4]
Other info
RemoveProtection()+CommitAsync(...) work fine.
I registered application in Azure Active Directory tenant.
Generated secret: <CLIENT_SECRET>.
Granted the following permissions
https://api.mipwebservice.com/InformationProtectionPolicy.Read.All
https://psor.o365syncservice.com/UnifiedPolicy.Tenant.Read
https://aadrm.com/Content.SuperUser
https://aadrm.com/Content.Writer
https://aadrm.com/Content.DelegatedWriter
https://aadrm.com/Content.DelegatedReader
IAuthDelegate implementation
uses ADAL to get access token using client_credentials authentication flow, because there is no interacting user (my app is service).
I do not whether I have to use identity parameter in client_credentials flow.
Main Code Snippet
MIP.Initialize(MipComponent.File);
var appInfo = new ApplicationInfo{
ApplicationId = ConfigurationManager.AppSettings["AppPrincipalId"],
ApplicationName = "App name",
ApplicationVersion = "1.0.0",
};
var authDelegate = new AuthDelegateImplementation(appInfo);
var fileProfileSettings = new FileProfileSettings("mip_data", false,
authDelegate, new ConsentDelegateImplementation(), appInfo, LogLevel.Trace);
var fileProfile = MIP.LoadFileProfileAsync(fileProfileSettings).Result;
var engineSettings = new FileEngineSettings("engine-id", "", "en-US"){
Identity = new Identity($"{appInfo.ApplicationId}#<TENANT-NAME>"){
DelegatedEmail = "<OWNER>#<TENANT-NAME>",
},
};
var fileEngine = fileProfile.AddEngineAsync(engineSettings).Result;
var fileHandler = fileEngine.CreateFileHandlerAsync("c:\\sample.docx", "0", true).Result;
fileHandler.SetProtection(new ProtectionDescriptor("<TEMPLATE-ID>"));
var success = fileHandler.CommitAsync("c:\\encrypted.docx").Result;
AuthDelegateImplementation
public string AcquireToken(Identity identity, string authority, string resource)
var authContext = new AuthenticationContext(authority + "/" + "<TENANT_ID>");
var clientCredential = new ClientCredential("<CLENT_ID>", "<CLIENT_SECRET>");
var res = await authContext.AcquireTokenAsync(resource, clientCredential);
return res.AccessToken;
}
ConsentDelegateImplementation
public class ConsentDelegateImplementation : IConsentDelegate {
public Consent GetUserConsent(string url) {
return Consent.Accept;
}
}
It seams that after testing MIP's local persistent state (see FileProfileSettings.Path property when UseInMemoryStorage is flase) was corrupted. After removing "mip_data" folder issue disappeared.

Is there a way to access azure key vault without using AD authentication?

I want to access the secrets in my azure key vault using my azure credentials without using Azure AD App authentication. Is there a possible way?
Thanks
You will need the serviceprincipal name to decry-pt the key. Hence the answer is unfortunately NO.
We can do it using Azure PowerShell script in C# code. For this we would require only the name of the keyvault, name of secret and Azure credentials of the user who wants to access it.
static void Main(string[] args)
{
Program program = new Program();
string scriptText = "Login-AzureRmAccount";
string result = program.RunScript(scriptText);
Console.WriteLine(result);
Console.ReadLine();
}
private string RunScript(string scriptText)
{
Runspace runspace = RunspaceFactory.CreateRunspace();
runspace.Open();
Pipeline pipeline = runspace.CreatePipeline();
pipeline.Commands.AddScript(scriptText);
pipeline.Commands.AddScript("$secret = Get-AzureKeyVaultSecret -VaultName '[Name_of_keyVault]' -Name '[Name_of_secret]'");
pipeline.Commands.AddScript("Write $secret.SecretValueText");
Collection<PSObject> results = pipeline.Invoke();
runspace.Close();
StringBuilder stringBuilder = new StringBuilder();
foreach (PSObject obj in results)
{
stringBuilder.AppendLine(obj.ToString());
}
return stringBuilder.ToString();
}
Actually, i wanted to access key vault without AD application authentication. This was the only way i could think of.

How do I create an AlertsClient from an Azure Active Directory secret? [duplicate]

My company is looking into reporting on Azure. We only want our customers to give us read only credentials for us to use. I did some research and it looks like Azure Active Directory does just that. So I'm looking to authenticate using a read only Azure Directory Application.
To get me started I was following this blog on using the Management API via Azure Active Directory.
https://msdn.microsoft.com/en-us/library/azure/dn722415.aspx
Aside from the approach show being very unfriendly, it doesn't work =(
I get this error after logging in as a global administrator:
"AADSTS90014: The request body must contain the following parameter: 'client_secret or client_assertion'."
Did some research and found this style of authentication was for native app and NOT web apps (despite what the blog post saying other wise..). So I made a tweak. My GetAuthorizationHeader now looks like this:
private static string GetAuthorizationHeader()
{
AuthenticationResult result = null;
var context = new AuthenticationContext("https://login.windows.net/" + ConfigurationManager.AppSettings["tenantId"]);
string clientId = ConfigurationManager.AppSettings["clientId"];
string clientSecret = ConfigurationManager.AppSettings["clientSecret"];
ClientCredential clientCred = new ClientCredential(clientId, clientSecret);
var thread = new Thread(() =>
{
result = context.AcquireToken(
"https://management.core.windows.net/",
clientCred);
});
thread.SetApartmentState(ApartmentState.STA);
thread.Name = "AquireTokenThread";
thread.Start();
thread.Join();
if (result == null)
{
throw new InvalidOperationException("Failed to obtain the JWT token");
}
string token = result.AccessToken;
return token;
}
I am able to get the Access Token (yay). But now when I try to use this with the Azure Management library client I get this error:
"ForbiddenError: The server failed to authenticate the request. Verify that the certificate is valid and is associated with this subscription."
I double checked my permissions in my application. It looked good. I tried giving full access to everything to see if that would have made a difference.
I double checked my tenantId, clientId, and subscriptionId, all looked good.
I made sure the subscription I'm using is pointed to the AD my application is in.
I tried making a new secret key.
My guess is this is the issue:
However in this UI I am unable to select any values for that property. I'm unsure if this is the result of a bug or an unfinished feature.
Am I missing something here?
Thanks
Here's my full code for reference:
class Program
{
static void Main(string[] args)
{
var token = GetAuthorizationHeader();
var credential = new TokenCloudCredentials(ConfigurationManager.AppSettings["subscriptionId"], token);
using (var computeClient = new ComputeManagementClient(credential))
{
var images = computeClient.VirtualMachineOSImages.List();
}
}
private static string GetAuthorizationHeader()
{
AuthenticationResult result = null;
var context = new AuthenticationContext("https://login.windows.net/" + ConfigurationManager.AppSettings["tenantId"]);
string clientId = ConfigurationManager.AppSettings["clientId"];
string clientSecret = ConfigurationManager.AppSettings["clientSecret"];
ClientCredential clientCred = new ClientCredential(clientId, clientSecret);
var thread = new Thread(() =>
{
result = context.AcquireToken(
"https://management.core.windows.net/",
clientCred);
});
thread.SetApartmentState(ApartmentState.STA);
thread.Name = "AquireTokenThread";
thread.Start();
thread.Join();
if (result == null)
{
throw new InvalidOperationException("Failed to obtain the JWT token");
}
string token = result.AccessToken;
return token;
}
}
EDIT:
Progress has been made. As I discussed with Gaurav, I needed to ditch the Azure Management Library because as of right now it does not seem to support Azure Resource Manager (ARM) API! So instead I did raw web requests. And it works as intended. If I remove role access off my AD Application I get access denied. When I have it I get back data.
One thing I'm not sure about is making it so my application is auto-adding to new resources.
Also, Is there a way to list Resource Groups that are accessible for my AD Application?
New code:
class Program
{
static void Main(string[] args)
{
var token = GetAuthorizationHeader();
string subscriptionId = ConfigurationManager.AppSettings["subscriptionId"];
string resourceGroupName = ConfigurationManager.AppSettings["resourceGroupName"];
var uriListMachines = string.Format("https://management.azure.com/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.Compute/virtualmachines?api-version=2015-05-01-preview", subscriptionId, resourceGroupName);
var t = WebRequest.Create(uriListMachines);
t.ContentType = "application/json";
t.Headers.Add("Authorization", "Bearer " + token);
var response = (HttpWebResponse)t.GetResponse();
string result = "";
using (var reader = new StreamReader(response.GetResponseStream()))
{
result = reader.ReadToEnd();
}
//Original Attempt:
//var credential = new TokenCloudCredentials(ConfigurationManager.AppSettings["subscriptionId"], token);
//using (var client = CloudContext.Clients.CreateComputeManagementClient(credential))
//{
// var images = client.VirtualMachineVMImages.List();
//}
}
private static string GetAuthorizationHeader()
{
AuthenticationResult result = null;
var context = new AuthenticationContext("https://login.windows.net/" + ConfigurationManager.AppSettings["tenantId"]);
string clientId = ConfigurationManager.AppSettings["clientId"];
string clientSecret = ConfigurationManager.AppSettings["clientSecret"];
ClientCredential clientCred = new ClientCredential(clientId, clientSecret);
var thread = new Thread(() =>
{
result = context.AcquireToken(
"https://management.core.windows.net/",
clientCred);
});
thread.SetApartmentState(ApartmentState.STA);
thread.Name = "AquireTokenThread";
thread.Start();
thread.Join();
if (result == null)
{
throw new InvalidOperationException("Failed to obtain the JWT token");
}
string token = result.AccessToken;
return token;
}
}
EDIT EDIT:
I figured out my hung up. Resources created in the OLD portal will get it's own distinct resource group.
From what I can tell you can not add a resource made in the old portal existing resource group (boooo). Resources created in the new portal will be able to assign the resource to an existing group (aka one that gives a role access to my AD Application).
This is such a mess! But at least I know what is going on now.
I believe you're on the right track as to why you're running into this problem.
Here's what's happening:
Essentially permission to execute Service Management API is a delegated permission and not an application permission. In other words, the API is executed in context of the user for which the token is acquired. Now you are getting this token for your application (specified by client id/secret). However your application doesn't have access to your Azure Subscription because the user record created for this application in your Azure AD is of type Service Principal. Since this Service Principal doesn't have access to your Azure Subscription, you're getting this Forbidden Error (I must say that the error is misleading because you're not using certificate at all).
There are a few things you could do:
Switch to Azure Resource Manager (ARM) API - ARM API is the next generation of Service Management API (SM API) and Azure is moving towards this direction only. It exclusively works off of Azure AD token. If possible, make use of that to manage your Azure resources (though you need to keep in mind that as of today not all Azure resources can be managed through ARM API). They way you do it is take your Service Principal and assign it to a particular role using new Azure Portal. Please see this link for more details on this: https://azure.microsoft.com/en-in/documentation/articles/resource-group-create-service-principal-portal/.
Use X509 Certificate - You can always use X509 Certificate based authorization to authorize your SM API requests. Please see this link for more details on that: https://msdn.microsoft.com/en-us/library/azure/ee460782.aspx#bk_cert. The downside of this approach is that the application (or whosoever has access to this certificate) will get full access to your Azure Subscription and can do everything there (including deleting resources).
Acquire token for a user instead of an application - This is another approach you can take. Essentially ask your users to login into Azure AD through your console application and acquire token for that user. Again, please keep in mind that this user must be a Co-Admin in your Azure Subscription and will have full access to your Azure Subscription as with SM API there's no concept of Role-based access control.

ADAL - ClientAssertionCertificate

We can successfully acquire a token using the following code:
var certificate = Certificate.Load("Client.pfx", "notasecret");
var authenticationContext = new AuthenticationContext(authority);
var clientAssertionCertificate = new ClientAssertionCertificate(clientId, certificate);
return await authenticationContext.AcquireTokenAsync(resource, clientAssertionCertificate);
The token doesnt seem to contain any information that we can use to identity the client. In our use case we have lots of daemon service clients that communicate to a API. We need to have some unique identified available on the server.
I also tried creating our own JWT token and added some public claims, such as name. However after requesting client assertion type using the following code fragment
var content = new FormUrlEncodedContent(new Dictionary<string, string>
{
{ "clientid", clientId },
{ "resource", resource },
{ "client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer" },
{ "grant_type", "client_credentials" },
{ "client_assertion", jwt }
});
var httpClient = new HttpClient
{
BaseAddress = new Uri("https://login.windows.net/{guid}/")
};
var response = await httpClient.PostAsync("oauth2/token", content);
The return token had none of my custom information.
Question: Is there a way to pass custom claims using ClientAssertionCertificate flow? where the token returned has additional information.
There is currently no way of adding custom claims in tokens issued for applications.
The token you receive should contain the claims appid (which identifies the client_id of the application who requested the token) and tid (which indicates which azure AD tenant the app is operating on). Those two should be enough for you to identify the calling application. Now, if rather than the application you want to identify the process (as in, instance of application X running on server A and instance of application X running on server B) then I don't believe we have anything in Azure AD today that would help you to tell the two apart - for Azure AD if they have the same client_id and secret, they are the same application.