I couldn't find it anywhere but was wondering if there is a rest api way that allows to programatically register an application (besides the documented ones (powershell,CLI and by portal). I have an app that needs to access to azure monitor to retrieve some metrics and didn't want the clients to have to register the app by themselves. So it would be something like this:
https://learn.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-rest-api-walkthrough
but that I could use in javascript for example.
Thanks!
The reason that the PowerShell sample in the above document works is because Azure PowerShell is registered as an Active Directory application already. At some point, your application will have to be added manually by the customer, since Active Directory APIs can't be executed by a user role.
Take a look at New Azure AD application doesn't work until updated through management portal for the steps necessary to create an application via the Azure AD graph API.
Related
When I create a service principal it also creates an App in Active Directory.
az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/123456a1-a1b2-1234-12ab-12a3b4cdef67"
If I go to the Azure Portal - Active Directory - App registrations it shows all the applications registered.
I have managed to find the service principal I use for terraform by matching the terraform client_id with the Azure "Application (client) ID". It also had a human readable display name (although not the best since I still had to look via client id!)
However, there are several others where the display name is just "project_subscription".
They look like they must have been generated automatically when setting up a pipeline registering a web app in the portal or something.
I can't tell if they are actually used or if they were just created for experimenting and are then left over.
How do I know what they are for and if they are still used or not?
Is it possible to search Azure for the id or anything?
Is it possible to add a description to these to identify what they are used for beyond just the display name?
e.g. I only identified the terraform one by matching up the id with my code
App registration can be used for many scenarios, the app registrations in your AAD tenant should be created by different users. There is no such thing as a description of them.
To see if they are used, it needs to combine the context, as in AAD, there are different usages for them. For example, there are no sign-in logs of the AD App's corresponding service principal, but you cannot make sure if it was used as a client app. For the details, you may need to check the Audit logs.
For more details about AD App(App Registration) and service principal, you could check this doc - https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals
First, I'm using Spring, Jetty, Retrofit.
When I use calendarView in local, they return the successful values successfully.
But, When others connect to my local server and call this api, it always returns me 403-AccessDenied error.
(additionally, When they call another ms api, they return the successful values.)
I think I have set all the recommended permissions in Graph api.
But this could be my illusion.
In order for someone else to call api from my local server, what should I do?
Or Am I missing anything on this matter?
These are my permissions.
"openid",
"offline_access",
"profile",
"User.ReadWrite",
"Mail.ReadWrite",
"Calendars.ReadWrite",
"User.ReadBasic.All",
"BookingsAppointment.ReadWrite.All"
This is my azure info.
And I'm using this calendar view api
https://learn.microsoft.com/en-us/graph/api/calendar-list-calendarview?view=graph-rest-1.0&tabs=http
And Using This URL in my code(in this case, I'm using batch request)
GET | "/users/"+getAddress()+"/calendarView?startDateTime="+getStartTime()+"&endDateTime="+getEndTime()
Based on your description, other users are trying to access the calendarView of the user "{Room}".
In this case, you need 2 more configurations.
User "{Room}" gives mailbox permissions "Full Access" to other users
in Office 365. See Use the EAC to assign permissions to individual
mailboxes. (you should be able to find the room under
Resources. And the process can take up to hours for the changes to propagate through the system and be in effect.)
Add one more delegated permission: Calendars.ReadWrite.Shared into
the app registed in Azure AD.
Trying to setup a bunch of logic apps with supporting Azure functions etc. concept is to utilize ML/Azure functions/Logic apps etc. to setup an automated mailing system.
Everything is deployed using ADO/Git with CD/CI pipelines, but we have a problem with the Office365 connector that needs authorisation after creation. For now, we have followed this article that creates a windows form for authentication.
This works fine, but we want to do this at scale and thus are looking for a silent approach, any ideas or links would be appreciated?
PS. Use does not require MFA
At the moment, the Office365 API authorisation works with the OAuth 2.0 Authorisation Code Grant Type, which means, you can only get the authorisation code by getting the user owning the mailbox (or having access to the shared mailbox) to sign in to get the code. This behaviour of the API is by design. Thus, there is no way to fully automate this.
If you don't need different accounts for different Logic Apps, you can create those API connections with PowerShell (still requiring the user to login in) for each environment and then use the already provisioned API in our CD pipeline.
I created a new AAD user without any special permissions (no admin, just a user). Now, when I login using the Connect-MSOLService cmdlet and retrieve all users using Get-MSOLUser I can see every user within that directory.
Why and am I able to change that?
Background: I want to use a single AAD instance for multiple SAAS applications and want to prevent that a user can browse all users.
Actually, there is a way to disable user browsing in an AAD using the Set-MsolCompanySettings from the MSOnline module:
Set-MsolCompanySettings -UsersPermissionToReadOtherUsersEnabled $false
In Azure AD, Users and groups are created in a flat structure without OU and GPO. You can't restrict the user's permission to a specific scope. The user can view all the user information in Azure AD.
To isolate the users from different scopes, you can create multiple directories for Azure AD, and configure the SaaS applications as multi-tenant application for AAD.
You can refer to the article below for more details about Azure AD Directory role.
https://learn.microsoft.com/en-us/azure/active-directory/active-directory-assign-admin-roles
If you connect to an Active Directory you usually want to read some data. As such if you're authorized to do that you can easily access information that is available and particularly "sensitive" (e.g. you can't read private keys of user objects easily). If you look at the history of Active Directory and it's typical usage within companies, it's likely that only single tenant (company) using it at a given time. As such there were even less reason to restrict the access.
If you want to have multiple tenants use the same AD you will have to figure out a scheme that works for you and setup the proper permissions yourself.
Helpful articles for this could be:
Build a multi-tenant SaaS web application using Azure AD & OpenID Connect
Question: Creating a multi-tenant AD environment
I have an existing application with a few thousand users using SqlAzureMembershipProvider for authentication.
I am interested in creating an Azure Active Directory for the application and migrating the existing membership profiles into it.
Is it technically possible to export/import the membership profiles?
The only approach I can think of is creating a PowerShell script that gets user details from the app one by one and creates a new user for each of those in the new AD.
Yes it is possible but there are no tools to do this.
For AD e.g. there is DirSync.
Probably easiest to use the Graph API - refer: Azure AD Graph API - samples Microsoft Azure Active Directory Samples and Documentation.
As you say, you will have to cycle through the users one by one. The password is going to be a problem. You may have to give each user a dummy password to start.