Get Azure subscription details of client - powershell

I want to get details of Azure Subscription of my client. But I do not want to ask for special permission from client.
What I need is the bare minimum things from my client so that I can login from powershell or rest api and read status of runbook jobs.
If i login from admin account of the subscription than I can easily get those details. But you understand it is not possible to have admin account credential of my client.
Please suggest some workaround.

What you need to do is create a user in Azure Active Directory and grant that user specific rights using either the Azure Portal or PowerShell\Cli\SDK.
Say read all, or read properties of desired automation account. If you would want like a super minumim, you would need to create a custom role first.
https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-custom-roles/

If your client placed specific resources within a Resource Group, they may grant you permissions on just that Resource Group (including read-only permissions). This would allow you to have access to needed resources, without having access to other areas of their subscription.

Related

Create a release pipeline in Azure DevOps which uploads a file to LCS, with a non admin user that doesn't have MFA

I'm trying to create a release pipeline in DevOps, that releases packages to LCS. The normal Dynamics 365 FO way of working. The issue is, I don't have an admin account without MFA that can be used to do this. Which roles or general setup, should I set on the AAD user, to be able to create the release? Currently I'm getting the AADSTS7000218 error.
I created a user that doesn't have MFA and I expect to add certain roles to be able to use this user for creating releases in DevOps.
In Azure DevOps, to create release pipeline you need "Edit release pipeline" permission set to Allow. And you need to be at least a Basic user.
And as per the document, AADSTS7000218 means The request body must contain the following parameter: 'client_assertion' or 'client_secret'. When authenticating to Azure AD to get an access token, the client application is not providing its “password” (in the form of either a client secret or a client assertion) as expected by Azure AD’s token endpoint.
You could try navigating to Azure Active Directory->App Registration and find Authentication in your application. And set "Allow public client flows" to "Yes" in Azure portal.
Here's another ticket has the similar issue, hope it can help.

Granting Azure function console access without publish web site permission

I wish to grant users in a given AD group access to the Development Tools > Console function of the Production environment. I believe this is Kudu permission granted by assigning the Microsoft.Web/sites/publish/Action.
Is this possible without granting a member of the group the ability to publish web sites?
It is not possible to granting a member of the group the ability to publish web sites.
From the microsoft document it stated clear that you required microsoft.web/sites/publish/action resource provider operation.
Ones with Kudu access are ones owning the site - regardless if
read-only or not. To expand, they can deploy any codes (good or
malicious) to and able to read any secret settings of the site (eg.
KeyVault, SQL and Storage credentials, Private Certificates, etc.).
Hence for Azure, only those with Contributor / Owner access (to be
exact, with microsoft.web/sites/publish/action or, for slot,
microsoft.web/sites/slots/publish/action) can access to Kudu (SCM).
Refer this document for more information.

Azure Devpos Server 2019 : How to correctly manage user role

I'am recently installed Azure DevOps Server 2019 in on-premises server.
However, i'am so confused : How i can set the security and the user permission in the server, such as : Deny user to view author project in the same collection , create custom group not in the azure devops default groups ...
I ask for idea to implement that
Thank you
According to Azure DevOps permission setting, most groups and almost all permissions, Deny trumps Allow. If a user belongs to two groups, and one of them has a specific permission set to Deny, that user will not be able to perform tasks that require that permission even if they belong to a group that has that permission set to Allow.
Deny user to view author project in the same collection.
Assume you were talking about team project. In your scenario, the simplest way is not add that user to your team project. People without team project collection admin permission will not be able to see those projects which they are not added in.
If you already add users in the team project and want the user not be able to see some info such as repo/build/work items in the project .
You need to evidently deny those users for viewing some project repositories/builds/ work items.
As how to create group, you could directly click New Group in the right top corner of the page from Project Settings-- Permission
More details about how are permissions and groups defined, suggest you go through our official doc here-- About permissions and groups
Besides, you could also manage user permission with the help of command line. The tfssecurity command line tool allows us to manage permissions for Azure DevOps groups and users. We could use it in a PowerShell script to grant access to projects that already exists.

Call Microsoft Graph API - App only unauthorized error

I am trying to make request to the Graph API using a service with no UI. I downloaded the following sample code and followed the instructions: https://blog.kloud.com.au/2015/12/14/implementing-application-with-o365-graph-api-in-app-only-mode/
I successfully get an Access Token, but when using it to make a request to get organization information (required Read Directory Data access), I get 403 Unauthorized.
I have registered my app in Azure AD (where I am a co-administrator).
I have specified Microsoft Graph in the 'permissions to other applications' section, and given Read Directory Data access.
Interestingly there is a note below saying 'You are authorized to select only delegated permissions which have personal scope'. Even though I clearly did. Why? I suspect this is the source of my problem.
Likewise I have checked my demo app against these instructions: https://graph.microsoft.io/en-us/docs/authorization/app_only, but it makes no mention of what role in Azure you need to have.
in this SO post's answer, there is mention of still needing to Consent. I haven't found any documentation about this.
You are authorized to select only delegated permissions which have personal scope
This issue is caused that the app is created by none admin and when they visit the portal then will see this message.
To grant the app-only permission to the application, we need to be the administrator of the tenant. It is different with the co-administrator. To user the Client Credential flow, I suggest that you contact the admin of the tenant to create an application for you. And if you were just for testing purpose, you can create a free tenant and register the application yourself.
Update
We need the assign the Global administrator director role as figure below to make the application works for the client credential flow:

How do I get the subscriptions of an Azure account via PowerShell when I am logged into Windows using a different account?

When I execute Get-AzureAccount, I see the Azure account of the domain account I am logged into Windows with. So, when I run Get-AzureSubscriptions, I see the associated subscriptions. I want to get the subscriptions associated with a different account (one with which I cannot login into Windows) but I cannot figure out how this is done. Of course, Add-AzureAccount would seem to be the way to go but despite reading the TechNet help page on it, I don't see how another account can be added.
Thanks!
-Rohan.
Azure subscriptions are stored in "C:\Users\%username%\appdata\Roaming\Windows Azure Powershell" (or "%AppData%\Windows Azure Powershell) per user. The contents of that dir is an xml file containing the user's subscriptions. Each subscription is linked to a certificate that needs to reside in the same user's cert store in order to connect.
Anyways, using
Get-AzureSubscription -SubscriptionDataFile <path to the other user's xml file>
you should be able to read those subscriptions, if you have access to his/her profile folder (which would require local admin permissions on a normal system).