How to authorize clients in non-default directory to KeyVault - powershell

I created a KeyVault in my Azure subscription and a client application in one of my Azure AD directories. However, the client application is not registered in the default directory of the subscription.
When I run the following PowerShell cmdlet, it tries to look up the service principal in the default directory of the subscription and fails to find it.
PS > Set-AzureKeyVaultAccessPolicy -VaultName <vaultname>
-ServicePrincipalName <principal guid> -PermissionsToSecrets Get
I found an article describing how to change the default directory for a subscription in the management portal, but was wondering how to do the same using PowerShell.
The 'Select-AzureSubscription' cmdlet does not seem to support changing the default directory.
Nor does the 'Set-AzureKeyVaultAccessPolicy' support a parameter to indicate in which directory it should look.

Key Vault can only authorize applications (clients) registered in the directory associated with the Azure subscription, and the only way (currently) to change the 'home' directory associated with a subscription is through the Azure management portal.

I would imagine this is as designed behaviour, and can't imagine how / why it would change.
An Azure subscription has an Azure Active Directory attached to it, this is the directory it will use to authenticate against whenever someone tries to access resources.
While you can create trusts to other Active Directories simply creating an new AAD does not automatically enable that domain to be trusted by Azure.
Key Vault is designed to only be accessible to authenticated users, it is designed to provide secure data to those users. Since there is no authentication mechanism between the multiple directories you have created, there is no mechanism for Key Vault to determine who those directories belong to.
Key Vault needs to resolve a service principle through the Active Directory attached to the subscription it is running under (whether that is directly through that directory, or through another domain that it trusts). Anything else would create additional attack vectors and considerably weaken the product.

Related

Granting Azure function console access without publish web site permission

I wish to grant users in a given AD group access to the Development Tools > Console function of the Production environment. I believe this is Kudu permission granted by assigning the Microsoft.Web/sites/publish/Action.
Is this possible without granting a member of the group the ability to publish web sites?
It is not possible to granting a member of the group the ability to publish web sites.
From the microsoft document it stated clear that you required microsoft.web/sites/publish/action resource provider operation.
Ones with Kudu access are ones owning the site - regardless if
read-only or not. To expand, they can deploy any codes (good or
malicious) to and able to read any secret settings of the site (eg.
KeyVault, SQL and Storage credentials, Private Certificates, etc.).
Hence for Azure, only those with Contributor / Owner access (to be
exact, with microsoft.web/sites/publish/action or, for slot,
microsoft.web/sites/slots/publish/action) can access to Kudu (SCM).
Refer this document for more information.

Is it possible to configure api permission to Azure Active Directory app using powershell

I have manually registered App in Azure Active Directory. To this App, I need to configure Microsoft Graph, Azure Key vault API's and set permissions to that.
Is it possible to configure API's and set permission to AAD app using powershell.
If possible , please provide me some info on how to achieve this
It is indeed possible through Powershell.
This article explains how to create an Azure AD App in Powershell.
The rights for the app is done through a Service Principal which can be set through Powershell as well.
You can also access and manipulate the Key Vault through Powershell.

Get Azure subscription details of client

I want to get details of Azure Subscription of my client. But I do not want to ask for special permission from client.
What I need is the bare minimum things from my client so that I can login from powershell or rest api and read status of runbook jobs.
If i login from admin account of the subscription than I can easily get those details. But you understand it is not possible to have admin account credential of my client.
Please suggest some workaround.
What you need to do is create a user in Azure Active Directory and grant that user specific rights using either the Azure Portal or PowerShell\Cli\SDK.
Say read all, or read properties of desired automation account. If you would want like a super minumim, you would need to create a custom role first.
https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-custom-roles/
If your client placed specific resources within a Resource Group, they may grant you permissions on just that Resource Group (including read-only permissions). This would allow you to have access to needed resources, without having access to other areas of their subscription.

Moving a resource from an active directory to another within the same subscription

I have an Azure resource group under an Active Directory AC1 which I would like to move to another active directory AC2 within the same subscription. How can I achieve this using UI or powershell (or any other means)? To make thing easier I can forget all about the resource group itself and just for the sake of argument lets say I have a resource R1 in AC1 which I would like to move to AC2 within the same subscription.
How can I do this without recreating the resource in the destination directory?
So, given the way information is presented in Azure Portal one is led to believe that an Azure Subscription contains one or more Azure ADs which is not correct. From https://azure.microsoft.com/en-in/documentation/articles/active-directory-how-subscriptions-associated-directory/:
Every Azure subscription has a trust relationship with an Azure AD
instance. This means that it trusts that directory to authenticate
users, services, and devices. Multiple subscriptions can trust the
same directory, but a subscription trusts only one directory.
So to answer your question, you can move resources from one Azure Subscription to another provided both Subscriptions use same Azure AD as trust store. There's no automated way of moving resources from one Azure Subscription which trusts one Azure AD to a different Azure Subscription which trusts a different Azure AD.

How do I get the subscriptions of an Azure account via PowerShell when I am logged into Windows using a different account?

When I execute Get-AzureAccount, I see the Azure account of the domain account I am logged into Windows with. So, when I run Get-AzureSubscriptions, I see the associated subscriptions. I want to get the subscriptions associated with a different account (one with which I cannot login into Windows) but I cannot figure out how this is done. Of course, Add-AzureAccount would seem to be the way to go but despite reading the TechNet help page on it, I don't see how another account can be added.
Thanks!
-Rohan.
Azure subscriptions are stored in "C:\Users\%username%\appdata\Roaming\Windows Azure Powershell" (or "%AppData%\Windows Azure Powershell) per user. The contents of that dir is an xml file containing the user's subscriptions. Each subscription is linked to a certificate that needs to reside in the same user's cert store in order to connect.
Anyways, using
Get-AzureSubscription -SubscriptionDataFile <path to the other user's xml file>
you should be able to read those subscriptions, if you have access to his/her profile folder (which would require local admin permissions on a normal system).