Using Azure AD Privileged Identity Management with Active Directory roles (such as domain admin)

I just put my Azure AD Group Writeback Script on Github, and figured it was time to do something I know many have requested from Microsoft to deliver, but that is still missing; Using Azure AD Privileged Identity Management to control access to Active Directory built-in groups such as Domain Admin, Schema Admin and Enterprise Admin.

Continue reading “Using Azure AD Privileged Identity Management with Active Directory roles (such as domain admin)”

Azure AD – Consenting to an application with script (using Graph)

Some times I need to consent to an application using a script, rather than having an administrator consenting to an application in the Azure Portal. This is perfectly possible, but the documentation does not really scream “here is how to do it” and “I am tagged with the correct meta data so you can actually find me”.

Continue reading “Azure AD – Consenting to an application with script (using Graph)”

Working with the Azure REST API using LogicApps

The Azure REST API can be used to create most (or all?) types of resources in Azure, and can be useful when Terraform or ARM is too complex for your scenario or other reasons. I have now had the need to create KeyVaults from LogicApps, as a part of storing customer break glass account information. This is how I did it.

Continue reading “Working with the Azure REST API using LogicApps”

Managing Azure AD Connected Organizations through Graph

Summer is soon finished, and my blogging will restart. This time, I am checking out the newly documented endpoint for managing connected organizations, used by Azure AD Entitlement Management for having different workflows depending on the relationship to the external organization. This could be:

  • Having an external or internal sponsor approve requests, such as an account manager being able to approve access to their customers
  • Having an external sponsor reviewing who of their users should still have access to your systems, through the access review feature
  • Having certain access packages only being visible to your connected organizations
Continue reading “Managing Azure AD Connected Organizations through Graph”

Authenticating to Azure AD as an application using certificate based client credential grant

The documentation on how to authenticate to Azure AD using a client credentials grant and certificate is decent, but it leaves a few open questions, I have experienced. Here is a quick guide on how to actually do this, properly detailed, with a simple Azure Function as an example using KeyVault.

Continue reading “Authenticating to Azure AD as an application using certificate based client credential grant”

Testing out the new API Connectors feature of Azure AD External Identities

External Identities just got a hell of a lot closer to B2C, with the API Connectors feature, allowing external API calls to happen before user creation and after signing in with an identity provider. As in my last post about the new External Identities feature, this post will be me exploring the new feature, simply blogging about my experience with it, and which awesome and not so awesome stuff I find.

Continue reading “Testing out the new API Connectors feature of Azure AD External Identities”

ARM – Getting the service principal objectid for a Logic App using managed identity

This will be my shortest blog post ever. Here is a way to get the service principal of the managed identity for a Logic App, deployed using ARM. This is everything you need to i.e. add an access policy to keyvault:

    "outputs": {
        "principalId": {
            "type": "string",
            "value": "[reference(concat(resourceId('Microsoft.Logic/workflows', parameters('name')), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2018-11-30').principalId]"
        },
        "tenantId": {
            "type": "string",
            "value": "[reference(concat(resourceId('Microsoft.Logic/workflows', parameters('name')), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2018-11-30').tenantId]"
        }
    }

The ‘name’ variable is the name of the LogicApp, logically enough 😉