Accessing the backend Azure AD APIs behind portal.azure.com

There are many features that are currently “UI only” with Azure AD, managed through the Azure Portal. However, some times it can be useful to being able to access these things through scripts, such as for auditing or whatever.

Behind the Azure Portal, there are several APIs that are public facing, but undocumented and not meant for being used directly. Follow this guide with caution, as there is things that can go wrong if you start posting or patching to these APIs.

Continue reading “Accessing the backend Azure AD APIs behind portal.azure.com”

Terraform – Specifying parameters to azurerm_resource_group_template_deployment

Here is a quick example on how to provide parameters to azurerm_resource_group_template_deployment, as the documentation is currently very poor.

Here is a quick main.tf:

variable "location" {
  default     = "westeurope"
  type        = string
  description = "The Azure location where all resources in this example should be created"
}

provider "azurerm" {
    features {} 
}

data "azurerm_client_config" "current" {}
data "azurerm_subscription" "current" {}

resource "azurerm_resource_group" "rg" {
    name     = "testResourceGroup1"
    location = var.location
}


resource "azurerm_resource_group_template_deployment" "example" {
    name                = "testLogicApp1"
    resource_group_name = azurerm_resource_group.rg.name
    deployment_mode     = "Complete"
    template_content    = file("logicapp.json")

    parameters_content =  jsonencode({
        azure_location                    = {value = azurerm_resource_group.rg.location}
        name                              = {value = "testLogicApp1"}
        azure_function_code               = {value = "testtesttest"}
    })
}

As you can see, the parameters_content is converted from a Terraform object to JSON using jsonencode, and all values must be provided like you would define parameters using az deployment, with “value=xx”.

And this is my ARM template for the LogicApp:

{
    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
    "contentVersion": "1.0.0.0",
    "parameters": {
        "azure_location": {
            "defaultValue": "westeurope",
            "type": "string"
        },
        "name": {
            "type": "String"
        },
        "azure_function_code": {
            "type": "String"
        }
    },
    "variables": {
    },
    "outputs": {
        "principalId": {
            "type": "string",
            "value": "[reference(concat(resourceId('Microsoft.Logic/workflows', parameters('name')), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2018-11-30').principalId]"
        },
        "tenantid": {
            "type": "string",
            "value": "[reference(concat(resourceId('Microsoft.Logic/workflows', parameters('name')), '/providers/Microsoft.ManagedIdentity/Identities/default'), '2018-11-30').tenantid]"
        },
        "resourceId": {
            "type": "string",
            "value": "[resourceId('Microsoft.Logic/workflows', parameters('name'))]"
        }
    },
    "resources": [
        {
            "type": "Microsoft.Logic/workflows",
            "apiVersion": "2017-07-01",
            "name": "[parameters('name')]",
            "location": "[parameters('azure_location')]",
            "identity": {
                "type": "SystemAssigned"
            },
            "dependsOn": [
            ],
            "resources": [],
            "properties": {
                "state": "Enabled",
                "definition": {
                    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
                    "contentVersion": "1.0.0.0",
                    "parameters": {
                        "azurefunctioncode": {
                            "defaultValue": "[parameters('azure_function_code')]",
                            "type": "String"
                        }
                    },
                    "triggers": {
                        "Recurrence": {
                            "recurrence": {
                                "frequency": "Day",
                                "interval": 1,
                                "schedule": {
                                    "hours": [
                                        "2"
                                    ],
                                    "minutes": [
                                        5
                                    ]
                                }
                            },
                            "type": "Recurrence"
                        }
                    },
                    "actions": {
                        
                    },
                    "outputs": {}
                }
            }
        }
    ]
}

A look behind the Azure AD “Permission classifications” preview

For a long time, Azure AD has been criticized for having a too liberal approach to user consents by default, with users being able to delegate things like “Mail.ReadWrite” allowing apps to send and receive emails, as well as reading any existing emails, and “User.ReadBasic.All” allowing your users to consent to third party applications reading ALL of your users basic profiles. Combine this with the “offline_access” scope, where the 3rd party apps can essentially retain access after the user has logged out of the app, this soon becomes a bit of a nightmare.

Continue reading “A look behind the Azure AD “Permission classifications” preview”

Using Azure AD Privileged Identity Management with Active Directory roles (such as domain admin)

I just put my Azure AD Group Writeback Script on Github, and figured it was time to do something I know many have requested from Microsoft to deliver, but that is still missing; Using Azure AD Privileged Identity Management to control access to Active Directory built-in groups such as Domain Admin, Schema Admin and Enterprise Admin.

Continue reading “Using Azure AD Privileged Identity Management with Active Directory roles (such as domain admin)”

Azure AD – Consenting to an application with script (using Graph)

Some times I need to consent to an application using a script, rather than having an administrator consenting to an application in the Azure Portal. This is perfectly possible, but the documentation does not really scream “here is how to do it” and “I am tagged with the correct meta data so you can actually find me”.

Continue reading “Azure AD – Consenting to an application with script (using Graph)”

Working with the Azure REST API using LogicApps

The Azure REST API can be used to create most (or all?) types of resources in Azure, and can be useful when Terraform or ARM is too complex for your scenario or other reasons. I have now had the need to create KeyVaults from LogicApps, as a part of storing customer break glass account information. This is how I did it.

Continue reading “Working with the Azure REST API using LogicApps”