I have a web application that currently runs on Azure under my own Azure subscription. I'd like to transfer this to another party so that they can run the web application under their subscription. How can I do this?
Can I:
Give them some sort of package that they can publish (ideally I'd like to avoid giving them the actual source code), or
get connection details from them so that I can publish directly from Visual Studio to their subscription (said connection details would have to not give me full control over their subscription)?
Note that the web application consists of a website, an Azure SQL database, and a Blob container.
The best method would be for them to provide you the publish profile that they can download from the Azure web application dashboard.
This provides you a file you can import into your project that will publish to that Azure subscription. The information contained in the publish settings file is a unique userId and password to that web application only (you can open the file with Notepad and read its contents).
If you need to interact with the database directly, you will need the SQL username and password as well as they would need to open the SQL Azure firewall to allow your IP address to connect to it.
Interacting with the blob container could be done using the Blob APIs (or some of the various GUI tools out there) and a key with the proper read/write accesses attached to it.
Azure now has the Resource Manager API (ARM). One of the features: Resource Groups. A resource group serves as a bounding box for a set of resources (web apps, VMs, etc.). You can grant permissions on a resource group, allowing someone external to your subscription/organization to work within that resource group. With owner permission, they'd be able to create new resources within that group, and never be able to see anything beyond the resource group.
Related
How do third party mailapps like samsung email and many others get access to exchange data without being registred as a application in the azure ad?
Every guide about exchange authentification (OAuth) i found online had the requirement to register your application in the azure active directory before it can be used to read mails etc. But if that's the case, how do widespreaded mailapps like samsung deal with this problem? They are never listed as an registerted application, yet they have full access on your mails, calendar etc. In real-time too.
I try to solve this with an app that is written in c# using the .net framework. I dont know if that is already a problem in that regard.
How do third party mailapps like samsung email and many others get
access to exchange data without being registered as a application in
the azure ad?
Samsung have their own Azure Application registration that must be consented to its generally done once by the tenant admin.
There is a good reason for the consent framework to allow both control of what applications can access data but also to allow for the correct auditing of the access. If you want to know what App registration a particular mail client is using just look at the Azure Signin logs. Another recent case was around this Apple's mail app see https://practical365.com/microsoft-auto-update-apple-mail-app-profiles/
I've tried to use GCPs Secret Manager in a Winforms C# app I'm creating but I need credentials.json to access the Secret Manager in the first place. This is fine for development but not in production. Perhaps I shouldn't be using a secret manager at all.
Currently I have a local C# winforms app, the user (a customer not admin) using the app locally can select files from the Windows filesystem and upload these files to Google Cloud Storage bucket. I don't have a server at all but if I should I'm not sure what sort of logic should be inside it.
From the comments I think the server should be the middle man that the user logs into, user gets a token and then the user can upload files to gcloud storage bucket via the server using the token. That way I never really give the user a credentials.json file in the first place.
For this architecture I thought I should use a Service Account because the server would be making the gcloud storage bucket upload calls on behalf of an authenticated user but then i see from John Hanley that User Credentials are assumed to start in an insecure environment and I'd want to have the info of "what user did what" in the audit logs.
In my development build I'm storing credentials.json outside of my project directory and pointing to it using environment variables. This works but this answer suggests I encrypt it using Google KMS and decrypt in the application.
In the comments I see that this is not really secure because the Service Account credentials could be exposed.
As per this answer dlls can be decompiled to equivalent C# code, so anybody would be able to see what I've used to decrypt the key.
So now I want to know what architecture should I be using in production and how to make it secure?
I'm thinking of making a GAE instance that stores user information in a database, gives authenticated users a token and uses this token when making calls to upload to gcloud storage bucket. Is this sufficient for a production app?
So I think I'm mainly supposed to use Secret Manager with Service accounts and one of GCPs engines (GAE or GCE) by using the Application Default Credentials instead (please correct me if I'm wrong).
No, you should use a custom service account with the permissions you need when running your workload. You should not store service account credentials in Secret Manager.
I need to programmatically create an app in Azure AD and programmatically assign it permissions for Graph APIs. Somehow I am unable to find any good info on this. Please let me know if there is any good example of this.
I am able to create a basic app but not sure how to assign permissions to it.
I have a few basic queries:
Can we create an app and assign permissions at the same time? Or we need to first create app and then assign permissions?
How can I get a repository of all the possible permissions? Is there any way I can get a readable form of permissions and also its GUID representation?
Any C# example of this would be much appreciated.
PFB answer to your queries :
Can we create an app and assign permissions at the same time? Or we need to first create app and then assign permissions?
--> Yes you can create an app and assign permissions are the same time.
How can I get a repository of all the possible permissions? Is there any way I can get a readable form of permissions and also its GUID representation?
--> Here is the link for all the possible permissions :https://learn.microsoft.com/en-us/graph/permissions-reference
You can use Microsoft Graph explorer to execute queries and get the GUID representation.
Here is the link : https://developer.microsoft.com/en-us/graph/graph-explorer
You must first register an application in the Azure portal (or you must have an application first), and then grant the application permission or delegate permission to call MS graph api to create other applications, here is a detailed explanation Description.
Next, you can create other applications based on this application using C# code + MS graph api, and grant permissions to other applications (this is a separate operation, of course, you can also create an application and assign permissions at the same time).
At first you have to register your application in the Azure Active Directory.
Go to Azure Portal and navigate to the Azure AD -> App Registrations and create a new App.
In the Apps administration view, go to API-Permissions and click on "Add a permission". Now you can see all the available permissions you can grant to you application.
For some permissions (indicated by an orange warning sign) you have to grant admin consent afterwards.
After you have done those steps and you configured the redirect URLs (also in the Azure portal), you can access the data you have permissions from your application.
Note: You will also have to implement an authorization flow to make use of Microsoft Graph. You can find additional information here Microsoft Graph Authentication
Does Azure support a programmatic way of registering an application via the users Microsoft account (Using Azure Active Directory)?
Example 1
I am unable to find anything through the Microsoft docs. Everything related to this indicate a manual application registration has to be done, then manually entered. However, I want my application to support multiple tenants without having to manually input all the information into environment variables.
I would like my application to register itself after a user has signed into their Microsoft account and allow access to my application (similar to Github integration). With that registration, it can then pull down the users tenant information and generate a key for itself.
Edit: I have found some other answers on StackOverflow that mentions using GraphAPI after obtaining a bearer token from Microsoft
Is this still the best way of doing this?
I created a program and deployed it into the Windows Azure Portal but now I want to change the account that it is associated with but it won't let me. Is this possible and if it is could someone point out how to do it because I can't find a way so far. I created a web service that held data that is consumed by a client and I want to change the associated Windows Azure Account but it keeps trying to publish the service onto the account I used to begin with instead of the new one, even when I sign into my new windows azure account. Using VS to publish the service to the portal
Thanks.