My question is simple: is it possible to list all subscriptions a user has access to, using an API?
My goal is to create an application where the user gets a list of his subscriptions and can select a subscription to view all his deployed applications.
Is this possible?
Thanks
Currently it is not possible to do so as no public API is available. What you could possibly do is ask your users to provide you with publish profile file (if they can do that). You could then parse the profile file, get the subscription ids and management certs and use them in Service Management REST API.
Actually it is available but not documented yet. If you carefully look at open source Powershell Cmdlets and the Management Library Clients (which are both under Azure account on GitHub) you will see that it is being used. :-)
I believe it only works with OAuth/AD authentication to the Azure REST API, not certificate based authentication (but I might be wrong).
The request looks like this:
GET https://management.core.windows.net/subscriptions
On authenticating to Azure with OAuth, check out my blog post:
https://ahmetalpbalkan.com/blog/azure-rest-api-with-oauth2/
Related
I have quite a stupid question, but the environment I am working in forced me to use this solution.
We have a WebAPI providing data to an angular frontend.
For authentication we use an Azure AD B2C Tenant.
User sign into frontend and start to receive Data from the API as normal as it should be.
But: The users have to get different data regarding Groups in the Azure AD. So e.g. UserA is in GroupB and has to get other data than UserX who is in GroupY.
So within the api I need to verify that the Users are in the groups for the data they are requesting.
Normaly I would use Microsoft.Graph to communicate with Azure from the API. But as this is a special network I need to go through a proxiy using different User-Agents. This is all working fine when I call my Code from an executable.
But when I call the same Methods within the API I get a timeout and no Data from Azure. I tested the same routines with other APIs and there is no timeout.
I already checked the request Headers to verify that there is no mixed up information or anything, but everything looks like as it should be.
Has anyone had similar Problems, or has a solution regarding the User-Agent when creating the Request Token for API?
Thank you!
Cheers!
Case closed. The proxy denied the request and caused the timeout when called by the api. Don't ask my why. The same code and build is running on the deployed environement with no issues. Who would have thought that there would be the day when I say "But it wasn't working on my machine..."
Cheers!
Is it possible to pull work items from the DevOps API without needing a user to be logged in to get an access token every time?
I am trying to create a back-end service that pulls work items from the API every so often to generate a report. Can I just generate a one-time access key to use with that back-end service?
I've looked around the documentation, but it seemed like it all requires either a PAT or Azure Active Directory authorization/authentication.
Here's the docs for the API: Link
you can do something like this https://learn.microsoft.com/en-us/azure/devops/organizations/settings/manage-authorizations?toc=%2Fazure%2Fdevops%2Forganizations%2Ftoc.json&bc=%2Fazure%2Fdevops%2Forganizations%2Fbreadcrumb%2Ftoc.json&view=azure-devops
and
https://learn.microsoft.com/en-us/azure/devops/integrate/get-started/authentication/oauth?view=azure-devops
Basically authorize applications to use devops based on your credentials using oauth. similar to an app registration.
Thats the only way I can see without PAT and manual login each time.
Instead of your personal account, you could create a fake AAD user then add it to your Azure DevOps Service.
Use that account to create a Personal Access Token. Similar to Build Service account to pull source code/work items. This should be a easy way to track everything.
But the limitation here is also obvious: this needs involvement of IT department, and also causes additional costs, since every user is billed.
Allow personal access tokens that do not expire is not supported right now. There is a related user voice.
As an alternatively way you could use OAuth just as alphaz18 suggested. Details please refer-- Authorize access to REST APIs with OAuth 2.0
I create a unified group using the graph api through a queue-triggered azure function (C#). When created, I want to tag some information on custom attributes and do other exchange-related stuff like hide from GAL. How is this best done?
I have tried using yet another queue-triggered function in order to connect to exchange online with powershell, although I have a hard time getting the credentials right having only clientid, secret and certificate thumbprint in the functions configuration. To run exchange online commandlets it seems like you have to go with actual user credentials (username, password).
I have also explored the possibilities of doing this kind of settings directly from the graph API but it seems limited in this case.
I got this working by using an Azure Automation runbook triggered by a webhook.
So after creating the unified group through graph api, a http-call is made to trigger the runbook. The runbook is then utilizing Exchange powershell module to alter group settings.
Is there a way to mimic powershell's Get-AzureADUser to read AD properties on given users without having to register the C# console app I am trying to build with Azure?
I know you can run powershell in C# but I am wondering if there is a different route I can take to achieve the same thing WITHOUT registering the app?
Short Answer: No. You will need to register an application with Azure AD to be able to authenticate.
Longer Answer:
AFAIK all of the OAuth 2.0 grants for authentication supported by Azure AD will require some information about the client (i.e. registered application) that is being used to make the authentication call. This would be true whether you use ADAL Libraries or directly hit the relevant token/authorization endpoints.
You may already know but it's worth mentioning that the simplest and recommended way to do authentication/query user data with right privileges will be to register your application with Azure AD.
In fact default setup for Azure AD, is such that it promotes the use case of developers being able to register applications and consent to applications on their own behalf. Read here.. Who has permission to add applications to my Azure AD instance? and at the end it mentions that Microsoft itself uses the same configuration internally.
Full Disclosure: I know that some very knowledgeable people (Microsoft MVP's, Microsoft Azure AD team members) follow the azure-active-directory tag. So even though I think this is the right answer, your question is such that it would make sense to wait for more answers/comments to see if there is anything else possible.
Possible workaround if it suits your scenario:
In case you don't want to register your application just because you don't have permissions to a specific Azure Active Directory tenant, there may be a workaround possible.
You would still need to register your application but with a different Azure AD tenant or with Azure AD B2C, and then make your application as a multi-tenant. See this SO post for more details.
I'm building a .net backend for my Azure Mobile Service.
I would like to execute code whenever someone authenticates with one of the default providers (i.e. Microsoft, Google, Facebook etc.).
Some examples of what I would like to do during authentication:
Associate their MS/Google/FB Account ID with my own user accounts
Add claims to the ServiceUser
To sum it up: is there any way to hook into the server side execution of MobileService.LoginAsync(provider) in a .net backend?
Yes, you should look at the custom authentication feature of Mobile Services, which should be flexible enough for your use case: https://azure.microsoft.com/en-us/documentation/articles/mobile-services-dotnet-backend-get-started-custom-authentication/
You might also be interested in the new AAD B2C offering, which has a lot of features that might fit your scenario: https://azure.microsoft.com/en-us/documentation/services/active-directory-b2c/