I need to create a CLI tool that should list all applications from an Azure AD tenant, applications designated for a specific user.
The user should provide username and password to the cli, no browser interaction is possible. The user has MFA activated and can use the phone to approve MFA. After an access token is obtained the cli will use MS Graph to list the Azure AD applications.
Can someone please suggest a starting point? What auth flow is appropriate? Some examples or documentation is welcome?
You need to create the custom commands which custom commands are now generally available. Read more here.
The Azure Command-Line Interface (CLI) is a cross-platform command-line tool that can be installed locally on Windows computers. You can use the Azure CLI for Windows to connect to Azure and execute administrative commands on Azure resources. The Azure CLI for Windows can also be used from a browser through the Azure Cloud Shell or run from inside a Docker container. Here is the documentation you can follow.
Related
I work in a team that uses Azure Service Fabric and I want to connect to an Azure SQL database using my Azure AD account instead of using a SQL username/password when running locally.
Service Fabric runs locally on a cluster and runs as the NT Authority\Network Service user. I believe that it's possible to change the user that it runs under, but when I tried it seemed to remove the ability to use Visual Studio to debug the app. It also required having the password in the config which is not ideal.
I'm trying to login to Azure AD with the AzureCli and the az login command and can do this easily with my local user azuread\chester.
A comment on github suggests that I should be able to run a powershell prompt as the network service and use az login to login with my account. When I tried this it failed with a generic error:
Does anyone know if it's possible to login to AzureAD with the NT Authority\Network Service user?
I know it's possible to use an Azure App Registration as a principal, but this method still involves a password and i'm trying to avoid passwords.
It is perfectly possible but, since it's a non-interactive account, the optimal choice is to login as an application. This, however, implies high level permissions so careful attention must be paid when consenting them. Also, it's possible to login as a user using the ROPC flow, however this one is not recommended due security and technical limitations.
Regarding az cli take a look at Sign in with a service principal.
I know how to publish a serverless application using aws visual studio toolkit.
It's just you login into aws explorer with user's access key & Secret access key. and then right click on the solution and publish to AWS lambda. It's so simple.
But what about if i have my user has a different assume role that further has access to all the AWS resources and can publish.
So i know how to publish it using assume role via aws CLI by creating a profile let's say "powerdevrole" and whenever we type any command deploy then we use "--profile powerdevrole" in the end with MFA access enabled.
So my question is how to publish the same using aws toolkit if we have an assume role and MFA enabled on that??
Also i have tried to get the cached keys and then used that into aws explorer to publish my project but it's not working for me.
Please help me out.
Thanks,
Vinod Bhatt
I have mutifactor authentication setup for web console logins (using google authenticator).
But I can still open VS with the AWS toolkit, it automatically pulls my creds, and I have access to all my AWS services. It also doesn't seem to time out.
I want VS to prompt me for a google authenticator code before it can connect to AWS.
Is this possible?
I'd hate to have MFA for web console logins totally subverted by VS (which may become the tool of choice).
For IAM users, MFA only affects console login. It does not affect the IAM access keys used for that user.
Since Visual Studio uses access keys, it will not prompt you for the MFA device code.
I'm working on deployment of multiple VMs' on Azure platform. I'm having problem authenticating without web interactive Login. I'm going through authentication using service-principal. However as soon as i try to run a 'azure vm list' for instance, I get a message: The server failed to authenticate.
P.S. I could create VM using interactive login. However this way does not work for the automated deployment. I'm the owner, admin of the Trial azure subscription.
I am guessing, you are using ASM instead of ARM. Unfortunately, for Azure CLI, service principal only work for ARM. See this issue in GitHub.
Luckily, there is an alternative for this. you can use azure account download or click https://manage.windowsazure.com/publishsettings to download a publish settings profile. And then, use azure account import <the file name> to login.
Notice that similar to service principal, publish settings profile only work for ASM. Microsoft Azure encourages you to use ARM instead of ASM, hence I suggest you to switch to ARM. Service Principal is Role-Based Access Control. That provides extra security. And, ASM is retiring, which means new service will only available in ARM.
I am trying to connect to authenticate to our Azure platform dynamically to run the following commands
azure vm show
azure vm restart
azure vm start
azure vm stop
To run these commands It seems I have to authenticate manually via a browser using Azure's dynamically generated code, returned from the execution of the Azure login command.
Is there a way to authenticate dynamically without manual intervention? We would ideally like to do this via a BASH script if possible.
Note: We don't need to do this with AD accounts.
According to the official doc, and according to the experience, there are two ways to do that - using azure login (auth using dialogue, not the dynamic as you describe that), and using publish settings file which you may use for management without need to login in the browser.
azure account download
azure account import <path to your .publishsettings file>