/// <summary>
/// Ensures the group Exists
/// </summary>
/// <param name="groupName"></param>
private async Task <string> EnsureAzureADGroupExists(string groupName)
{
string groupId;
var client = RestClient
.Configure()
.WithEnvironment(AzureEnvironment.AzureGlobalCloud)
.WithLogLevel(HttpLoggingDelegatingHandler.Level.None)
.WithCredentials(_authenticationHelper.GetAzureCrendentials())
.Build();
GraphRbacManager graphRbacManager = new GraphRbacManager(client, _appSettings.TenantId);
IActiveDirectoryGroup group = await graphRbacManager.Groups.GetByNameAsync(groupName);
if (group == null)
{
GroupCreateParameters parameters = new GroupCreateParameters()
{
DisplayName = groupName, MailNickname = groupName
};
ADGroupInner groupInner = await graphRbacManager.Groups.Inner.CreateAsync(parameters);
groupId = groupInner.ObjectId;
}
else
{
groupId = group.Id;
}
return(groupId);
}
public static MyGroup Create(IActiveDirectoryGroup aad)
{
return(new MyGroup
{
MailNickname = aad.Inner.MailNickname,
Name = aad.Name
});
}
public ICustomActivityResult Execute()
{
var auth = GetAuthenticated();
IActiveDirectoryGroup adGroup = null;
Guid groupId = Guid.Empty;
if (Guid.TryParse(groupName, out groupId))
{
adGroup = auth.ActiveDirectoryGroups.List().Where(x => x.Id == groupName).FirstOrDefault();
}
else
{
adGroup = auth.ActiveDirectoryGroups.List().Where(x => x.Name.ToLower() == groupName.ToLower()).FirstOrDefault();
}
if (adGroup == null)
{
throw new Exception(string.Format("Group with name '{0}' not found", groupName));
}
if (memberTypeId == "user" && !string.IsNullOrEmpty(userEmail))
{
var users = auth.ActiveDirectoryUsers.List();
var user = auth.ActiveDirectoryUsers.List().Where(u => u.UserPrincipalName.ToLower() == userEmail.ToLower()).FirstOrDefault();
if (user != null && !string.IsNullOrEmpty(user.UserPrincipalName))
{
AddMemeber(adGroup, user);
}
else
{
throw new Exception(string.Format("User with email '{0}' not found", userEmail));
}
}
else if (memberTypeId == "role" && !string.IsNullOrEmpty(roleId))
{
var sp = auth.ServicePrincipals.List().Where(r => r.Id == roleId).FirstOrDefault();
if (sp != null)
{
AddMemeber(adGroup, sp);
}
else
{
throw new Exception(string.Format("Role with Id '{0}' not found", roleId));
}
}
else
{
throw new Exception("You need to provide either a server role or a user");
}
return(this.GenerateActivityResult(GetActivityResult));
}
private void AddMemeber(IActiveDirectoryGroup adGroup, IActiveDirectoryObject obj)
{
var adGroupMembers = adGroup.ListMembers();
var member = adGroupMembers.Where(m => m.Id == obj.Id).FirstOrDefault();
if (member == null)
{
adGroup.Update().WithMember(obj.Id).Apply();
}
else
{
throw new Exception("Member already exist in this group");
}
}
public void CanCRUDGroup()
{
using (var context = FluentMockContext.Start(GetType().FullName))
{
IGraphRbacManager manager = TestHelper.CreateGraphRbacManager();
var userName = SdkContext.RandomResourceName("user", 16);
var spName = SdkContext.RandomResourceName("sp", 16);
var group1Name = SdkContext.RandomResourceName("group", 16);
var group2Name = SdkContext.RandomResourceName("group", 16);
IActiveDirectoryUser user = null;
IServicePrincipal servicePrincipal = null;
IActiveDirectoryGroup group1 = null;
IActiveDirectoryGroup group2 = null;
try
{
user = manager.Users.Define(userName)
.WithEmailAlias(userName)
.WithPassword("StrongPass!123")
.Create();
servicePrincipal = manager.ServicePrincipals.Define(spName)
.WithNewApplication("https://" + spName)
.Create();
group1 = manager.Groups.Define(group1Name)
.WithEmailAlias(group1Name)
.Create();
SdkContext.DelayProvider.Delay(15000);
group2 = manager.Groups.Define(group2Name)
.WithEmailAlias(group2Name)
.WithMember(user.Id)
.WithMember(servicePrincipal.Id)
.WithMember(group1.Id)
.Create();
Assert.NotNull(group2);
Assert.NotNull(group2.Id);
var members = group2.ListMembers();
Assert.Equal(3, members.Count());
var enumerator = members.GetEnumerator();
Assert.True(enumerator.MoveNext());
Assert.NotNull(enumerator.Current.Id);
Assert.True(enumerator.MoveNext());
Assert.NotNull(enumerator.Current.Id);
Assert.True(enumerator.MoveNext());
Assert.NotNull(enumerator.Current.Id);
Assert.False(enumerator.MoveNext());
}
finally
{
if (servicePrincipal != null)
{
manager.ServicePrincipals.DeleteById(servicePrincipal.Id);
}
// cannot delete users or groups from service principal
// if (user != null) {
// manager.Users.DeleteById(user.Id);
// }
// if (group != null) {
// manager.Groups.DeleteById(group.Id);
// }
}
}
}
/// <summary>
/// Specifies the Active Directory group this access policy is for.
/// </summary>
/// <param name="activeDirectoryGroup">The AD group object.</param>
/// <return>The next stage of access policy definition.</return>
Microsoft.Azure.Management.KeyVault.Fluent.AccessPolicy.Definition.IWithAttach <Microsoft.Azure.Management.KeyVault.Fluent.Vault.Definition.IWithCreate> Microsoft.Azure.Management.KeyVault.Fluent.AccessPolicy.Definition.IWithIdentity <Microsoft.Azure.Management.KeyVault.Fluent.Vault.Definition.IWithCreate> .ForGroup(IActiveDirectoryGroup activeDirectoryGroup)
{
return(this.ForGroup(activeDirectoryGroup));
}
public RoleAssignmentImpl ForGroup(IActiveDirectoryGroup activeDirectoryGroup)
{
this.objectId = activeDirectoryGroup.Id;
return(this);
}
/**
* Azure Compute sample for managing virtual machines -
* - Create a AAD security group
* - Assign AAD security group Contributor role at a resource group
* - Create a virtual machine with MSI enabled
* - Add virtual machine MSI service principal to the AAD group
* - Set custom script in the virtual machine that
* - install az cli in the virtual machine
* - uses az cli MSI credentials to create a storage account
* - Get storage account created through MSI credentials.
*/
public static void RunSample(IAzure azure)
{
var groupName = Utilities.CreateRandomName("group");
var roleAssignmentName = SdkContext.RandomGuid();
var linuxVMName = Utilities.CreateRandomName("VM1");
var rgName = Utilities.CreateRandomName("rgCOMV");
var pipName = Utilities.CreateRandomName("pip1");
var userName = "******";
var password = "******";
var region = Region.USWestCentral;
var installScript = "https://raw.githubusercontent.com/Azure/azure-libraries-for-net/master/Samples/Asset/create_resources_with_msi.sh";
var installCommand = "bash create_resources_with_msi.sh {stgName} {rgName} {location}";
List <String> fileUris = new List <String>();
fileUris.Add(installScript);
try
{
//=============================================================
// Create a AAD security group
Utilities.Log("Creating a AAD security group");
IActiveDirectoryGroup activeDirectoryGroup = azure.AccessManagement
.ActiveDirectoryGroups
.Define(groupName)
.WithEmailAlias(groupName)
.Create();
//=============================================================
// Assign AAD security group Contributor role at a resource group
IResourceGroup resourceGroup = azure.ResourceGroups
.Define(rgName)
.WithRegion(region)
.Create();
SdkContext.DelayProvider.Delay(45 * 1000);
Utilities.Log("Assigning AAD security group Contributor role to the resource group");
azure.AccessManagement
.RoleAssignments
.Define(roleAssignmentName)
.ForGroup(activeDirectoryGroup)
.WithBuiltInRole(BuiltInRole.Contributor)
.WithResourceGroupScope(resourceGroup)
.Create();
Utilities.Log("Assigned AAD security group Contributor role to the resource group");
//=============================================================
// Create a Linux VM with MSI enabled for contributor access to the current resource group
Utilities.Log("Creating a Linux VM with MSI enabled");
var virtualMachine = azure.VirtualMachines
.Define(linuxVMName)
.WithRegion(region)
.WithNewResourceGroup(rgName)
.WithNewPrimaryNetwork("10.0.0.0/28")
.WithPrimaryPrivateIPAddressDynamic()
.WithNewPrimaryPublicIPAddress(pipName)
.WithPopularLinuxImage(KnownLinuxVirtualMachineImage.UbuntuServer16_04_Lts)
.WithRootUsername(userName)
.WithRootPassword(password)
.WithSize(VirtualMachineSizeTypes.Parse("Standard_D2a_v4"))
.WithOSDiskCaching(CachingTypes.ReadWrite)
.WithSystemAssignedManagedServiceIdentity()
.Create();
Utilities.Log("Created virtual machine with MSI enabled");
Utilities.PrintVirtualMachine(virtualMachine);
//=============================================================
// Add virtual machine MSI service principal to the AAD group
Utilities.Log("Adding virtual machine MSI service principal to the AAD group");
activeDirectoryGroup.Update()
.WithMember(virtualMachine.SystemAssignedManagedServiceIdentityPrincipalId)
.Apply();
Utilities.Log("Added virtual machine MSI service principal to the AAD group");
Utilities.Log("Waiting 10 minutes to MSI extension in the VM to refresh the token");
SdkContext.DelayProvider.Delay(10 * 60 * 1000);
// Prepare custom script to install az cli that uses MSI to create a storage account
//
var stgName = Utilities.CreateRandomName("st44");
installCommand = installCommand
.Replace("{stgName}", stgName)
.Replace("{rgName}", rgName)
.Replace("{location}", region.Name);
// Update the VM by installing custom script extension.
//
Utilities.Log("Installing custom script extension to configure az cli in the virtual machine");
Utilities.Log("az cli will use MSI credentials to create storage account");
virtualMachine.Update()
.DefineNewExtension("CustomScriptForLinux")
.WithPublisher("Microsoft.OSTCExtensions")
.WithType("CustomScriptForLinux")
.WithVersion("1.4")
.WithMinorVersionAutoUpgrade()
.WithPublicSetting("fileUris", fileUris)
.WithPublicSetting("commandToExecute", installCommand)
.Attach()
.Apply();
// Retrieve the storage account created by az cli using MSI credentials
//
var storageAccount = azure.StorageAccounts
.GetByResourceGroup(rgName, stgName);
Utilities.Log("Storage account created by az cli using MSI credential");
Utilities.PrintStorageAccount(storageAccount);
}
finally
{
try
{
Utilities.Log("Deleting Resource Group: " + rgName);
azure.ResourceGroups.BeginDeleteByName(rgName);
}
catch (NullReferenceException)
{
Utilities.Log("Did not create any resources in Azure. No clean up is necessary");
}
catch (Exception g)
{
Utilities.Log(g);
}
}
}
/// <summary>
/// Specifies the assignee of the role assignment to be a group.
/// </summary>
/// <param name="activeDirectoryGroup">The user group.</param>
/// <return>The next stage in role assignment definition.</return>
RoleAssignment.Definition.IWithRole RoleAssignment.Definition.IWithAssignee.ForGroup(IActiveDirectoryGroup activeDirectoryGroup)
{
return(this.ForGroup(activeDirectoryGroup) as RoleAssignment.Definition.IWithRole);
}
/// <summary>
/// Adds a group as a member in the group.
/// </summary>
/// <param name="group">The Active Directory group to add.</param>
/// <return>The next AD group definition stage.</return>
ActiveDirectoryGroup.Definition.IWithCreate ActiveDirectoryGroup.Definition.IWithMemberBeta.WithMember(IActiveDirectoryGroup group)
{
return(this.WithMember(group));
}
/// <summary>
/// Removes a group as a member in the group.
/// </summary>
/// <param name="group">The Active Directory group to remove.</param>
/// <return>The next AD group update stage.</return>
ActiveDirectoryGroup.Update.IUpdate ActiveDirectoryGroup.Update.IWithMemberBeta.WithoutMember(IActiveDirectoryGroup group)
{
return(this.WithoutMember(group));
}
///GENMHASH:498DF2FE8CE61E58CF671C4DCDF1A6D1:F6952E2299613B074C6F3E2594360B44
public AccessPolicyImpl ForGroup(IActiveDirectoryGroup group)
{
Inner.ObjectId = group.Id;
return(this);
}
/// <summary>
/// Specifies the Active Directory group this access policy is for.
/// </summary>
/// <param name="group">group the AD group object</param>
/// <returns>the next stage of access policy definition</returns>
Microsoft.Azure.Management.KeyVault.Fluent.AccessPolicy.UpdateDefinition.IWithAttach <Microsoft.Azure.Management.KeyVault.Fluent.Vault.Update.IUpdate> Microsoft.Azure.Management.KeyVault.Fluent.AccessPolicy.UpdateDefinition.IWithIdentity <Microsoft.Azure.Management.KeyVault.Fluent.Vault.Update.IUpdate> .ForGroup(IActiveDirectoryGroup group)
{
return(this.ForGroup(group) as Microsoft.Azure.Management.KeyVault.Fluent.AccessPolicy.UpdateDefinition.IWithAttach <Microsoft.Azure.Management.KeyVault.Fluent.Vault.Update.IUpdate>);
}
private static void Log(int level, IActiveDirectoryGroup item)
{
Log(level, $"{item.Name}");
Log(level + 1, $"{item.Inner.MailNickname}");
}
