private static IServicePrincipal CreateServicePrincipalWithRoleForApplicationAndExportToFile(
Azure.IAuthenticated authenticated,
IActiveDirectoryApplication activeDirectoryApplication,
BuiltInRole role,
string subscriptionId,
string authFilePath)
{
Utilities.Log("Creating Service Principal...");
string name = SdkContext.RandomResourceName("sp-sample", 20);
//create a self-sighed certificate
string domainName = name + ".com";
string certPassword = Utilities.CreatePassword();
Certificate certificate = Certificate.CreateSelfSigned(domainName, certPassword);
// create a Service Principal and assign it to a subscription with the role Contributor
return(authenticated.ServicePrincipals
.Define("name")
.WithExistingApplication(activeDirectoryApplication)
// password credentials definition
.DefinePasswordCredential("ServicePrincipalAzureSample")
.WithPasswordValue(Utilities.CreatePassword())
.Attach()
// certificate credentials definition
.DefineCertificateCredential("spcert")
.WithAsymmetricX509Certificate()
.WithPublicKey(File.ReadAllBytes(certificate.CerPath))
.WithDuration(TimeSpan.FromDays(7))
// export the credentials to the file
.WithAuthFileToExport(new StreamWriter(new FileStream(authFilePath, FileMode.OpenOrCreate)))
.WithPrivateKeyFile(certificate.PfxPath)
.WithPrivateKeyPassword(certPassword)
.Attach()
.WithNewRoleInSubscription(role, subscriptionId)
.Create());
}
/**
* Azure Service Principal sample for managing Service Principal -
* - Create an Active Directory application
* - Create a Service Principal for the application and assign a role
* - Export the Service Principal to an authentication file
* - Use the file to list subcription virtual machines
* - Update the application
* - Update the service principal to revoke the password credential and the role
* - Delete the Service Principal.
*/
public static void RunSample(Azure.IAuthenticated authenticated)
{
string subscriptionId = authenticated.Subscriptions.List().First <ISubscription>().SubscriptionId;
Utilities.Log("Selected subscription: " + subscriptionId);
IActiveDirectoryApplication activeDirectoryApplication = null;
string authFilePath = Path.Combine(Utilities.ProjectPath, "Asset", "mySamplAuthdFile.azureauth").ToString();
try
{
activeDirectoryApplication = CreateActiveDirectoryApplication(authenticated);
IServicePrincipal servicePrincipal = CreateServicePrincipalWithRoleForApplicationAndExportToFile(authenticated, activeDirectoryApplication, BuiltInRole.Contributor, subscriptionId, authFilePath);
// Wait until Service Principal is ready
SdkContext.DelayProvider.Delay(15);
UseAuthFile(authFilePath);
UpdateApplication(authenticated, activeDirectoryApplication);
UpdateServicePrincipal(authenticated, servicePrincipal);
}
finally
{
Utilities.Log("Deleting Active Directory application and Service Principal...");
if (activeDirectoryApplication != null)
{
// this will delete Service Principal as well
authenticated.ActiveDirectoryApplications.DeleteById(activeDirectoryApplication.Id);
}
}
}
private static IActiveDirectoryApplication CreateActiveDirectoryApplication(Azure.IAuthenticated authenticated)
{
Utilities.Log("Creating Active Directory application...");
var name = SdkContext.RandomResourceName("adapp-sample", 20);
//create a self-sighed certificate
var domainName = name + ".com";
var certPassword = "******";
Certificate certificate = Certificate.CreateSelfSigned(domainName, certPassword);
// create Active Directory application
var activeDirectoryApplication = authenticated.ActiveDirectoryApplications
.Define(name)
.WithSignOnUrl("https://github.com/Azure/azure-sdk-for-java/" + name)
// password credentials definition
.DefinePasswordCredential("password")
.WithPasswordValue("P@ssw0rd")
.WithDuration(TimeSpan.FromDays(700))
.Attach()
// certificate credentials definition
.DefineCertificateCredential("cert")
.WithAsymmetricX509Certificate()
.WithPublicKey(File.ReadAllBytes(certificate.CerPath))
.WithDuration(TimeSpan.FromDays(100))
.Attach()
.Create();
Utilities.Log(activeDirectoryApplication.Id + " - " + activeDirectoryApplication.ApplicationId);
return(activeDirectoryApplication);
}
public AzureResourceManager(
AzureCredentials azureCredentials
)
{
_authenticated = Azure
.Configure()
.Authenticate(azureCredentials);
}
private static void UpdateServicePrincipal(Azure.IAuthenticated authenticated, IServicePrincipal servicePrincipal)
{
Utilities.Log("Updating Service Principal...");
servicePrincipal.Update()
// add another password credentials
.WithoutCredential("ServicePrincipalAzureSample")
.WithoutRole(servicePrincipal.RoleAssignments.First())
.Apply();
}
public AzureUtils(string applicationId, string applicationKey, string tenantId, ILogger logger)
{
_logger = logger;
var credentials = SdkContext.AzureCredentialsFactory.FromServicePrincipal(applicationId,
applicationKey, tenantId, AzureEnvironment.AzureGlobalCloud);
_authenticatedAzure = Azure.Configure()
.WithLogLevel(HttpLoggingDelegatingHandler.Level.BodyAndHeaders)
.Authenticate(credentials);
}
private static async Task SyncUsersAsync(Azure.IAuthenticated authenticated,
MyUser[] myUsers, string password)
{
Log(0, "===========================================");
Log(0, "SyncUsersAsync");
var aadUsers = await LoadActiveDirectoryUsersAsync(authenticated);
Log(1, $"AAD Users: {aadUsers.Length}");
Log(1, $"My Users: {myUsers.Length}");
Log(0, "===========================================");
await Task.WhenAll(myUsers.Select(x => ProcessUserAsync(x, aadUsers, authenticated, password)));
}
private static async Task SyncGroupsAsync(Azure.IAuthenticated authenticated,
MyGroup[] myGroups)
{
Log(0, "===========================================");
Log(0, "SyncGroupsAsync");
var aadGroups = await LoadActiveDirectoryGroupsAsync(authenticated);
Log(1, $"AAD Groups: {aadGroups.Length}");
Log(1, $"My Groups: {myGroups.Length}");
Log(0, "===========================================");
await Task.WhenAll(myGroups.Select(x => ProcessGroupAsync(x, aadGroups, authenticated)));
}
private static void UpdateApplication(Azure.IAuthenticated authenticated, IActiveDirectoryApplication activeDirectoryApplication)
{
Utilities.Log("Updating Active Directory application...");
activeDirectoryApplication.Update()
// add another password credentials
.DefinePasswordCredential("password-1")
.WithPasswordValue("P@ssw0rd-1")
.WithDuration(TimeSpan.FromDays(700))
.Attach()
// add a reply url
.WithReplyUrl("http://localhost:8080")
.Apply();
}
private static async Task <IActiveDirectoryGroup?> ProcessGroupAsync(MyGroup item, IActiveDirectoryGroup[] list,
Azure.IAuthenticated authenticated)
{
Log(0, "===========================================");
Log(0, "Processing Group");
Log(1, item);
var cur = list.FirstOrDefault(x => x.Inner.MailNickname == item.MailNickname);
if (cur == null && !item.Delete)
{
Log(2, "Creating Group");
cur = await authenticated.ActiveDirectoryGroups
.Define(item.Name)
.WithEmailAlias(item.MailNickname)
.CreateAsync();
}
if (cur != null)
{
Log(2, cur);
if (item.Delete)
{
Log(2, "Deleting Group");
await authenticated.ActiveDirectoryGroups.DeleteByIdAsync(cur.Id);
return(null);
}
// // update
// if (!string.Equals(cur.Name, item.Name, StringComparison.OrdinalIgnoreCase))
// {
// Log(2, "Recreating Group");
// await authenticated.ActiveDirectoryGroups.DeleteByIdAsync(cur.Id);
//
//
// cur = await authenticated.ActiveDirectoryGroups
// .Define(item.Name)
// .WithEmailAlias(item.MailNickname)
// .CreateAsync();
// }
// cur.Manager.Inner.Groups.GetWithHttpMessagesAsync()
}
return(cur);
}
/**
* Azure Users, Groups and Roles sample.
* - Create a user
* - Assign role to AD user
* - Revoke role from AD user
* - Get role by scope and role name
* - Create service principal
* - Assign role to service principal
* - Create 2 Active Directory groups
* - Add the user, the service principal, and the 1st group as members of the 2nd group
*/
public static void RunSample(Azure.IAuthenticated authenticated)
{
string userEmail = Utilities.CreateRandomName("test");
string userName = userEmail.Replace("test", "Test ");
string spName = Utilities.CreateRandomName("sp");
string raName1 = SdkContext.RandomGuid();
string raName2 = SdkContext.RandomGuid();
string groupEmail1 = Utilities.CreateRandomName("group1");
string groupEmail2 = Utilities.CreateRandomName("group2");
string groupName1 = groupEmail1.Replace("group1", "Group ");
string groupName2 = groupEmail2.Replace("group2", "Group ");
String spId = "";
string subscriptionId = authenticated.Subscriptions.List().First().SubscriptionId;
Utilities.Log("Selected subscription: " + subscriptionId);
// ============================================================
// Create a user
Utilities.Log("Creating an Active Directory user " + userName + "...");
var user = authenticated.ActiveDirectoryUsers
.Define(userName)
.WithEmailAlias(userEmail)
.WithPassword("StrongPass!12")
.Create();
Utilities.Log("Created Active Directory user " + userName);
Utilities.Print(user);
// ============================================================
// Assign role to AD user
IRoleAssignment roleAssignment1 = authenticated.RoleAssignments
.Define(raName1)
.ForUser(user)
.WithBuiltInRole(BuiltInRole.DnsZoneContributor)
.WithSubscriptionScope(subscriptionId)
.Create();
Utilities.Log("Created Role Assignment:");
Utilities.Print(roleAssignment1);
// ============================================================
// Revoke role from AD user
authenticated.RoleAssignments.DeleteById(roleAssignment1.Id);
Utilities.Log("Revoked Role Assignment: " + roleAssignment1.Id);
// ============================================================
// Get role by scope and role name
IRoleDefinition roleDefinition = authenticated.RoleDefinitions
.GetByScopeAndRoleName("subscriptions/" + subscriptionId, "Contributor");
Utilities.Print(roleDefinition);
// ============================================================
// Create Service Principal
IServicePrincipal sp = authenticated.ServicePrincipals.Define(spName)
.WithNewApplication("http://" + spName)
.Create();
// wait till service principal created and propagated
SdkContext.DelayProvider.Delay(15000);
Utilities.Log("Created Service Principal:");
Utilities.Print(sp);
spId = sp.Id;
// ============================================================
// Assign role to Service Principal
string defaultSubscription = authenticated.Subscriptions.List().First().SubscriptionId;
IRoleAssignment roleAssignment2 = authenticated.RoleAssignments
.Define(raName2)
.ForServicePrincipal(sp)
.WithBuiltInRole(BuiltInRole.Contributor)
.WithSubscriptionScope(defaultSubscription)
.Create();
Utilities.Log("Created Role Assignment:");
Utilities.Print(roleAssignment2);
// ============================================================
// Create Active Directory groups
Utilities.Log("Creating Active Directory group " + groupName1 + "...");
var group1 = authenticated.ActiveDirectoryGroups
.Define(groupName1)
.WithEmailAlias(groupEmail1)
.Create();
Utilities.Log("Created Active Directory group " + groupName1);
Utilities.Print(group1);
var group2 = authenticated.ActiveDirectoryGroups
.Define(groupName2)
.WithEmailAlias(groupEmail2)
.Create();
Utilities.Log("Created Active Directory group " + groupName2);
Utilities.Print(group2);
Utilities.Log("Adding group members to group " + groupName2 + "...");
group2.Update()
.WithMember(user)
.WithMember(sp)
.WithMember(group1)
.Apply();
Utilities.Log("Group members added to group " + groupName2);
Utilities.Print(group2);
}
private static async Task Run()
{
string subscriptionIds = ConfigurationManager.AppSettings["subscriptionIds"];
string ownerTagName = ConfigurationManager.AppSettings["ownerTagName"];
string startDate = DateTime.Now.ToUniversalTime().AddDays(-30).ToString("yyyy-MM-ddTHH:mm:ss.fffZ");
string endDate = DateTime.Now.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ");
string clientId = ConfigurationManager.AppSettings["clientId"];
string clientSecret = ConfigurationManager.AppSettings["clientSecret"];
string tenantId = ConfigurationManager.AppSettings["tenantId"];
AzureCredentialsFactory factory = new AzureCredentialsFactory();
AzureCredentials azureCreds = factory.FromServicePrincipal(clientId, clientSecret, tenantId,
AzureEnvironment.AzureGlobalCloud);
Azure.IAuthenticated azure = Azure.Configure().Authenticate(azureCreds);
string body = @"
{
""type"": ""Usage"",
""timeframe"": ""Custom"",
""timePeriod"": {
""from"": """ + startDate + @""",
""to"": """ + endDate + @""",
},
""dataset"": {
""granularity"": ""Daily"",
""aggregation"": {
""totalCost"": {
""name"": ""PreTaxCost"",
""function"": ""Sum""
}
},
""grouping"": [
{
""type"": ""Dimension"",
""name"": ""ResourceGroup""
}
]
}
}
";
string currency = String.Empty;
Dictionary <string, Double> costPerUser = new Dictionary <string, Double>();
Dictionary <string, Double> costPerGroup = new Dictionary <string, Double>();
Dictionary <string, string> groupOwner = new Dictionary <string, string>();
string token = await GetOAuthTokenFromAAD();
foreach (var subscriptionId in subscriptionIds.Split(",", StringSplitOptions.RemoveEmptyEntries))
{
var azureSub = azure.WithSubscription(subscriptionId);
var resourceGroups = azureSub.ResourceGroups.List();
string uri = $"https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.CostManagement/query?api-version=2019-01-01";
while (!String.IsNullOrEmpty(uri))
{
QueryResult result = null;
int costIndex = -1;
int currencyIndex = -1;
int groupIndex = -1;
var request = HttpWebRequest.CreateHttp(uri);
request.ContentType = "application/json";
request.Method = "POST";
request.Headers.Add("Authorization", $"Bearer {token}");
try
{
using (StreamWriter writer = new StreamWriter(request.GetRequestStream()))
{
writer.Write(body);
writer.Flush();
}
var response = await request.GetResponseAsync();
var responseString = String.Empty;
using (StreamReader reader = new StreamReader(response.GetResponseStream()))
{
responseString = reader.ReadToEnd();
}
result = JsonConvert.DeserializeObject <QueryResult>(responseString);
uri = result.properties.nextLink;
costIndex = GetColumnIndex(result.properties.columns, "PreTaxCost");
currencyIndex = GetColumnIndex(result.properties.columns, "Currency");
groupIndex = GetColumnIndex(result.properties.columns, "ResourceGroup");
if (costIndex < 0)
{
Console.WriteLine($"Could not find cost index for subscription {subscriptionId}");
continue;
}
}
catch (WebException wex)
{
string errorMessage = string.Empty;
if (wex.Response != null)
{
using (StreamReader reader = new StreamReader(wex.Response.GetResponseStream()))
{
errorMessage = reader.ReadToEnd();
}
}
Console.WriteLine($"Error while calculating costs for subscription {subscriptionId}: {wex} ({errorMessage})");
}
catch (Exception ex)
{
Console.WriteLine($"Error while calculating costs for subscription {subscriptionId}: {ex}");
}
if (result != null)
{
foreach (var group in resourceGroups)
{
var resourceGroupOwner = OWNER_UNKNOWN;
var defaultKeyValuePair = default(KeyValuePair <String, String>);
var ownerTag = defaultKeyValuePair;
if (group.Tags != null)
{
ownerTag = group.Tags.Where(tag => tag.Key.Equals(ownerTagName, StringComparison.InvariantCultureIgnoreCase)).FirstOrDefault();
}
if (!ownerTag.Equals(defaultKeyValuePair))
{
resourceGroupOwner = ownerTag.Value;
}
//Console.WriteLine($"Calculating costs for resource group {group.Name} in subscription {subscriptionId} which belongs to {resourceGroupOwner}");
string keyNameGroup = $"{subscriptionId}/{group.Name}";
if (!costPerUser.ContainsKey(resourceGroupOwner))
{
costPerUser.Add(resourceGroupOwner, 0);
}
if (!costPerGroup.ContainsKey(keyNameGroup))
{
costPerGroup.Add(keyNameGroup, 0);
}
if (!groupOwner.ContainsKey(keyNameGroup))
{
groupOwner.Add(keyNameGroup, resourceGroupOwner);
}
var groupRows = result.properties.rows.Where(rTemp => rTemp[groupIndex].ToString().Equals(group.Name,
StringComparison.InvariantCultureIgnoreCase)).ToArray();
foreach (var row in groupRows)
{
costPerUser[resourceGroupOwner] += (Double)row[costIndex];
costPerGroup[keyNameGroup] += (Double)row[costIndex];
var currencyOfRow = (string)row[currencyIndex];
if (String.IsNullOrEmpty(currency))
{
currency = currencyOfRow;
}
else if (!currency.Equals(currencyOfRow))
{
throw new Exception("There are different currencies");
}
}
}
}
}
Console.WriteLine($"##########################################");
Console.WriteLine($"Cost between {startDate} and {endDate} per resource group for unknown owner");
Console.WriteLine($"##########################################");
var subscriptionRgUnknown = costPerGroup.Where(temp => temp.Key.Split("/")[0].
Equals(subscriptionId, StringComparison.InvariantCultureIgnoreCase));
foreach (KeyValuePair <string, double> costEntry in subscriptionRgUnknown.OrderByDescending(temp => temp.Value))
{
if (groupOwner[costEntry.Key].Equals(OWNER_UNKNOWN, StringComparison.InvariantCultureIgnoreCase))
{
Console.WriteLine($"{costEntry.Key}: {currency} {costEntry.Value}");
}
}
}
Console.WriteLine($"##########################################");
Console.WriteLine($"Cost between {startDate} and {endDate} per user");
Console.WriteLine($"##########################################");
foreach (KeyValuePair <string, double> costEntry in costPerUser.OrderByDescending(temp => temp.Value))
{
Console.WriteLine($"{costEntry.Key}: {currency} {costEntry.Value}");
}
Console.WriteLine($"##########################################");
Console.WriteLine($"Cost between {startDate} and {endDate} per resource group");
Console.WriteLine($"##########################################");
foreach (KeyValuePair <string, double> costEntry in costPerGroup.OrderByDescending(temp => temp.Value))
{
Console.WriteLine($"{costEntry.Key}: {currency} {costEntry.Value} (owner: {groupOwner[costEntry.Key]})");
}
}
public static async Task Run()
{
string tag_owner = GetConfigItem("tag_owner");
string tag_deallocate = GetConfigItem("tag_deallocate");
int tag_deallocate_days = int.Parse(GetConfigItem("tag_deallocate_days"));
string tag_deletevm = GetConfigItem("tag_deletevm");
int tag_deletevm_days = int.Parse(GetConfigItem("tag_deletevm_days"));
string tag_deleterg = GetConfigItem("tag_deleterg");
int tag_deleterg_days = int.Parse(GetConfigItem("tag_deleterg_days"));
string subscriptionIds = GetConfigItem("subscriptionIds");
string clientId = GetConfigItem("clientId");
string clientSecret = GetConfigItem("clientSecret");
string tenantId = GetConfigItem("tenantId");
AzureCredentialsFactory factory = new AzureCredentialsFactory();
AzureCredentials azureCreds = factory.FromServicePrincipal(clientId, clientSecret, tenantId,
AzureEnvironment.AzureGlobalCloud);
Azure.IAuthenticated azure = Azure.Configure().Authenticate(azureCreds);
foreach (var subscriptionId in subscriptionIds.Split(",", StringSplitOptions.RemoveEmptyEntries))
{
Console.WriteLine($"Looking for new resources without an owner tag in subscription {subscriptionId}");
var azureSub = azure.WithSubscription(subscriptionId);
var insightsClient = new InsightsClient(azureCreds);
insightsClient.SubscriptionId = subscriptionId;
var resourceGroups = azureSub.ResourceGroups.List();
foreach (var group in resourceGroups)
{
try
{
var defaultKeyValuePair = default(KeyValuePair <String, String>);
var ownerTag = defaultKeyValuePair;
if (group.Tags != null)
{
ownerTag = group.Tags.Where(tag => tag.Key.Equals(tag_owner, StringComparison.InvariantCultureIgnoreCase)).FirstOrDefault();
}
String endTime = DateTime.Now.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ss.fffZ");
String resourceId = group.Id;
if (ownerTag.Equals(defaultKeyValuePair))
{
//Console.WriteLine($"Resource group {group.Name} does not contain owner tag...looking in activity log");
String startTime = DateTime.Now.ToUniversalTime().AddHours(-25).ToString("yyyy-MM-ddTHH:mm:ss.fffZ");
string newOwner = UNKNOWN_OWNER;
var resourceGroupCreateLogs = await GetCreationLogs(startTime, endTime, resourceId, OPERATION_RESOURCEGROUP_WRITE, insightsClient);
if (resourceGroupCreateLogs.Length == 0)
{
startTime = DateTime.Now.ToUniversalTime().AddDays(-90).ToString("yyyy-MM-ddTHH:mm:ss.fffZ");
resourceGroupCreateLogs = await GetCreationLogs(startTime, endTime, resourceId, OPERATION_RESOURCEGROUP_WRITE, insightsClient);
}
if (resourceGroupCreateLogs.Length != 0)
{
newOwner = resourceGroupCreateLogs[0].Caller;
}
if (!UNKNOWN_OWNER.Equals(newOwner))
{
await group.Update().WithTag(tag_owner, newOwner).ApplyAsync();
Console.WriteLine($"Resource group {group.Name} tagged with owner {newOwner}");
}
}
else if (UNKNOWN_OWNER.Equals(ownerTag.Value))
{
bool needsUpdate = false;
var updateGroup = group.Update();
if (group.Tags.Where(tag => tag.Key.Equals(tag_deallocate, StringComparison.InvariantCultureIgnoreCase)).Count() == 0)
{
needsUpdate = true;
updateGroup.WithTag(tag_deallocate, DateTime.Now.ToUniversalTime().AddDays(tag_deallocate_days).ToString("yyyy-MM-ddTHH:mm:ss.fffZ"));
}
if (group.Tags.Where(tag => tag.Key.Equals(tag_deletevm, StringComparison.InvariantCultureIgnoreCase)).Count() == 0)
{
needsUpdate = true;
updateGroup.WithTag(tag_deletevm, DateTime.Now.ToUniversalTime().AddDays(tag_deletevm_days).ToString("yyyy-MM-ddTHH:mm:ss.fffZ"));
}
if (group.Tags.Where(tag => tag.Key.Equals(tag_deleterg, StringComparison.InvariantCultureIgnoreCase)).Count() == 0)
{
needsUpdate = true;
updateGroup.WithTag(tag_deleterg, DateTime.Now.ToUniversalTime().AddDays(tag_deleterg_days).ToString("yyyy-MM-ddTHH:mm:ss.fffZ"));
}
if (needsUpdate)
{
await updateGroup.ApplyAsync();
}
}
else
{
//Console.WriteLine($"Resource group {group.Name} is already owned by {ownerTag.Value}");
}
}
catch (Exception ex)
{
Console.WriteLine("Exception: " + ex);
}
}
}
Console.WriteLine("Done Tagging");
}
public async Task <Azure.IAuthenticated> GetAzureConnection()
{
if (_azure != null)
{
return(_azure);
}
AzureCredentials credentials;
string localDevelopment = Environment.GetEnvironmentVariable("LocalDevelopment", EnvironmentVariableTarget.Process);
if (!string.IsNullOrEmpty(localDevelopment) &&
string.Equals(localDevelopment, "true", StringComparison.InvariantCultureIgnoreCase))
{
Log.LogDebug($"Get the local service principal for local login");
var localDevSp = new Principal
{
UserPrincipalName = "LocalLogin",
AppId = Environment.GetEnvironmentVariable("ClientId", EnvironmentVariableTarget.Process),
TenantId = Environment.GetEnvironmentVariable("TenantId", EnvironmentVariableTarget.Process)
};
string clientSecret = Environment.GetEnvironmentVariable("ClientSecret", EnvironmentVariableTarget.Process);
Log.LogDebug($"AppId: {localDevSp.AppId}, TenantId: {localDevSp.TenantId}");
credentials = SdkContext
.AzureCredentialsFactory
.FromServicePrincipal(localDevSp.AppId, clientSecret, localDevSp.TenantId, AzureEnvironment.AzureGlobalCloud);
}
else
{
Log.LogDebug($"Get the MSI credentials");
// Because MSI isn't really nicely supported in this nuget package disable it for now and user workaround
////credentials = SdkContext
//// .AzureCredentialsFactory
//// .FromMSI(new MSILoginInformation(MSIResourceType.AppService), AzureEnvironment.AzureGlobalCloud);
try
{
// START workaround until MSI in this package is really supported
string tenantId = Environment.GetEnvironmentVariable("TenantId", EnvironmentVariableTarget.Process);
Log.LogDebug($"TenantId: {tenantId}");
AzureServiceTokenProvider astp = new AzureServiceTokenProvider();
string graphToken = await astp.GetAccessTokenAsync("https://graph.windows.net/", tenantId);
AzureServiceTokenProvider astp2 = new AzureServiceTokenProvider();
string rmToken = await astp2.GetAccessTokenAsync("https://management.azure.com/", tenantId);
Log.LogDebug("Logging with tokens from Token Provider");
AzureCredentials customTokenProvider = new AzureCredentials(
new TokenCredentials(rmToken),
new TokenCredentials(graphToken),
tenantId,
AzureEnvironment.AzureGlobalCloud);
RestClient client = RestClient
.Configure()
.WithEnvironment(AzureEnvironment.AzureGlobalCloud)
.WithLogLevel(HttpLoggingDelegatingHandler.Level.Basic)
//.WithRetryPolicy(new RetryPolicy(new HttpStatusCodeErrorDetectionStrategy(), new IncrementalRetryStrategy(2, TimeSpan.FromSeconds(30), TimeSpan.FromMinutes(1))))
.WithCredentials(customTokenProvider)
.Build();
return(Azure.Authenticate(client, tenantId));
// END workaround until MSI in this package is really supported
}
catch (Exception ex)
{
Log.LogError(ex, ex.Message);
if (ex.InnerException != null)
{
Log.LogError(ex.InnerException, ex.InnerException.Message);
}
throw;
}
}
ServiceClientTracing.AddTracingInterceptor(new MicrosoftExtensionsLoggingTracer(Log));
ServiceClientTracing.IsEnabled = true;
_azure = Azure
.Configure()
.WithDelegatingHandler(new HttpLoggingDelegatingHandler())
.WithLogLevel(HttpLoggingDelegatingHandler.Level.None)
.Authenticate(credentials);
return(_azure);
}
/**
* Azure Service Principal sample for managing Service Principal -
* - Create an Active Directory application
* - Create a Service Principal for the application and assign a role
* - Export the Service Principal to an authentication file
* - Use the file to list subcription virtual machines
* - Update the application
* - Delete the application and Service Principal.
*/
public static void RunSample(Azure.IAuthenticated authenticated, AzureEnvironment environment)
{
string spName = Utilities.CreateRandomName("sp");
string appName = SdkContext.RandomResourceName("app", 20);
string appUrl = "https://" + appName;
string passwordName1 = SdkContext.RandomResourceName("password", 20);
string password1 = "P@ssw0rd";
string passwordName2 = SdkContext.RandomResourceName("password", 20);
string password2 = "StrongP@ss!12";
string certName1 = SdkContext.RandomResourceName("cert", 20);
string raName = SdkContext.RandomGuid();
string servicePrincipalId = "";
try
{
// ============================================================
// Create application
Utilities.Log("Creating a service principal " + spName + "...");
IServicePrincipal servicePrincipal = authenticated.ServicePrincipals
.Define(appName)
.WithNewApplication(appUrl)
.DefinePasswordCredential(passwordName1)
.WithPasswordValue(password1)
.Attach()
.DefinePasswordCredential(passwordName2)
.WithPasswordValue(password2)
.Attach()
.DefineCertificateCredential(certName1)
.WithAsymmetricX509Certificate()
.WithPublicKey(File.ReadAllBytes(Path.Combine(Utilities.ProjectPath, "Asset", "NetworkTestCertificate1.cer")))
.WithDuration(TimeSpan.FromDays(1))
.Attach()
.Create();
Utilities.Log("Created service principal " + spName + ".");
Utilities.Print(servicePrincipal);
servicePrincipalId = servicePrincipal.Id;
// ============================================================
// Create role assignment
Utilities.Log("Creating a Contributor role assignment " + raName + " for the service principal...");
SdkContext.DelayProvider.Delay(15000);
IRoleAssignment roleAssignment = authenticated.RoleAssignments
.Define(raName)
.ForServicePrincipal(servicePrincipal)
.WithBuiltInRole(BuiltInRole.Contributor)
.WithSubscriptionScope(authenticated.Subscriptions.List().First <ISubscription>().SubscriptionId)
.Create();
Utilities.Log("Created role assignment " + raName + ".");
Utilities.Print(roleAssignment);
// ============================================================
// Verify the credentials are valid
Utilities.Log("Verifying password credential " + passwordName1 + " is valid...");
AzureCredentials testCredential = new AzureCredentialsFactory().FromServicePrincipal(
servicePrincipal.ApplicationId, password1, authenticated.TenantId, environment);
try
{
Azure.Authenticate(testCredential).WithDefaultSubscription();
Utilities.Log("Verified " + passwordName1 + " is valid.");
}
catch (Exception e)
{
Utilities.Log("Failed to verify " + passwordName1 + " is valid. Exception: " + e.Message);
}
Utilities.Log("Verifying password credential " + passwordName2 + " is valid...");
testCredential = new AzureCredentialsFactory().FromServicePrincipal(
servicePrincipal.ApplicationId, password2, authenticated.TenantId, environment);
try
{
Azure.Authenticate(testCredential).WithDefaultSubscription();
Utilities.Log("Verified " + passwordName2 + " is valid.");
}
catch (Exception e)
{
Utilities.Log("Failed to verify " + passwordName2 + " is valid. Exception: " + e.Message);
}
Utilities.Log("Verifying certificate credential " + certName1 + " is valid...");
testCredential = new AzureCredentialsFactory().FromServicePrincipal(
servicePrincipal.ApplicationId,
Path.Combine(Utilities.ProjectPath, "Asset", "NetworkTestCertificate1.pfx"),
"Abc123",
authenticated.TenantId,
environment);
try
{
Azure.Authenticate(testCredential).WithDefaultSubscription();
Utilities.Log("Verified " + certName1 + " is valid.");
}
catch (Exception e)
{
Utilities.Log("Failed to verify " + certName1 + " is valid. Exception: " + e.Message);
}
// ============================================================
// Revoke access of the 1st password credential
Utilities.Log("Revoking access for password credential " + passwordName1 + "...");
servicePrincipal.Update()
.WithoutCredential(passwordName1)
.Apply();
SdkContext.DelayProvider.Delay(15000);
Utilities.Log("Credential revoked.");
// ============================================================
// Verify the revoked password credential is no longer valid
Utilities.Log("Verifying password credential " + passwordName1 + " is revoked...");
testCredential = new AzureCredentialsFactory().FromServicePrincipal(
servicePrincipal.ApplicationId, password1, authenticated.TenantId, environment);
try
{
Azure.Authenticate(testCredential).WithDefaultSubscription();
Utilities.Log("Failed to verify " + passwordName1 + " is revoked.");
}
catch (Exception e)
{
Utilities.Log("Verified " + passwordName1 + " is revoked. Exception: " + e.Message);
}
// ============================================================
// Revoke the role assignment
Utilities.Log("Revoking role assignment " + raName + "...");
authenticated.RoleAssignments.DeleteById(roleAssignment.Id);
SdkContext.DelayProvider.Delay(5000);
// ============================================================
// Verify the revoked password credential is no longer valid
Utilities.Log("Verifying password credential " + passwordName2 + " has no access to subscription...");
testCredential = new AzureCredentialsFactory().FromServicePrincipal(
servicePrincipal.ApplicationId, password2, authenticated.TenantId, environment);
try
{
Azure.Authenticate(testCredential).WithDefaultSubscription()
.ResourceGroups.List();
Utilities.Log("Failed to verify " + passwordName2 + " has no access to subscription.");
}
catch (Exception e)
{
Utilities.Log("Verified " + passwordName2 + " has no access to subscription. Exception: " + e.Message);
}
}
catch (Exception f)
{
Utilities.Log(f.Message);
}
finally
{
try
{
Utilities.Log("Deleting application: " + appName);
authenticated.ServicePrincipals.DeleteById(servicePrincipalId);
Utilities.Log("Deleted application: " + appName);
}
catch (Exception e)
{
Utilities.Log("Did not create applications in Azure. No clean up is necessary. Exception: " + e.Message);
}
}
}
private static Task <IActiveDirectoryUser[]> LoadActiveDirectoryUsersAsync(Azure.IAuthenticated authenticated)
{
return(LoadPagedCollectionAsync(authenticated.ActiveDirectoryUsers.ListAsync()));
}
private static async Task <IActiveDirectoryUser?> ProcessUserAsync(MyUser item, IActiveDirectoryUser[] list,
// ReSharper disable once UnusedParameter.Local
Azure.IAuthenticated authenticated, string password)
{
async Task ApplyPassword(IActiveDirectoryUser activeDirectoryUser)
{
if (item.UseDefaultPassword)
{
Log(3, $"Updating UseDefaultPassword: {activeDirectoryUser.UserPrincipalName}");
var respo = await authenticated.ActiveDirectoryUsers.Inner.UpdateWithHttpMessagesAsync(
activeDirectoryUser.UserPrincipalName,
new UserUpdateParameters()
//{
// PasswordProfile = new PasswordProfile(password)
// PasswordProfile = new PasswordProfile(SdkContext.RandomResourceName("Pa5$", 15))
// {
// ForceChangePasswordNextLogin = false
// }
// }
);
var cont = await respo.Response.Content.ReadAsStringAsync();
Log(3,
$"Updating UseDefaultPassword Responce: {activeDirectoryUser.UserPrincipalName}: {respo.Response.StatusCode} {cont}");
}
}
Log(0, "===========================================");
Log(0, "Processing User");
Log(1, item);
var cur = list.FirstOrDefault(x => x.UserPrincipalName == item.Upn);
if (cur == null && !item.Delete)
{
Log(3, $"Creating User: {item.Upn}");
// var userCreateParameters = new UserCreateParameters()
// {
// MailNickname = item.Upn,
// Surname = item.Surname,
// GivenName = item.Givenname,
// DisplayName = item.Displayname,
// UserPrincipalName = item.Upn,
// UserType = UserType.Member,
// PasswordProfile = new PasswordProfile(SdkContext.RandomResourceName("Pa5$", 15))
// // {
// // Password = SdkContext.RandomResourceName("Pa5$",
// // 15), // Guid.NewGuid().ToString(), // password,
// // ForceChangePasswordNextLogin = false
// // }
// };
// userCreateParameters.Validate();
// //
// var inner = await authenticated.ActiveDirectoryUsers.Inner.CreateWithHttpMessagesAsync(
// userCreateParameters
// );
// //
// Policy.Handle<Exception>()
// .RetryAsync(5,
// async (exception, i) =>
// {
// cur = await authenticated.ActiveDirectoryUsers.GetByIdAsync(inner.Body.ObjectId);
//
// if (cur == null)
// throw new Exception();
// });
cur = await authenticated.ActiveDirectoryUsers
.Define(item.Displayname)
.WithUserPrincipalName(item.Upn)
// .WithPassword(password)
.WithPassword(SdkContext.RandomResourceName("Pa5$", 15))
.WithPromptToChangePasswordOnLogin(false)
.CreateAsync();
await ApplyPassword(cur);
}
if (cur != null)
{
if (item.Delete)
{
Log(3, $"Deleting User: {cur.UserPrincipalName}");
await authenticated.ActiveDirectoryUsers.DeleteByIdAsync(cur.Id);
return(null);
}
Log(3, $"Updating User: {cur.UserPrincipalName}");
Log(3, cur);
var parameters = new UserUpdateParameters
{
Surname = item.Surname,
GivenName = item.Givenname,
DisplayName = item.Displayname
};
// if (item.UseDefaultPassword)
// {
// parameters.AdditionalProperties = new Dictionary<string, object>();
//
// // parameters.AdditionalProperties.Add("UseDefaultPassword", item.UseDefaultPassword.ToString());
// }
await authenticated.ActiveDirectoryUsers.Inner.UpdateWithHttpMessagesAsync(cur.UserPrincipalName,
parameters);
//
await ApplyPassword(cur);
}
if (cur != null)
{
Log(0, $"Finished Processing: {cur.UserPrincipalName}");
}
return(cur);
}
/**
* Azure Users, Groups and Roles sample.
* - List users
* - Get user by email
* - Assign role to AD user
* - Revoke role from AD user
* - Get role by scope and role name
* - List roles
* - List Active Directory groups.
*/
public static void RunSample(Azure.IAuthenticated authenticated)
{
string subscriptionId = authenticated.Subscriptions.List().First().SubscriptionId;
Utilities.Log("Selected subscription: " + subscriptionId);
string raName1 = SdkContext.RandomGuid();
// ============================================================
// List users
var users = authenticated.ActiveDirectoryUsers.List();
Utilities.Log("Active Directory Users:");
foreach (var user in users)
{
Utilities.Print(user);
}
// ============================================================
// Get user by email
IActiveDirectoryUser adUser = authenticated.ActiveDirectoryUsers.GetByName("*****@*****.**");
Utilities.Log("Found User with email \"[email protected]\": ");
Utilities.Print(adUser);
// ============================================================
// Assign role to AD user
IRoleAssignment roleAssignment1 = authenticated.RoleAssignments
.Define(raName1)
.ForUser(adUser)
.WithBuiltInRole(BuiltInRole.DnsZoneContributor)
.WithSubscriptionScope(subscriptionId)
.Create();
Utilities.Log("Created Role Assignment:");
Utilities.Print(roleAssignment1);
// ============================================================
// Revoke role from AD user
authenticated.RoleAssignments.DeleteById(roleAssignment1.Id);
Utilities.Log("Revoked Role Assignment: " + roleAssignment1.Id);
// ============================================================
// Get role by scope and role name
IRoleDefinition roleDefinition = authenticated.RoleDefinitions
.GetByScopeAndRoleName("subscriptions/" + subscriptionId, "Contributor");
Utilities.Print(roleDefinition);
// ============================================================
// List roles
var roles = authenticated.RoleDefinitions
.ListByScope("subscriptions/" + subscriptionId);
Utilities.Log("Roles: ");
foreach (var role in roles)
{
Utilities.Print(role);
}
// ============================================================
// List Active Directory groups
var groups = authenticated.ActiveDirectoryGroups.List();
Utilities.Log("Active Directory Groups:");
foreach (var group in groups)
{
Utilities.Print(group);
}
}
private static async Task SyncGroupMembers(Azure.IAuthenticated authenticated, MyGroup[] myGroups)
{
Log(0, "===========================================");
Log(0, "SyncGroupMembers");
var aadGroups = await LoadActiveDirectoryGroupsAsync(authenticated);
var aadUsers = await LoadActiveDirectoryUsersAsync(authenticated);
foreach (var myGroup in myGroups)
{
var group = aadGroups.FirstOrDefault(x => x.Inner.MailNickname == myGroup.MailNickname);
if (group != null && myGroup.Members != null)
{
Log(1, "Processing User Membership");
Log(2, $"{group.Name}");
var aadMembers = await LoadPagedCollectionAsync(group.ListMembersAsync());
Log(3, "Checking Members to Remove");
foreach (var mem in aadMembers.OfType <IActiveDirectoryUser>())
{
Log(4, $"Name: {mem.Name}");
var u = aadUsers.FirstOrDefault(x => x.Id == mem.Id);
if (u != null)
{
Log(5, $"UserPrincipalName: {u.UserPrincipalName}");
if (!myGroup.Members.Contains(u.UserPrincipalName))
{
Log(5, "Removing Member from Group");
await group.Update()
.WithoutMember(mem.Id)
.ApplyAsync();
}
}
else
{
Log(5, "Removing Member from Group");
await group.Update()
.WithoutMember(mem.Id)
.ApplyAsync();
}
}
Log(3, "Checking Members to Add");
foreach (var upn in myGroup.Members)
{
Log(4, $"{upn}");
var u = aadUsers.FirstOrDefault(x => x.UserPrincipalName == upn);
if (u != null)
{
if (aadMembers.OfType <IActiveDirectoryUser>().All(x => x.Id != u.Id))
{
Log(5, "Adding Member to Group");
await group.Update()
.WithMember(u)
.ApplyAsync();
}
}
}
}
if (group != null && myGroup.Groups != null)
{
Log(1, "Processing Groups Membership");
Log(2, $"{group.Name}");
var aadMembers = await LoadPagedCollectionAsync(group.ListMembersAsync());
Log(3, "Checking Groups to Remove");
foreach (var mem in aadMembers.OfType <IActiveDirectoryGroup>())
{
Log(4, $"Name: {mem.Name}");
var u = aadGroups.FirstOrDefault(x => x.Id == mem.Id);
if (u != null)
{
Log(5, $"MailNickname: {u.Inner.MailNickname}");
if (!myGroup.Groups.Contains(u.Inner.MailNickname))
{
Log(5, "Removing Group from Group");
await group.Update()
.WithoutMember(mem.Id)
.ApplyAsync();
}
}
else
{
Log(5, "Removing Group from Group");
await group.Update()
.WithoutMember(mem.Id)
.ApplyAsync();
}
}
Log(3, "Checking Groups to Add");
foreach (var nick in myGroup.Groups)
{
Log(4, $"{nick}");
var u = aadGroups.FirstOrDefault(x => x.Inner.MailNickname == nick);
if (u != null)
{
if (aadMembers.OfType <IActiveDirectoryGroup>().All(x => x.Id != u.Id))
{
Log(5, "Adding Group to Group");
await group.Update()
.WithMember(u)
.ApplyAsync();
}
}
}
}
}
}
