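/// <summary>
/// Grants the built-in Contributor role on <paramref name="subscription"/> to
/// <paramref name="servicePrincipal"/> through the Azure Resource Manager REST API,
/// then records the subscription in the repository.
/// </summary>
/// <param name="principal">The signed-in user whose delegated token is used to call ARM.</param>
/// <param name="subscription">The subscription on which the role is assigned.</param>
/// <param name="servicePrincipal">The service principal that receives the role.</param>
/// <exception cref="ArgumentNullException">Thrown when any argument is <c>null</c>.</exception>
/// <exception cref="HttpRequestException">Thrown when ARM does not answer with a success status code.</exception>
public async Task AssignContributorRole(ClaimsPrincipal principal, DomainObjects.Subscription subscription, ServicePrincipal servicePrincipal)
{
    if (principal == null) throw new ArgumentNullException(nameof(principal));
    if (subscription == null) throw new ArgumentNullException(nameof(subscription));
    if (servicePrincipal == null) throw new ArgumentNullException(nameof(servicePrincipal));

    // Contributor role: https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#contributor
    const string contributorRoleId = "b24988ac-6180-42a0-ab88-20f7382dd24c";

    // The role assignment name is a caller-chosen GUID; a fresh one avoids colliding with an existing assignment.
    var assignmentId = Guid.NewGuid();
    var url = $"https://management.azure.com/subscriptions/{subscription.SubscriptionId}/providers/Microsoft.Authorization/roleAssignments/{assignmentId}?api-version=2015-07-01";

    var body = new
    {
        properties = new
        {
            roleDefinitionId = $"/subscriptions/{subscription.SubscriptionId}/providers/Microsoft.Authorization/roleDefinitions/{contributorRoleId}",
            principalId = servicePrincipal.Id
        }
    };

    var token = await _tokenService.GetAccessTokenAsync(principal, _adOptions.ManagementAzureScope);

    // Attach the bearer token to this request only. Writing it to _httpClient.DefaultRequestHeaders
    // mutates state shared by every caller of the client: with a shared or injected HttpClient,
    // concurrent calls could go out with another user's token (thread-safety and token-confusion bug).
    using (var request = new HttpRequestMessage(HttpMethod.Put, url))
    {
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        request.Content = new StringContent(JsonConvert.SerializeObject(body), Encoding.UTF8, "application/json");

        // Dispose the response so the underlying connection is released even when the status check throws.
        using (var response = await _httpClient.SendAsync(request))
        {
            response.EnsureSuccessStatusCode();
        }
    }

    await _repository.Add(subscription);
}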
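/// <summary>
/// Registers a new Azure AD application with a client secret, creates its service principal
/// in the current tenant, and stores the result in the repository.
/// </summary>
/// <param name="principal">The signed-in user on whose behalf Microsoft Graph is called.</param>
/// <returns>The stored domain service principal, including the generated client secret.</returns>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="principal"/> is <c>null</c>.</exception>
public async Task<DomainObjects.ServicePrincipal> CreateServicePrincipal(ClaimsPrincipal principal)
{
    if (principal == null) throw new ArgumentNullException(nameof(principal));

    // Client secret: 32 bytes from the OS CSPRNG. Guid.NewGuid() is not specified to be
    // cryptographically random, so it is not a suitable source for a credential.
    var secretBytes = new byte[32];
    using (var rng = System.Security.Cryptography.RandomNumberGenerator.Create())
    {
        rng.GetBytes(secretBytes);
    }
    var secret = Convert.ToBase64String(secretBytes);

    // Graph client that acquires a delegated token for the signed-in user on every request.
    var client = new GraphServiceClient(new DelegateAuthenticationProvider(async requestMessage =>
    {
        var token = await _tokenService.GetAccessTokenAsync(principal, "https://graph.microsoft.com/Directory.AccessAsUser.All");
        requestMessage.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
    }));

    // Create the Azure AD application. The credential start time is backdated slightly to
    // tolerate clock skew between this host and the directory; timestamps are taken once in UTC.
    // NOTE(review): newer Graph versions may ignore a client-supplied SecretText on application
    // creation and require the addPassword action instead — confirm the stored secret is the effective one.
    var now = DateTimeOffset.UtcNow;
    var app = await client.Applications.Request().AddAsync(new Application
    {
        DisplayName = $"demosprbac-{Guid.NewGuid()}",
        PasswordCredentials = new List<PasswordCredential>
        {
            new PasswordCredential
            {
                DisplayName = "ClientSecret",
                SecretText = secret,
                StartDateTime = now.AddMinutes(-2),
                EndDateTime = now.AddYears(1)
            }
        }
    });

    // The service principal is the tenant-local instance of the application just created.
    var sp = await client.ServicePrincipals.Request().AddAsync(new ServicePrincipal { AppId = app.AppId });

    // The secret is persisted as given here; the repository is expected to protect it at rest
    // (encryption or a vault reference), since it is equivalent to the application's password.
    return await _repository.Add(new DomainObjects.ServicePrincipal
    {
        Id = sp.Id,
        AppId = sp.AppId,
        AppObjectId = app.Id,
        DisplayName = sp.DisplayName,
        SecretText = secret
    });
}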