
ms-graph-app-management

Application and Service Principal management via Microsoft Graph API

The repository contains a proof-of-concept Azure Function implementation that does the following:

  • It is triggered by an Azure Storage Queue message.

The message pushed into the storage queue must follow this schema (note that it carries an Azure DevOps PAT in clear text, so access to the queue has to be controlled as tightly as the PAT itself):

{
    "OrgName": "Your Organization name (just the name not the entire URL)",
    "PAT": "A personal access token",
    "ProjectId": "Must be the Guid of an Azure DevOps Project",
    "RotateAllServiceConnections": false,
    "ServiceEndpoints": ["Must be a guid - a Service Connection ID"],
    "DaysBeforeExpire": 1,
    "LifeTimeInDays": 5
}
  • The function runs under a Managed Identity.
  • The Managed Identity needs the Application.ReadWrite.OwnedBy Microsoft Graph application permission, with admin consent granted by an Azure AD administrator. That permission only covers applications the identity owns, so the Managed Identity also has to be an owner of every Azure AD application whose credentials it rotates.
  • The function reads the endpoint (i.e. the AzDO Service Connection), or several endpoints, and determines the corresponding Azure AD Application via its Service Principal.

⚡ Password Credentials

  • If the Service Connection was created with a Client Secret (password-based authentication):
    • The function generates a new password credential (based on the DaysBeforeExpire and LifeTimeInDays values in the storage message).
    • It updates the service connection in Azure DevOps to use the new secret.
    • It deletes the old password credentials of the AAD application.
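The password branch above, worked through as an added example (this is not the repository's code). It assumes the Microsoft Graph shapes of GET /applications/{id} (passwordCredentials[] with keyId and endDateTime), POST /applications/{id}/addPassword and POST /applications/{id}/removePassword, and it reads the two message fields as follows: DaysBeforeExpire means "rotate when the longest-lived secret expires within this many days" and LifeTimeInDays is the validity of the new secret. That reading of the fields is an assumption; the README does not spell it out. The application document and the clock are constructed sample data.

```python
"""Password-credential rotation bookkeeping for an Azure AD application."""
from datetime import datetime, timedelta, timezone

# Constructed sample of what GET /applications/{id} returns; not real tenant data.
SAMPLE_APPLICATION = {
    "id": "11111111-1111-1111-1111-111111111111",
    "displayName": "azdo-service-connection-demo",
    "passwordCredentials": [
        {"keyId": "aaaaaaaa-0000-0000-0000-000000000001",
         "displayName": "rotated", "endDateTime": "2024-03-01T00:00:00.0000000Z"},
        {"keyId": "aaaaaaaa-0000-0000-0000-000000000002",
         "displayName": "manual", "endDateTime": "2024-02-10T12:00:00Z"},
    ],
}
NOW = datetime(2024, 2, 29, 12, 0, tzinfo=timezone.utc)  # fixed clock for the example


def parse_graph_time(value: str) -> datetime:
    """Graph emits UTC timestamps such as 2024-03-01T00:00:00.0000000Z; before Python 3.11
    datetime.fromisoformat accepts neither the trailing 'Z' nor seven fractional digits."""
    if value.endswith("Z"):
        value = value[:-1]
    if "." in value:
        head, frac = value.split(".", 1)
        value = f"{head}.{frac[:6].ljust(6, '0')}"
    return datetime.fromisoformat(value).replace(tzinfo=timezone.utc)


def graph_time(moment: datetime) -> str:
    return moment.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def rotation_due(credentials, days_before_expire: int, now: datetime) -> bool:
    """True when no secret exists or the longest-lived one expires within the threshold."""
    if not credentials:
        return True
    latest = max(parse_graph_time(c["endDateTime"]) for c in credentials)
    return latest - now <= timedelta(days=days_before_expire)


def add_password_body(lifetime_days: int, now: datetime) -> dict:
    """Body for POST /applications/{id}/addPassword. The response carries the new keyId
    and, exactly once, secretText; that is the value written into the AzDO service
    connection."""
    return {"passwordCredential": {
        "displayName": f"azdo-rotation-{now:%Y%m%d}",
        "startDateTime": graph_time(now),
        "endDateTime": graph_time(now + timedelta(days=lifetime_days)),
    }}


def remove_password_bodies(credentials, new_key_id: str) -> list:
    """Bodies for POST /applications/{id}/removePassword, one per old secret. Send them
    only after the service connection has been switched, so a pipeline never runs between
    a deleted old secret and a not-yet-configured new one."""
    return [{"keyId": c["keyId"]} for c in credentials if c["keyId"] != new_key_id]


def plan_rotation(application: dict, message: dict, now: datetime) -> dict:
    """Dry run of the password branch for one application."""
    creds = application["passwordCredentials"]
    due = rotation_due(creds, message["DaysBeforeExpire"], now)
    return {
        "due": due,
        "addPassword": add_password_body(message["LifeTimeInDays"], now) if due else None,
        # keyIds to remove once AzDO is switched; the new keyId is only known after
        # addPassword responds, so every currently existing keyId is listed here.
        "removeAfterSwitch": [c["keyId"] for c in creds] if due else [],
    }


if __name__ == "__main__":
    message = {"DaysBeforeExpire": 1, "LifeTimeInDays": 5}  # the two fields from the queue message
    print(plan_rotation(SAMPLE_APPLICATION, message, NOW))
```

With the sample data the longest-lived secret expires 12 hours after NOW, so DaysBeforeExpire: 1 triggers a rotation and the new secret is valid until 2024-03-05.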

⚡ Certificate credentials

  • If the service connection was created with certificate (PEM) based authentication:
    • The function generates a self-signed certificate.
    • It updates the Application in Azure AD, creating the certificate credential with the newly created certificate (essentially a self-signed PFX). Note: this operation removes the old certificate from the application in Azure AD, so the service connection does not work until the next step has completed.
    • It updates the Azure DevOps service connection to use the newly created certificate (through the PEM).
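The certificate branch above, as an added example (not the repository's code): building the keyCredentials entry Azure AD expects, the PATCH body that either replaces the old certificate (the behaviour described above) or keeps it alongside the new one until AzDO has been switched, and the certificate PEM for the service connection. It assumes the self-signed certificate has already been generated (with openssl, the cryptography package, or similar) and is available as DER bytes with its validity window. DER_PLACEHOLDER and EXISTING_KEY_CREDENTIALS are constructed filler, not a real certificate or tenant data, so the thumbprint computed from them is meaningless outside this demo.

```python
"""Certificate credential for the Azure AD application plus the PEM for Azure DevOps."""
import base64
import hashlib
import ssl

DER_PLACEHOLDER = b"\x30\x82\x01\x00" + b"\x00" * 16  # constructed, not a real X.509 DER

# Constructed sample of an application's existing keyCredentials as GET returns them.
EXISTING_KEY_CREDENTIALS = [
    {"keyId": "bbbbbbbb-0000-0000-0000-000000000001", "type": "AsymmetricX509Cert",
     "usage": "Verify", "customKeyIdentifier": "b2xkLXRodW1icHJpbnQ=",
     "displayName": "previous", "startDateTime": "2023-03-01T00:00:00Z",
     "endDateTime": "2024-03-01T00:00:00Z"},
]


def key_credential_from_der(der: bytes, not_before: str, not_after: str, display_name: str) -> dict:
    """One keyCredentials entry. Azure AD identifies the certificate by its SHA-1 thumbprint
    (customKeyIdentifier, base64) and stores the public certificate in key (base64 DER);
    the private key never goes to Azure AD."""
    return {
        "type": "AsymmetricX509Cert",
        "usage": "Verify",
        "key": base64.b64encode(der).decode("ascii"),
        "customKeyIdentifier": base64.b64encode(hashlib.sha1(der).digest()).decode("ascii"),
        "displayName": display_name,
        "startDateTime": not_before,
        "endDateTime": not_after,
    }


def key_credentials_patch(existing: list, new_credential: dict, keep_existing: bool) -> dict:
    """Body for PATCH /applications/{id}. The request replaces the whole keyCredentials
    collection, which is why sending only the new entry (keep_existing=False) drops the old
    certificate, as the README notes. Passing the existing entries through (keep_existing=True)
    keeps the old certificate valid until the AzDO service connection has been switched and
    closes the window in which a pipeline would fail to authenticate."""
    kept = list(existing) if keep_existing else []
    # avoid listing the same certificate twice if the rotation is re-run
    kept = [c for c in kept if c.get("customKeyIdentifier") != new_credential["customKeyIdentifier"]]
    return {"keyCredentials": kept + [new_credential]}


def certificate_pem(der: bytes) -> str:
    """Certificate half of the PEM pasted into the AzDO service connection; the private-key
    PEM comes from wherever the key pair was generated."""
    return ssl.DER_cert_to_PEM_cert(der)


if __name__ == "__main__":
    new = key_credential_from_der(DER_PLACEHOLDER, "2024-02-29T12:00:00Z",
                                  "2025-02-28T12:00:00Z", "azdo-rotation")
    print(key_credentials_patch(EXISTING_KEY_CREDENTIALS, new, keep_existing=False))
    print(certificate_pem(DER_PLACEHOLDER))
```

If the old certificate is kept during the switch, a second PATCH without it (or with keep_existing=False on the next run) removes it once the service connection is confirmed to work.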

📢 Important Notice: The Azure Function in this demo does nothing to secure its HTTP API endpoints (some of them are test/temporary endpoints). Either remove them or put your own authentication mechanism and a Web Application Firewall (WAF) in front of them. You must NOT deploy the Azure Functions with unauthenticated endpoints exposed to the public internet.

Details

The implementation is built around Managed Identities. The code offers, as a REST API, all the operations needed to manage application registrations and service principals in Azure Active Directory, and you can deploy it as Azure Functions.

Managed Identity and MS Graph permissions

After deploying it as Azure Functions, you need to make sure the Managed Identity is enabled and the Microsoft Graph application permissions are granted to that identity.

You can use the bash script examples in the setup-msi-permissions.sh file.
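What such a script has to do, shown as an added example that is not the repository's setup-msi-permissions.sh: a managed identity has no app registration, so the permission is granted as an appRoleAssignment on the identity's service principal, with Microsoft Graph's own service principal as the resource. The functions below look up the application-type app role by its value and build and send that assignment. GRAPH_SP_SAMPLE is a constructed stand-in for the Microsoft Graph service principal (its role ids are fake) so the lookup can run offline; the real document comes from GET /servicePrincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'.

```python
"""Grant the Function's managed identity the Application.ReadWrite.OwnedBy app role."""
import json
import urllib.parse
import urllib.request
from typing import Optional

GRAPH_BASE = "https://graph.microsoft.com/v1.0"
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"  # well-known appId of Microsoft Graph

GRAPH_SP_SAMPLE = {  # constructed; the real role ids are different GUIDs
    "id": "99999999-9999-9999-9999-999999999999",
    "appRoles": [
        {"id": "role-0001", "value": "Application.ReadWrite.All", "allowedMemberTypes": ["Application"]},
        {"id": "role-0002", "value": "Application.ReadWrite.OwnedBy", "allowedMemberTypes": ["Application"]},
        {"id": "role-0003", "value": "Directory.Read.All", "allowedMemberTypes": ["Application"]},
    ],
}


def find_app_role_id(graph_sp: dict, value: str) -> str:
    """Application permissions live in appRoles; delegated permissions live in
    oauth2PermissionScopes and cannot be assigned to a managed identity at all."""
    for role in graph_sp["appRoles"]:
        if role["value"] == value and "Application" in role["allowedMemberTypes"]:
            return role["id"]
    raise LookupError(f"Microsoft Graph exposes no application role named {value!r}")


def assignment_body(msi_object_id: str, graph_sp: dict, role_value: str) -> dict:
    """Body for POST /servicePrincipals/{msi_object_id}/appRoleAssignments."""
    return {
        "principalId": msi_object_id,   # object id of the Function's managed identity
        "resourceId": graph_sp["id"],   # object id of the Microsoft Graph service principal
        "appRoleId": find_app_role_id(graph_sp, role_value),
    }


def _call(token: str, method: str, path: str, body: Optional[dict] = None) -> dict:
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(GRAPH_BASE + path, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def grant(token: str, msi_object_id: str, role_value: str = "Application.ReadWrite.OwnedBy") -> dict:
    """Live version. The caller's token needs AppRoleAssignment.ReadWrite.All and
    Application.Read.All; an administrator's `az account get-access-token --resource-type ms-graph`
    works. For an application permission this assignment is the admin consent."""
    query = urllib.parse.urlencode({"$filter": f"appId eq '{GRAPH_APP_ID}'"})
    graph_sp = _call(token, "GET", f"/servicePrincipals?{query}")["value"][0]
    return _call(token, "POST", f"/servicePrincipals/{msi_object_id}/appRoleAssignments",
                 assignment_body(msi_object_id, graph_sp, role_value))
```

Choosing Application.ReadWrite.OwnedBy rather than Application.ReadWrite.All is the least-privilege option: the Function can then only touch applications it owns, which is also why the identity has to be added as an owner of each application it rotates.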

Then you can use the Azure Function's REST endpoints to orchestrate your workflows for managing app registrations and service principals.

Examples

Example payload schemas and REST endpoints can be found in example.http.

Contribution

You are more than welcome to contribute to the repository! 🥂

License

This is under the MIT license; you are free to use and modify the code any way you want. Of course, I would appreciate an acknowledgement if this code helped you. That surely motivates me and makes my day!

Enjoy!

Contributors

moimhossain, zenulous
