Greetings to my fellow Technology Advocates and Specialists.
In this Session, I will demonstrate How to Automate App Management with AAD Graph and DevOps.
I had the Privilege to talk on this topic in ONE Azure Community:-
NAME OF THE AZURE COMMUNITY | TYPE OF SPEAKER SESSION
Azure Back to School 2023   | Virtual
EVENT ANNOUNCEMENTS:-
THIS IS HOW IT LOOKS:-
AUTOMATION OBJECTIVES:-
1. Validate if the Resource Group and the Key Vault residing in it exist.
2. Validate if the App Registration already exists. If not, the App Registration will be created.
3. Secret will be generated and stored in Key Vault.
4. Set Redirect URI and Enable ID Token.
5. Set Token Configuration - Optional Claims.
6. Set Token Configuration - Groups Claim.
7. Set Microsoft Graph API Permissions.
8. Create App Roles.
9. Set App Owners.
IMPORTANT NOTE:-
The YAML Pipeline is tested on WINDOWS BUILD AGENT Only!!!
REQUIREMENTS:-
Azure Subscription.
Azure DevOps Organisation and Project.
Service Principal with Required RBAC (Contributor) applied on Subscription or Resource Group(s).
Azure Resource Manager Service Connection in Azure DevOps.
Azure Tenant by type "Azure Active Directory (AAD)" with one of the Licenses: a.) Azure AD Premium P2, OR b.) Enterprise Mobility + Security (EMS) E5 license.
"Cloud Application Administrator" is required to create and configure App Registration.
"Global Administrator" PIM role is required to Grant Admin Consent to Microsoft Graph API Rights.
A test Azure Active Directory (AAD) user to add as an owner of the App.
Please change the values of the variables accordingly.
The entire YAML pipeline is built using Runtime Parameters and Variables. No values are hardcoded.
For all Permissions and Ids, please refer to the MS Documentation link.
PART #3:-
This is a Single Stage Pipeline - App_Registration_Setup_Configure (with 7 Pipeline Tasks):-
PIPELINE TASK #1:-
Validate Resource Group and Key Vault. If either Azure resource is not available, the Pipeline will fail.
Validate App Registration. If one with the same name already exists, the Pipeline will fail; otherwise the App Registration will be created and the generated secret will be stored in the Key Vault.
- stage: App_Registration_Setup_Configure
  jobs:
  - job: App_Registration_Setup_Configure
    displayName: App Registration Setup and Configure
    steps:
    - task: AzureCLI@2
      displayName: Validate and Create App
      inputs:
        azureSubscription: $(ServiceConnection)
        scriptType: ps
        scriptLocation: inlineScript
        inlineScript: |
          az --version
          az account set --subscription ${{ parameters.SubscriptionID }}
          az account show
          # Does a Service Principal with this display name already exist?
          # (-notcontains works whether az returns nothing, one name or several)
          $i = az ad sp list --display-name "${{ parameters.SPIName }}" --query "[].appDisplayName" -o tsv
          if ($i -notcontains "${{ parameters.SPIName }}") {
            # az group exists prints the string "true" or "false"
            $j = az group exists -n ${{ parameters.RGName }}
            if ($j -eq "true") {
              # The Key Vault must live in the validated Resource Group
              $k = az keyvault list --resource-group ${{ parameters.RGName }} --query "[].name" -o tsv
              if ($k -contains "${{ parameters.KVName }}") {
                # Create the App + Service Principal and capture only the generated secret
                $spipasswd = az ad sp create-for-rbac -n "${{ parameters.SPIName }}" --query "password" -o tsv
                az keyvault secret set --name ${{ parameters.SPIName }} --vault-name ${{ parameters.KVName }} --value $spipasswd
                echo "##################################################################"
                echo "Service Principal ${{ parameters.SPIName }} created successfully and the Secret Stored inside Key Vault ${{ parameters.KVName }} in the Resource Group ${{ parameters.RGName }}!!!"
                echo "##################################################################"
              }
              else {
                echo "##################################################################"
                echo "Key Vault ${{ parameters.KVName }} DOES NOT EXIST in Resource Group ${{ parameters.RGName }}!!!"
                echo "##################################################################"
                exit 1
              }
            }
            else {
              echo "##################################################################"
              echo "Resource Group ${{ parameters.RGName }} DOES NOT EXIST!!!"
              echo "##################################################################"
              exit 1
            }
          }
          else {
            echo "##################################################################"
            echo "Service Principal ${{ parameters.SPIName }} EXISTS and hence Cannot Proceed with Deployment!!!"
            echo "##################################################################"
            exit 1
          }
PIPELINE TASK #2:-
Set Redirect URI and Enable ID Token
For more details, please refer to the MS Documentation link.
    - task: AzureCLI@2
      displayName: Set Redirect URI & ID Token
      inputs:
        azureSubscription: $(ServiceConnection)
        scriptType: ps
        scriptLocation: inlineScript
        inlineScript: |
          # Look up the App Registration created in Task #1 by its display name
          $appid = az ad app list --display-name "${{ parameters.SPIName }}" --query "[].appId" -o tsv
          az ad app update --id $appid --web-redirect-uris ${{ parameters.RedirectURI }} --enable-id-token-issuance true
          echo "##################################################################"
          echo "Redirect URI is set and ID Token has been enabled successfully!!!"
          echo "##################################################################"
PIPELINE TASK #3:-
Token Configuration: Optional Claims
For more details, please refer to the MS Documentation link.
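The task below is an added example (not the author's pipeline task) showing how objectives 5 and 6 can be done in the same AzureCLI@2 style: it sets Optional Claims and the Groups Claim on the app created in Task #1 and verifies the result before reporting success. The claim names "email" and "upn" and the group type "SecurityGroup" are sample choices, and the parameter names are assumed to match the earlier tasks.

```yaml
# Added example, not the original pipeline: Token Configuration for the app.
- task: AzureCLI@2
  displayName: Set Optional Claims & Groups Claim
  inputs:
    azureSubscription: $(ServiceConnection)
    scriptType: ps
    scriptLocation: inlineScript
    inlineScript: |
      $appid = az ad app list --display-name "${{ parameters.SPIName }}" --query "[].appId" -o tsv
      if ([string]::IsNullOrWhiteSpace($appid)) {
        echo "App Registration ${{ parameters.SPIName }} NOT FOUND!!!"
        exit 1
      }
      # Optional claims are passed to az as a JSON document; writing it to a
      # temp file avoids PowerShell/CLI quoting problems with inline JSON.
      # "email" and "upn" are sample claims chosen for this example.
      $claims = @{
        idToken     = @(@{ name = "email"; essential = $false },
                        @{ name = "upn";   essential = $false })
        accessToken = @()
        saml2Token  = @()
      } | ConvertTo-Json -Depth 5
      $claimsFile = Join-Path $env:TEMP "optional-claims.json"
      Set-Content -Path $claimsFile -Value $claims -Encoding ascii
      az ad app update --id $appid --optional-claims "@$claimsFile"
      # Groups claim: emit the object IDs of the user's security groups.
      az ad app update --id $appid --set groupMembershipClaims=SecurityGroup
      # Read the configuration back so a silently failed update cannot pass.
      $idClaims = az ad app show --id $appid --query "optionalClaims.idToken[].name" -o tsv
      $grpClaim = az ad app show --id $appid --query "groupMembershipClaims" -o tsv
      if (($idClaims -notcontains "email") -or ($grpClaim -ne "SecurityGroup")) {
        echo "##################################################################"
        echo "Token Configuration for ${{ parameters.SPIName }} NOT applied as expected!!!"
        echo "##################################################################"
        exit 1
      }
      echo "##################################################################"
      echo "Optional Claims ($($idClaims -join ', ')) and Groups Claim ($grpClaim) set successfully!!!"
      echo "##################################################################"
```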
5. App Registration Secret stored successfully in Key Vault.
6. App Registration Token Configuration (Optional Claims and Groups Claims) was set up successfully.
7. App Registration API Permissions set correctly.
Note:- Global Administrator PIM role is required to Grant Admin Consent to the MS Graph API permissions added. After the Pipeline is executed, the Cloud Application Administrator needs to elevate to the Global Administrator PIM role to grant admin consent.
8. Below is how it looks after granting admin consent.
9. App Registration App Roles created successfully.