Category Archives: Uncategorized

How to Use Azure AD Privileged Identity Management PowerShell and Graph API

A while back I wrote a blog post on how you could download, install and use a separate Azure AD PIM PowerShell Module for managing Privileged Roles, https://gotoguy.blog/2018/05/22/getting-started-with-azure-ad-pim-powershell-module/. With the recent update of the AzureADPreview Module, the cmdlets for managing Privileged Roles are now included in the module, so there is no longer required to install a separate module for this.

In this blog post I will explain and show how these commands can be used.

Install or Update AzureADPreview Module

First you need to either install or update the AzureADPreview Module, so that you are running on version 2.0.2.27 or newer. The AzureADPreview Module can be installed from PowerShellGallery using Install-Module or Update-Module, and you can verify which version you have installed using Get-Module <modulename> –ListAvailable like this:

image

With that requirement out of the way we can proceed to look at the commands.

Privileged Role Management Commands

Currently in the AzureADPreview Module, there are 13 commands related to Privileged Roles:

Get-Command -Module AzureADPreview | Where-Object {$_.Name -like “*privileged*”}

image

The new cmdlets in AzureADPreview Module 2.0.2.27 are documented here, https://docs.microsoft.com/en-us/powershell/module/azuread/?view=azureadps-2.0-preview#privileged_role_management.

Note that some of the above commands are not in that documentation, all the new commands have a *MS* which means it is mapped to equvivalent Microsoft Graph API’s.

In the interest of this blog post, here is a quick explanation of each of the available commands:

  • Add-AzureADMSPrivilegedResource. Use this API to add a new azure AD MS privileged resource.
  • Close-AzureADMSPrivilegedRoleAssignmentRequest. Cancel a AzureADMSPrivilegedRoleAssignmentRequest.
  • Get-AzureADMSPrivilegedResource. Get azure AD MS privileged resource.
  • Get-AzureADMSPrivilegedRoleAssignment. Get role assignments for a specific provider and resource.
  • Get-AzureADMSPrivilegedRoleAssignmentRequest. Get role assignment request for a specific resource.
  • Get-AzureADMSPrivilegedRoleDefinition. Get role definitions.
  • Get-AzureADMSPrivilegedRoleSetting. Get role settings.
  • Open-AzureADMSPrivilegedRoleAssignmentRequest. Create a role assignment request.
  • Set-AzureADMSPrivilegedRoleAssignmentRequest. Update a role assignment request.
  • Set-AzureADMSPrivilegedRoleSetting. Update role setting.

The other 3 Privileged Role commands that are still available to use, but currently are not documented are:

  • Get-AzureADPrivilegedRole. List all Directory Roles available for Privileged Roles assignments.
  • Get-AzureADPrivilegedRoleAssignment. List active and eligable privileged role assignments.
  • New-AzureADPrivilegedRoleAssignment. Creates a new privileged role assignment for specified role and user.

Further on in this blog post I will provide some more examples and usage scenarios for the new Azure AD Privileged Role Management commands, and their equivalent Microsoft Graph API methods, but first something on the difference between Azure Resources and Azure AD, upcoming changes and current limitations in the PowerShell commands.

Azure Resources vs. Azure AD

As you might know, Azure AD PIM can be used for managing privileged role assignments to both Azure AD roles and Azure Resources:

image

The new PowerShell commands that follows the syntax verb-AzureADMSPrivilegedRole…. all require a parameter called ProviderId, which as per today only support “AzureResources”. This means that currently you can only use the new Azure AD PowerShell commands for managing PIM for Azure resources, not for Azure AD roles yet! I had this confirmed with the Microsoft Program Manager for Azure AD PIM, as you can see from the conversation https://twitter.com/stevemsft/status/1143977432690466816?s=20 and shown in the following image:

image

This is related to the following notice from the Azure AD PIM Microsoft Graph documentation, stating that Azure AD roles will move to the Azure resource API in the coming months:

image

As the new PowerShell commands are built on Microsoft Graph, this also means that they will not work for Azure AD roles until the move to the Azure resources API!

Explore Privileged Azure Resources

image

There are two commands for exploring and adding Privileged Azure Resources:

  • Get-AzureADMSPrivilegedResource –ProviderId AzureResources
  • Add-AzureADMSPrivilegedResource –ProviderId AzureResources

g-raph

Their equivalent Microsoft Graph API methods are (Beta endpoint only as per july 2019):

  • List: GET /privilegedAccess/azureResources/resources
  • Get: GET /privilegedAccess/azureResources/resources/{id}
  • Register: POST /privilegedAccess/azureResources/resources/register

Getting or listing Privileged Resources is based on that you have onboarded to Azure AD PIM for Azure Resources, as explained here: https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-discover-resources. You can also add a privileged resource by ExternalId, which I will show an example of later.

To get a list over all privileged Azure resources, just run:

Get-AzureADMSPrivilegedResource –ProviderId AzureResources

This will return a list (capped at max 200 results), with the Id, ExternalId, Type, DisplayName and more for each resource that have been registered to Azure AD PIM:

image

As mentioned above the list is capped at max 200 results, which is a Microsoft Graph limitation for this privileged resource API. You can use the –Top parameter to specify a lower number of returned results, like –Top 50,  but it will just ignore and cap at 200 if you for example type –Top 300.

So to return fewer results we can use the –Filter parameter which support Odata query. I have tried some different combinations, and not all will work as expected. Some examples of working filters:

Get-AzureADMSPrivilegedResource -ProviderId AzureResources -Filter “Type eq ‘resourcegroup'”

Get-AzureADMSPrivilegedResource -ProviderId AzureResources -Filter “Type eq ‘subscription'”

Get-AzureADMSPrivilegedResource -ProviderId AzureResources -Filter “DisplayName eq ‘elvsabootdiag001”

Get-AzureADMSPrivilegedResource -ProviderId AzureResources -Filter “startswith(DisplayName,’rg-‘)”

image

What I found DON’T work is filters for specific resource types like:

Get-AzureADMSPrivilegedResource -ProviderId AzureResources -Filter “Type eq ‘Microsoft.Compute/virtualMachines'”

..or any other specific resource type like Microsoft.Network/loadBalancers, Microsoft.Network/networkSecurityGroups, etc., which I find is a bit strange as I would like to filter on those as well.

If you know the specific resource id you can also get that privileged resource object directly:

Get-AzureADMSPrivilegedResource -ProviderId AzureResources –Id <resource id>

Lets compare this to the Microsoft Graph API methods, using Graph Explorer. To list all managed Azure Resources I run the GET /privilegedAccess/azureResources/resources like this:

image

Which pretty much returns the same list of resources and attributes as I did when running the PowerShell command. There is one important change though, and I mentioned earlier that the PowerShell command would only return max 200 results. In the Graph response I will receive a skip token from where if I run that I will get the next set of potentially 200 more results, and so on.

Graph can also handle filters of course, so lets try that. Here are some variations you can try out:

GET /privilegedAccess/azureResources/resources?$filter=type eq ‘resourcegroup’&$top=5

GET /privilegedAccess/azureResources/resources?$filter=displayName eq ‘rg-auth-dc’

GET /privilegedAccess/azureResources/resources?$filter=startswith(displayName,’rg-‘)

And if you want to get a specific resource with Graph, just specify the id like this:

GET /privilegedAccess/azureResources/resources/ad7327ba-50f4-4f03-a4ee-029f310b6775

Which will return the specific resource in the response:

image

Last, to add a resource as a managed resource to Azure AD PIM, using PowerShell can be done like this:

Add-AzureADMSPrivilegedResource -ProviderId AzureResources -ExternalId “/subscriptions/<your-subscription-id>”

And via Graph:

POST /privilegedAccess/azureResources/resources/register

Request Body:

{
“externalId”: “/subscriptions/<your-subscription-id>”
}

These commands are just to get a list of and adding managed Azure resources for Azure AD PIM, i the next parts we will look into actually managing assignments and settings.

Explore Role Assignments

image

The following command can be used for listing or getting specific role assignments for Azure resources:

  • Get-AzureADMSPrivilegedRoleAssignment –ProviderId AzureResources –ResourceId <resource id>

g-raph

The equivalent Microsoft Graph API methods:

  • List: GET /privilegedAccess/azureResources/resources/{resourceId}/roleAssignments
  • List: GET /privilegedAccess/azureResources/roleAssignments?$filter=resourceId+eq+'{resourceId}’
  • List (Mine): GET /privilegedAccess/azureResources/roleAssignments?$filter=subjectId+eq+'{myId}’
  • Get: GET /privilegedAccess/azureResources/resources/{resourceId}/roleAssignments/{id}
  • Get: GET /privilegedAccess/azureResources/roleAssignments/{id}?$filter=resourceId+eq+'{resourceId}’
  • Get (Mine): GET /privilegedAccess/azureResources/roleAssignments/{id}?$filter=subjectId+eq+'{myId}’

Now that seems a lot of different variations for Graph calls for the one PowerShell command, but as you will see later Graph can be a little more flexible in querying in different ways.

Lets see some samples for PowerShell first. Now we need to supply a resource id, that can be subscription object, a resource group object, any type of resource objects like virtual machines, virtual networks and so on, and even management group objects. So based on the commands previously shown in the blog post, we should be able to get out the resource id’s first, for example like this:

$myResource = Get-AzureADMSPrivilegedResource -ProviderId AzureResources -Filter “DisplayName eq ‘NetworkWatcherRG'”

Get-AzureADMSPrivilegedRoleAssignment –ProviderId AzureResources –ResourceId $myResource.Id

So this returns a list of role assignments for the specified resource, each assignment has its own id, as well as the ResourceId, the RoleDefinitionId (which role that has been assigned, like reader, contributor, owner, etc), SubjectId (which user, service principal, group, etc has been assigned the role). In addition we can get info on any linked eligible assignements, start and end time for assignements, assignment state and if the assignment is active or not, or if the type is inherited or assigned directly to the resource.

image

Basically the above command returns the same as this blade in the Azure Portal:

image

Explore and Manage Role Assignment Requests

image.png

The following command can be used for exploring and managing role assignment requests:

    • Get-AzureADMSPrivilegedRoleAssignmentRequest. Get role assignment request for a specific resource.
    • Open-AzureADMSPrivilegedRoleAssignmentRequest. Create a role assignment
      request.
    • Set-AzureADMSPrivilegedRoleAssignmentRequest. Update a role assignment
      request.
    • Close-AzureADMSPrivilegedRoleAssignmentRequest. Cancel a
      AzureADMSPrivilegedRoleAssignmentRequest.

g-raph

The equivalent Microsoft Graph API methods:

  • GET /privilegedAccess/azureResources/resources/{resourceId}/roleAssignmentRequests
  • GET /privilegedAccess/azureResources/roleAssignmentRequests?$filter=resourceId+eq+'{resourceId}’
  • GET /privilegedAccess/azureResources/roleAssignmentRequests?$filter=subjectId+eq+'{myId}’
  • GET /privilegedAccess/azureResources/roleAssignmentRequests/{id}
  • POST /privilegedAccess/azureResources/roleAssignmentRequests
  • POST /privilegedAccess/azureResources/roleAssignmentRequests/{id}/updateRequest
  • POST /privilegedAccess/azureResources/roleAssignmentRequests/{id}/cancel

Explore and Manage Role Definitions and Settings

image.png

The following commands can be used to get and manage role definitions and settings:

  • Get-AzureADMSPrivilegedRoleDefinition. Get role
    definitions.
  • Get-AzureADMSPrivilegedRoleSetting. Get role settings.
  • Set-AzureADMSPrivilegedRoleSetting. Update role
    setting.

g-raph

The equivalent Microsoft Graph API methods:

  • GET /privilegedAccess/azureResources/resources/{resourceId}/roleDefinitions
  • GET /privilegedAccess/azureResources/roleDefinitions?$filter=resourceId+eq+'{resourceId}’
  • GET /privilegedAccess/azureResources/resources/{resourceId}/roleDefinitions/{id}
  • GET /privilegedAccess/azureResources/roleDefinitions/{id}?$filter=resourceId+eq+'{resourceId}’
  • GET /privilegedAccess/azureResources/resources/<resourceId>/roleSettings
  • GET /privilegedAccess/azureResources/roleSettings?$filter=resourceId+eq+'<resourceId>’
  • GET /privilegedAccess/azureResources/roleSettings/{id}
  • PATCH /privilegedAccess/azureResources/roleSettings/{id}

Speaking at Experts Live Europe 2019

I’m very happy to announce that I will back speaking at Experts Live Europe 2019! I got 2 sessions to present this year, and I really look forward to go to Prague in November and be a part of this great community conference for the 7th time in a row! Read on for some more details, history and perspectives on why you should attend this conference also.

Experts Live Europe, SCU Europe & Me

This years event is the third edition under the name “Experts Live Europe”. Before that it was known as System Center Universe Europe, or just SCU Europe. The first edition of SCU Europe was in Bern, Switzerland, 2013. I went there because I wanted to attend a European based conference with focus on Datacenter Management after it was announced that Microsoft Management Summit (MMS) would be no more. I was immediately blown away by the community experience, great speakers and content. I made some contacts and friends I’m still happy to see and meet again today.

Of course I had to make it to the 2nd and 3rd editions of SCU Europe that were held in Basel, Switzerland, in 2014 and 2015. Speakers, sessions and community was as good or better as the first conference in Bern, and content was starting to focus more on Microsoft Cloud. Myself I was intrigued and motivated to be a bigger part of this community, and started submitting sessions proposals to be a speaker myself.

In 2016, SCU Europe moved out of Switzerland and to Berlin, Germany. And this year I was one of the speakers! I was so proud when the opening keynote video introduced this speaker from Norway, you can by the way see all those opening videos at https://www.expertslive.eu/history. The conference being in Berlin meant a much easier travel from Norway, and this time around I was able to bring some colleagues and customers along. We had a great time:

At the end of the 2016 conference it was announced that the name SCU Europe will be no more, from 2017 the conference would be named Experts Live Europe, being part of the Experts Live network of global community conferences (www.expertslive.org).

In 2017 we were back in Berlin and I was accepted as a speaker again :). Once again we traveled as a group of colleagues and customers, and had a great time enjoying the excellent content and community.

In 2018, after all 5 previous conferences had been in a city that started with the letter “B”, it was announced that Experts Live Europe 2018 was to be held in the beautiful city of Prague, Czech Republic. For the third time in a row I would be one of the Experts again. Prague is also easy to travel to from Norway so we once again went as a group.

And that brings us to 2019, where we go back to the excellent Prague Congress Center, 20-22nd of November! I’m once again very proud to be speaking at this great community conference, and my record of 100% attendance for every SCU/ExpertsLive Europe record is intact, 7th time in a row now :).

My Sessions

As previously mentioned, I will be delivering two sessions at this years Experts Live Europe. And for the first time I will hold a session together with the one and only Samuel Erskine. This session should be both informative and entertaining!

My session with Sam is titled “Same old System Center.. but how can we hook up the Cloud and make it hot again!”. As System Center 2019 was released earlier this year, and with updates from Ignite, we will look into how System Center 2019 can go from “same old, same old..” to integrating with the Azure Cloud Platform and make System Center hot again!

My second session is named “Manage Identity Lifecycle and Access Control with Azure AD Identity Governance”, in which we will focus on how to manage identity lifecycle and make sure users have the right access at every time using Identity Governance solutions in Azure AD.

You can see the complete agenda for all the sessions here: https://www.expertslive.eu/agenda.

Community Rocks!

The thing I love most with ExpertsLive Europe is the really strong community of experts, sponsors and attendees. Beside the sessions and pre-conference itself, a big part of the value of attending is getting to know new people, connect again with people you have met before, learn, discuss and ask questions, get answers and be followed up with the best of the MVP’s and Community leaders out there. I started out standing in the corner and slowly started interacting with the community members, and now feel I have made many friends and being part of this great community myself. I really want to say hi to you in Prague, either if you are attending one of my sessions or you see me in the expo area, at the VIP party or attendee party.

Hope to see you there, and if you’re still not signed up, you can still register at http://www.expertslive.eu!

Speaking at Evolve Conference!

I’m delighted to announce that I will be speaking at Evolve Conference in Birmingham, 21st of October! Evolve Conference is a free Microsoft 365 and Azure Conference, and if you live near or are able to travel to Birmingham on monday there is still time to register: https://www.evolveconf.co.uk/.

Evolve, previously known as UC Day UK, is a one day conference covering a range of interesting topics on Microsoft 365 and Azure, delivered by top notch speakers from UK and abroad.

I have been lucky enough to present at this event on 2 occasions before, and I have been blown away at both the amount of sponsors and attendants making this a great community event.

I will be presenting a session on “Mastering Azure AD B2B Guests”, which will provide you with all the info you need for taking control of B2B collaboration in your organization.

Hope to see you there, and please come and say hi if you do!

Using a Custom Domain Name for an Application Published with with Azure AD Application Proxy

This is a follow up post from an earlier blog post on how to Publish the Cireson Self Service Portal with Azure AD Application Proxy. Is this blog post I will show how to configure a custom domain name for the same published application.

Change External URL

From earlier I already have published this application with the external URL of https://selfservice-skillas.msapproxy.net. I will now change this to our own domain, like this:

As shown over, I now have to configure the public DNS zone for my domain, with a CNAME record as specified in the screenshot.

Upload SSL Certificate

Following that, I now need to upload a SSL certificate to work with the external URL. Either a Wildcard Cert or a Certificate with common name or subject alternative name containing the external URL can be used.

 

When uploading the certificate I will need the .pfx file and the password to access the private key:

After uploading, I can verify the certificate subject, thumbprint and expiry date:

Testing the External URL

I can now test the external URL, https://selfservice.skill.no.

If I’m already authenticated with Azure AD in this session I will be directed to the external URL, or else I will have to pre-authenticate first as I have configured that.

In the end, everything works as expected with the custom domain name: