Unable to find a management group - terraform - azure-active-directory

Any advice on additional troubleshooting steps for the below error?
Error: Management Group "00000000-0000-0000-0000-000000000000" was not found
with data.azurerm_management_group.current
on main.tf line 40, in data "azurerm_management_group" "current":
data "azurerm_management_group" "current" {
I am using a service principal with the Contributor role assigned to authenticate to Azure.
I have ensured the management group UUID set in the Terraform config points to the correct ID.
I have ensured that "Access management for Azure resources" is enabled in Azure Active Directory so that my user account can manage access to all Azure subscriptions and management groups in this tenant.
I know that the management group GET REST API throws errors when calls are made to Azure AD tenants with large resource hierarchies that would return a payload greater than 15 MB. However, I only have one root tenant management group in my tenant that I want to reference.
The data source is configured as:
data "azurerm_management_group" "current" {
# parent management group ID pulled in as a variable from terraform cloud using interpolation
name = var.parent_mg_id
}
The management group resource which will be created once the data source can be referenced is currently set as follows:
resource "azurerm_management_group" "az104-02-mg1" {
  display_name = "az104-02-mg1"
  # current subscription associated with the existing tenant, assigned to this management group
  subscription_ids = [data.azurerm_subscription.current.subscription_id]
  # existing root management group within the AAD tenant set as parent mg of the az-104 lab 2 management group
  # (the root group's own id; its parent_management_group_id is empty because the root has no parent)
  parent_management_group_id = data.azurerm_management_group.current.id
}
Thanks in advance!

I tried to reproduce the same issue in my environment and got the below results
I used the following script for the management groups and it worked for me.
vi vm.tf
provider "azurerm" {
features {}
}
data "azurerm_subscription" "current" {
}
resource "azurerm_management_group" "example_parent" {
display_name = "ParentGroup"
subscription_ids = [
data.azurerm_subscription.current.subscription_id,
]
}
resource "azurerm_management_group" "example_child" {
display_name = "ChildGroup"
parent_management_group_id = azurerm_management_group.example_parent.id
subscription_ids = [
data.azurerm_subscription.current.subscription_id,
]
}
Follow the below steps to execute the file:
terraform init
This initializes the configuration.
terraform plan
This creates an execution plan and previews the changes that Terraform plans to make to the infrastructure.
terraform apply
This creates or updates the infrastructure depending on the configuration.
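Added example, not part of the question or either answer above; resource, file and variable names are assumptions. Two points are worth checking against the original configuration. First, data.azurerm_management_group needs the Microsoft.Management/managementGroups/read permission at the group being read or at an ancestor; a Contributor assignment scoped to a subscription does not reach the tenant root group, so the lookup reports "not found" even when the ID is correct. The bootstrap part below is applied once by a user who holds User Access Administrator at the root scope (which is what enabling "Access management for Azure resources" grants) and gives the service principal the built-in Management Group Contributor role there. Second, the root group has no parent, so its parent_management_group_id attribute is empty; the child group should reference the root group's own id.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# Identity Terraform is currently authenticated as. Its tenant_id is also the
# name of the tenant root management group.
data "azurerm_client_config" "current" {}

data "azurerm_subscription" "current" {}

# Look up the tenant root management group by its name (the tenant ID).
data "azurerm_management_group" "root" {
  name = data.azurerm_client_config.current.tenant_id
}

# ---- bootstrap.tf (assumed file name) -----------------------------------
# Apply this part once, authenticated as a user who is User Access
# Administrator at the root scope. Management Group Contributor is enough to
# read the root group and to create child groups under it; Management Group
# Reader would suffice for the data source alone.
variable "terraform_sp_object_id" {
  description = "Object ID of the service principal that runs Terraform (assumed)"
  type        = string
}

resource "azurerm_role_assignment" "sp_mg_contributor" {
  scope                = data.azurerm_management_group.root.id
  role_definition_name = "Management Group Contributor"
  principal_id         = var.terraform_sp_object_id
}

# ---- main.tf (run as the service principal, after the bootstrap) ---------
resource "azurerm_management_group" "az104_02_mg1" {
  display_name = "az104-02-mg1"

  # The root group's own id, not its (empty) parent_management_group_id.
  parent_management_group_id = data.azurerm_management_group.root.id

  subscription_ids = [data.azurerm_subscription.current.subscription_id]
}
```

Keep the bootstrap and the day-to-day configuration in separate state files: the role assignment is a tenant-level privilege grant and should not be applied by the same identity it empowers.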

Related

Can Conditional AD access be used to restrict the access to azure portal to disallow users from a certain locations from accessing the portal?

I am a developer working for an EU-region customer and am based out of India.
Now, I don't want my Azure portal to be accessible directly from my browser, but I should be able to access it from an Azure VM provisioned in the EU region.
Can this be achieved using Azure AD Conditional Access?
Also, if possible, what are the different kinds of hardening methods that can be used to ensure no data leakage is possible by copying data from this VM to my local machine?
Yes, you can use Conditional Access policies to restrict access to the Azure Portal for users from specific locations.
Make sure to acquire at least an Azure AD Premium P1 license, which supports the Conditional Access feature.
I tried to reproduce the same in my environment and got the below results:
Create one named location by selecting your region, to exclude it from the block, like below:
Go to Azure Portal -> Azure Active Directory -> Security -> Conditional Access -> Named locations
You can also create a named location by specifying the IP addresses that you want to allow Azure Portal access from, like below:
Now create one Conditional Access policy by following the below steps:
Go to Azure Portal -> Azure Active Directory -> Security -> Conditional Access -> Policies -> New Policy
Enter the policy name and include the users/groups to which you want to apply the policy, like below:
In the "Cloud apps or actions" tab, make sure to select the Microsoft Azure Management app, like below:
In the Conditions tab, include all locations and exclude the named location that you created earlier, like below:
In Access controls, select Block access and create the policy, as below:
When users from other locations try to log in to the Azure Portal, they will get an error like below:
Reference: Conditional Access - Block access - Azure Active Directory | Microsoft
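Added example, not from the answer above: the same policy expressed with the hashicorp/azuread Terraform provider so it can be reviewed and version-controlled instead of clicked together. Because the developer signs in from India, a country-based named location would not help; the location to exclude is the public egress address of the EU VM, given here as a placeholder range. The target group, the break-glass account object ID, the CIDR and the resource names are assumptions. The well-known application ID 797f4846-ba00-4fd7-ba43-dac1f8f63013 is "Microsoft Azure Management", the same app the answer selects in the portal.

```hcl
terraform {
  required_providers {
    azuread = {
      source  = "hashicorp/azuread"
      version = "~> 2.0"
    }
  }
}

provider "azuread" {}

# Assumed: public egress address range of the EU jump-host VM (TEST-NET-3 placeholder).
variable "allowed_egress_cidrs" {
  type    = list(string)
  default = ["203.0.113.0/24"]
}

# Assumed: object ID of the Azure AD group containing the developers to restrict.
variable "target_group_object_id" {
  type = string
}

# Assumed: object ID of an emergency-access account that must never be locked out.
variable "break_glass_object_id" {
  type = string
}

resource "azuread_named_location" "eu_jumphost" {
  display_name = "EU jump host egress"
  ip {
    ip_ranges = var.allowed_egress_cidrs
  }
}

resource "azuread_conditional_access_policy" "block_mgmt_outside_jumphost" {
  display_name = "Block Azure management outside EU jump host"
  # Report-only first; switch to "enabled" after reviewing sign-in logs.
  state = "enabledForReportingButNotEnforced"

  conditions {
    client_app_types = ["all"]

    applications {
      # Microsoft Azure Management: portal, ARM, Azure CLI and Azure PowerShell.
      included_applications = ["797f4846-ba00-4fd7-ba43-dac1f8f63013"]
    }

    users {
      included_groups = [var.target_group_object_id]
      excluded_users  = [var.break_glass_object_id]
    }

    locations {
      included_locations = ["All"]
      excluded_locations = [azuread_named_location.eu_jumphost.id]
    }
  }

  grant_controls {
    operator          = "OR"
    built_in_controls = ["block"]
  }
}
```

Blocking the Microsoft Azure Management app covers CLI and PowerShell sign-ins as well as the portal, so the developer's laptop cannot bypass the policy with `az login`; only sessions whose public address falls in the excluded range get through.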

Unable to update Azure AD user property from SharePoint using @pnp/graph

I have created a SharePoint Framework web part using React. After that, I integrated @pnp/graph into that SPFx application. Also, I have submitted an API access permission request for my SPFx app.
I have fetched all users from the Azure AD group. Now, I need to update the currently logged-in user's properties in Azure AD. Below is my code snippet:
import { graph } from "@pnp/graph";
import "@pnp/graph/users"; // loads the users sub-module so graph.me is available (pnpjs v2 API)

public async UpdateCurrentUserProperties(companyName: string) {
  // PATCH /me with the changed property
  return await graph.me.update({
    companyName: companyName
  });
}
Below is the reference link,
https://pnp.github.io/pnpjs/graph/users/#update-current-user
I am facing the below error while updating the currently logged-in user profile properties under Azure AD.
Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration
Can anyone help me with the same?
The error "Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration" usually occurs if you are trying to update users that are synced from on-premises AD to Azure AD.
You have to update these users in the on-premises environment and then sync them to Azure.
To resolve the error, try changing it on the on-premises server and then sync it to Azure AD.
Please check whether your organization uses a hybrid environment; if those users are synced from AD, you have to manage them from on-premises Exchange.
Check whether you have granted the required API permissions.
You can refer to this similar case, which may give you some pointers.
For more detail, please find the links below:
azure - Set-AzureADuser failing - Stack Overflow
Unable to update the specified properties for on-premises mastered Directory Sync objects - Microsoft Q&A

Microsoft Graph API: Getting the users who are assigned to an Enterprise application

Is there a way to pull a list of users for a given Enterprise Application from MS Graph? I can see that the Azure portal is making this query:
https://main.iam.ad.ext.azure.com/api/ManagedApplications/{enterprise-app-id}/AppRoleAssignments
Thanks!
According to the document:
If the resource service principal is an application that has app roles
granted to users and groups, this will return all the users and groups
assigned app roles for this application.
You can use this API to list all users or groups assigned to the enterprise application:
https://graph.microsoft.com/beta/servicePrincipals/{id}/appRoleAssignedTo
You need to replace {id} with the Object ID of the service principal.

Add azure SQL Server login using terraform

Is it possible to add a user as Active Directory admin for an Azure SQL server using Terraform?
https://learn.microsoft.com/pt-br/azure/sql-database/sql-database-aad-authentication
I need this to enable users to authenticate with their company logins to a SQL server created using Terraform.
I've found this question:
Add azure SQL user with terraform
But it is not what I need; it creates a new user for a login. The Terraform docs regarding Azure do not document this action.
https://www.terraform.io/docs/providers/azurerm/r/sql_server.html
Please reference this link: Active Directory Admin for azurerm_sql_server:
Support for configuring Azure Active Directory Administrators for a SQL Server Database can be found in the azurerm_sql_active_directory_administrator resource.
azurerm_sql_active_directory_administrator:
Allows you to set a user or group as the AD administrator for an Azure SQL server.
Example usage:
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "example" {
  name     = "acceptanceTestResourceGroup1"
  location = "West US"
}

# Note: azurerm_sql_server and azurerm_sql_active_directory_administrator were
# deprecated in azurerm 3.x and removed in 4.0; new configurations should use
# azurerm_mssql_server instead.
resource "azurerm_sql_server" "example" {
  name                         = "mysqlserver"
  resource_group_name          = azurerm_resource_group.example.name
  location                     = azurerm_resource_group.example.location
  version                      = "12.0"
  administrator_login          = "4dm1n157r470r"
  # placeholder only: in real use pass the password in from a sensitive variable
  # or a Key Vault secret rather than committing it to the configuration
  administrator_login_password = "4-v3ry-53cr37-p455w0rd"
}

# Sets the identity Terraform runs as (from azurerm_client_config) as the
# Azure AD administrator of the server; pass a group's object_id to make a
# team the administrator instead.
resource "azurerm_sql_active_directory_administrator" "example" {
  server_name         = azurerm_sql_server.example.name
  resource_group_name = azurerm_resource_group.example.name
  login               = "sqladmin"
  tenant_id           = data.azurerm_client_config.current.tenant_id
  object_id           = data.azurerm_client_config.current.object_id
}
Hope this helps.
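Added example, not part of the answer above: the current azurerm provider replaces azurerm_sql_server and azurerm_sql_active_directory_administrator with azurerm_mssql_server, which carries the Azure AD administrator as a nested azuread_administrator block. With azuread_authentication_only = true the server is created without any SQL administrator login or password, so there is no secret to keep out of the configuration, and pointing the administrator at an Azure AD group rather than at the identity running Terraform keeps the deploying service principal from silently becoming the database admin. The group object ID, names and region are assumptions.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

data "azurerm_client_config" "current" {}

# Assumed: object ID of an Azure AD security group whose members administer the server.
variable "sql_admin_group_object_id" {
  type = string
}

resource "azurerm_resource_group" "example" {
  name     = "rg-sql-example"
  location = "West Europe"
}

resource "azurerm_mssql_server" "example" {
  name                = "sql-example-aad-only" # assumed; must be globally unique
  resource_group_name = azurerm_resource_group.example.name
  location            = azurerm_resource_group.example.location
  version             = "12.0"
  minimum_tls_version = "1.2"

  # No administrator_login / administrator_login_password: with
  # azuread_authentication_only = true the server has no SQL password login at all,
  # so company logins through Azure AD are the only way in.
  azuread_administrator {
    login_username              = "sql-admins"
    object_id                   = var.sql_admin_group_object_id
    tenant_id                   = data.azurerm_client_config.current.tenant_id
    azuread_authentication_only = true
  }
}
```

Individual users then connect with their Azure AD credentials; membership of the administrator group, not a shared SQL password, decides who can administer the server, and removing someone from the group revokes their access without touching the server.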

Can I Access the Azure AD tenant id in Terraform Resource

I am trying to build a Key Vault resource and associate to my service principal in azure. I am working through the required fields and I need to provide my Azure AD Tenant id where my service principal is registered. Is there an easy way to access this in a terraform file? Rather not use ENV vars.
Figured it out. Terraform has an option to generate a data object.
https://www.terraform.io/docs/providers/azurerm/d/client_config.html
main.tf file
data "azurerm_client_config" "current" {}
usage
tenant_id = data.azurerm_client_config.current.tenant_id
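Added example (not from the answer above) of the Key Vault the question describes, using the same data source for both tenant_id and the caller's object_id. When Terraform is authenticated as a service principal, object_id is that service principal's object ID, so the role assignment below grants it secret read access through Azure RBAC (enable_rbac_authorization = true) instead of an access_policy block; soft delete and purge protection are turned on so a compromised or mistaken identity cannot destroy secrets immediately. The vault name, resource group and region are placeholders.

```hcl
terraform {
  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.0"
    }
  }
}

provider "azurerm" {
  features {}
}

# tenant_id and object_id of whatever identity Terraform is authenticated as.
data "azurerm_client_config" "current" {}

resource "azurerm_resource_group" "kv" {
  name     = "rg-kv-example"
  location = "West Europe"
}

resource "azurerm_key_vault" "example" {
  name                       = "kv-example-0001" # assumed; must be globally unique
  location                   = azurerm_resource_group.kv.location
  resource_group_name        = azurerm_resource_group.kv.name
  tenant_id                  = data.azurerm_client_config.current.tenant_id
  sku_name                   = "standard"
  soft_delete_retention_days = 90
  purge_protection_enabled   = true
  # Use Azure RBAC role assignments on the vault instead of access_policy blocks.
  enable_rbac_authorization = true
}

# Grant the service principal running Terraform read access to secrets only.
# Use "Key Vault Secrets Officer" if it also needs to create or update secrets.
resource "azurerm_role_assignment" "sp_secrets_user" {
  scope                = azurerm_key_vault.example.id
  role_definition_name = "Key Vault Secrets User"
  principal_id         = data.azurerm_client_config.current.object_id
}
```

Because the role is scoped to the vault's own resource ID, the service principal gets no rights on other vaults, and the assignment shows up in the vault's IAM blade where it can be audited like any other role assignment.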
