Our current Proof of Concept makes use of Azure Logic Apps workflows to perform calculations and returns this result. Our client would like to monitor when and by who theseworkflows are called/triggered. Is this possible to do in Azure Monitor/Log Analytics/Application Insights?
From my own research it seems that the above Azure resources are only able to register when triggers happend with further diagnostics, but not which AD user triggered the action.
Any advice or knowledge sharing would be greatly appreciated!
Standard Azure Activity log contains information about who triggered the manual Logic App run. You can check it in the 'Activity log' section in the Azure portal. Here is how the typical event looks like for manual trigger activated by user in the Azure portal:
If you go into details of the event you will see the full JSON object containing information about the user, IP address from which user was logged and more. These activity logs can be forwarded to Log Analytics workspace for extended storage and analytics.
1: To Know when the logic app triggered, integrate the log analytics to Azure Logic App and follow the below process:-
we have enabled log analytics workspace while creating logic app.
Run logic app twice.
Added diagnostic setting in logic app as shown below.
Once added, go to Diagnostics in logic app.
You can view when the logic app was called using report below:
Reference link
2: To know who the users is/are accessed the logic app, integrate the app insights to Azure Logic App:-
Using application insights also we can view report for logic app.
If you are calling logic app through angular or any UI, you can configure app insights in code. In this way we can get details of user who run the logic app.
Related
I have web app written in react which is Single Page Application. Then I have back end API written in .NET core 3.1.
As I mentioned earlier I have web app written in react so this react web app has to call one more API to read some configs. This third application is also a API application written in .NET core 3.1. As soon as web app spins up, it will call this third APP and read configs like API URL of second application and other azure related details. Now this third API app should be protected. Only web app should access this app and not any other users.
So I am trying to find what are the best scenarios available in azure AD. Can someone help me to understand the possible scenarios to handle this?
What you seem to want to accomplish at the moment is for the web application to access the third API application. If this is the case, it is simple. The steps are as follows:
First, you need to expose the api of the third API application protected by Azure, which can be configured according to the following process
Azure portal>App registrations>Expose an API>Add a scope>Add a client application
Next, you need to define the manifest of api applications and grant application permissions to your client applications (this is the role permissions you define yourself, you can find it in My APIs when you add permissions). This is the process of defining the manifest.
This is to grant permissions for the client application (You can find your expose api permissions in My APIs.):
Finally, you need to obtain an access token using the client credential flow where no user is logged in:
Parse the token:
so as per you description It seems you want to permit only API application to access your third application.
One thing you can do you can create a user group and give acess to your API only and put application restricted to this group only.
See this hope it will help
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
My demo app uses Azure AD B2C. Since it's a B2C, new users can create their own account. When a new user joins, I want:
to event grid to start a Logic app
the logic app will grab some of the data update the CosmosDb containers
send an email to the new user
deliver a message that any subscriber can read
I'm stuck in the beginning because I can't find anything that it's related to Azure Active Directory. I can't find a tutorial or any information related to tha.
My question is to know whether event grid can even be used to react to users being created in Azure AD?
Thanks for helping.
I don't think this trigger can implement your requirement. As we can see it requires us to choose Resource Type, Resource Name... But users do not belong to resources, resources refer to storage, VM, keyvault and so on.
So for your question about
whether event grid can even be used to react to users being created in Azure AD
I think it can't be used to react to users being created in Azure AD.
I am trying to set up an authenticated webhook call from an Azure Event Grid Domain subscription to a web app service in the same tenant. I am able to do everything up to a certain point which is that I am trying to tie the authentication to a specific app role in the subscribing app. Currently, the authentication works, but I cannot seem to figure out how to include a specific role in the token that gets sent to the subscribing endpoint. It may be that it's more of a generic question on setting up an enterprise app registration (which event grid uses) with a configurable role for app registrations. My issue is that I know how to do it when there's an app registration, but in this case I only have an enterprise app.
I have followed the documentation, and this article seems to try to do the same thing, but I don't want to do it in powershell as we have an Identity-responsible who is going to do the actual work as well as me wanting to understand what happens behind the scenes.
https://learn.microsoft.com/en-us/azure/event-grid/secure-webhook-delivery
Does anybody know how to set up the event grid webhook authentication so it includes a specific role (most probably an app role defined in the manifest of the subscribing app's app registration)?
You are following correct way of configuring event subscription.
The role which you wants to add in application can be done as below -
Azure Portal>>All Services>>Subscription>>Select Subscription>>IAM Role>>Add Role assignment>>1.Select the role which he need 2. Assign access to Azure AD user or Service Principal 3. Select the application >> Save.
or
If need to assign some customise role you can create the custom role as below -
https://learn.microsoft.com/bs-cyrl-ba/azure/role-based-access-control/custom-roles?toc=%2Fazure%2Fvirtual-network%2Ftoc.json
Azure Active Directory to secure the connection between your Event Subscription and your webhook endpoint.
https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/event-grid/secure-webhook-delivery.md
I have an existing J2EE application which provides some specific features after logging in to the application.
I have to provide SSO to just ONE of the customer who logs into our application while the rest of the customers would still use the login page and login with their credentials.
I am planning to use OpenAM Fedlet act as SP deployed as a separate application in our container.
I need some help in understanding if i need a full blown OpenAM instance deployed within us. Please provide any insights if you may have on this .
You can use the fedlet as an SP for this user. The trick is identifying this particular user and initiating SSO for this person, and going to the login screen for everyone else.
We would like to connect a salesforce user to another salesforce user in another org without any user intervention from a service.
We have tried SAML Bearer Flow (using Remote Access Application) to connect to salesforce to retreive Access Token for one of our product. We are referring to the follwoing article.
http://help.salesforce.com/help/doc/en/remoteaccess_oauth_SAML_bearer_flow.htm
As referred by the SF article for this flow, it uses a previous user authorization to connect and retreive Token. In case the user (for whom Token is requested) has not already authorized the App, SF takes you to the Authorization page first and app will get the access token once app is authorized. This is working fine too. However it has this painful step of users authorizing the app before we can use this flow for the product. It would be good and simplified if this step can be done once for an org and the article does mentions that either User or Admin can authorize the app. However I am not able to find how an Admin can authorize the remote access application.
Does anyone knows and can guide how can an Admin authorize an App or is thre any other way we can achieve our requirement. Any thoughts will be really appreciated.
OAuth1 and OAuth2 require user intervention by design. Anything you do to defeat this would be circumspect and not best practice. You could make it easy on the user, but you will always have the initial "Authorize this app" message.
If you are trying to make it easy for the user to login to either org, then you may want to consider a hub-and-spoke SSO solution. See this doc.
If you are trying to pass information between two Salesforce instances, then you may want to consider Salesforce2Salesforce, or outbound workflow. However, this is done at system context, not user context.
If you want to maintain user context and security, you should consider the new Salesforce Canvas API. Canvas allows you to call an outbound service, and pass credentials to the service so that it can communicate back. There is no reason the foreign service could not be a Salesforce instance.