I'm using the Az modules in Powershell. I want to get the applications for my subscription ID.
Get-Context shows the SubscriptionID I want.
Get-AzAdApplication returns all of the applications for my company, 600K+ of them.
There doesn't seem to be any effective filtering on Get-AzAdApplication. The predecessor was Get-AzureAdApplication or Get-AzureRmAdApplication.
My goal is to scan the App registrations and validate the expiration of each of the service principals.
I need the ApplicationID to do that, but I can't seem to limit the query except by number of items returned. I don't really want to crawl through 600K applications.
Any idea if there is a way to proceed?
There is no relation between the subscription and your applications. You should query all applications in your tenant and get the application id and then after use Get-AzADAppCredential -ObjectId 35157fe1-6ce8-47f6-9ea8-4d23afd4381d command. You can also use MS Graph to get the expiration date, appid using the below serviceprincipal endpoint.
https://graph.microsoft.com/v1.0/serviceprincipals?$select=appid,keyCredentials
Related
My company owns several (verified) facilities and using my company's email i can see those locations (business.google.com).
Now, my company would like to fetch the reviews in each location and present it in our company website. Before we're using the Google Place API but since it only returns the latest 5 reviews we opt to using Google My Business API to retrieve a location's complete reviews. We'd like our backend (PHP) to retrieve the reviews so using the same email I created a service account (console.developers.google.com/apis/credentials) because we don't need the end user to allow/interact anything when browsing our website.
Using postman (with my signed JWT) I have managed to get a valid access token
...that I use to retrieve the lists of accounts (mybusinessaccountmanagement.googleapis.com/v1/accounts) I could see the service account itself alone in the response.
Now, I tried calling the account locations api (mybusiness.googleapis.com/v4/accounts/{MY_ACCOUNT_ID_HERE}/locations) but it only returns and empty object response.
Can someone help me resolve this issue. Why my service account can't see the verified locations under my company's email. Is this even possible? Thank you.
Even that this is an older question - I run into the same issue calling the new Google My Business Information v1 API (getting empty results) using a service account.
It seems, that it is not recommended to use Service Accounts, I found this support article on Google: https://support.google.com/business/thread/8281160/cannot-get-access-to-gmb-locations-with-service-account-with-nodejs?hl=en
The "official" recommendation is to use OAuth.
But we finally made it using Service Account. The following steps are necessary to resolve it (at least for us it is working now):
Add a project in Google Cloud Platform
Add and enable the Account Management and Business Information API's.
Add the service account and generate a key (https://developers.google.com/identity/protocols/oauth2/service-account#creatinganaccount)
Make the Business Profile API request (you need the approval made by Google to be able to make requests against the two API's; otherwise you may run into quota exceeds as "Request per minute" is set to 0 by default). Important: It may take up to 2 weeks until, but we received the approval within about 5 days
Enable domain-wide delegation for the service account using the scope "https://www.googleapis.com/auth/business.manage". More about domain-wide-delegation: https://developers.google.com/identity/protocols/oauth2/service-account#delegatingauthority)
Add a user identity in GCP. This user also needs to be added in Google My Business for editing locations. When creating your ServiceAccountCredential object, impersonate this user.
Security concerns:
Domain-wide-delegation enables that everyone knowing/having the credentials of the service account could impersonate any person (identity) from withing GCP. At least in this case only for Business Profile API, but anyway, keep this in mind.
Also using private keys for authenticating the service account is not recommended, you should be aware to regularly change / create a new private key or there would be a solution with Identity Workload.
Hope this helps everyone facing the challenge with GMB / GCP / service accounts :-)
I'm trying to build functionality into my app for 'admins' to assign users from their AD group to certain groups that are further assigned to app-specific roles. Basically a simple management component.
Adding the user with the oid to a group is easy, the problem I'm facing is finding the actual user.
Currently, the only option I'm seeing is making multiple api requests to v1.0/users (999 items max) and grouping them all in memory and then provide a simple search function to narrow it down.
I have also used the v1.0/me/people endpoint to search for users but this does not reveal all users from the AD group, just relevant users they deal with, so not too useful.
Is there any other api endpoint I could tap into to do a search ONLY on members of the same active directory?
Using the startsWith filter on multiple properties is probably the closest we can get to user search in MS Graph at the moment:
https://graph.microsoft.com/v1.0/users?$filter=startswith(displayName,'sarah') or startswith(givenName,'sarah') or startswith(surname,'sarah') or startswith(mail,'sarah') or startswith(userPrincipalName,'sarah')
Ended up switching to the old AD Graph API and implementing a query on the endpoint as follows:
https://graph.windows.net/{ tenant ID }/users?api-version=1.6&$select=mail,displayName,objectId,givenName,surname&$filter=startswith(givenName,'SEARCH TERM') or startswith(surname,'SEARCH TERM')
If a function receives 1 single param, it will search for that parameter in both givenName and surname but you could configure this to search accross any other supported fields.
You could also completely ditch the $select= completely to get the whole data. I didn't want the clutter though and those keys are enough for me.
Instead of going with startswith You may get better experience using search keyword:
https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=http#example-6-use-search-to-get-users-with-display-names-that-contain-the-letters-wa-including-a-count-of-returned-objects
I have a SaaS system using Azure AD and multitenant access. This records the issuer, in the format https://sts.windows.net/xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx/ and an objectidentifier ID.
The portal I'm using insists on seamless trials, so for trial users I can't show a box to collect emails etc. When people later sign up this is collected.
In the initial version I screwed up and didn't collect user names/emails addresses, so I can't warn such users their trials are terminating. I've now fixed this and record the Principal.Identity.Name, which contains an email, every initial sign on.
This leaves me with a bunch of people I have no emails for.
Using what I've got, and maybe powershell or the Graph API, how do I get the names/emails?
What is the recommended way to provide Bigquery access to end users?
We have a multitenant application for appengine where each company has its own namespace in Datastore. We can ingest data from these individual namespaces into BigQuery and run various reports.
We would like to let our users to be able to run queries in their respective BigQuery projects. What is the best way to achieve this?
Possible options:
user sends query to appengine, which passes it to his BigQuery project and returns reply
user sends query to BigQuery directly. The question here, how is the best to faciliate this?
some other way?
My favorite is "user sends query to BigQuery directly. The question here, how is the best to faciliate this?":
BigQuery supports sharing datasets with specific individuals. So you could load each table into its own dataset, and then share that dataset with the individual customers (or even with groups).
You can do this manually on the web UI or, via the REST API:
access[].domain A domain to grant access to. Any users signed in with the domain specified will be granted the specified access. Example: "example.com".
access[].groupByEmail A fully-qualified email address of a mailing list to grant access to. This must be either a Google Groups mailing list (ends in #googlegroups.com) or a group managed by an enterprise version of Google Groups.
access[].userByEmail A fully qualified email address of a user to grant access to. For example: fred#example.com.
access[].role READER, WRITER, OWNER
https://developers.google.com/bigquery/docs/reference/v2/datasets/update
I have an Account entity that has a facebook id.
Sometimes, the client might send all facebook ids (the clients facebook friends) to the server.
We want to select all Accounts IN the facebook ids the client provided.
Looping and calling get on each facebook id seems rather slow, considering people might have 1000+ friends. Further more, GAE is limited to 30 queries with IN clause.
Has anyone had a similar situation? How did you handle it?
Thanks!
You can set up a model that uses the facebook ID as a key which allows you to use Model. get_by_key_name(key_names=fb_ids) to fetch all the models with keys in fb_ids at once.
e.g.
class FBModel(db.Model):
account = db.ReferenceProperty(reference_class=Account)
When creating the model:
model = FBModel(key_name=fb_id)