Does anybody know how to setup ARM Template to keep "Allow access to Azure services" switch be turned OFF by default?
Here is what I currently have
"resources": [
{
"name": "[parameters('serverName')]",
"type": "Microsoft.Sql/servers",
"location": "[parameters('location')]",
"apiVersion": "2014-04-01-preview",
"properties": {
"administratorLogin": "[parameters('administratorLogin')]",
"administratorLoginPassword": "[parameters('administratorLoginPassword')]",
"version": "[parameters('serverVersion')]"
},
"tags": {
"deploymentVersion": "[parameters('deploymentVersion')]",
"deploymentType": "[parameters('deploymentType')]"
},
"resources": [
{
"apiVersion": "2014-04-01-preview",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('serverName'))]"
],
"location": "[parameters('location')]",
"name": "AllowAllWindowsAzureIps",
"properties": {
"endIpAddress": "0.0.0.0",
"startIpAddress": "0.0.0.0"
},
"type": "firewallrules"
}
]
} ]
Just modify endIpAddress and startIpAddress to 255.255.255.255. Like below:
{
"apiVersion": "2014-04-01-preview",
"dependsOn": [
"[concat('Microsoft.Sql/servers/', parameters('serverName'))]"
],
"location": "[parameters('location')]",
"name": "AllowAllWindowsAzureIps",
"properties": {
"endIpAddress": "255.255.255.255",
"startIpAddress": "255.255.255.255"
},
"type": "firewallrules"
}
Just remove the nested resources section. Then the sql will deploy without that checkmark. Redeploying won't remove the rule, but deploying a new sql will work.
My experience is when you use the name AllowAllWindowsAzureIps for a firewall resource type then it will ignore what range you specifiy in properties and just turn Allow Access to Azure Services flag on.
If you want to not have it enabled then don't include a resource with that name in your template.
Here is a bicep example:
resource sqlServer 'Microsoft.Sql/servers#2022-02-01-preview' = {
name: name
location: location
tags: tags
properties: {
administratorLogin: sqlAdministratorLogin
administratorLoginPassword: sqlAdministratorLoginPassword
version: '12.0'
}
}
resource allowAccessToAzureServices 'Microsoft.Sql/servers/firewallRules#2020-11-01-preview' = {
name: 'allow-access-to-azure-services'
parent: sqlServer
properties: {
startIpAddress: '0.0.0.0'
endIpAddress: '0.0.0.0'
}
}
Related
Cannot authenticate user in MS Teams Bot.
Same works in "Test in webchat" properly:
Domain added to Teams manifest properly:
{
"$schema": "https://developer.microsoft.com/en-us/json-schemas/teams/v1.15/MicrosoftTeams.schema.json",
"version": "1.0.0",
"manifestVersion": "1.15",
"id": "a0d93a07-2f63-4569-a651-cf3761859b28",
"packageName": "com.package.name",
"name": {
"short": "NewTest",
"full": ""
},
"developer": {
"name": "KUKA",
"mpnId": "",
"websiteUrl": "https://supportbotkuka.z6.web.core.windows.net/teams_ITSupport_about.html",
"privacyUrl": "https://supportbotkuka.z6.web.core.windows.net/teams_ITSupport_priv.html",
"termsOfUseUrl": "https://supportbotkuka.z6.web.core.windows.net/teams_ITSupport_terms.html"
},
"description": {
"short": "CS Logistics TEST app",
"full": "test app for CS Logistics"
},
"icons": {
"outline": "outline.png",
"color": "color.png"
},
"accentColor": "#FFFFFF",
"staticTabs": [
{
"entityId": "conversations",
"scopes": [
"personal"
]
},
{
"entityId": "about",
"scopes": [
"personal"
]
}
],
"bots": [
{
"botId": "99e82921-96c9-4ec1-83ab-bd05382abc96",
"scopes": [
"personal"
],
"isNotificationOnly": false,
"supportsCalling": false,
"supportsVideo": false,
"supportsFiles": true
}
],
"validDomains": [
"token.botframework.com"
],
"webApplicationInfo": {
"id": "1e04e5cd-88e1-4522-984d-2bba5e2d37eb",
"resource": "https://graph.microsoft.com/"
}
}
Also recreated AppService, AzureBot in Azure, and setup new Teams app with new manifest version via Developer Portal.
Installed the Teams app directly just form myself, as a personal app.
App registration redirect URIs:
Also the app registration works fine for other chatbots in our domain. Why not for this one?
Actually the only thing that needed to be changed was to add this line of code to the error handler adapter to the bot code: base.Use(new TeamsSSOTokenExchangeMiddleware(storage, configuration["ConnectionName"]));Add code to handle an access token.
And also to add method OnTeamsSigninVerifyStateAsync to Bot like in sso-quickstart sample.
{
"AWSTemplateFormatVersion": "2010-09-09",
"Description": "Installing CloudAuth Application in Ubuntu 18.04 LTS",
"Parameters": {
"secretname": {
"Type": "String",
"Description": "A descriptive name that helps you find your secret later"
},
"myuser": {
"Type": "String",
"Description": "Enter existing user name"
}
},
"Resources": {
"myaccesskey": {
"Type": "AWS::IAM::AccessKey",
"Properties": {
"UserName": {
"Ref": "myuser"
}
}
},
"mysecrets": {
"Type": "AWS::SecretsManager::Secret",
"Properties": {
"Name": {
"Ref": "secretname"
},
"SecretString": "{\"Access_Key\":\"${myaccesskey}\",\"Secret_Key\":\"${myaccesskey.SecretAccessKey}\"}"
}
}
}
}
From my understanding, you are trying to pass the Access Key and Secret Key to the secret string of Secrets manager resources.
Instead of using:
"SecretString":
"{"Access_Key":"${myaccesskey}","Secret_Key":"${myaccesskey.SecretAccessKey}"}"
Try the following format(Fn::Sub function):
SecretString: !Sub '{ "access_key": "${AccessKey}",
"secret_key": "${AccessKey.SecretAccessKey}" }'
I used the YAML format for the stack creation.
I have an Azure Logic App with a SQL Server connector through a On-Premise Data Gateway, the connection is made using SQL Server Authentication. It works fine from the Logic App Designer.
No details about the connection are stored in the ARM template of the SQL Server connection, so if I want to automate the deployment of the Logic App, I need to add some values to the ARM template. The documentation for this is really poor, even though I was able to write this template:
{
"type": "MICROSOFT.WEB/CONNECTIONS",
"apiVersion": "2018-07-01-preview",
"name": "[parameters('sql_2_Connection_Name')]",
"location": "[parameters('logicAppLocation')]",
"properties": {
"api": {
"id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', parameters('logicAppLocation'), '/managedApis/', 'sql')]"
},
"displayName": "[parameters('sql_2_Connection_DisplayName')]",
"parameterValues": {
"server": "[parameters('sql_2_server')]",
"database": "[parameters('sql_2_database')]",
"username": "[parameters('sql_2_username')]",
"password": "[parameters('sql_2_password')]",
"authType": "[parameters('sql_2_authtype')]",
"sqlConnectionString": "[parameters('sql_2_sqlConnectionString')]",
"gateway": {
"id": "[concat('subscriptions/', subscription().subscriptionId, '/resourceGroups/', parameters('dataGatewayResourceGroup'), '/providers/Microsoft.Web/connectionGateways/', parameters('dataGatewayName'))]"
}
}
}
}
But I can't find the correct value for the authType property corresponding to "SQL Server Authentication". The values windows and basic are accepted, but couldn't find the value for "SQL Server Authentication".
Can someone please tell me what's the value for the authType property corresponding to "SQL Server Authentication"?
Use following properties json inside your web api connection
"properties": {
"api": {
"id": "/subscriptions/<YourSubscriptionIDHere>/providers/Microsoft.Web/locations/australiaeast/managedApis/sql"
},
"parameterValueSet": {
"name": "sqlAuthentication",
"values": {
"server": {
"value": "SampleServer"
},
"database": {
"value": "WideWorldImporters"
},
"username": {
"value": "sampleuser"
},
"password": {
"value": "somepasssword"
},
"gateway": {
"value": {
"id": "/subscriptions/<subscriptionIDGoesHere>/resourceGroups/az-integration-study-rg/providers/Microsoft.Web/connectionGateways/<NameofTheGatewayHere>"
}
}
}
}
},
"location": "australiaeast"
That should do the trick
I am working on setting up my site authentication settings to use the AAD provider. Most of the template is respected. However, the unauthenticatedClientAction and allowedAudiences is not being properly assigned. I observe 'allow anonymous' and no 'allowed audiences' being assigned.
Please note that I was working with the ARM Template API 2018-02-01. This problem may still exist due to the documentation, if you provide an answer, please note the ARM Template version it addresses.
Additionally, create an issue for the ARM documentation team to correct any issues.
Here is my template segment for these settings. It is nested under resources in my website template.
root > Microsoft.Web/Site > Resources
{
"type": "config",
"name": "web",
"apiVersion": "2016-08-01",
"location": "[parameters('app-location')]",
"dependsOn": [
"[resourceId('Microsoft.Web/sites', variables('web-site-name'))]"
],
"properties": {
"siteAuthEnabled": true,
"siteAuthSettings": {
"enabled": true,
"unauthenticatedClientAction": "RedirectToLoginPage",
"tokenStoreEnabled": true,
"defaultProvider": "AzureActiveDirectory",
"clientId": "[parameters('web-aad-client-id')]",
"issuer": "[concat('https://sts.windows.net/', parameters('web-aad-tenant'))]",
"allowedAudiences": [
"[concat('https://', variables('web-site-name'), '.azurewebsites.net')]"
]
}
}
}
Template Validates
Deployment does not output any errors
Issues:
unauthenticatedClientAction is assigned allow anonymous not RedirectToLoginPage
allowedAudiences is not assigned any sites
What could be causing these issues? What could I have missed?
I got my answer after working with the fine people at Azure Support.
Please note that this solution targets API 2018-02-01 which was the current version at the time of this post.
This sub-resource is no longer a valid solution, while the endpoint may still recognize some of its fields, this is deprecated.
The new solution is to add the siteAuthSettings object to the main 'Microsoft.Web/site' properties and the siteAuthEnabled is no longer needed as siteAuthSettings.enable duplicates this functionality.
Updated ARM Template (removed other settings for brevity)
{
"name": "[variables('app-service-name')]",
"type": "Microsoft.Web/sites",
"location": "[parameters('app-location')]",
"apiVersion": "2016-08-01",
"dependsOn": [
"[variables('app-plan-name')]"
],
"properties": {
//... other app service settings
"siteAuthSettings": {
"enabled": true,
"unauthenticatedClientAction": "RedirectToLoginPage",
"tokenStoreEnabled": true,
"defaultProvider": "AzureActiveDirectory",
"clientId": "[parameters('web-aad-client-id')]",
"issuer": "[concat('https://sts.windows.net/', parameters('web-aad-tenant'))]",
"allowedAudiences": [
"[concat('https://', variables('web-site-name'), '.azurewebsites.net')]"
]
}
}
}
As suggested by #Michael, the siteAuthSettings object must be added to the siteConfig object, not just under the root properties object.
{
"apiVersion": "2019-08-01",
"name": "[variables('webAppName')]",
"type": "Microsoft.Web/sites",
"kind": "app",
"location": "[resourceGroup().location]",
"dependsOn": [
"[resourceId('Microsoft.Web/serverfarms', variables('appServiceName'))]"
],
"properties": {
...
"siteConfig": {
"siteAuthSettings": {
"enabled": true,
"unauthenticatedClientAction": "RedirectToLoginPage",
"tokenStoreEnabled": true,
"defaultProvider": "AzureActiveDirectory",
"clientId": "[parameters('clientId')]",
"issuer": "[concat('https://sts.windows.net/', parameters('tenantId'), '/')]"
}
}
}
}
The other solutions given only apply when using the classic authentication experience (Authentication (Classic)). If you would like to use the new authentication experience, use below configuration:
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"resources": [
{
"apiVersion": "2019-08-01",
"name": "[variables('webAppName')]",
"type": "Microsoft.Web/sites",
"kind": "app",
"location": "[resourceGroup().location]",
"resources": [
{
"type": "config",
"apiVersion": "2020-12-01",
"name": "authsettingsV2",
"location": "[resourceGroup().location]",
"dependsOn": [
"[concat('Microsoft.Web/sites/', variables('webAppName'))]"
],
"properties": {
"platform": {
"enabled": true,
"runtimeVersion": "~1"
},
"identityProviders": {
"azureActiveDirectory": {
"isAutoProvisioned": false,
"registration": {
"clientId": "[parameters('clientId')]",
"clientSecret": "[variables('clientSecret')]",
"openIdIssuer": "[concat('https://sts.windows.net/', parameters('tenantId'), '/v2.0')]"
},
"validation": {
"allowedAudiences": [
"https://management.core.windows.net/"
]
}
}
},
"login": {
"routes": {},
"tokenStore": {
"enabled": true,
"tokenRefreshExtensionHours": 72,
"fileSystem": {},
"azureBlobStorage": {}
},
"preserveUrlFragmentsForLogins": false,
"allowedExternalRedirectUrls": [],
"cookieExpiration": {
"convention": "FixedTime",
"timeToExpiration": "08:00:00"
},
"nonce": {
"validateNonce": true,
"nonceExpirationInterval": "00:05:00"
}
},
"globalValidation": {
"redirectToProvider": "azureactivedirectory",
"unauthenticatedClientAction": "RedirectToLoginPage"
},
"httpSettings": {
"requireHttps": true,
"routes": {
"apiPrefix": "/.auth"
},
"forwardProxy": {
"convention": "NoProxy"
}
}
}
}
]
}
]
}
I've created a service bus, topic, and subscription to that topic in Azure. I have a logic app that is triggered when a message arrives but I need to apply a filter (or rule?) to that subscription where it looks for a particular value in the message header before the logic app processes the message. I don't see anywhere in the logic app or in the Azure portal to create filters for the subscriptions. What mechanism exists to create a filter for a subscription?
How did you create your topic subscription? did you use ARM Templates?
When you are creating the Subscription, you can add a SqlFilter to the rule applied in the topic subscription.
The ARM Template below (taken from here) shows you how to add a SqlFilter to the Rule in a Topic Subsctiption
"resources": [{
"apiVersion": "[variables('sbVersion')]",
"name": "[parameters('serviceBusNamespaceName')]",
"type": "Microsoft.ServiceBus/Namespaces",
"location": "[variables('location')]",
"sku": {
"name": "Standard",
},
"resources": [{
"apiVersion": "[variables('sbVersion')]",
"name": "[parameters('serviceBusTopicName')]",
"type": "Topics",
"dependsOn": [
"[concat('Microsoft.ServiceBus/namespaces/', parameters('serviceBusNamespaceName'))]"
],
"properties": {
"path": "[parameters('serviceBusTopicName')]"
},
"resources": [{
"apiVersion": "[variables('sbVersion')]",
"name": "[parameters('serviceBusSubscriptionName')]",
"type": "Subscriptions",
"dependsOn": [
"[parameters('serviceBusTopicName')]"
],
"properties": {},
"resources": [{
"apiVersion": "[variables('sbVersion')]",
"name": "[parameters('serviceBusRuleName')]",
"type": "Rules",
"dependsOn": [
"[parameters('serviceBusSubscriptionName')]"
],
"properties": {
"filterType": "SqlFilter",
"sqlFilter": {
"sqlExpression": "StoreName = 'Store1'",
"requiresPreprocessing": "false"
},
"action": {
"sqlExpression": "set FilterTag = 'true'"
}
}
}]
}]
}]
}]
You need to add your filter using Sql like expressions in the properties member of the rules sub-resource
e.g.
"sqlExpression": "YourMessageProperty='YourExpectedValue'",
If you are not using ARM Templates, the Service Bus Explorer allows you to remove the default subscription rule and create a new one with your own SqlFilter.
HTH