REST API reference for Windows Store for Business - windows-store-apps

Does anyone have any experience using the REST API reference for Windows Store for Business (https://msdn.microsoft.com/en-us/library/windows/hardware/mt608306(v=vs.85).aspx)?
I'm trying to use it, but I'm having authorization issues. Does anyone know what needs to be passed over for authorization when using the API?

The Store for Business service relies on Azure Active Directory for authentication. The management tool must be registered as an Azure AD application within an organization tenant to authenticate against the Store for Business. For configuring your Azure AD application, you could refer to this document.
To learn more about Azure AD and how to register your application within Azure AD, here are some topics to get you started:
• Adding an application to Azure Active Directory - Azure Active Directory integration with MDM
• Accessing other Web applications and configuring your application to access other APIs - Integrating Applications with Azure Active Directory
• Authenticating to the Store for Business services via Azure AD - Authentication Scenarios for Azure Active Directory
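What the answer above amounts to in practice is the OAuth 2.0 client-credentials exchange: the registered Azure AD application presents its client id and secret to the tenant's token endpoint, asks for a token scoped to the Store for Business resource, and sends that token as a bearer credential on every API call. The script below is an added example, not code from the original post or from Microsoft's documentation; the tenant name, the client id/secret, the resource identifier `https://onestore.microsoft.com` and the API host `https://bspmts.mp.microsoft.com` are placeholders and assumptions, so check them against the current Store for Business documentation before use.

```python
"""Acquire an Azure AD access token for the Store for Business management
API with the OAuth 2.0 client_credentials grant and attach it as a bearer
token. Added example; the tenant, credentials, resource identifier and API
host below are assumed placeholders, not values from the original post."""
import json
import urllib.parse
import urllib.request

# Constructed placeholders: replace with your tenant and app registration.
TENANT = "contoso.onmicrosoft.com"
TOKEN_ENDPOINT = f"https://login.microsoftonline.com/{TENANT}/oauth2/token"
# Assumed resource (audience) identifier of the Store for Business API.
STORE_RESOURCE = "https://onestore.microsoft.com"
# Assumed API host for the management endpoints.
STORE_API_BASE = "https://bspmts.mp.microsoft.com"


def build_token_request(client_id: str, client_secret: str,
                        resource: str = STORE_RESOURCE) -> urllib.request.Request:
    """Build the POST to the Azure AD (v1) token endpoint.

    This is what has to be "passed over": the app registration's id and
    secret, exchanged for a token whose audience is the Store resource.
    The body is form-encoded, not JSON."""
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": resource,
    }
    body = urllib.parse.urlencode(form).encode("utf-8")
    return urllib.request.Request(
        TOKEN_ENDPOINT, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def parse_token_response(raw: bytes) -> str:
    """Extract the access token, or raise with the AAD error code when the
    tenant rejects the client (wrong secret, app not registered, ...)."""
    doc = json.loads(raw)
    if "access_token" not in doc:
        raise PermissionError(
            f"token request failed: {doc.get('error')}: "
            f"{doc.get('error_description', '')[:120]}")
    return doc["access_token"]


def build_store_request(path: str, token: str) -> urllib.request.Request:
    """Attach the token as an OAuth bearer credential on an API call."""
    return urllib.request.Request(
        STORE_API_BASE + path,
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/json"},
    )


def get_token(client_id: str, client_secret: str,
              opener=urllib.request.urlopen) -> str:
    """Full round-trip: POST the credentials and parse the token.

    `opener` is injectable so the flow can be exercised without network
    access; the default is urllib's real urlopen."""
    with opener(build_token_request(client_id, client_secret)) as resp:
        return parse_token_response(resp.read())


if __name__ == "__main__":
    # Live use (needs network and real credentials):
    #   token = get_token("<client_id>", "<client_secret>")
    #   req = build_store_request("/V1/Inventory", token)
    #   print(urllib.request.urlopen(req).read())
    req = build_token_request("<client_id>", "<client_secret>")
    print(req.full_url, req.data.decode())
```

Keep the client secret out of source control and rotate it on a schedule; an app registration that is missing the Store for Business permission, or that was never consented in the tenant, still gets a token from Azure AD but is rejected by the API, so check the API's error body separately from the token endpoint's.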

Related

My org wants to set up Azure Files and connect about 100 employees to it via SMB

What prerequisite services/subscriptions do I need to get to that point?
Right now, we have Azure AD Connect. Can that be used to authenticate users' access to the network shares of Azure Files?
I had to set up an Azure subscription first to access storage services. The Azure subscription did not show pricing because it was a trial subscription. I did not know whether it would be a per-user subscription or not.
Azure Files supports identity-based authentication for Windows file shares over Server Message Block (SMB) using the Kerberos authentication protocol through the following three methods:
• On-premises Active Directory Domain Services (AD DS)
• Azure Active Directory Domain Services (Azure AD DS)
• Azure Active Directory (Azure AD) Kerberos for hybrid user identities
For your use case where you want to use Azure AD Connect, you need to go with Azure AD Kerberos for hybrid user identities. You can find more information here: https://learn.microsoft.com/en-us/azure/storage/files/storage-files-identity-auth-azure-active-directory-enable?tabs=azure-portal
Here are details regarding a subscription in Microsoft Cloud: https://learn.microsoft.com/en-us/microsoft-365/enterprise/subscriptions-licenses-accounts-and-tenants-for-microsoft-cloud-offerings?view=o365-worldwide#subscriptions
Hope this helps. Please do let me know if you have further questions and I will be glad to assist you further. Thank you!

Is there a way to create a custom connector for other tenant?

I am looking for a way to create a custom connector for other tenants or as guests. Is there one?
A connector is a wrapper or a proxy around an API that interacts between Power Automate or Power Apps and the back-end service or data source.
The custom connector (API connector) enables you to connect your own web API (REST API) to Power Automate and Power Apps. To create a custom connector, first we need to enable authentication in Azure Active Directory, then register one of the APIs as a custom connector, and lastly connect to it in Power Automate.
Authentication in Azure Active Directory
First, you need to create an Azure Active Directory (AAD) application that performs the authentication when calling the API endpoint.
First create an App registration in Azure Active Directory.
Now, in the settings of the registered app, go to Required permissions and add the API.
For more detailed information check this Enable authentication in Azure Active Directory section of the Microsoft document.
Custom connector
After configuring the AAD Application we can now create the custom connector.
After clicking the Settings at the top of Power Automate web page, select custom connector.
Select Create custom connector, then Import an OpenAPI file.
On the Security page, provide the AAD information for the application and set the Resource URL.
For detailed information check this Create a custom connector section of the Microsoft document.

How do I create an Azure Dev Ops release to publish to another organisations tenant

I have created a web application as a private developer for a friend's company. All the code lives within my personal Azure DevOps portal and at present has a pipeline configured to build and a release configured to release to a web application within my Azure tenant.
How can I now create a new release pipeline so that the code will be published to a web application within the company's official Azure tenant?
We have created an Azure subscription and a web application using my friend's company's Office 365 account, but I somehow need to grant access or authorise my personal Azure DevOps portal to publish.
After a lot of searching and playing, it would seem there are many, many ways to do this. In the end I went down the route of adding my friend's work account to my Azure DevOps project so that they could create a service connection by authorising with their Office 365 account.
Once done I gained access to the subscription when creating the release.

Self service client_id and client_secret on azure developer portal

I'm doing some tests with Azure APIM and have already published an API on the developer portal. I have the docs, have it secured using OAuth2 with Azure AD with client_credentials flow. I can invoke this API from Postman and from the developer portal.
Unfortunately, the client_id and secret are set in the configuration and the developer cannot self-service them. Is there a way to do so instead of having to add them manually for each developer?
I was looking for something like this: https://tyk.io/docs/tyk-stack/tyk-developer-portal/portal-oauth-clients/
Azure APIM itself doesn't act as an identity provider like Tyk but instead uses Azure AD (or rather any OAuth 2.0 provider).
The configuration in the docs is primarily to get the Developer Portal Console (the one used to test APIs) to work. For the actual API calls, there is no configuration required.
The validate-jwt policy is what takes care of preauthorization of requests.
Since you are looking for the client credentials flow alone, you could simply expose a portal that can create the required app registrations on your Azure AD using the Microsoft Graph API and expose the client id/secret to your users.
The current developer portal doesn't support this as of today but is something you could contribute to if you wish.
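The self-service portal the answer above suggests boils down to three Microsoft Graph calls per developer: create an application object, create its service principal (without one the app cannot sign in with the client_credentials grant), and add a password credential whose `secretText` is returned exactly once. The code below is an added example, not code from the original post or from Azure API Management; the Graph caller token, the developer names and the naming scheme are assumptions, and the caller itself must hold `Application.ReadWrite.All` (or equivalent) on Graph.

```python
"""Self-service client credentials via Microsoft Graph: one app registration,
service principal and expiring secret per developer. Added example; the Graph
bearer token, developer names and naming scheme are assumptions."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"
CALL_LOG: list = []  # paths hit, useful for auditing and for the offline demo


def urlopen_transport(req: urllib.request.Request) -> bytes:
    """Real transport: send the request and return the response body."""
    with urllib.request.urlopen(req) as resp:
        return resp.read()


def _graph_post(transport, token: str, path: str, payload: dict) -> dict:
    """POST JSON to Graph. `transport(request) -> bytes` is injectable so the
    flow can be exercised offline with a fake."""
    req = urllib.request.Request(
        GRAPH + path, method="POST",
        data=json.dumps(payload).encode("utf-8"),
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"},
    )
    CALL_LOG.append(path)
    return json.loads(transport(req))


def provision_client(developer: str, graph_token: str, transport,
                     secret_days: int = 90) -> dict:
    """Create a client app for `developer` and return only what they need:
    the client_id (appId), the one-time-visible secret and its expiry."""
    app = _graph_post(transport, graph_token, "/applications", {
        "displayName": f"apim-client-{developer}",   # assumed naming scheme
        "signInAudience": "AzureADMyOrg",            # single tenant only
    })
    # The service principal is what actually signs in with client_credentials.
    _graph_post(transport, graph_token, "/servicePrincipals",
                {"appId": app["appId"]})
    end = (datetime.now(timezone.utc)
           + timedelta(days=secret_days)).replace(microsecond=0)
    cred = _graph_post(
        transport, graph_token, f"/applications/{app['id']}/addPassword",
        {"passwordCredential": {
            "displayName": f"self-service {developer}",
            # An expiry bounds the blast radius of a leaked or forgotten secret.
            "endDateTime": end.isoformat().replace("+00:00", "Z"),
        }})
    return {"client_id": app["appId"],
            "client_secret": cred["secretText"],
            "secret_expires": cred["endDateTime"]}


def fake_graph_transport(req: urllib.request.Request) -> bytes:
    """Constructed stand-in for Graph so the flow runs offline. Returns the
    shape of the real responses with placeholder identifiers."""
    path = req.full_url[len(GRAPH):]
    body = json.loads(req.data)
    if path == "/applications":
        return json.dumps({"id": "obj-0001", "appId": "11111111-2222-3333-4444-555555555555",
                           "displayName": body["displayName"]}).encode()
    if path == "/servicePrincipals":
        return json.dumps({"id": "sp-0001", "appId": body["appId"]}).encode()
    if path.endswith("/addPassword"):
        return json.dumps({"keyId": "key-0001", "secretText": "constructed-secret",
                           "endDateTime": body["passwordCredential"]["endDateTime"]}).encode()
    raise ValueError(f"unexpected Graph path {path}")


if __name__ == "__main__":
    # Live use: provision_client("alice", "<graph token>", urlopen_transport)
    print(provision_client("alice", "fake-token", fake_graph_transport))
```

The secret is shown to the developer once and never stored by the portal; the portal's own Graph token should come from a confidential client with only the application-write permission it needs, since anything that can create app registrations can also create credentials for any of them.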

How to protect the Backend API against calls other than Azure API Management

I have an ASP.NET Core REST API Service hosted on an Azure Web App. I own its source code and I can change it if required.
I am planning to publish REST API Service with Azure API Management.
I am adding Azure AD authentication to the Azure API Management front. So, the API Management front is secured. All the steps are described here.
All good so far. Here is the question (or challenge?):
Considering that my backend REST API Service is hosted on Azure and publicly accessible, how do I protect it against request calls other than the API Management calls?
How does the backend service know the identity and AAD group claims of the incoming call and access its claims?
A link to a code sample or online documentation would be a great help.
Update
While there are some overlaps with the following question:
How to prevent direct access to API hosted in Azure app service
... part of this question is still outstanding:
How does the backend service know the identity and AAD group claims of the incoming call and access its claims?
You can enable static IP restriction on your Web App to only allow incoming traffic from the public-facing VIP of your APIM service (keep in mind that in some specific scenarios the VIP may change and you will need to update the whitelist again).
Clients ==> AAD==> VIP APIM Service <==> (VIP APIM allowed) Web App
https://learn.microsoft.com/en-us/azure/app-service/app-service-ip-restrictions
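The App Service access restriction in the answer above is the control that keeps non-APIM traffic off the Web App. As an added example (not code from the original post or from the App Service documentation), the check below does the same allowlist comparison inside the backend as defence in depth: it catches the case the answer warns about, where the APIM VIP changes and the platform rule is stale, by logging rather than silently failing, and it shows the one caveat that matters for any IP-based check behind a proxy, namely that `X-Forwarded-For` is only trustworthy when the immediate peer is the platform front end. The VIP addresses are constructed placeholders.

```python
"""In-process source-IP allowlist for a backend meant to be reached only
through API Management. Added example; the APIM VIPs are constructed
placeholders and the request shape is generic (remote address + headers)."""
import ipaddress
from typing import Optional, Tuple

# Constructed placeholders: the APIM instance's public VIP(s). Keep this in
# configuration, not code, because the VIP can change (see the answer above).
APIM_VIPS = ["203.0.113.10/32", "2001:db8::10/128"]
ALLOWED = [ipaddress.ip_network(v, strict=False) for v in APIM_VIPS]


def client_address(remote_addr: str, x_forwarded_for: Optional[str],
                   trust_proxy: bool) -> str:
    """Choose the address to check.

    Only honour X-Forwarded-For when the request came in through a trusted
    front end (App Service sets the header, appending "ip:port" per hop);
    otherwise any caller could spoof the header to claim APIM's VIP."""
    if not (trust_proxy and x_forwarded_for):
        return remote_addr
    first = x_forwarded_for.split(",")[0].strip()
    if first.startswith("["):                 # "[v6addr]:port"
        return first[1:first.index("]")]
    if first.count(":") == 1:                 # "v4addr:port"
        return first.rsplit(":", 1)[0]
    return first                              # bare v4 or v6 address


def is_from_apim(addr: str) -> bool:
    """True if `addr` parses and falls inside one of the APIM VIP networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in ALLOWED)


def check_request(remote_addr: str, headers: dict,
                  trust_proxy: bool = True) -> Tuple[bool, str]:
    """Return (allowed, reason). Call this before any business logic and
    answer 403 on False; the reason is for the backend's own log."""
    addr = client_address(remote_addr, headers.get("X-Forwarded-For"), trust_proxy)
    if is_from_apim(addr):
        return True, f"source {addr} is an APIM VIP"
    # A deny here while APIM itself is failing means the VIP list is stale:
    # log the address so the allowlist (and the App Service rule) get updated.
    return False, f"source {addr} is not an APIM VIP; direct access denied"


if __name__ == "__main__":
    # Constructed sample requests.
    print(check_request("10.0.0.5", {"X-Forwarded-For": "203.0.113.10:51234"}))
    print(check_request("10.0.0.5", {"X-Forwarded-For": "198.51.100.7:443"}))
    print(check_request("10.0.0.5", {"X-Forwarded-For": "203.0.113.10"}, trust_proxy=False))
```

This check proves only where the request came from, not who the caller is; the identity and group claims the question still asks about have to travel from APIM to the backend by another channel (for example a token or headers that APIM sets after its own validation), which the answer above does not cover.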