Recommended way to automate deployment of Azure AD

Published 2020-02-06 16:42

What is the recommended way of automating the configuration of an Azure AD B2C instance, e.g. configuration of policies, application registrations, maybe even creating initial accounts?

  • Is it possible to use an ARM Template for it? If so, where can I find a quick-start sample?
  • Is it possible to do it programmatically, i.e. using PowerShell? If so, where can I find a sample?

Usage scenario: setting up either an ARM Template or Script to deploy (update) to several environments.

Thanks in advance, OliverB

4 answers
姐就是有狂的资本
Post 2 · 2020-02-06 17:21

Until the ability to do this is implemented, you just need to document the setup process in detail, with step-by-step instructions, and any scripts you can write (such as PowerShell scripts for registering an application with the Graph API).

Keep all these files in a separate module or folder in your project and under version control.

Once it can be automated (if ever), these files can be used as the foundation for the requirements of your auto-deployment-and-update module.

干净又极端
Post 3 · 2020-02-06 17:26

You can now use Microsoft Graph APIs to manage custom policies and policy keys. Please find the documentation for the custom policies API here and for policy keys here. You can find samples here.

Azure AD B2C supports PowerShell cmdlets for custom policies as of today.

Azure AD Preview module documentation

See medium blog

Root(大扎)
Post 4 · 2020-02-06 17:35

It is currently not possible to automate the creation of an AAD B2C tenant. You can follow this tutorial to create a B2C tenant:

Tutorial: Create an Azure Active Directory B2C tenant.

Since B2C custom policies went GA, there are some new AAD roles that allow some automation:

If you want to automate upload of custom policies (IEF policy), you can:

  1. Create a local user in the B2C Tenant with the B2C IEF Policy Administrator role.

  2. Create a native app registration

  3. Add Required Permissions for the previously created application registration

    Access directory as the signed in user

  4. Grant permissions

The Graph API (beta version) provides an endpoint to manage custom policies:

trustFrameworkPolicy resource type

Here is the script I am using to upload custom policies (Upload-B2C-CustomPolicies.ps1):

Param(
    [string] [Parameter(Mandatory = $true)] $b2cTenantName
    , [string] [Parameter(Mandatory = $true)] $graphAppId
    , [string] [Parameter(Mandatory = $true)] $userName
    , [string] [Parameter(Mandatory = $true)] $userPassword
    , [string[]] [Parameter(Mandatory = $true)] $filePaths
)

# Acquires a Graph access token with the resource owner password credentials grant
# (grant_type=password), using the local B2C account that holds the IEF Policy Administrator role.
function Get-Accesstoken {
    param (
        [string] [Parameter(Mandatory = $true)] $b2cTenantName
        , [string] [Parameter(Mandatory = $true)] $graphAppId
        , [string] [Parameter(Mandatory = $true)] $userName
        , [string] [Parameter(Mandatory = $true)] $userPassword
    )

    $accessTokenUrl = "https://login.microsoftonline.com/$b2cTenantName.onmicrosoft.com/oauth2/token"

    $body = @{
        grant_type = "password"
        resource   = "https://graph.microsoft.com"
        username   = "$userName"
        password   = "$userPassword"
        client_id  = "$graphAppId"
    }

    $response = Invoke-RestMethod `
        -Uri $accessTokenUrl `
        -Method Post `
        -ContentType "application/x-www-form-urlencoded" `
        -Body $body

    return $response.access_token
}

# PUTs the policy XML to trustFramework/policies/{id}/$value, which creates or replaces that policy.
function Set-Policy {
    param (
        [string] [Parameter(Mandatory = $true)] $policyUrl
        , [string] [Parameter(Mandatory = $true)] $accessToken
        , [string] [Parameter(Mandatory = $true)] $xml
    )

    $headers = @{
        "Authorization" = "Bearer $accessToken";
    }

    Invoke-RestMethod `
        -Uri $policyUrl `
        -Method Put `
        -Headers $headers `
        -ContentType "application/xml" `
        -Body $xml
}

Write-Host "Getting access token to call the graph api"
$accessToken = Get-Accesstoken -b2cTenantName $b2cTenantName -graphAppId $graphAppId -userName $userName -userPassword $userPassword

foreach ($filePath in $filePaths) {
    try {
        Write-Host "`nGetting file content from file path: $filePath"
        # -Raw reads the file as one string; -ErrorAction Stop turns a missing or unreadable
        # file into a terminating error so it lands in the catch block instead of being skipped.
        $xml = Get-Content $filePath -Raw -ErrorAction Stop
        [xml]$xmlDoc = $xml
    }
    catch {
        # Azure Pipelines logging format; return at script scope stops the whole script on the first bad file.
        Write-Host "##vso[task.logissue type=error;]$filePath is an invalid xml file."
        return
    }

    # The policy id is the PolicyId attribute of the TrustFrameworkPolicy root element.
    $policyId = $xmlDoc.TrustFrameworkPolicy.PolicyId
    $policyUrl = "https://graph.microsoft.com/beta/trustframework/policies/$policyId/`$value"

    Write-Host "Uploading policy with id: $policyId"
    Set-Policy -policyUrl $policyUrl -accessToken $accessToken -xml $xml
}

I execute the script like this:

.\Upload-B2C-CustomPolicies.ps1 `
  -b2cTenantName "my b2c tenant name" `
  -graphAppId "app id of the previously created app registration" `
  -userName "b2c local username with IEF policy admin role" `
  -userPassword "b2c local user password with IEF policy admin role" `
  -filePaths "full path of the TrustFrameworkBase.xml file", "full path of the TrustFrameworkExtension.xml file", "full path of the SignUpSignIn.xml file"
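
The script above uploads the files in whatever order they are passed. The Graph endpoint rejects a policy whose BasePolicy has not been uploaded yet, and each policy file carries the TenantId it was written for, so a deployment that targets several environments benefits from a pre-flight check. The following PowerShell is an added example, not the answer's script: it reads each file's PolicyId, TenantId and BasePolicy, refuses files written for a different tenant, and orders the set so every base policy comes before the policies built on it. The function names (Get-B2CPolicyInfo, Get-B2CPolicyUploadOrder, New-SamplePolicyFile), the tenant name contoso.onmicrosoft.com and the minimal sample policy files it writes to a temp folder are all constructed for this example.

```powershell
# Added example (not from the original answer). Function names, tenant name and the
# sample policy files are assumptions made for this example.

function Get-B2CPolicyInfo {
    param([Parameter(Mandatory = $true)] [string] $FilePath)

    # -Raw reads the file as one string; -ErrorAction Stop makes a missing file a
    # terminating error instead of silently yielding an empty document.
    [xml]$doc = Get-Content -Path $FilePath -Raw -ErrorAction Stop
    $policy = $doc.TrustFrameworkPolicy
    if (-not $policy) { throw "$FilePath has no TrustFrameworkPolicy root element." }

    # PolicyId and TenantId are attributes of the root; BasePolicy is an optional child element.
    $baseId = $null
    if ($policy.BasePolicy) { $baseId = [string]($policy.BasePolicy.PolicyId) }

    [pscustomobject]@{
        FilePath   = $FilePath
        PolicyId   = [string]($policy.PolicyId)
        TenantId   = [string]($policy.TenantId)
        BasePolicy = $baseId
    }
}

function Get-B2CPolicyUploadOrder {
    param(
        [Parameter(Mandatory = $true)] [string[]] $FilePaths,
        [Parameter(Mandatory = $true)] [string]   $ExpectedTenantId
    )

    $infos = @(foreach ($path in $FilePaths) { Get-B2CPolicyInfo -FilePath $path })

    $byId = @{}
    foreach ($info in $infos) {
        # A policy written for one tenant must not be pushed into another environment.
        if ($info.TenantId -ne $ExpectedTenantId) {
            throw "$($info.FilePath): TenantId '$($info.TenantId)' does not match target tenant '$ExpectedTenantId'."
        }
        if ($byId.ContainsKey($info.PolicyId)) {
            throw "PolicyId '$($info.PolicyId)' appears in more than one file."
        }
        $byId[$info.PolicyId] = $info
    }

    # Emit a policy only once its BasePolicy has been emitted; repeat until nothing is left.
    $ordered   = [System.Collections.Generic.List[object]]::new()
    $remaining = [System.Collections.Generic.List[object]]::new()
    foreach ($info in $infos) { $remaining.Add($info) }
    $emitted = @{}

    while ($remaining.Count -gt 0) {
        $progress = $false
        foreach ($info in $remaining.ToArray()) {
            if (-not $info.BasePolicy -or $emitted.ContainsKey($info.BasePolicy)) {
                $ordered.Add($info)
                $emitted[$info.PolicyId] = $true
                [void]$remaining.Remove($info)
                $progress = $true
            }
        }
        if (-not $progress) {
            # Every remaining policy refers to a base outside the set, or the chain is circular.
            $stuck = ($remaining | ForEach-Object { "$($_.PolicyId) -> $($_.BasePolicy)" }) -join ', '
            throw "Cannot order policies; BasePolicy missing from the set or circular: $stuck"
        }
    }
    return $ordered.ToArray()
}

function New-SamplePolicyFile {
    # Writes a minimal, constructed TrustFrameworkPolicy file: just enough structure for the checks above.
    param(
        [Parameter(Mandatory = $true)] [string] $Path,
        [Parameter(Mandatory = $true)] [string] $PolicyId,
        [Parameter(Mandatory = $true)] [string] $TenantId,
        [string] $BasePolicyId
    )
    $base = ''
    if ($BasePolicyId) {
        $base = "<BasePolicy><TenantId>$TenantId</TenantId><PolicyId>$BasePolicyId</PolicyId></BasePolicy>"
    }
    $xml = '<TrustFrameworkPolicy xmlns="http://schemas.microsoft.com/online/cpim/schemas/2013/06" ' +
           "PolicySchemaVersion=`"0.3.0.0`" TenantId=`"$TenantId`" PolicyId=`"$PolicyId`">$base</TrustFrameworkPolicy>"
    Set-Content -Path $Path -Value $xml -Encoding UTF8
}

# Demo with constructed files, deliberately listed in the wrong order (relying party first).
$tenant = 'contoso.onmicrosoft.com'   # placeholder tenant name
$dir = Join-Path ([System.IO.Path]::GetTempPath()) ("b2c-policy-order-" + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $dir | Out-Null
try {
    $rp       = Join-Path $dir 'SignUpSignIn.xml'
    $ext      = Join-Path $dir 'TrustFrameworkExtensions.xml'
    $baseFile = Join-Path $dir 'TrustFrameworkBase.xml'
    New-SamplePolicyFile -Path $rp       -PolicyId 'B2C_1A_signup_signin'            -TenantId $tenant -BasePolicyId 'B2C_1A_TrustFrameworkExtensions'
    New-SamplePolicyFile -Path $ext      -PolicyId 'B2C_1A_TrustFrameworkExtensions' -TenantId $tenant -BasePolicyId 'B2C_1A_TrustFrameworkBase'
    New-SamplePolicyFile -Path $baseFile -PolicyId 'B2C_1A_TrustFrameworkBase'       -TenantId $tenant

    $order = @(Get-B2CPolicyUploadOrder -FilePaths @($rp, $ext, $baseFile) -ExpectedTenantId $tenant)
    Write-Host "Upload order:"
    $order | ForEach-Object { Write-Host "  $($_.PolicyId)  <-  $($_.FilePath)" }
    # Hand the ordered paths to the answer's script: -filePaths $order.FilePath

    # A file written for another tenant is rejected before anything is uploaded.
    try {
        Get-B2CPolicyUploadOrder -FilePaths @($baseFile) -ExpectedTenantId 'other.onmicrosoft.com' | Out-Null
    } catch {
        Write-Host "Rejected as expected: $($_.Exception.Message)"
    }
}
finally {
    Remove-Item -Path $dir -Recurse -Force
}
```

Running the demo prints the three constructed policies base-first (TrustFrameworkBase, then TrustFrameworkExtensions, then signup_signin) even though they were passed relying-party-first, and then shows the tenant mismatch being refused. In a pipeline, pass `$order.FilePath` as the `-filePaths` argument of Upload-B2C-CustomPolicies.ps1 so the upload itself stays unchanged.
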
家丑人穷心不美
Post 5 · 2020-02-06 17:42

Is it possible to use an ARM Template? If so, where can I find a quick-start sample? Is it possible to do it programmatically, i.e. using PowerShell? If so, where can I find a sample?

Currently, it is not possible to manage B2C policies programmatically. That feature is currently under development. If this is important to you, you can vote for it in this Feedback Forum so that we can let you know when it is available for preview. The feature request for programmatically registering applications is in this Feedback Forum.

Additionally, if you want some samples for Azure B2C custom policies, you can refer to these samples.

Hope this helps!
