I want to list azure security center alerts using the python SDK.
I found this package:
https://pypi.org/project/azure-mgmt-security/
It must be included in the microsoft documentation:
https://learn.microsoft.com/en-gb/python/azure/?view=azure-python
https://github.com/Azure/azure-sdk-for-python
but I can not find any reference or example.
Does anyone know where I can find this information?
Best regards.
I can just give a rough reference.
After install the package azure-mgmt-security, you should use List method in the package, source code is here.
Here is the the doc on how to authentication.
Here is doc on how to get tenantId / client_id / key.
Here is my code:
from azure.mgmt.security import SecurityCenter
from azure.common.credentials import ServicePrincipalCredentials
subscription_id = "xxxx"
# Tenant ID for your Azure subscription
TENANT_ID = '<Your tenant ID>'
# Your service principal App ID
CLIENT = '<Your service principal ID>'
# Your service principal password
KEY = '<Your service principal password>'
credentials = ServicePrincipalCredentials(
client_id = CLIENT,
secret = KEY,
tenant = TENANT_ID
)
client = SecurityCenter(credentials=credentials,subscription_id=subscription_id,asc_location="centralus")
client.alerts.list()
Also, you can use List Alerts api with a http request in python.
As of today, February 2021, Microsoft again changed the way credentials are instantiated. Here is the current one:
from azure.identity import DefaultAzureCredential
# Acquire a credential object for the app identity. When running in the cloud,
# DefaultAzureCredential uses the app's managed identity (MSI) or user-assigned service principal.
# When run locally, DefaultAzureCredential relies on environment variables named
# AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, and AZURE_TENANT_ID.
credential = DefaultAzureCredential()
And it also changed the SecurityCenter signature, the credentials parameter was renamed to credential without the "s".
Full documentation here.
Related
We are working on our dev environment around Azure ML and Python.
As part of this, we are using azure-identity (DefaultAzureCredential) for authorization. This is going to either match a CLI credential or a "VSCode-logged-in" credential.
We would programatically like to know which user (identified by email address or ID) is currently present. How would we do this?
from azure.identity import DefaultAzureCredential
credential = DefaultAzureCredential()
token = credential.get_token("https://management.azure.com/", scopes=["user.read"])
current_user_id = ???
Update 1
As suggested by #xyan I can deconstruct the token to retrieve information about user accounts:
import json
import base64
from azure.identity import DefaultAzureCredential
credential = DefaultAzureCredential()
token = credential.get_token("https://management.azure.com/", scopes=["user.read"])
base64_meta_data = token.token.split(".")[1].encode("utf-8") + b'=='
json_bytes = base64.decodebytes(base64_meta_data)
json_string = json_bytes.decode("utf-8")
json_dict = json.loads(json_string)
current_user_id = json_dict["upn"]
print(f"{current_user_id=}")
This works for user accounts, but not for service principals. In that case, it fails retrieving the token:
DefaultAzureCredential failed to retrieve a token from the included credentials.
Attempted credentials:
EnvironmentCredential: Authentication failed: ClientApplication.acquire_token_silent_with_error() got multiple values for argument 'scopes'
What would be a proper scope that could retrieve upn/oid for various types of clients?
You can try parse the token to get the client id, tenant id information.
Sample code:
https://github.com/Azure/azure-sdk-for-python/blob/main/sdk/identity/azure-identity/azure/identity/_internal/decorators.py#L38.
(I work in the Azure SDK team in Microsoft)
I am trying to migrate my simple python script that accesses an O365 email account using basic auth to modern auth:
Here's the current setup.
import exchangelib as exch
credentials = exch.Credentials('my_username', 'my_password')
configInfo = exch.Configuration(server='smtp.office365.com', credentials=credentials)
tz = exch.EWSTimeZone.localzone()
account = exch.Account(primary_smtp_address='my_email_address', config=configInfo, autodiscover=False, access_type=exch.DELEGATE)
It works fine. From here I can access items such as account.inbox to iterate emails, etc.
Moving to Azure Identity, my devops team assigned me the following:
a registered app in the Azure Portal
an app ID
an object ID
a tenant ID
a secret value ID
a secret key ID
an https://ps.outlook.com/ URL
I've run this...
pip install azure-identity
And now I can run this...
from azure.identity import DefaultAzureCredential
# Now what? A service client perhaps?
I'm at a loss as to what comes next. My goal is to authenticate using the IDs above, then create an account object as before, and continue processing. Can anyone help? Thank you.
I'm looking for a way to get access token from a client profile when working with Azure using Python.
from azure.common.client_factory import get_client_from_cli_profile
from azure.mgmt.compute import ComputeManagementClient
client = get_client_from_cli_profile(ComputeManagementClient)
From the code I get the client profile context but how can I get access token from it?
I could find the method to get the access token from a client profile, to get the access token, you could use the adal, use which method depends on your requirement.
For example, I get the access token of a service principal with the client credentials to access the Azure Management REST API, the given resource is https://management.azure.com/.
import adal
# Tenant ID for your Azure Subscription
TENANT_ID = 'xxxxxxx'
# Your Service Principal App ID
CLIENT = 'xxxxxxx'
# Your Service Principal Password
KEY = 'xxxxxxx'
subscription_id = 'xxxxxxx'
authority_url = 'https://login.microsoftonline.com/'+TENANT_ID
context = adal.AuthenticationContext(authority_url)
token = context.acquire_token_with_client_credentials(
resource='https://management.azure.com/',
client_id=CLIENT,
client_secret=KEY
)
print(token["accessToken"])
I am trying to use automation for the creation of Management groups. I will be using Python SDK, but I am having hard time understanding how we authenticate to Azure and generate some of these values.
I see the documentation shows how to create a group, but I can't find how to get the client value and then how to generate the credentials for this class. If there is a sample would be much appreciated
this shows how to authenticate against Azure using the Python SDK.
The way to authenticate to Azure, I suggest the Service Principal and it's easy to use.
And to create the Management groups, it's a little complex what you think. The Management groups are also the managed resources. So you just need to use the ResourceManagementClient in Python SDK azure.mgmt.resource, and the class ResourceGroupsOperations, the whole code here:
import os
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.resource import ResourceManagementClient
TENANT_ID = "xxxx"
CLIENT_ID = "xxxx"
KEY = "xxxx"
credentials = ServicePrincipalCredentials(
client_id = CLIENT_ID,
secret = KEY,
tenant = TENANT_ID
)
subscription_id = "xxxx"
client = ResourceManagementClient(credentials, subscription_id)
resource_group_params = {'location': 'eastus'}
resource_group = client.resource_groups.create_or_update('groupName', resource_group_params)
print resource_group
You can more details from ResourceGroupsOperations. Good Luck!
I am trying to authenticate azure using ADAL, I am following azure docs
https://learn.microsoft.com/en-us/python/azure/python-sdk-azure-authenticate?view=azure-python
I am getting error
msrest.exceptions.AuthenticationError: Get Token request returned http error: 401 and server response: {"error":"invalid_client","error_description":"AADSTS70002: Error validating credentials. AADSTS50012: Invalid client secret is provided.\r\nTrace ID: be8e6b37-71dc-4a03-a6d5-8c1ea0c91900\r\nCorrelation ID: 0c1cb916-3250-4176-be9e-d951b8ec7203\r\nTimestamp: 2018-12-21 11:03:22Z","error_codes":[70002,50012],"timestamp":"2018-12-21 11:03:22Z","trace_id":"be8e6b37-71dc-4a03-a6d5-8c1ea0c91900","correlation_id":"0c1cb916-3250-4176-be9e-d951b8ec7203"}
I am sure that i am using correct TENANT_ID CLIENT and KEY.
Here is my code from docs
import adal
from msrestazure.azure_active_directory import AdalAuthentication
from msrestazure.azure_cloud import AZURE_PUBLIC_CLOUD
from azure.mgmt.compute import ComputeManagementClient
# Tenant ID for your Azure Subscription
TENANT_ID = 'bef06fb1-f1d7-4b31-9a96-xxfx5xx5xbx2x7'
# Your Service Principal App ID
CLIENT = '8ce61571-35c4-43ce-94ae-7xx1xex2x5x9'
# Your Service Principal Password
KEY = 'SoafGHAvu2EyTdSvxWQo/1XnlKRoaf89eDuuQiCnptc='
subscription_id = '020dd0e6-f63c-4e76-825c-02faad1d8d18'
LOGIN_ENDPOINT = AZURE_PUBLIC_CLOUD.endpoints.active_directory
RESOURCE = AZURE_PUBLIC_CLOUD.endpoints.active_directory_resource_id
context = adal.AuthenticationContext(LOGIN_ENDPOINT + '/' + TENANT_ID)
credentials = AdalAuthentication(
context.acquire_token_with_client_credentials,
RESOURCE,
CLIENT,
KEY
)
client = ComputeManagementClient(credentials, subscription_id)
vmlist = client.virtual_machines.list_all()
for vm in vmlist:
print(vm.name)
`
I can reproduce your issue on my side, I think you did not give the role to your service principal at the subscription scope.
To fix the issue, you could try to navigate to your subscription -> Access control (IAM) -> Add role assignment -> Add a Owner role(for example) to your service principal.
Then it will work fine.
For more details about Azure RBAC, refer to this link.