List groups which have access to Enterprise application AzureAD RBAC - python

I'm trying to use the Graph REST API / Python for Azure AD.
I'm logged in with a service principal.
Is it possible to list users/groups which have access to an enterprise application?
If so: how?

Look in the REST API to see if you find what you need:
https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/api-catalog
If you don't find it, it's likely not possible. If you do find it, this REST API is exposed in Python by the azure-graphrbac package:
https://pypi.python.org/pypi/azure-graphrbac
https://learn.microsoft.com/python/api/overview/azure/activedirectory
If you find it in the REST API but not in the Python package, open an issue requesting support for the endpoint you need:
https://github.com/Azure/azure-sdk-for-python/issues
(I work on the Azure SDK for Python team at MS)

Thanks to @laurent-mazuel I found the problem: Navigation Properties are missing from the SDK.
Workaround:
From the documentation: the Service Principal entity has the navigation property appRoleAssignedTo. So the solution was to use the raw API endpoint as follows:
https://graph.windows.net/{tenant_id}/servicePrincipals/{service_principal}/appRoleAssignedTo/ and extend ServicePrincipalOperations in azure-sdk-for-python,
which returns AppRoleAssignment entities.
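The workaround above, as an added example (not code from the original post or from the azure-graphrbac SDK): it builds the raw appRoleAssignedTo URL, fetches it with a bearer token issued for the graph.windows.net resource, and groups the returned AppRoleAssignment entities by principal type so you can see which users, groups and service principals hold a role on the application. The api-version value and the sample response are assumptions.

```python
import json
import urllib.request

AAD_GRAPH = "https://graph.windows.net"


def app_role_assigned_to_url(tenant_id, sp_object_id, api_version="1.6"):
    """The raw AAD Graph navigation-property URL from the answer (api-version is an assumption)."""
    return (f"{AAD_GRAPH}/{tenant_id}/servicePrincipals/{sp_object_id}"
            f"/appRoleAssignedTo?api-version={api_version}")


def fetch_app_role_assigned_to(tenant_id, sp_object_id, access_token):
    """Single-page GET with a bearer token for the graph.windows.net resource (paging not handled)."""
    req = urllib.request.Request(
        app_role_assigned_to_url(tenant_id, sp_object_id),
        headers={"Authorization": f"Bearer {access_token}", "Accept": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp).get("value", [])


def summarize_assignments(entities):
    """Group AppRoleAssignment entities by principalType (User, Group, ServicePrincipal)."""
    by_type = {}
    for entity in entities:
        by_type.setdefault(entity.get("principalType", "Unknown"), []).append({
            "principalId": entity.get("principalId"),
            "displayName": entity.get("principalDisplayName"),
            "appRoleId": entity.get("id"),  # all-zero GUID means the app's default role
        })
    return by_type


# Constructed sample in the shape of an appRoleAssignedTo response (not a real tenant's data)
SAMPLE_RESPONSE = {
    "value": [
        {"objectType": "AppRoleAssignment", "id": "00000000-0000-0000-0000-000000000000",
         "principalType": "Group", "principalId": "11111111-1111-1111-1111-111111111111",
         "principalDisplayName": "Finance Team", "resourceDisplayName": "Payroll App"},
        {"objectType": "AppRoleAssignment", "id": "00000000-0000-0000-0000-000000000000",
         "principalType": "User", "principalId": "22222222-2222-2222-2222-222222222222",
         "principalDisplayName": "Alice Example", "resourceDisplayName": "Payroll App"},
    ]
}

if __name__ == "__main__":
    for kind, principals in summarize_assignments(SAMPLE_RESPONSE["value"]).items():
        print(kind, [p["displayName"] for p in principals])
```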

Related

Reading Outlook calendar events in Python

I need to get the events for the current day from a personal Outlook calendar. I have found next to no feasible resources online besides maybe Microsoft's tutorial (https://learn.microsoft.com/en-us/graph/tutorials/python), but I do not want to build a Django app. Can anyone provide some other resources?
Also: I have seen a lot of people calling APIs by using a GET <url> command. I cannot for the life of me understand how or where you can use this. Am I missing something crucial when it comes to using APIs?
First you should know that if you want to call the MS Graph API, you need to get the access token first and add it to the request header, like the screenshot below. What I showed in the screenshot is creating calendar events, but they're similar. Therefore, you can't avoid generating the token.
Then there are 2 ways in front of you: if you are writing a web app, you can follow this section to find a suitable sample for you, and if you are writing a daemon application, that means you need to use the client credentials flow here and you may refer to this section.
Anyway, whether you use the SDK or send HTTP requests to call the API, you need to choose a suitable flow to obtain the access token.
For this purpose, without calling the Microsoft Graph API via requests in Python, there is a PyPI package named O365.
By the following procedure you can easily read a Microsoft calendar:
install the package: pip install O365
register an application in the Microsoft Azure console and keep the application (client) id as well as the client secret; this article can help you.
check the signInAudience: it should be AzureADandPersonalMicrosoftAccount, not PersonalMicrosoftAccount, in the Microsoft Azure manifest; otherwise, you can edit it.
next you should set the delegated permissions to the scopes you want; in your case it's Calendars.Read. Here's a snapshot of my configuration in Azure:
Now it's time to dive into the code:
from O365 import Account

CLIENT_ID = "xxx"
CLIENT_SECRET = "xxx"
credentials = (CLIENT_ID, CLIENT_SECRET)
scopes = ['Calendars.Read']

account = Account(credentials)
# First run: interactive consent in the browser; the token is cached for later runs
if not account.is_authenticated:
    account.authenticate(scopes=scopes)
    print('Authenticated!')
schedule = account.schedule()
calendar = schedule.get_default_calendar()
events = calendar.get_events(include_recurring=False)
for event in events:
    print(event)
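To make the "GET <url>" point from the question and the token-in-header point from the first answer concrete, here is an added example (not code from either answer or from the O365 package): it builds the Graph calendarView request for one day with the bearer token in the Authorization header, and inspects an access token's claims to confirm it is a delegated token carrying the Calendars.Read scope rather than an app-only token. The constructed_token helper and its claims are made up here so the checks run offline.

```python
import base64
import json
import urllib.parse
import urllib.request
from datetime import date, datetime, time, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"


def calendar_view_url(day_iso):
    """Events for one UTC day ('YYYY-MM-DD'): calendarView requires both startDateTime and endDateTime."""
    start = datetime.combine(date.fromisoformat(day_iso), time.min, tzinfo=timezone.utc)
    end = start + timedelta(days=1)
    query = {"startDateTime": start.isoformat(), "endDateTime": end.isoformat(),
             "$select": "subject,start,end"}
    return f"{GRAPH}/me/calendarView?" + urllib.parse.urlencode(query)


def build_request(url, access_token):
    """The 'GET <url>' from the question as a real HTTP request: the token goes in the Authorization header."""
    return urllib.request.Request(url, method="GET", headers={
        "Authorization": f"Bearer {access_token}", "Accept": "application/json"})


def fetch_events(day_iso, access_token):
    """Perform the call; returns the 'value' array of event objects."""
    with urllib.request.urlopen(build_request(calendar_view_url(day_iso), access_token)) as resp:
        return json.load(resp).get("value", [])


def token_claims(access_token):
    """Decode the JWT payload without verifying the signature: only for inspecting a token, never for trust."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def has_delegated_scope(access_token, scope):
    """Delegated (user) tokens carry 'scp'; app-only client-credentials tokens carry 'roles' and no 'scp'."""
    return scope in token_claims(access_token).get("scp", "").split()


def constructed_token(claims):
    """Unsigned sample token so the checks run offline (constructed here, not issued by Azure AD)."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
```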

How to instantiate an AWS Linux using python API?

1) Instantiate an AWS Linux, micro instance using the AWS python API (include authentication to AWS)
2) Update the instance with tags: customer=ACME, environment=PROD
3) Assign a security group to the instance
To program in Python on AWS, you should use the boto3 library.
You will need to do the following:
supply credentials to the library
create an EC2 client
use the EC2 client to launch EC2 instances using run_instances
You can specify both tags and security groups in the run_instances call. Additionally, the boto3 documentation provides some Amazon EC2 examples that will help.
Maybe you want to look at this project:
https://github.com/nchammas/flintrock
This is a Hadoop and Apache Spark clustering project, but it can inspire you.
Actually, there are many features that you want, like security groups or filtering by tag name. Just look around the code.
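The three steps from the first answer and the tag filtering mentioned in the second, as an added example (not code from either answer or from flintrock): the run_instances arguments carry the customer=ACME / environment=PROD tags and the security group, and the same tags become describe_instances filters. t2.micro as the "micro instance" type, the placeholder AMI and security group ids, and the region default are assumptions; boto3 is imported only inside the functions that talk to AWS, so the argument builders run without it.

```python
REQUIRED_TAGS = {"customer": "ACME", "environment": "PROD"}


def run_instances_args(ami_id, security_group_id, subnet_id=None, key_name=None):
    """Arguments for ec2.run_instances: one t2.micro, tagged at launch, in the given security group."""
    args = {
        "ImageId": ami_id,
        "InstanceType": "t2.micro",
        "MinCount": 1,
        "MaxCount": 1,
        "SecurityGroupIds": [security_group_id],
        "TagSpecifications": [{
            "ResourceType": "instance",
            "Tags": [{"Key": k, "Value": v} for k, v in REQUIRED_TAGS.items()],
        }],
    }
    if subnet_id:  # outside the default VPC the subnet must be given for the security group to apply
        args["SubnetId"] = subnet_id
    if key_name:
        args["KeyName"] = key_name
    return args


def tag_filters(tags):
    """describe_instances filters for the same tags, to find the customer's PROD instances later."""
    return [{"Name": f"tag:{k}", "Values": [v]} for k, v in tags.items()]


def launch(ami_id, security_group_id, region="us-east-1", **kw):
    """Steps 1-3 in one call. boto3 reads credentials from the environment or ~/.aws, so none live in code."""
    import boto3  # lazy import so the argument builders above run without boto3 installed
    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.run_instances(**run_instances_args(ami_id, security_group_id, **kw))
    return [i["InstanceId"] for i in resp["Instances"]]


def find_tagged(region="us-east-1", tags=REQUIRED_TAGS):
    """Instance ids that carry all of the given tags."""
    import boto3
    ec2 = boto3.client("ec2", region_name=region)
    resp = ec2.describe_instances(Filters=tag_filters(tags))
    return [i["InstanceId"] for r in resp["Reservations"] for i in r["Instances"]]
```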

Azure python SDK ComputerManagementClient error

I get an error when trying to deallocate a virtual machine with the Python SDK for Azure.
Basically I try something like:
from pprint import pprint
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.compute import ComputeManagementClient
credentials = ServicePrincipalCredentials(client_id, secret, tenant=tenant)
compute_client = ComputeManagementClient(credentials, subscription_id, '2015-05-01-preview')
# deallocate is a long-running operation: keep the poller and wait for its result
result = compute_client.virtual_machines.deallocate(resource_group_name, vm_name)
pprint(result.result())
-> exception:
msrestazure.azure_exceptions.CloudError: Azure Error: AuthorizationFailed
Message: The client '<some client UUID>' with object id '<same client UUID>' does not have authorization to perform action 'Microsoft.Compute/virtualMachines/deallocate/action' over scope '/subscriptions/<our subscription UUID>/resourceGroups/<resource-group>/providers/Microsoft.Compute/virtualMachines/<our-machine>'.
What I don't understand is that the error message contains an unknown client UUID that I have not used in the credentials.
Python is version 2.7.13 and the SDK version was from yesterday.
What I guess I need is a registration for an Application, which I did to get the information for the credentials. I am not quite sure which exact permission(s) I need to register for the application with IAM. For adding an access entry I can only pick existing users, but not an application.
So is there any programmatic way to find out which permissions are required for an action and which permissions our client application has?
Thanks!
As @GauravMantri & @LaurentMazuel said, the issue was caused by not assigning a role/permission to the service principal. I had answered another SO thread, Cannot list image publishers from Azure java SDK, which is similar to yours.
There are two ways to resolve the issue: using the Azure CLI, or doing these operations in the Azure portal. Please see the details of my answer for the first, and I update below for the second way, which is old.
And if you want to find out these permissions programmatically, you can refer to the REST API Role Definition List to get all role definitions that are applicable at the scope and above, or refer to Azure Python SDK Authentication Management to do it via the code authorization_client.role_definitions.list(scope).
Hope it helps.
Thank you all for your answers! The best recipe for creating an application and registering it with the right role - Virtual Machine Contributor - is indeed presented on https://learn.microsoft.com/en-us/azure/azure-resource-manager/resource-group-create-service-principal-portal
The main issue I had was that there is a bug in adding a role within IAM. I use Add. I select "Virtual Machine Contributor". With "Select" I get presented with a list of users, but not the application that I have created for this purpose. Entering the first few letters of the name of my application will give a filtered output that includes my application this time, though. Registration is then finished and things can proceed.
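The programmatic check asked for in the question and pointed at by the role_definitions.list(scope) answer, as an added example (not code from the thread or from the Azure SDK): it matches the action named in the error message against role definitions the way Azure RBAC evaluates them (Actions minus NotActions, with '*' as a wildcard) and reports which roles would grant it, which is how you pick the least-privileged role for the service principal. The sample definitions are constructed with the shape, not the full action lists, of the built-in roles; the live function maps the SDK objects to that shape and is an assumption about the azure-mgmt-authorization model names.

```python
import re

# The action from the error message; Azure RBAC evaluates Actions minus NotActions,
# with '*' as a wildcard that spans any characters, including '/'.
DEALLOCATE = "Microsoft.Compute/virtualMachines/deallocate/action"


def _matches(pattern, action):
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, action, re.IGNORECASE) is not None


def role_allows(role_definition, action):
    """True if a permission block grants the action and none of its NotActions removes it."""
    props = role_definition.get("properties", role_definition)
    for perm in props.get("permissions", []):
        granted = any(_matches(p, action) for p in perm.get("actions", []))
        denied = any(_matches(p, action) for p in perm.get("notActions", []))
        if granted and not denied:
            return True
    return False


def roles_granting(role_definitions, action):
    """Role names that would let the service principal perform the action at the scope."""
    return [r.get("properties", r)["roleName"] for r in role_definitions if role_allows(r, action)]


def list_role_definitions(credentials, subscription_id, scope):
    """Live variant of authorization_client.role_definitions.list(scope), mapped to the REST JSON shape."""
    from azure.mgmt.authorization import AuthorizationManagementClient  # lazy: not needed offline
    client = AuthorizationManagementClient(credentials, subscription_id)
    return [{"properties": {"roleName": d.role_name, "permissions": [
        {"actions": p.actions, "notActions": p.not_actions} for p in d.permissions]}}
        for d in client.role_definitions.list(scope)]


# Constructed definitions with the shape (not the full action lists) of the built-in roles
SAMPLE_ROLES = [
    {"properties": {"roleName": "Reader",
                    "permissions": [{"actions": ["*/read"], "notActions": []}]}},
    {"properties": {"roleName": "Virtual Machine Contributor",
                    "permissions": [{"actions": ["Microsoft.Compute/virtualMachines/*",
                                                 "Microsoft.Network/networkInterfaces/*"],
                                     "notActions": []}]}},
    {"properties": {"roleName": "Contributor",
                    "permissions": [{"actions": ["*"],
                                     "notActions": ["Microsoft.Authorization/*/Write",
                                                    "Microsoft.Authorization/*/Delete"]}]}},
]
```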

Google Map Service API did not work in Python

I am developing a model to calculate origin-to-destination routes using Python3. I tried google-maps-services-python from GitHub and obtained an error.
ApiError: REQUEST_DENIED (This API project is not authorized to use this API. Please ensure this API is activated in the Google Developers Console:)
However, the same key works as an HTTP request over the browser.
The API key does not have any key restriction applied.
Any idea what needs to be done?
Solution
In order to make direct queries from IPython, you need both APIs enabled:
-Google Maps Directions API
-Google Maps Geocoding API
Thanks, problem solved.

Using Google Appengine Python (Webapp2) I need to authenticate to Microsoft's new V2 endpoint using OpenID Connect

There are built-in decorators that easily allow me to access Google's own services, but how can I overload these decorators to call other endpoints, specifically Microsoft's V2 Azure endpoint (I need to authenticate Office 365 users)?
Code snippet which I would like to override to call other endpoints such as Microsoft's:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
from oauth2client.contrib.appengine import OAuth2Decorator  # oauth2client.appengine in older releases

decorator = OAuth2Decorator(
    client_id='d4ea6ab9-adf4-4aec-9b99-675cf46ad37',
    redirect_uri='',
    client_secret='sW8rJYvWtCBVpge54L8684w',
    scope='')

class Authtest(BaseRequestHandler):  # BaseRequestHandler: the app's own webapp2 handler base class
    @decorator.oauth_required
    def get(self):
        # only reached once the decorator holds valid credentials for the user
        pass
Any ideas greatly appreciated.
Thanks,
Ian
Having wasted a lot of time on this I can confirm that you CAN overload the decorator to direct to the Azure V2 endpoint using the code below:
from oauth2client.contrib.appengine import OAuth2Decorator

decorator = OAuth2Decorator(
    client_id='d4ea6ab9-adf4-4aec-9b99-675cf46XXX',
    auth_uri='https://login.microsoftonline.com/common/oauth2/v2.0/authorize',
    response_type='id_token',
    response_mode='form_post',
    client_secret='sW8rJYvWtCBVpgXXXXX',
    # remaining keyword arguments are forwarded to the underlying flow and end up on the authorize URL
    extraQueryParameter='nux=1',
    state='12345',
    nonce='678910',
    scope=['openid', 'email', 'profile'])
The problem is that the decorators are coded purely to handle Google APIs and cannot decode the response from Microsoft; whilst it may be possible to implement this myself by modifying the code in appengine.py, it's too much work.
So if you are looking to authenticate to the Microsoft Azure V2 endpoint via Appengine, it is not possible using the built-in OAuth2Decorator; this only works with Google's own services.
