Skip to content
adatum
  •  SCOM Web API
  • About adatum
Site Search
Azure

Microsoft Secure application model

  • 20/01/201920/01/2019
  • by Martin Ehrnst

Secure application model was released by Microsoft late last year (2018). At that time, I noticed it and didn’t quite understad how it impacted my work. I therfore moved on.

A few weeks ago i discovered what this change actually means.
If you are a Microsoft cloud service provider or a control panel vendor, you will have to change to this new model of authentication soon. Depending on how you deliver apps or how you manage your customer tenants, there’s quite some work to do.

Microsoft is forcing all user accounts with access to CSP with MFA. That is great, but if you (and likely you are) using app + user credentials to access partner center you cannot do this programmatically, as the current method uses password grant. I have written about how that method works here.

The secure application model depends on refresh tokens and access tokens. As a service provider your customers will have to consent to an application getting access to their tenant. When the admin user consent, you will get a code response. This code is used to create a refresh token, which later can be used to access Azure or other resources.
I do not have the mandate to learn you how refresh and access tokens work, but i found the articles on Oauth.com pretty good.

The below picture shows a broad overview of the flow and ‘infrastructure’ required. I suggest you download the document as well.

Token flow in the secure application model

Secure application model infrastructure

i have built these examples with PowerShell to authenticate to a customer tenant using the new model. The model used here assumes you function as a managed service provider. Maintaining your customers Azure tenants and subscriptions. That way you can consent on behalf of your customers. If you provide Azure market place applications, the process is a bit different, but infrastructure wise, were using the same tools.

In my implementation of secure application model I have used the following tools.

  • Azure KeyVault
  • Multi tenant Azure AD Application, with access to the APIs you require.
  • A user able to consent (in my case member of Admin Agents in CSP)
  • Single tenant AAD app to authenticate against KeyVault

Multi tenant Azure AD application

If you find this blog post interesting, I assume you already have a multi tenant AAD app used in your integration or software delivery.
If not, you can check out my blog post on how to create Azure AD apps using PowerShell

In my case I have one application used to monitor customers workloads in Azure. This application have access to Azure Management APIs

Single tenant web app

This is the additional application needed. This application will represent your system. In my case a monitoring tool. I use this application registration to access key vault where I have stored my refresh token. The refresh token is then used to get an access token from a customer tenant.

Azure Key Vault

We need a secure place to store the refresh token and possibly other stuff down the road. I chose to run with Key Vault. There are multiple blog posts and documentation on how to provision and give permissions in key vault, but remember to give your single tenant application read and write access to secrets.

Using PowerShell and Rest APIs

As I have multiple times before, I chose to run with REST rather than PowerShell modules. Feel free to use modules or SDKs, it just doesen’t work that well in my environment.

Getting consent

I’m sure theres much slicker ways to do this, but I only needed one consent to make our integration work. If you have multiple refresh tokenst etc. I would build some kind of callback service that could handle the consent flow.
Alter the following code to your needs, paste it in your web browser and sgn in with apropriate credentials. In return, you will have recieve a code. Copy and use this in next step.

Azure AD refresh token

Now that you have consent it is time to get a refresh token. This is what you later use to get access tokens from your customer tenants. By default and if used. The refresh token is valid for 90 days. You will have store this in Key Vault or a similar service.
Add your information to the script below to get your refresh token.

Write and retrieve from Key Vault API

Since you don’t want to get a new consent every time, you will need to save your refresh token to a secure place. I chose to run with Key Vault, but feel free to chose what ever software you want. Below are two snippets that will allow to write and retrieve secrets from Azure KeyVault.
You will have to get your key vault URL and the single tenant application id and secret.
That way your application accessing customers tenants, in my case a monitoring system, have it’s own credentials, separated from the credentials aquiring the refresh and access tokens.

Retrieving data from customer tenant

It’s time to connect to your customers tenants. Before doing that, lets summarize. By now you should have the following in place

  • One multi tenant application with Api access and proper consent.
  • A key vault with the a refresh token
  • A single tenant (your integration) application with access to key vault
  • AppID and access keys for bot application registrations.

Below I have included three examples on how to retrieve data from your customers. The first will get all customers from partner center, second will use the same refresh token to access Microsoft Graph, and the third will access Azure management API’s (Azure Resource Manager). In order for this to work, your multi tenant app must have access to these APIs

Share this:

  • LinkedIn
  • Twitter
  • Email
Azure logo as christmas tree Uncategorised

2018 summary

  • 20/12/201820/12/2018
  • by Martin Ehrnst

2018 – what a year. Besides being the busiest year in my career for a long time, I have had alot of fun doing it!

During 2018 I have used most of my time trying to tame the (in lack of better words) ‘beast’ that Microsoft cloud is. I have spent noumerous hours deep diving in to Azure and Microsoft partner portals REST APIs. As well as developing new services for my employer.

Community

Besides maintaining this blog as my personal libary of technical documentation. Another goal is to provide good content back to the community I’m a part of.

In 2016 I decided to try more ways of contributing to the communtity. One of the things was to contribute to open source, and another was to present at various events.
2018 turned out to be the year for presentations.

  • Nordic Infrastructure conference
  • Azure User Group Norway
  • SquaredUp for hosting expert panel at Microsoft Ignite
  • Approved Consulting for hosting SCOM Day
  • SquaredUp for monitoring panel at Experts Live Europe
  • Microsoft Tech Summit Oslo

I would like to thank each and every one that came to my presentations, and to the organisers for your trust and opportunity.

Blog statistics

For those interested. The last year I have written 17 posts – thats not enough, hopefully I can produce some more written content next year.

In total 14.500 users have visited adatum.no. This results of 23.000 page views. Thats an increase of 55% in unique users since last year. Great!
The most popular post is actually about SCOM REST API Interfaces with a total of 1200 views. Second best performing post is Creating Azure AD Application registration using Powershell with just over 1100 views.

Twitter is by far the social with the most referrers, but most traffic is generated by organic search.

2019

The prospect of 2019 looks busy! I’m confident that community will be a priorty, but I might need to cut back on presentations.
2019 is the year where Microsoft brings Azure to Norway with two regions. I am really looking forward to working with customers making the correct choises on their journey to public cloud. This is going to be a lot of work and great fun, but we should still be pragmatic to the choices we make.

Thanks for following. Merry christmas!

Share this:

  • LinkedIn
  • Twitter
  • Email
Community

Speaking at Microsoft Tech Summit Oslo

  • 14/11/201815/11/2018
  • by Martin Ehrnst

Microsoft Tech Summit is arriving in Oslo December 6 2018.
I am so lucky that I will have a talk on how you can leverage Azure serverless offerings to automate your business processes. All using your existing Ops skills.

The cloud as the established foundation allows the real transformative technologies such as Artificial Intelligence start to transform the way we live and work. The Microsoft Tech summit is your key for inspiration, matching your innovative app ideas with the latest evolution of the Microsoft Cloud platform, also supporting Open Source solutions.

Read more and sign up

Share this:

  • LinkedIn
  • Twitter
  • Email
Community

Speaking at SCOM Dagen 2018

  • 01/10/201801/10/2018
  • by Martin Ehrnst

I am speaking on SCOM dagen 2018 which this year focuses on multi cloud, on premises and hybrid monitoring using Azure and SCOM.

The event focuses on how organisations can leverage new technology, and use their existing systems to become a better IT organisation. SCOM day is hosted by approved.se

My talk will scratch the surface on custom management pack development. Custom MP developement is used by service providers and larger organizations to gain better visibility in multi and hybrid cloud scenarios.

The event will also feature much more seasoned presenters like Thomas Maurer and Marcel Zehner

Hopefully I see you at SCOM dagen 2018 in Gothenburg

Share this:

  • LinkedIn
  • Twitter
  • Email
Community

Microsoft Ignite 2018 announcements and news

  • 25/09/201827/09/2018
  • by Martin Ehrnst

Microsoft Ignite is Microsofts largest conference focusing on the new industry trends and technology from Microsoft and their partners. You can read more about Ignite here

The conference kicked off with Satya Nadella in the Monday morning keynote. From my personal perspective, this was a more down to earth keynote than previous ignite,  with customer stories that you actually believe exists. Microsoft, SAP, and Adobe are lauching a new open data initiative letting customers create richer common data models for your next generation applications.
At the end, Satya announced a new initiative that enabeles humanitarian and non profit organization with AI technology.

Where Satya’s commercial keynote might come off as a tad boring for the IT pros and developers. We got all the news and announcements in  the technical keynote hosted by Scott Guthrie and Julia White. Later in the day, VP Corey Sanders hosted what came off as the infrastructure keynote, and it was quite the show, a lot of demo’s going a little deeper in to the announcements mentioned earlier in the morning.

You will find a complete list of announcements from Microsoft Ignite in the book of news.

Below I have list on the announcements that I personally find interesting. I will make sure to update throughout the week, when I come across something new.

Azure Infrastructure

  • Azure Express Route direct
    Direct connectivity to Azure. Up to 100Gbps
  • Azure Express Route global reach
    Link existing connections and communicate on Azure’s back bone
  • New managed disk sizes
  • Ultra SSD pushing 160k IOPs
  • Windows server 2019 Azure network adapter
    In server 2019 you can create a secure network adapter that creates a tunnel too your Azure network. Perfect for edge devices or hybrid infrastructure where Express Route might be over kill.
  • Azure VM image builder

Azure Management

  • Azure blueprints.
    Azure blueprints is essentially your ARM template for deploying new subscriptions. It let’s you define policys, resources that you want to deploy as your baseline.

    Even if i see this as big news, I feel like there are a few competitive solutions for this. Azure Deployment manager being one of them
    Please let me know what i don’t understand.
  • Azure Resource Graph
    Querying at scale for your resources.

Integration and automation (dev)

  • Azure Functions v2.0 generally available
    Containerized and supposedly 50% faster compared to v1 functions
  • Event Grid
    A few features around filtering and event life time.
  • Logic App in Visual studio code
  • Azure Data Explorer
    This is the PaaS offering for querying and analyzing large data sets. It’s the same technology that is used in Application insights and Log Analytics

Azure Monitor

  • Azure Monitor is generally available
  • Custom Metrics
    To provide unified monitoring. Azure Monitor now supports custom metrics and custom events
  • Azure Monitor for resource groups
    I love this. Now we can define monitoring at the resource group level and enable ‘application status’ monitoring based on all resources within the group. Probably doing a separate post on this.
  • Azure Monitor for Azure VMs
    Enables guest operating system monitoring
    This is where it begins to look like SCOM – see this tweet from Kevin Green. I’m gonna get some more information on this later.
  • Alerts can now be added based on resource type
  • Azure Active Directory Logs in Azure monitor

Operations Manager (SCOM)

  • SCOM 2019 and 1901 are announced for Q1 2019
  • A revised HTML5 dashboard
  • Customizable email notfication (HTML)
  • New alert management capabilities
  • SquaredUp management pack tuning
    This one is great for all SCOM admins. Expect a dedicated post later.

Other

In other news..

  • Azure digital twins
    This one is cool. It maps out digital buildings based on IoT devices.

Summary

The message about moving all workloads to Azure is still there, but the tone has shiftes slightly from previous years, and for the time being, the hybrid model is an acceptable solution.
I know that American companies are the base of Azure customers. And based on the pitch we get, it feels like these companies are running physical servers under their desks. This is not the case in other parts of the world and if you are virtualized on premises and your hardware is up to speed. I don’t think migrating VMs as is (lift and shift) is the correct path…

Share this:

  • LinkedIn
  • Twitter
  • Email

Posts navigation

1 2 3 … 13

Top Posts & Pages

  • Creating Azure AD Application using Powershell
  • Maintenance Mode based on Event
  • SCOM 1801 REST API Interfaces
  • Script to add SCOM agent management group
  • SCOM Alerts to Microsoft Teams and Mattermost
  • Microsoft Secure application model
  • Resource health through Azure Rest API
  • Using webhook in scom subscription (POC)
  • HealthServiceStore.edb file growth

Tags

#Serverless #Azure # speaking agent announcements api authoring Automation Azure AzureAD AzureCloudShell AzureFunctions AzureMonitor AzureRM CSP database EventGrid ExpertsLive ExpertsLiveEU Integrations LogAnalytics management pack monitoring MSBuild2018 MSIgnite MSIgnite2017 MSOMS news nicconf OperationsManager OpsMgr Powershell ProjectHonolulu QUickPublish rest SCDPM SCOM SCOM2016 scu2016 SCVMM Serverless SquaredUP SysCtr system center Teams Webasto WindowsAdminCenter

Follow Martin Ehrnst

  • Twitter
  • LinkedIn

RSS Feed RSS - Posts

RSS Feed RSS - Comments

Adatum.no use cookies to ensure that we give you the best experience on our website. If you continue to use this site we will assume that you are happy with it. Cookie Policy
Theme by Colorlib Powered by WordPress
adatum
Proudly powered by WordPress Theme: Shapely.
loading Cancel
Post was not sent - check your email addresses!
Email check failed, please try again
Sorry, your blog cannot share posts by email.