Showing posts with label azure. Show all posts

Tuesday, April 24, 2018

How to run AzureAD PowerShell commandlets in Azure

I have a PowerShell script which today uses AzureAD cmdlets to perform some write operations in Azure AD. This script is to be run on a schedule, and where better to run this than in Azure? It could be as a web job or as an Azure Function.

When running in an app service we cannot use interactive login, but have to use the connect signature below which takes an ADAL app id and a certificate:

Connect-AzureAD -TenantId <tenantId> -ApplicationId <appid> -CertificateThumbprint <thumbprint>

This means we have to create an ADAL app which accepts a certificate, as well as make sure we can access the certificate from the app service.

For this tutorial I’ll go with an Azure Function, but the steps are pretty much the same.

Pre-requisite

Install the AzureAD or AzureADPreview cmdlets on your local machine.

Steps covered

  • Create a self-signed certificate
  • Create an ADAL app
  • Grant the ADAL app access to write to AAD
  • Create an Azure Function
  • Load Azure AD PowerShell in an Azure Function
  • Connect to AzureAD using an ADAL app and a certificate

Sunday, August 27, 2017

Maybe the most useful Azure function ever! – Introducing a proper Swagger definition generator

This post relates to Azure functions written in C#, hosted as a Function App – and maybe the title is a tiny bit clickbaity ;)

I’m in a project where writing small Azure functions to accomplish pieces of functionality is a very good fit, and the tasks will be connected in a workflow – Microsoft Flow or Logic Apps. With the latest update for Visual Studio 2017, creating an Azure Function project and publishing the function to Azure is super easy.

The tricky part comes when you want to consume those functions somewhere else using a Swagger definition file to describe your API.

The people over at the Azure team have been kind enough to add functionality to automatically generate a Swagger definition. The problem is that the output of this preview functionality is, to put it in nice terms, the equivalent of a table of contents, where the book was left out.

There are some blog posts out there on how you can write that book to get a working definition, but manual work when you have already defined the functions pretty well in code is not my cup of tea.

Digression

If an Azure function project had been a WebAPI or similar, you could have installed Swashbuckle, and you would have gotten a nice Swagger definition just like that. Given that Azure functions are compiled to a class DLL, and that Swashbuckle does not work against a DLL in any easy fashion, I saw two options: a shadow API with Swashbuckle, or roll my own.

I started out with the first option where I created a shadow WebAPI project, copying all my Azure Function signatures, and then manually copying out parts to generate a proper Swagger definition. But I quickly discovered this was still too much manual work for my taste.

Option two it is – generate the mofo myself!

That left me with option two, write my own Swagger generator. The Swagger spec itself is not too complicated, and as Azure uses v2, that’s what I set out to use as well. I’m no stranger to reflection on .NET DLLs, having worked with SharePoint for many years, as well as writing other types of generators, so that’s what I did.

I created an Azure function in my project which at run time reflects on the current assembly, finds all methods marked to be Azure functions, then inspects their ins and outs, and constructs a full-fledged Swagger definition.

It’s not complicated, but a bit tedious to support all the scenarios I wanted to support. I wanted to support input via the path, as query parameters and JSON objects in the body – which is the most useful one in my opinion. It took me one working day, 7.5h, to have this up and ready to go, with ~400 lines of code. Imagine if the Azure team could have spent the same? But then again, I wouldn’t have this blog post :)

Friday, June 2, 2017

Azure AD management portal if you don’t have an Azure subscription

I got this tip from Paul Schaeflein via Slack that if you navigate to https://aad.portal.azure.com you can access the AAD of your tenant without signing up for an Azure subscription. Awesome for trial tenants and managing app registrations and other AAD tasks in a quick and easy way.

You can also read the May 15th announcement for the portal from the TechNet blogs.

Tuesday, February 21, 2017

All you never wanted to know about Exchange Online, Azure AD and Office 365 Groups creation

Before setting the scenario, the solution to my problem would be either an Office 365 group with dynamic Azure Active Directory membership where all services in the Office 365 group were opt-in and not mandatory, or an e-mail enabled security group with dynamic membership. Neither of those options exists and we ended up having one dynamic distribution group and one dynamic security group.

Thursday, April 28, 2016

Setting up Azure Business to Business (B2B) access for use with SharePoint Online

SharePoint Online’s support for sharing sites and documents with external users has been there a while now, but sharing with each individual user is quite cumbersome if you have to share with a volume of users. This is where Azure B2B comes into play, and the Azure team has good information on this over at GitHub.
Steps covered in this post:
  • Create AAD security group
  • Enable external sharing in a site collection
  • Add AAD security group in the site’s Members group
  • Create and upload CSV file with all external users to AAD
  • Accept invitation and have bliss!

Friday, January 10, 2014

Setting up authorization with Office365 (WAAD) for an Azure Web Role

I’ve been working on porting an existing ASP.NET application over to an Azure Web Role. At the same time I wanted to look into setting up authorization against third party providers, in particular for Office 365 users.
Topics covered in this post:
  • Set up an Access Control Namespace (Access Control Service/ACS) in Azure
  • Configuring the ACS to use Windows Azure Active Directory (WAAD)
  • Configuring the WAAD to trust the ACS
  • Adding an identity provider to your web role
  • Configuring the ACS to trust the application
I’m not detailing all the background information for each step, but I try to cover all the necessary steps to get it all up and running.

Wednesday, June 26, 2013

Yet Another SharePoint 2013 in Azure Post

Topics covered in this post:
  • 3 server Azure VM setup for SharePoint 2013
  • Shrinking Azure vhd blobs
  • Turning a DC into a server core install
I’ve long been thinking about provisioning a SharePoint 2013 dev farm in Windows Azure, and with the new MSDN pricing model this has become more attractive. You can now also do a VM shutdown instead of de-provisioning the full VM if you want to save some $$ by not running the VM 24/7.

In my case I have a Visual Studio Ultimate with MSDN subscription which gives me $150 free spending per month (http://www.windowsazure.com/en-us/offers/ms-azr-0049p), so we’ll see how that looks after a month’s use.

Sunday, October 11, 2009

My first Azure project in the cloud

I finally got around to testing a small project in the cloud and it went much smoother than I anticipated.

As the Unix server we used to run pornolize.com on is currently down, I decided to port the Perl code to .NET. It always helps to have a concrete project when learning something new. For those who are unfamiliar with The Pornolizer, it’s basically a web page translation service like Google Translate, except it substitutes words with dirty ones. And yes, I know it’s childish :)

The project consists of a web role which serves up the start page (I decided on a new layout as well while I was at it).

When clicking the “Translate” button the request is picked up by a protocol handler. The handler then downloads the page you want to translate, runs the translation and serves it to the user. Before the handler ends its response, it puts a log message in a queue. This queue entry is picked up by a worker role, which in turn inserts it into SQL Azure. I could have used table storage, but since I had a token for SQL Azure I decided to give it a go (and it made it very simple to use LINQ to SQL). Just a change of the connection string and it was up and running.

Initially I thought about having the worker role do the downloading and parsing, but since I wanted low latency I decided to drop it, and chose to put in the logging instead in order to explore using a queue and SQL Azure.

One of my better weekend projects for a long time – some code cleanup and refactoring and I can move on to something else.