Showing posts with label Azure Automation. Show all posts

Saturday, April 4, 2020

Azure AD Token Generator using .NET Core

10 min to read.

Abstract

Change is inevitable. With .NET Framework becoming legacy and .NET Core declared the future, many migration projects are being triggered. For new projects, too, .NET Core is now the default development choice.

Last year, in April 2019, I wrote a blog post on how to create a service principal or app registration in Azure AD.

It is one of my most visited blog posts. The reason is simple: any functionality that has to invoke the Azure REST API needs an Azure AD token. The token is what lets you perform management tasks against an Azure environment, and hence it is crucial.

Last year's post is based on .NET Framework.

With .NET Core becoming more and more the obvious choice, I thought it was time for a new blog post and a new code base: ".NET Core based Azure AD token generator using a service principal."

Let’s go!


Why do I need to generate the Azure AD token?

This is a common question I get: what are the scenarios where I need to generate an Azure AD token from code and use it? The diagram below lists a few tasks where I use the Azure AD token generator code. Click on the diagram to get a better view.



App registration and assign permissions to Azure AD application

The concepts of the Azure AD service principal and application registration, and the process of creating a service principal, remain the same for .NET Core too.

The only change we will see is in the code base.

So follow my earlier blog post and perform the tasks below –
  1. Create an Azure service principal by app registration
  2. Record the Tenant ID, Application ID and Secret key
  3. Assign the correct permissions to the Azure AD app

If you are still not clear after following the earlier post, refer to the documentation to understand how and why applications are added to Azure AD.

.NET Core code base for Azure AD token generation


Let us understand the code base for .NET Core. The code is now fundamentally different from the .NET Framework version. However, the Tenant ID, Application ID and Secret Key of Azure AD are used exactly as in the .NET Framework code.
Build the confidential client application as below – [click to enlarge]



This class is present in the NuGet package Microsoft.Identity.Client; I am using version 4.10.0 for this project.


Azure AD authentication supports many flows. The flow we are using in our code is the "Azure AD Client Credentials" flow. For the client credentials flow we have to provide a scope.

A scope is the boundary within which the granted access token is valid. If you request a token for one scope and use it for another, the request will be denied. For example, you provide the scope https://api.loganalytics.io/ [the Log Analytics resource scope] while requesting the token from Azure AD.

That means the generated token can be used ONLY for operations on Log Analytics. If, after getting the token, you try to access an Azure Storage resource whose scope is https://storage.azure.com/, the request will be denied. So providing the correct scope is crucial.

The scope for "Client Credentials" always has the form "resource/.default". So configure the scope as below. In my example I am using the scope for Azure Log Analytics. [click to enlarge below]



Now, for this scope, we retrieve the access token as below – [click to enlarge]
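The post's own code is C# with Microsoft.Identity.Client and lives in the screenshots; as an added example (not the post's code), here is the same client credentials flow done directly against the Azure AD v2.0 token endpoint from PowerShell, with a check that the token's audience really is the resource you asked for. The tenant ID, application ID, the environment variable holding the secret, and the Log Analytics scope are placeholders/assumptions you replace with your own values.

```powershell
# Added example: Azure AD client credentials flow in PowerShell (not the post's .NET Core code).
# Assumed placeholders: TenantId, ClientId, and the secret read from an environment variable.
# Keep the secret out of the script file itself (Key Vault or an Automation credential asset).
param(
    [string]$TenantId     = '<your-tenant-id>',
    [string]$ClientId     = '<your-application-id>',
    [string]$ClientSecret = $env:AAD_CLIENT_SECRET,
    # Client credentials scope is always "<resource>/.default"; Log Analytics, as in the post
    [string]$Scope        = 'https://api.loganalytics.io/.default'
)

function Get-ClientCredentialsToken {
    param([string]$TenantId, [string]$ClientId, [string]$ClientSecret, [string]$Scope)
    $tokenEndpoint = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
    $body = @{
        grant_type    = 'client_credentials'
        client_id     = $ClientId
        client_secret = $ClientSecret
        scope         = $Scope
    }
    # Form-encoded POST; the response carries access_token, token_type and expires_in (seconds)
    Invoke-RestMethod -Method Post -Uri $tokenEndpoint -Body $body `
        -ContentType 'application/x-www-form-urlencoded'
}

function ConvertFrom-JwtPayload {
    # Decodes the payload part of a JWT so we can look at its claims.
    # Inspection only: this does NOT validate the signature; the resource API does that.
    param([string]$Jwt)
    $payload = $Jwt.Split('.')[1].Replace('-', '+').Replace('_', '/')
    switch ($payload.Length % 4) { 2 { $payload += '==' } 3 { $payload += '=' } }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($payload)) | ConvertFrom-Json
}

function Test-TokenAudience {
    # $true when the "aud" claim is the resource part of the requested scope, i.e. the token
    # is for Log Analytics and will not be accepted by, say, Azure Storage.
    # Some resources emit their application ID GUID as "aud" instead of the URI; compare
    # against that value if your resource does.
    param([string]$Jwt, [string]$Scope)
    $expectedAudience = ($Scope -replace '/\.default$', '').TrimEnd('/')
    $claims = ConvertFrom-JwtPayload -Jwt $Jwt
    ([string]$claims.aud).TrimEnd('/') -eq $expectedAudience
}

$response = Get-ClientCredentialsToken -TenantId $TenantId -ClientId $ClientId `
    -ClientSecret $ClientSecret -Scope $Scope

if (-not (Test-TokenAudience -Jwt $response.access_token -Scope $Scope)) {
    throw "Token audience does not match the requested scope $Scope"
}

# The token goes into a bearer Authorization header for the Log Analytics REST calls
$headers = @{ Authorization = "$($response.token_type) $($response.access_token)" }
Write-Output "Token acquired for $Scope; expires in $($response.expires_in) seconds"
```

The audience check is the practical side of the scope paragraph above: a token minted for https://api.loganalytics.io/.default carries that resource as its audience, which is exactly why Azure Storage rejects it.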



We can then use this token with Postman to perform Azure management operations. Alternatively, we can integrate this code into Azure Functions or applications to get a token at runtime without user credentials and perform the required administrative operations against the Azure environment.

Download code

The entire code is available for download from GitHub at - https://github.com/kunalchandratre1/AzureADTokenGeneratorNETCore

Conclusion

I hope this article helped you get quick code for generating an Azure AD token using .NET Core. Let me know your views in the comments section below so I can improve, and share your thoughts on this approach.
Happy token generating!!

A humble request!

The internet is creating a lot of digital garbage. If you feel this is a quality blog and someone will definitely benefit from it, don't hesitate to hit the share button below. Your one share will save many precious hours of a developer. Thank you.



Next Related Posts

Start/stop multiple Azure VMs and save cost. This uses an Azure AD application behind the scenes.

Sunday, September 29, 2019

Azure VMs – Export to CSV

Abstract

For the human race, there are some common tasks in daily life that you must do. Humans can survive without them, but you can't say they are "living the life". Taking a bath is one such task: you can survive without it, but you will not like it. These tasks are what bring "life" to humans' daily lives and make them enjoy their stay on earth.

Among these humans there is a special category – I call them "humans who work in the software field". They can be sub-categorized as below –

  1. Software developers
  2. IT administrators
  3. Project managers
  4. Software engineers
  5. Solution architects

To all these sub-categories you can apply a prefix such as Senior, Junior, Principal, Full Stack or Distinguished, and in recent times we have a new addition to the prefixes known as "CLOUD". These are humans who can easily survive without a bath, but there is one thing without which none of them can survive, and it is known as "Export to CSV". It is as important to them as eating food and drinking water, or more.

No matter how many cutting-edge features and services Microsoft Azure brings, we still feel a product or service is not complete unless it offers "the" functionality of "Export to CSV". Surprisingly, export of Azure VMs to CSV does not exist in the Azure portal, and you need to write PowerShell for it. Therefore my lazy followers and friends asked me to write PowerShell to export Azure VMs to CSV. So here we are!

Let’s go!

Current state of feedback

Users have provided feedback asking for export-to-CSV functionality for all Azure resources in the portal. It is on the roadmap. You can view the details here - https://feedback.azure.com/forums/216843-virtual-machines/suggestions/37934101-virtual-machine-list-export-to-csv.

Why yet another new script?


I spoke to multiple people who deal with Azure VMs on a daily basis, and their requirements for the CSV were an eye opener. Many of the scripts available today provide very minimal details about a VM when exported to CSV, and most Azure administrators find them not so useful. So after a quick survey of a few of my lazy followers I received the list below as the top asks for Azure VM to CSV export. The number one ask was to retrieve the Azure VNet and the VNet subnet of each Azure VM using PowerShell. I have addressed this as well in the script.

So the current script provides CSV output of Azure VMs in great detail. Refer to the column list below –
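The post's script itself is not reproduced in this excerpt. As an added example (not the author's script), here is how the VNet and subnet ask can be met: a VM's NIC carries a subnet resource ID, and the VNet and subnet names are two path segments of that ID. The script below uses the AzureRm cmdlets the rest of this blog uses and assumes you are already logged in with the subscription selected; the output file name is my choice.

```powershell
# Added example: inventory Azure VMs with VNet, subnet and NIC-level NSG, then export to CSV.
# Not the post's own script. Assumes an existing AzureRm login (Login-AzureRmAccount).

function Get-NetworkNamesFromSubnetId {
    # A subnet ID looks like
    # /subscriptions/<sub>/resourceGroups/<rg>/providers/Microsoft.Network/virtualNetworks/<vnet>/subnets/<subnet>
    # so the names we want are the segments right after "virtualNetworks" and "subnets".
    param([string]$SubnetId)
    $segments    = $SubnetId -split '/'
    $vnetIndex   = [array]::IndexOf($segments, 'virtualNetworks')
    $subnetIndex = [array]::IndexOf($segments, 'subnets')
    if ($vnetIndex -lt 0 -or $subnetIndex -lt 0) { return $null }
    [pscustomobject]@{
        VNet   = $segments[$vnetIndex + 1]
        Subnet = $segments[$subnetIndex + 1]
    }
}

function Get-AzureVmInventory {
    # One row per VM. NICs are fetched once and indexed by resource ID to avoid a call per VM.
    $nics = @{}
    Get-AzureRmNetworkInterface | ForEach-Object { $nics[$_.Id] = $_ }

    foreach ($vm in Get-AzureRmVM) {
        # A VM may have several NICs; report the primary one, or the first if none is flagged
        $nicRef = $vm.NetworkProfile.NetworkInterfaces | Where-Object { $_.Primary } | Select-Object -First 1
        if (-not $nicRef) { $nicRef = $vm.NetworkProfile.NetworkInterfaces | Select-Object -First 1 }
        $nic      = if ($nicRef) { $nics[$nicRef.Id] }
        $ipConfig = $nic.IpConfigurations | Select-Object -First 1
        $net      = if ($ipConfig) { Get-NetworkNamesFromSubnetId -SubnetId $ipConfig.Subnet.Id }
        $nsgName  = ''
        if ($nic.NetworkSecurityGroup) { $nsgName = ($nic.NetworkSecurityGroup.Id -split '/')[-1] }

        [pscustomobject]@{
            Name              = $vm.Name
            ResourceGroupName = $vm.ResourceGroupName
            Location          = $vm.Location
            VmSize            = $vm.HardwareProfile.VmSize
            OsType            = $vm.StorageProfile.OsDisk.OsType
            PrivateIpAddress  = $ipConfig.PrivateIpAddress
            VNet              = $net.VNet
            Subnet            = $net.Subnet
            NsgOnNic          = $nsgName   # empty when no NSG is attached to the NIC: worth reviewing
        }
    }
}

Get-AzureVmInventory | Export-Csv -Path ".\AzureVMs-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation
```

The NsgOnNic column is an easy review aid: a blank value there means the NIC has no NSG of its own, so only a subnet-level NSG (if any) is filtering that VM.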

Friday, August 11, 2017

How to receive an email on Azure Network Security Group Rule changes

Abstract

The Microsoft Azure portal already lets you receive an email alert when a new Azure Network Security Group (NSG) is added or an existing one is deleted. However, there is no option today to receive an email when individual NSG security rules are added, deleted or modified. This post provides a solution for receiving emails on Azure NSG security rule changes, which the Azure portal does not offer.

Why do I need it?

If you are the chief security officer of a company, you definitely understand why you care about receiving an alert when NSG rules change.
NSGs are fundamental to restricting and allowing access in Azure IaaS VM deployments. They offer controlled access based on source and destination port, protocol and IP. So, as a security best practice, any Azure VM network interface card (NIC) or subnet in a VNet should have an NSG associated with it.
Having said that, maintaining the rules in an NSG is critical. Hence Azure portal administrators, CISO staff, IT heads and security heads will always love to receive an email in their inbox so they can verify whether the NSG security rule that was added, modified or deleted went through the appropriate approval.

What do I need?

Creating an alert is possible from the Azure Monitor service. For example, if I want to create an alert on NSG creation or deletion, the screenshot below shows exactly how to configure it.




As you can see in the screenshot above, there is no resource type available for NSG security rules. So you may get the impression that "an email alert on NSG security rule change can't be configured", which is wrong. The rule of thumb I follow for Microsoft Azure is
"If any functionality is not achievable from the Azure portal, then try it using Azure PowerShell or Azure ARM templates."
So an email alert on NSG security rule change can't be configured from the portal, but it is possible to configure it using an ARM template.
We also need to create an "Action Group" in the Azure portal in order to receive the email. In summary, we will need the following artifacts in Azure -
  1. An Azure ARM template to create the alert
  2. An action group to send the emails
  3. A resource group to contain the alert and the action group
So let's get started.

Create Action Group

Create an action group to send emails as per the steps in the link - https://docs.microsoft.com/en-us/azure/monitoring-and-diagnostics/monitoring-action-groups
I have created an action group named AdminsActionsGroup, shown below, with Email as the action type –



After the action group is created successfully, you will receive a welcome email as shown below –



Copy the resource ID from the overview tab, as shown below, for later use –


Azure ARM Template to create NSG rule add/modify email alert


Starting from the base ARM template in the link above, we need to replace the operationName with the NSG security rule write operation, as shown below –



Then search for "Templates" in the store at the top of the Azure portal. Click "Add", then provide a suitable name and description for the template and paste in the ARM template we created in the step above. After adding it, the template is visible as below –



Complete template download is available at the end of this post.

Let’s deploy!

Click the Deploy button highlighted in the screenshot above. Provide the action group resource ID copied in the earlier step. Then tick "accept terms and conditions" and click "Purchase" to complete the deployment.


You can view the created alert as shown below –




Modify the security rule of any NSG present in Azure subscription and you should receive an email.

Email on Delete NSG Rule Operation

The approach is the same. We need to create another alert for the delete operation on NSG rules; only the operation name changes, as below –
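The post's template is in the screenshots and in the download link below. As an added example (not the author's template), the script here builds both alerts described in this post, one for the security rule write operation and one for the delete operation, as Microsoft.Insights/activityLogAlerts resources in a generated ARM template and deploys it with the AzureRm cmdlets. The resource group name and the action group resource ID are placeholders to replace with your own (the action group ID is the one copied from the overview tab earlier).

```powershell
# Added example: deploy activity-log alerts for NSG security rule write and delete operations.
# Not the post's own template. Assumed placeholders: resource group name and action group ID.
param(
    [string]$ResourceGroupName = 'rg-alerts',
    [string]$ActionGroupId = '/subscriptions/<sub-id>/resourceGroups/rg-alerts/providers/microsoft.insights/actionGroups/AdminsActionsGroup'
)

$subscriptionId = (Get-AzureRmContext).Subscription.Id

function New-NsgRuleAlertTemplate {
    # Returns an ARM template (as a hashtable) containing one alert per NSG rule operation.
    param([string]$SubscriptionId, [string]$ActionGroupId)

    $operations = @{
        'Alert-NSGRule-Write'  = 'Microsoft.Network/networkSecurityGroups/securityRules/write'
        'Alert-NSGRule-Delete' = 'Microsoft.Network/networkSecurityGroups/securityRules/delete'
    }

    $resources = foreach ($name in $operations.Keys) {
        @{
            type       = 'Microsoft.Insights/activityLogAlerts'
            apiVersion = '2017-04-01'
            name       = $name
            location   = 'Global'
            properties = @{
                enabled = $true
                # Scope to the whole subscription so every NSG, current and future, is covered
                scopes  = @("/subscriptions/$SubscriptionId")
                condition = @{
                    allOf = @(
                        @{ field = 'category';      equals = 'Administrative' }
                        @{ field = 'operationName'; equals = $operations[$name] }
                        # Fire on the completed change only, not on the "Started" event
                        @{ field = 'status';        equals = 'Succeeded' }
                    )
                }
                actions = @{
                    actionGroups = @( @{ actionGroupId = $ActionGroupId } )
                }
            }
        }
    }

    @{
        '$schema'      = 'https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#'
        contentVersion = '1.0.0.0'
        resources      = @($resources)
    }
}

$template     = New-NsgRuleAlertTemplate -SubscriptionId $subscriptionId -ActionGroupId $ActionGroupId
$templateFile = Join-Path $env:TEMP 'nsg-rule-alerts.json'
$template | ConvertTo-Json -Depth 10 | Set-Content -Path $templateFile -Encoding UTF8

New-AzureRmResourceGroupDeployment -ResourceGroupName $ResourceGroupName -TemplateFile $templateFile -Verbose
```

Filtering on status "Succeeded" is the one addition over the post's template: without it you receive a mail for the "Started" event of the same change as well. After deployment, modify or delete a rule on any NSG in the subscription and check that the corresponding mail arrives.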



Hope this helps.
Download complete script - https://gallery.technet.microsoft.com/Receive-an-email-on-Azure-6ebdd9a5

Backup NSG

I have seen many people asking about backing up NSGs and their rules. One way is to export the rules using PowerShell.

If you want a ready-made solution for backing up NSGs in your Azure subscription, I found one in the Marketplace. I have tried it at one of my customers and it works well - https://azuremarketplace.microsoft.com/en-us/marketplace/apps/bowspritconsultingopcprivatelimited1596291408582.nsgbackup?tab=Overview
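As an added example of the PowerShell route (not the author's script), the function below writes the custom rules of every NSG in the subscription to a dated JSON file (the full rule objects, for restore) and a CSV file (a flat view for review). It uses the AzureRm cmdlets and assumes an existing login; the output folder is my choice.

```powershell
# Added example: back up NSG security rules to JSON and CSV, one pair of files per NSG.
# Not the post's code. Assumes an AzureRm login with the subscription selected.
function Export-NsgRules {
    param([string]$OutputFolder = (Join-Path (Get-Location) 'nsg-backup'))

    $stamp = Get-Date -Format 'yyyyMMdd-HHmm'
    New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null

    foreach ($nsg in Get-AzureRmNetworkSecurityGroup) {
        $base = Join-Path $OutputFolder "$($nsg.ResourceGroupName)_$($nsg.Name)_$stamp"

        # JSON keeps every property of each rule, which is what a restore needs
        $nsg.SecurityRules | ConvertTo-Json -Depth 5 | Set-Content -Path "$base.json" -Encoding UTF8

        # CSV is the reviewable view: what is allowed/denied, in which direction, from and to where
        $nsg.SecurityRules |
            Select-Object Name, Priority, Direction, Access, Protocol,
                @{ n = 'SourceAddressPrefix';      e = { $_.SourceAddressPrefix -join ',' } },
                @{ n = 'SourcePortRange';          e = { $_.SourcePortRange -join ',' } },
                @{ n = 'DestinationAddressPrefix'; e = { $_.DestinationAddressPrefix -join ',' } },
                @{ n = 'DestinationPortRange';     e = { $_.DestinationPortRange -join ',' } } |
            Sort-Object Direction, Priority |
            Export-Csv -Path "$base.csv" -NoTypeInformation

        Write-Output "Exported $($nsg.SecurityRules.Count) rule(s) of $($nsg.Name) to $base.{json,csv}"
    }
}

Export-NsgRules
```

Running this on a schedule alongside the email alert above gives you both the notification that a rule changed and a point-in-time copy to diff against.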

Tuesday, July 11, 2017

Start Stop Multiple Azure VMs on schedule using Azure Automation

Abstract

I searched through many, many, many articles about stopping (de-allocating) Azure VMs to save cost. Every article targets only a single Azure VM to shut down (de-allocate). None of them addresses starting and shutting down multiple Azure VMs using automation. I am going to address that with Azure PowerShell in this article.

What cool features does my Azure VM start/stop script offer?

If you have multiple Azure VMs in your Azure subscription and you want to start or stop a few of them on a schedule, you can use the Azure PowerShell scripts below. They have the following features –
  - Add or remove VM names from the start/stop list easily. [You don't need PowerShell knowledge.]
  - Use the same script in multiple Azure runbooks, each with a different list of Azure VM names to start and stop, and each with its own schedule.
  - If a wrong or nonexistent VM name is added to the list, the script gives a user-friendly message instead of throwing an error, and continues with the remaining Azure VMs.
  - It can be used with a single VM as well, if required.
  - You start and stop Azure VMs on a schedule, so you obviously optimize or save Azure cost.
  - The script is available for download, so you own it and can change it in future. [That's cool 😊]
I can say all the above features are nothing but the "key differentiator" or "value proposition" compared with other Azure VM shutdown/start automation blogs and scripts. [Marketing terms; I hear them a lot 😊]

Fundamentals of Azure VM cost optimization

An Azure VM is made of compute and storage. Compute is the cores (number of cores/CPUs) and RAM you get when you provision the Azure VM. Storage is the C drive and other lettered drives [except the D drive on Windows and the sdb drive on Linux]. These drives are disks or .vhd files in an Azure storage account [if the VM is unmanaged], or disks that are part of your subscription [if the VM was created with managed disks].
When you stop an Azure VM from the portal or with the PowerShell command "Stop-AzureRMVm", the compute part of the VM is released (de-allocated). It is worth mentioning that THE STORAGE PART REMAINS.
So if you think that a VM in the de-allocated state is not charged, YOU ARE WRONG. You are not charged for the compute/cores part, but you are charged for storage capacity. However, that is cheap, so don't worry. Cores are costly, and that is where you save cost.
Also, if you shut down the Azure VM from inside the guest after taking RDP/SSH, compute is not released, so in that case you are charged for both compute and storage. Therefore it is recommended that you stop the Azure VM either from the portal or with the PowerShell command. Refer to the FAQ section in the link for more details.
Let’s go back to script part now.

Stop multiple Azure VMs script


# Define the VM names which are required to be shut down (de-allocated)
$vmNamesToBeShutDown = "vm1", "vm2", "vm3"

foreach($vmName in $vmNamesToBeShutDown)
{
    # Look the VM up by name so the resource group does not have to be hard-coded
    $resource = Find-AzureRmResource -ResourceNameEquals $vmName -ResourceType "Microsoft.Compute/virtualMachines"
    if($null -ne $resource)
    {
        # Build the message inside the quotes; "text" + $vmName as separate arguments
        # would make Write-Output emit three separate objects ("text", "+", the name)
        Write-Output "Stopping virtual machine... $vmName"
        Stop-AzureRmVM -ResourceGroupName $resource.ResourceGroupName -Name $vmName -Force
    }
    else
    {
        Write-Output "Virtual machine not found: $vmName"
    }
}

The variable $vmNamesToBeShutDown is the important part. This is where you add as many VMs as you want to de-allocate. The only requirement is that each VM name is in double quotes and the names are comma separated.
The code then goes through each VM name, checks that it exists and, if found, fires the command to de-allocate the Azure VM.

Start multiple Azure VMs script

# Define the VM names which are required to be started
$vmNamesToBeStarted = "vm1", "vm2", "vm3", "vm4"

foreach($vmName in $vmNamesToBeStarted)
{
    # Look the VM up by name so the resource group does not have to be hard-coded
    $resource = Find-AzureRmResource -ResourceNameEquals $vmName -ResourceType "Microsoft.Compute/virtualMachines"
    if($null -ne $resource)
    {
        Write-Output "Starting virtual machine... $vmName"
        Start-AzureRmVM -ResourceGroupName $resource.ResourceGroupName -Name $vmName
    }
    else
    {
        Write-Output "Virtual machine not found: $vmName"
    }
}

The structure of the start script is the same as that of the stop script, except that the command used to start the VM is Start-AzureRmVM.
Here too you only add the VM names, comma separated, and they will be started automatically once you schedule the script.

Automate and schedule the start/stop Azure VM scripts

Azure Automation lets you create a PowerShell runbook that runs automatically on a pre-defined schedule.
The guidance here is to copy and paste the scripts above into a PowerShell runbook. When you run PowerShell as a runbook, make sure you add the service principal authentication code at the start of the runbook as described in this link – http://sanganakauthority.blogspot.in/2017/05/run-login-azurermaccount-to-login.html. The authentication code must come before any other PowerShell code in the runbook. After creating the runbook, publish it; an unpublished runbook will not execute.
Then create a schedule in the Automation account as desired. Screenshot below –
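As an added example (not the post's scripts), here is one way to fold the two scripts above into a single runbook: the action and the VM list come in as parameters, so one published runbook can be attached to several schedules (one passing Stop in the evening, another passing Start in the morning, each with its own list). It starts with the Run As authentication the paragraph above asks for, using the automation account's default connection name "AzureRunAsConnection"; the VM names are whatever you pass in.

```powershell
# Added example: parameterized start/stop runbook for Azure Automation (not the post's code).
# Assumes the automation account has the default Run As connection "AzureRunAsConnection".
param(
    [Parameter(Mandatory = $true)][ValidateSet('Start', 'Stop')][string]$Action,
    [Parameter(Mandatory = $true)][string[]]$VmNames
)

# Authenticate with the Run As service principal first; nothing else works without it
$conn = Get-AutomationConnection -Name 'AzureRunAsConnection'
Add-AzureRmAccount -ServicePrincipal -TenantId $conn.TenantId -ApplicationId $conn.ApplicationId `
    -CertificateThumbprint $conn.CertificateThumbprint | Out-Null

function Invoke-VmAction {
    param([string]$Action, [string[]]$VmNames)

    foreach ($vmName in $VmNames) {
        # A VM name is only unique within a resource group, so a lookup by name can match more than one VM
        $found = @(Find-AzureRmResource -ResourceNameEquals $vmName -ResourceType 'Microsoft.Compute/virtualMachines')
        if ($found.Count -eq 0) {
            Write-Output "Virtual machine not found: $vmName"
            continue
        }
        if ($found.Count -gt 1) {
            Write-Output "Skipping ${vmName}: found in $($found.Count) resource groups, the name is ambiguous"
            continue
        }

        $rg = $found[0].ResourceGroupName
        try {
            switch ($Action) {
                'Stop' {
                    Write-Output "Stopping (de-allocating) $vmName in $rg"
                    Stop-AzureRmVM -ResourceGroupName $rg -Name $vmName -Force | Out-Null
                }
                'Start' {
                    Write-Output "Starting $vmName in $rg"
                    Start-AzureRmVM -ResourceGroupName $rg -Name $vmName | Out-Null
                }
            }
        }
        catch {
            # One failing VM must not abort the rest of the list
            Write-Output "Failed to $Action ${vmName}: $($_.Exception.Message)"
        }
    }
}

Invoke-VmAction -Action $Action -VmNames $VmNames
```

When you attach a schedule to this runbook, the portal asks for the parameter values; an array parameter such as VmNames is entered as a JSON array, for example ["vm1","vm2"]. The ambiguity check matters in shared subscriptions: the original one-match lookup would otherwise act on whichever VM of that name came back first.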



Once schedule is created, attach to runbook as below –



Similarly, you can create as many runbooks as you like and schedule them at will, and it should work.
Hope this helps.

Happy automating!!



You may be interested in – 

Domain join Azure virtual machine automatically using Azure Automation and DSC - http://sanganakauthority.blogspot.in/2017/01/domain-join-azure-vm-using-azure.html

Friday, May 19, 2017

Azure cost optimization – Send unassigned Azure public IP list using Azure PowerShell

Abstract


The cost of the Microsoft cloud is operational. This means that every month you get a bill, just like your grocery, electricity or phone bill. Having said that, companies are struggling these days to optimize or reduce their Microsoft Azure spending.
This article provides an Azure cost optimization tip: send the list of unassigned public IPs present in your Azure subscription as an email, using Azure PowerShell in an Azure Automation runbook.
I am talking about cost optimization (or cost reduction) for public IP addresses in Azure Resource Manager (ARM) mode.

Knowledge Update for you!!


In case you are not aware, it is worth mentioning that Azure has two types of public IP address –
  1. Dynamic public IP address
  2. Static public IP address
IP addresses are attached to the network interface card (NIC) of an Azure virtual machine. Their cost model is as below.


Dynamic public IP address

  1. IP address is attached to the NIC of an Azure VM and the VM is running: you are charged approx. 197 INR/month or 3$/month.
  2. IP address is attached to the NIC of an Azure VM and the VM is in the Stopped (De-allocated) state: you are not charged for the dynamic public IP address.

Static public IP address

  1. Azure static public IP addresses are charged for both reservation and usage. This is double the cost of an Azure dynamic public IP.
  2. For the first 5 static public IP addresses the reservation is FREE. They are only charged for usage, at 197 INR/month or 3$/month.
  3. All additional static public IP addresses are charged for both usage and reservation, as below -
     a. IP address is attached to the NIC of an Azure VM and the VM is running: you are charged approx. 197 INR/month or 3$/month for reservation and 197 INR/month or 3$/month for usage, a total of 394 INR/month or 6$/month.
     b. IP address is attached to the NIC of an Azure VM and the VM is in the Stopped (De-allocated) state: you are charged approx. 197 INR/month or 3$/month for reservation. There are no usage charges.
     c. IP address is created in the Azure subscription but not attached to any resource: you are still charged approx. 197 INR/month or 3$/month for reservation. There are no usage charges.

How we are going to save the azure operational cost?

From the knowledge paragraph above, it is evident that we only need to watch the static public IP cost, as dynamic public IPs are not charged when they are not in use.
Hence we can optimize, reduce or save Azure billing "by deleting Azure static public IPs which are reserved but not attached or associated to any resource".
I am going to give you an Azure Automation PowerShell runbook that emails the list of such reserved but unused static public IP addresses.
Hope we are clear here 😊.

Create Sendgrid account on Azure to send emails


To send emails from Azure I always prefer SendGrid, as it provides almost 25000 emails/month free. Get started with the email account creation here - http://sanganakauthority.blogspot.in/2017/04/send-email-from-azure-sendgrid-using.html.

Create Azure Automation account and runbook


The link below specifies the steps to provision an Azure Automation account – Create Azure Automation account.
After the Automation account is created, select Runbooks -> Add a runbook -> Quick Create. Provide the name of the runbook as "List-UnassignedPublicStaticIPs" and the runbook type as "PowerShell". Provide a meaningful description, then click Create.
Open the newly created runbook and click the Edit option.
To run the PowerShell code in this runbook against our subscription, we first need to provide authentication logic in the runbook. For that, add the code below at the top of the runbook –

# This should be your Azure connection name. It can be found under your Automation account -> Assets -> Connections
$connectionName = "AzureRunAsConnection"

try
{
    # Get the connection "AzureRunAsConnection "
    $servicePrincipalConnection = Get-AutomationConnection -Name $connectionName      
    "Logging in to Azure..."
    $account = Add-AzureRmAccount `
        -ServicePrincipal `
        -TenantId $servicePrincipalConnection.TenantId `
        -ApplicationId $servicePrincipalConnection.ApplicationId `
        -CertificateThumbprint $servicePrincipalConnection.CertificateThumbprint 
}
catch {
    if (!$servicePrincipalConnection)
    {
        $ErrorMessage = "Connection $connectionName not found."
        throw $ErrorMessage
    } else{
        Write-Error -Message $_.Exception
        throw $_.Exception
    }
}
Write-Output $account

The code segment above ensures that your Azure Automation runbook does not run into the famous error "Run Login-AzureRmAccount to login".

Retrieving unassigned static public IPs in Azure PowerShell


If an Azure public IP is not attached to any resource, its IpConfigurationText property is always null. Also, whether the public IP is dynamic or static can be read from the PublicIpAllocationMethod property.
So we will use these two properties as a filter to retrieve the static public IPs which are not allocated to any resource and are still being charged.
Below is the full command to retrieve the unassigned static public IPs, which can be deleted to reduce the monthly Azure cost.

# An unattached public IP has no IP configuration. IpConfigurationText is a JSON rendering of
# the IpConfiguration property, so for such an IP it is the literal text "null", which is what
# the first filter compares against.
$unassignedIPs = Get-AzureRmPublicIpAddress |
    Where-Object IpConfigurationText -EQ 'null' |
    Where-Object PublicIpAllocationMethod -EQ "Static" |
    ConvertTo-Html Name, IpAddress, ResourceGroupName, PublicIpAllocationMethod |
    Out-String

$unassignedIPs now contains the IP addresses as an HTML table. Next we need to send it by email, so use the SendGrid PowerShell code below -
# SendGrid SMTP login. Rather than typing the user name and password into the runbook,
# store them as an Automation credential asset and read them with Get-AutomationPSCredential,
# so the secret is not visible to everyone who can read the runbook.
$Username = "YourUserName"
$Password = ConvertTo-SecureString "YourPassword" -AsPlainText -Force
$credential = New-Object System.Management.Automation.PSCredential $Username, $Password

$SMTPServer = "smtp.sendgrid.net"
$EmailFrom = "No-reply@azureadmin.com"
[string[]]$EmailTo = "YourEmail"
$Subject = "List of Un-assigned Public IPs"

# $unassignedIPs is the HTML table built above; the reminder is appended after it
$Body = $unassignedIPs + "Remember, every un-assigned Static IP is charged at the rate of <b>200 INR/Month</b>. So please delete it if not required."

# SendGrid accepts authenticated, TLS-protected submission on port 587
Send-MailMessage -SmtpServer $SMTPServer -Credential $credential -UseSsl -Port 587 -From $EmailFrom -To $EmailTo -Subject $Subject -Body $Body -BodyAsHtml
Write-Output "Email sent successfully."

This code emails the list of all unassigned static public IPs.
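As an added example (not the post's runbook), here is the same report assembled into two functions, with the SendGrid login taken from an Automation credential asset instead of being written into the runbook, the filter expressed directly on the IpConfiguration property, and an early exit when there is nothing to report. The credential asset name "SendGridCredential" and the sender and recipient addresses are assumptions to replace with your own.

```powershell
# Added example: unassigned static public IP report with the SMTP login read from an
# Automation credential asset. Not the post's code. Assumed asset name: "SendGridCredential".

function Get-UnassignedStaticPublicIp {
    # An unattached public IP has no IpConfiguration (its IpConfigurationText is the text "null");
    # checking the object directly avoids depending on that JSON rendering.
    Get-AzureRmPublicIpAddress |
        Where-Object { $null -eq $_.IpConfiguration -and $_.PublicIpAllocationMethod -eq 'Static' } |
        Select-Object Name, IpAddress, ResourceGroupName, PublicIpAllocationMethod
}

function Send-UnassignedIpReport {
    param(
        [Parameter(Mandatory = $true)][pscredential]$Credential,
        [string]$From = 'no-reply@example.com',          # assumption: your sender address
        [string[]]$To = @('azure-admins@example.com')    # assumption: your recipients
    )

    $ips = @(Get-UnassignedStaticPublicIp)
    if ($ips.Count -eq 0) {
        Write-Output 'No unassigned static public IPs found; nothing to send.'
        return
    }

    $table = $ips | ConvertTo-Html -Fragment | Out-String
    $body  = "<p>$($ips.Count) static public IP address(es) are reserved but not attached to any resource:</p>$table" +
             '<p>Every reserved but unassigned static IP is billed for reservation; delete it if it is not required.</p>'

    Send-MailMessage -SmtpServer 'smtp.sendgrid.net' -Port 587 -UseSsl -Credential $Credential `
        -From $From -To $To -Subject "Unassigned static public IPs ($($ips.Count))" -Body $body -BodyAsHtml
    Write-Output "Report with $($ips.Count) entries sent."
}

# The credential asset is created under Automation account -> Assets -> Credentials
$sendGridCredential = Get-AutomationPSCredential -Name 'SendGridCredential'
Send-UnassignedIpReport -Credential $sendGridCredential
```

The runbook text is readable by anyone with access to the Automation account, which is why the SMTP password belongs in a credential asset rather than in the script; the rest of the logic is unchanged from the post.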

Now run the runbook from the "Test pane" and verify that you receive an email about the unassigned static public IP addresses in your subscription. Then publish the runbook and attach a schedule to it, so that it executes automatically and you receive the email regularly. The best frequency would be every Monday morning at 9 AM, when the office starts 😊.

Next Step

Obviously, delete the unassigned Azure public IPs from your subscription. You have the list in your inbox; now delete them manually. Or, if you are smart enough, use the command – Remove-AzureRmPublicIpAddress

That’s all folks.
Happy Cost Optimization on Cloud!!