Azure Migrate, Azure Site Recovery, Azure Database Migration Service & Disaster Recovery

January 18, 2020January 19, 2020 ~ Jean Paul ~ Leave a comment

For migrating on-premise applications to Azure, following tools are available to help you:

Azure Migrate
Azure Site Recovery
Azure Database Migration Service

Planning Phase

Before migrating to Azure, you will have to do a Planning on your existing applications, technologies, hosting methodologies & their corresponding equivalent in Azure.

Azure Migrate

Azure Migrate is a free service which will help in discover, assess & migrate on-premise systems to Azure.

Azure Migrate can do the Assessment with following steps:

Configure Appliance on Server
Run Agents on each VM
Create Assessment

Azure Site Recovery

Azure Site Recovery is a Disaster Recovery strategy which can also be used to Migrate On-Premises VM to Azure.

Database Migration Service

Database Migration Service helps to asses the Compatibility of source database against destination Azure database & Also migrate the data.

Disaster Recovery

Business Continuity and Disaster Recovery is Essential to prevent Revenue Loss & Maintaining SLAs of businesses. Azure provides Disaster Recovery through Azure Site Recovery strategy.

For the same, one has to understand RTO & RPO during a disaster:

Recovery Time Objective (RTO) is maximum time business can survive until service restoration
Recovery Point Objective (RPO) is maximum data business can loose until service restoration

Azure Site Recovery is an important tool for Disaster Recovery & Business Continuity. ASR will replicate workloads from primary site to secondary site during a disaster. Replication can happen:

From VM to Azure
From Azure Region to another Azure region

Note

Failover is the process of switching service from primary to secondary during disaster.

Failback is the process of switching service back to primary when it is recovered.

HADR – High Availability Disaster Recovery

BCDR – Business Continuity Disaster Recovery

Azure Active Directory–How to protect a Web Application without Code

January 17, 2020January 18, 2020 ~ Jean Paul ~ Leave a comment

In this post I would be demonstrating how to protect a web site without any code changes.

Advantages

High Protection Web Site will not serve any html, js, css files without Authentication (MSAL protection causes few MSAL JS to be served to do authentication – this may be restricted by Information Security groups of Enterprise class customers)
Same Code can be deployed multiple places as the Authentication pieces being decoupled

Create Web Application

Create a web application of ASP.NET or Angular.

Publish to Azure

Publish to Azure so that an App Service is created.

Set the Authentication

Test the Application

Now you can test the application & the login prompt happens.

Note

In the background the App Service is adding Redirect URL

https://working-angular-webapi.azurewebsites.net/.auth/login/aad/callback

Client Side Applications

For client side applications, you can always refer the following URL to get the current ID Token for the Authenticated User. It can also be used as Access Token as the Audience is same as Client ID.

https://working-angular-webapi.azurewebsites.net/.auth/me

Summary

In this post we have seen how to do No Code protection of web application using Azure Active Directory.

How to Restrict IP Address to your App Service?

January 17, 2020March 28, 2020 ~ Jean Paul ~ Leave a comment

We can restrict a particular IP Address OR a range of them from accessing your App Service.

Go to App Service > Networking tab > Access Restrictions

Click Configure Access Restrictions > Add Rule

Choose the Deny option and Add rule .

(you can go to whatismyip.com to get your IP and putting it over there)

Testing

Now try accessing the website – You should get the following error.

Azure AD Search using C#

January 15, 2020 ~ Jean Paul ~ Leave a comment

In this post I would like to give a Sample to Search on Azure Active Directory using Filter.

Pre-Requisites

Following are the pre-requisites:

Create AD > App Registration & Client Credentials
Assign Directory.Read.All “application” permission & Provide Admin Consent

The Code

private async static void SerachAzureAD(string search)
        {
                string clientID = “YOUR-CLIENT-ID”;
                string clientSecret = “YOUR-CLIENT-SECRET”;
                string tenantID = “YOUR-AD-TENANT-ID”;

string graphApiResource = “https://graph.microsoft.com”;
Uri microsoftLogin = new Uri(“https://login.microsoftonline.com/”);

               string authority = new Uri(microsoftLogin, tenantID).AbsoluteUri;
                AuthenticationContext authenticationContext = new AuthenticationContext(authority);
                ClientCredential clientCredential = new ClientCredential(clientID, clientSecret);

// Picks up the bearer token.
AuthenticationResult authenticationResult = authenticationContext.AcquireTokenAsync(graphApiResource, clientCredential).Result;

               GraphServiceClient graphClient = new GraphServiceClient(new DelegateAuthenticationProvider(
                async (requestMessage) =>
                {
                    requestMessage.Headers.Authorization = new AuthenticationHeaderValue(“bearer”, authenticationResult.AccessToken);
                }));

string filter = $”startswith(displayName, ‘{search}’) or startswith(givenName, ‘{search}’) or startswith(surname, ‘{search}’) or startswith(mail, ‘{search}’) or startswith(userPrincipalName, ‘{search}’)”;
//$”$filter=displayName EQ {search}”;

               IGraphServiceUsersCollectionPage users = graphClient.Users.Request()
                    .Filter(filter)
                    .GetAsync().Result;

Console.WriteLine(“Searching..”);

               while (users.Count > 0)
                {
                    foreach (var user in users.CurrentPage)
                    {
                        Console.WriteLine(user.DisplayName);
                    }

                   if (users.NextPageRequest != null)
                    {
                        users = await users.NextPageRequest
                            .GetAsync();
                    }
                    else
                    {
                        break;
                    }
                }

}

Result

Summary

In this post we have seen how to do Azure Active Directory Search using C# & Search Filters.

Minimal Code to Protect Web API with Azure AD

January 15, 2020January 14, 2020 ~ Jean Paul ~ Leave a comment

In this post we can see the most minimal code to protect a Web API with Azure AD.

This protected Web API can be used for both:

Frontend Flow with ID Token
Backend Flow with Access Token

Create App Registration

Create App Registration with ID Token & Access Token enabled.

Note down the Client ID & Tenant ID

Create Web API Project

Create a .net core web application, add a ToDo controller into it with get & post methods.

Configuration add the following section into app.config

“AzureActiveDirectory”: {
   “Instance”: “https://login.microsoftonline.com/”,
   “TenantId”: “YOUR-TENANT-ID”,
   “ClientId”: “YOUR-CLIENT-ID”
}

Startup Code

using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Authentication.AzureAD.UI;
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Mvc;
using Microsoft.AspNetCore.Mvc.Cors.Internal;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

namespace WebAPI
{
     public class StartupTest
     {
         public StartupTest(IConfiguration configuration)
         {
             Configuration = configuration;
         }

public IConfiguration Configuration { get; }

        public void ConfigureServices(IServiceCollection services)
         {
             var options = new AzureADOptions();
             Configuration.Bind(“AzureActiveDirectory”, options);

            services.AddAuthentication(op => { op.DefaultScheme = JwtBearerDefaults.AuthenticationScheme; })
             .AddJwtBearer(op =>
             {
                 op.Authority = options.Instance + options.TenantId;
                 op.TokenValidationParameters = new Microsoft.IdentityModel.Tokens.TokenValidationParameters
                 {
                     ValidAudience = options.ClientId,
                     ValidateIssuer = false,
                     ValidateIssuerSigningKey = false
                 };
             });

            services.AddCors(o => o.AddPolicy(“MyPolicy”, builder =>
             {
                 builder.AllowAnyOrigin()
                        .AllowAnyMethod()
                        .AllowAnyHeader();
             }));

            services.AddMvc();
             services.Configure<MvcOptions>(op =>
             {
                 op.Filters.Add(new CorsAuthorizationFilterFactory(“CorsPolicy”));
             });
         }

        public void Configure(IApplicationBuilder app, IHostingEnvironment env)
         {
             if (env.IsDevelopment())
             {
                 app.UseDeveloperExceptionPage();
             }
             else
             {
                 app.UseHsts();
             }

             app.UseHttpsRedirection();
             app.UseCors(“MyPolicy”);
             app.UseAuthentication();
             app.UseMvc();
         }
     }
}

Controller Code

[Authorize]
    [ApiController]
    [Route(“api/[controller]”)]
    [EnableCors(“CorsPolicy”)]
    public class TodoListController : ControllerBase

Testing

You can create a Client App with the same Client ID and get the ID Token to access the API.

You can create a Postman Request with same Client ID & Client Secret and get the Access Token to access the API.

Azure Active Directory Learnings–Zero to Production

January 13, 2020January 13, 2020 ~ Jean Paul ~ Leave a comment

In this post I would like to note down the AAD aspects. This would be helpful for anyone who wanted to Integrate Authentication & Authorization with their applications.

Azure Active Directory

AAD is an Identity management system hosted in Microsoft Azure cloud. It can offer authentication & authorization for applications.

AAD can provide Authentication & Authorization for Web Applications, Desktop Applications & Mobile Applications as well.

OAuth2 & OpenID Connect

OAuth2 is an Authorization protocol.

OpenID Connect can be used for both Authentication & Authorization

Comparison of SAML vs OAuth2 vs OIDC

App Registration for Frontend

App Registration + ID Token

App Registration for Backend

App Registration + Client Credential Flow

App Registration for Frontend & Backend

App Registration + ID Token + Access Token

Pro-Tools

Following are few tools than can help in your adventure:

Postman
Advanced REST Client
https://jwt.io

Accessing Storage Account from VNET

January 13, 2020March 29, 2020 ~ Jean Paul ~ Leave a comment

In Azure, we can create Storage Account which is having a default Public URL. Even though Credential Protection is there – Still it is exposed to Public Access. This may cause issues with Enterprise Customers.

In this post we can see how to protect the Storage Account by preventing Public Access & Only allowing Access from VNET.

Pre-Requisites

For our experiment please create the following resources in same region:

App Service
Virtual Network (VNET)

Add a new Subnet named Frontend

Storage Account

Create a container named “my-blobs”
Upload a blob named readme.txt into the container

Create Sample Application

Create an Web API Sample Application which Reads data from a Blob Storage using code below.

Add namespaces Microsoft.Azure.Storage.Blob, Azure.Storage.Blob packages.

using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Threading.Tasks;
using Azure.Storage.Blobs;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Logging;

namespace jp_test_mvc.Controllers
{
     [ApiController]
     [Route(“[controller]”)]
     public class BlobController : ControllerBase
     {
         private readonly ILogger<WeatherForecastController> _logger;

        public BlobController(ILogger<WeatherForecastController> logger)
         {
             _logger = logger;
         }

        [HttpGet]
         public async string Get()
         {
             string result = string.Empty;

            try
             {
                 BlobServiceClient blobServiceClient = new BlobServiceClient(“connectionString”);
                 BlobContainerClient containerClient = blobServiceClient.GetBlobContainerClient(“my-blobs”);
                 BlobClient blobClient = containerClient.GetBlobClient(“readme.txt”);

                var response = await blobClient.DownloadAsync();
                 using (var streamReader = new StreamReader(response.Value.Content))
                 {
                     while (!streamReader.EndOfStream)
                         result += await streamReader.ReadLineAsync();
                 }
             }
             catch (Exception ex)
             {
                 result = ex.ToString();
             }

            return result;
         }
     }
}

Test the Application

Test the application URL & You should get the following result.

https://localhost:44309/blob

Modify the Storage Account Settings

Now go to the Storage Account > Firewall settings & Change the option to Selected Network option. Save changes.

Test the application now & You should get the Exception below.

Add the VNET

Go to App Service > Networking > Configure VNET > Select Frontend Subnet

Go to Storage Account > Firewall > Add existing Virtual Network > Select Frontend

Test Again

Save Changes & Test Again

Now you should get the Contents of the Blob back as shown below.

Azure AD Error–Invalid Grant–Application is not assigned to a Role for applciation

January 13, 2020January 13, 2020 ~ Jean Paul ~ Leave a comment

ERROR

“error”: “invalid_grant”,

“error_description”: “AADSTS501051: Application ‘5669c008-20c0-4118-AAAAAAA(APP-01) is not assigned to a role for the application ‘5669c008-20c0-4118-8f45-AAAAAAAA'(APP-01).

“error_codes”: [501051]

SOLUTION 1

Go to Portal > Active Directory > Enterprise Applications > > Choose your App > Set User assignment required to No

SOLUTION 2

Go to Users > Add User

Azure Active Directory Error – Code: Authorization_RequestDenied

January 5, 2020January 7, 2020 ~ Jean Paul ~ Leave a comment

While working with Azure Active Directory, I encountered following error on code below:

            string clientID = “970a3de9-6714-4a1e-81b7aaaa”;
             string clientSecret = “I0ieHQ3.8DCQ3HX.RkVEbc:u_dddd”; .
                 string tenantID = “0f0a4aac-8998-4f49-8a17-eeeee”;

string resourceID = “https://graph.microsoft.com”;
Uri loginURI = new Uri(“https://login.microsoftonline.com/”);

            // Bearer Token
             string authority = new Uri(loginURI, tenantID).AbsoluteUri;
             AuthenticationContext authenticationContext = new AuthenticationContext(authority);
             ClientCredential clientCredential = new ClientCredential(clientID, clientSecret);
             AuthenticationResult authenticationResult = authenticationContext.AcquireTokenAsync(resourceID, clientCredential).Result;

             IGraphServiceUsersCollectionPage users = new GraphServiceClient(new DelegateAuthenticationProvider(
                 async (requestMessage) =>
                 {
                     requestMessage.Headers.Authorization = new AuthenticationHeaderValue(“Bearer”, authenticationResult.AccessToken);
                 })).Users.Request().GetAsync().Result;

Error displayed below

["System.AggregateException: One or more errors occurred.

(Code: Authorization_RequestDenied\r\nMessage: Insufficient privileges to complete the operation.

Inner error:AdditionalData:\r\n\trequest-id: 22ffcc47-67bd-4ad6-9558-66581d8b0734

---> Microsoft.Graph.ServiceException: Code: Authorization_RequestDenied

Message: Insufficient privileges to complete the operation.\r\nInner error:

AdditionalData:\r\n\trequest-id: 22ffcc47-67bd-4ad6-9558-66581d8b0734\r\n\tdate: 2020-01-07T16:52:11\r\nClientRequestId: 22ffcc47-67bd-4ad6-9558-66581d8b0734\r\n\r\n at Microsoft.Graph.HttpProvider.SendAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)\r\n at Microsoft.Graph.BaseRequest.SendRequestAsync(Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)\r\n at Microsoft.Graph.BaseRequest.SendAsync[T](Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)\r\n at Microsoft.Graph.GraphServiceUsersCollectionRequest.GetAsync(CancellationToken cancellationToken)\r\n --- End of inner exception stack trace ---\r\n at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)\r\n at AzureADPassPOC.Controllers.ValuesController.Get() in C:\\Programs\\AzureADPassPOC\\AzureADPassPOC\\Controllers\\ValuesController.cs:line 45\r\n---> (Inner Exception #0) Status Code: Forbidden\r\nMicrosoft.Graph.ServiceException: Code: Authorization_RequestDenied\r\nMessage: Insufficient privileges to complete the operation.\r\nInner error:\r\n\tAdditionalData:\r\n\trequest-id: 22ffcc47-67bd-4ad6-9558-66581d8b0734\r\n\tdate: 2020-01-07T16:52:11\r\nClientRequestId: 22ffcc47-67bd-4ad6-9558-66581d8b0734\r\n\r\n at Microsoft.Graph.HttpProvider.SendAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)\r\n at Microsoft.Graph.BaseRequest.SendRequestAsync(Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)\r\n at Microsoft.Graph.BaseRequest.SendAsync[T](Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)\r\n at Microsoft.Graph.GraphServiceUsersCollectionRequest.GetAsync(CancellationToken cancellationToken)<---\r\n"]

Solution

Enable Directory.ReadAll permission on Graph

Open Portal > Active Directory > App Registration > API Permissions blade

Choose Application Permissions > Graph API > Directory.ReadAll

Save changes & Run the code again.

The error should disappear.