Azure AD Error–Invalid Grant–Application is not assigned to a Role for application

ERROR

"error": "invalid_grant",

"error_description": "AADSTS501051: Application '5669c008-20c0-4118-AAAAAAA' (APP-01) is not assigned to a role for the application '5669c008-20c0-4118-8f45-AAAAAAAA' (APP-01).",

"error_codes": [501051]

SOLUTION 1

Go to Portal > Active Directory > Enterprise Applications > Choose your App > Set User assignment required to No. Note that this lets every user in the tenant sign in to the application; if the app should be limited to specific users, use Solution 2 instead.


SOLUTION 2

Alternatively, assign the user to the application: go to Users > Add User.

Azure Active Directory Error – Code: Authorization_RequestDenied

While working with Azure Active Directory, I encountered the following error with the code below:

    using System;
    using System.Net.Http.Headers;
    using Microsoft.Graph;
    using Microsoft.IdentityModel.Clients.ActiveDirectory;

    // App registration values (redacted in the original post)
    string clientID = "970a3de9-6714-4a1e-81b7aaaa";
    string clientSecret = "I0ieHQ3.8DCQ3HX.RkVEbc:u_dddd";
    string tenantID = "0f0a4aac-8998-4f49-8a17-eeeee";

    string resourceID = "https://graph.microsoft.com";
    Uri loginURI = new Uri("https://login.microsoftonline.com/");

    // Bearer token via the client-credentials flow (ADAL)
    string authority = new Uri(loginURI, tenantID).AbsoluteUri;
    AuthenticationContext authenticationContext = new AuthenticationContext(authority);
    ClientCredential clientCredential = new ClientCredential(clientID, clientSecret);
    AuthenticationResult authenticationResult = authenticationContext.AcquireTokenAsync(resourceID, clientCredential).Result;

    // Call Microsoft Graph /users, attaching the token to every request
    IGraphServiceUsersCollectionPage users = new GraphServiceClient(new DelegateAuthenticationProvider(
        async (requestMessage) =>
        {
            requestMessage.Headers.Authorization = new AuthenticationHeaderValue("Bearer", authenticationResult.AccessToken);
        })).Users.Request().GetAsync().Result;

The error displayed is shown below:

System.AggregateException: One or more errors occurred.
(Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
Inner error:
    AdditionalData:
    request-id: 22ffcc47-67bd-4ad6-9558-66581d8b0734
---> Microsoft.Graph.ServiceException: Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
Inner error:
    AdditionalData:
    request-id: 22ffcc47-67bd-4ad6-9558-66581d8b0734
    date: 2020-01-07T16:52:11
ClientRequestId: 22ffcc47-67bd-4ad6-9558-66581d8b0734

   at Microsoft.Graph.HttpProvider.SendAsync(HttpRequestMessage request, HttpCompletionOption completionOption, CancellationToken cancellationToken)
   at Microsoft.Graph.BaseRequest.SendRequestAsync(Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)
   at Microsoft.Graph.BaseRequest.SendAsync[T](Object serializableObject, CancellationToken cancellationToken, HttpCompletionOption completionOption)
   at Microsoft.Graph.GraphServiceUsersCollectionRequest.GetAsync(CancellationToken cancellationToken)
   --- End of inner exception stack trace ---
   at System.Threading.Tasks.Task`1.GetResultCore(Boolean waitCompletionNotification)
   at AzureADPassPOC.Controllers.ValuesController.Get() in C:\Programs\AzureADPassPOC\AzureADPassPOC\Controllers\ValuesController.cs:line 45
---> (Inner Exception #0) Status Code: Forbidden
Microsoft.Graph.ServiceException: Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
(same inner error, request-id and Graph stack frames as above)<---

Solution

Enable the Directory.Read.All application permission on Microsoft Graph. (For listing users alone, the narrower User.Read.All permission is sufficient.)

Open Portal > Active Directory > App Registration > API Permissions blade


Choose Application Permissions > Microsoft Graph API > Directory.Read.All


Save the changes and run the code again. Application permissions take effect only after an administrator grants consent, so click Grant admin consent on the same blade if the error persists.

The error should disappear.

Data Classification & Storage

Application data can be classified in 3 ways:

  • Structured
  • Semi-Structured
  • Unstructured

Structured Data

Relational Data with Columns & Data Types.

Example: Financial Statements

Apt for SQL Server

Semi-Structured Data

Dynamic Columns with No pre-defined Data Types.

Example: Product Catalog

Apt for Cosmos DB

Unstructured Data

Files such as Images & Videos

Apt for BLOB Storage.

More Parameters

Following are more parameters which determine the storage of data.

Data Location

The region where data is stored, such as East US or West Europe. Where data compliance rules demand that data must not cross country boundaries, the location must be chosen more carefully.

Data Redundancy

Data redundancy ensures that data is copied to an alternative location, which is useful in disaster recovery scenarios.

VNETs

If the data contains proprietary information, access to it can be restricted to a VNET (Virtual Network) only.

Data Encryption

Data encryption can be applied at rest and in transit. Encryption at rest is provided by TDE (Transparent Data Encryption) in Azure SQL and by the built-in encryption of Cosmos DB, Storage Accounts etc. Encryption in transit is provided by enabling HTTPS.

Storage Accounts

A Storage Account groups the management of data held as blobs, files, tables & queues.

Create VNET & VNET Peering in Azure using CLI

In this post we learn how to create 2 VNETs and enable VNET Peering between them.

Azure VNET

An Azure VNET provides a private network within Azure. A VNET must specify an address space, and it is divided into subnets, which are segments of that address space.

VNET Peering

Two VNETs can communicate with each other using VNET Peering. Peered traffic bypasses the Internet and public IP addresses and stays on the local Azure network, which is faster and offers higher bandwidth without any encryption being needed. Thus VNET Peering is faster and safer too.

Peered VNETs allow resources (e.g. VMs) to communicate with each other as if they were in the same network.

VNET Peering can be configured across regions and subscriptions too.


Create VNET

Open the Azure CLI and run the following commands. The two VNETs must use non-overlapping address spaces (10.1.0.0/16 and 10.2.0.0/16 here): Azure rejects a peering between VNETs whose address spaces overlap.

az login

az network vnet create --resource-group jp_azure --name VNET1 \
    --address-prefix 10.1.0.0/16 --subnet-name Apps --subnet-prefix 10.1.1.0/24 \
    --location eastus

az network vnet create --resource-group jp_azure --name VNET2 \
    --address-prefix 10.2.0.0/16 --subnet-name Apps --subnet-prefix 10.2.1.0/24 \
    --location eastus

az network vnet list --output table

Create VMs

Now we can create a VM in each of the VNETs. A VM must be created in the same region as its VNET, so the location matches the VNETs above. Azure rejects reserved account names such as admin or administrator, so a different admin username is used, and the password is single-quoted so the shell does not expand the "!".

az vm create --resource-group jp_azure --no-wait --name VM1 --location eastus \
    --vnet-name VNET1 --subnet Apps --image win2016datacenter \
    --admin-username vmadmin --admin-password 'administrator1!'

az vm create --resource-group jp_azure --no-wait --name VM2 --location eastus \
    --vnet-name VNET2 --subnet Apps --image win2016datacenter \
    --admin-username vmadmin --admin-password 'administrator1!'

Create VNET Peering

Now we can create the VNET peering using the following commands. The first peering is created on VNET1 and points at VNET2.

az network vnet peering create --name VNET1-TO-VNET2 --resource-group jp_azure \
    --vnet-name VNET1 --remote-vnet VNET2 --allow-vnet-access

Following is for the reciprocal connection; the peering is only fully established once both directions exist.

az network vnet peering create --name VNET2-TO-VNET1 --resource-group jp_azure \
    --vnet-name VNET2 --remote-vnet VNET1 --allow-vnet-access
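As an added pre-flight check (example script, not from the original post): Azure rejects a peering whose two address spaces overlap, so verifying the prefixes before running the peering commands above avoids a failed deployment. The script is plain bash with no az calls; the prefixes are the values used in this post, and the post's original identical 10.1.0.0/16 on both VNETs is included to show the refusal.

```shell
#!/usr/bin/env bash
# Pre-flight check before "az network vnet peering create": peered VNETs must
# have non-overlapping address spaces. Added example, not from the original post.

# Convert a dotted-quad IPv4 address to a 32-bit integer.
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_overlap A/len B/len: return 0 if the two blocks overlap, 1 otherwise.
cidr_overlap() {
    local a_ip=${1%/*} a_len=${1#*/} b_ip=${2%/*} b_len=${2#*/}
    local a b mask len
    a=$(ip_to_int "$a_ip")
    b=$(ip_to_int "$b_ip")
    # Two blocks overlap iff they agree on the shorter of the two prefix lengths.
    len=$(( a_len < b_len ? a_len : b_len ))
    mask=$(( len == 0 ? 0 : (0xFFFFFFFF << (32 - len)) & 0xFFFFFFFF ))
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# check_peering A/len B/len: print a verdict; return 0 when the pair may be
# peered, 1 when the address spaces overlap and peering would be rejected.
check_peering() {
    if cidr_overlap "$1" "$2"; then
        echo "REFUSE: $1 and $2 overlap; peering would fail"
        return 1
    fi
    echo "OK: $1 and $2 are disjoint"
    return 0
}

# Constructed inputs: the post's original (identical) prefixes vs the corrected pair.
check_peering 10.1.0.0/16 10.1.0.0/16 || :   # REFUSE
check_peering 10.1.0.0/16 10.2.0.0/16        # OK
```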

Testing

Log in to VM1 using its public IP and ping VM2 using its private IP. If the ping succeeds, the VNET peering was created successfully. Note that the Windows firewall on VM2 blocks ICMP echo requests by default, so allow them there before testing.

Summary

In this post we have explored how to create 2 VNETs and enable VNET Peering between them.

Network Security Group (NSG)

An NSG protects Azure resources from unauthorized network access. In this post we look at the features of Azure NSGs.

Capabilities

You can restrict database servers so that they are only accessed from application servers, thus protecting legacy business data.

Rules can be configured to allow access.

Rules can be configured to deny access.

Restrictions can be set based on the VNET.

Flexibility

NSG offers the following flexibilities:

  • Automatically created along with Azure resources
    • Inbound & outbound rules are created automatically
      • e.g. a port 3389 Allow rule for a VM
  • Reusable across multiple Azure resources
    • Create an NSG for a VM and reuse it across multiple VMs
  • Tag-based restriction possible
    • e.g. VirtualMachine, AppService etc.

Example

Create a VM > Observe the NSG that is created automatically.


Try accessing the VM from Windows RDP. You should be able to log in.


Delete the 3389 rule. Wait 1 minute for the NSG change to take effect. Try logging in again. You should be denied.


Note

Inbound rules restrict incoming traffic to the resource.

Outbound rules restrict outgoing traffic from the resource.
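The experiment above can be reproduced offline with a small first-match evaluator (added example, not from the original post): it models the auto-created RDP rule plus Azure's three default inbound rules, which is why deleting the RDP rule denies RDP from the Internet while a client inside the VNET is still allowed. The rule lines and the source tags Internet and VirtualNetwork are constructed inputs.

```shell
#!/usr/bin/env bash
# First-match NSG inbound evaluator (added example, not from the original post).
# Rule format (constructed): "priority name source dport action".

# Azure's default inbound rules, present in every NSG and evaluated last.
DEFAULT_INBOUND='65000 AllowVnetInBound VirtualNetwork * Allow
65001 AllowAzureLoadBalancerInBound AzureLoadBalancer * Allow
65500 DenyAllInBound * * Deny'

# The rule the portal adds for a Windows VM (source Any, destination port 3389).
RDP_RULE='300 RDP * 3389 Allow'

# evaluate_inbound "<rules>" <source-tag> <dport>
# Prints the first matching rule (lowest priority number wins); returns 0 for
# Allow, 1 for Deny, 2 if nothing matched (a real NSG always ends in DenyAllInBound).
evaluate_inbound() {
    local rules=$1 src=$2 port=$3
    printf '%s\n' "$rules" | sort -n | {
        while read -r prio name rsrc rport action; do
            [ "$rsrc" = '*' ] || [ "$rsrc" = "$src" ] || continue
            [ "$rport" = '*' ] || [ "$rport" = "$port" ] || continue
            echo "$name"
            [ "$action" = Allow ] && exit 0
            exit 1
        done
        exit 2
    }
}

# Scenario 1: NSG as created by the portal (RDP rule present).
rdp_from_internet_before() {
    evaluate_inbound "$RDP_RULE
$DEFAULT_INBOUND" Internet 3389
}
# Scenario 2: RDP rule deleted, as in the experiment above.
rdp_from_internet_after() { evaluate_inbound "$DEFAULT_INBOUND" Internet 3389; }
# Same NSG after deletion, but the client sits inside the (peered) VNET.
rdp_from_vnet_after() { evaluate_inbound "$DEFAULT_INBOUND" VirtualNetwork 3389; }

rdp_from_internet_before           # RDP (allowed)
rdp_from_internet_after || :       # DenyAllInBound (denied)
rdp_from_vnet_after                # AllowVnetInBound (allowed)
```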

Summary

In this post we have explored the features of NSGs and performed a test.

Azure Infrastructure – Connecting On-Premise Network to Azure

One of the challenges for organizations migrating on-premises resources to Azure is security.

  • How to transfer data securely over the Internet?
  • What are the Alternatives?

VPN Gateway

A Virtual Private Network is a private interconnection that uses an encrypted tunnel to communicate between 2 private networks. The problem of the untrusted Internet is resolved by encrypting the communications.

A VPN Gateway is a type of Virtual Network Gateway that allows Site-to-Site, Point-to-Site and Network-to-Network connections.

  • Site-to-Site connections connect an on-premises datacenter to Azure Virtual Networks.
  • Point-to-Site connections connect individual user devices to Azure Virtual Networks.
  • Network-to-Network connections connect an Azure Virtual Network to other Azure Virtual Networks.

ExpressRoute

Azure ExpressRoute provides secure, dedicated, high-bandwidth connections between your on-premises network and Azure. It bypasses the Internet and is therefore more secure. Note that ExpressRoute gives you a private path, not encryption: traffic on the circuit is not encrypted unless you add that yourself.

Following are the Features of Express Route:

  • Layer-3 Connectivity
  • Faster Access due to Peering of Networks
  • More Security
  • Higher Bandwidth
  • Bypasses Public Internet
  • Available in all Locations
  • Office365 Connectivity through Microsoft Peering

Following are the Drawbacks of Express Route:

  • An ExpressRoute circuit, which is a physical connection, must be provisioned through a connectivity provider
  • Higher cost

A few ExpressRoute providers are listed in the image below.

[image: list of ExpressRoute providers]

Virtual Network Gateway

A Virtual Network Gateway is required to connect 2 networks, either as:

  • VPN
  • ExpressRoute

When to choose VPN Gateway?

  • Low bandwidth requirements
  • Point-to-Site scenarios
  • Occasional connectivity
  • Moderate data security

When to choose ExpressRoute?

  • Dedicated connection required
  • High security for data
  • Faster & continuous access


Azure App Identity & Service Principal

An Azure Service Principal is a security identity used by apps and background services. It fills the role of a user identity for applications that need one, similar to Windows service accounts in the past.

Advantages

The advantages of an App Identity are as follows:

  • Allows multiple apps to use the same identity
  • Can use a certificate to authenticate instead of a password
  • No password expiry overheads
  • Can restrict read/write access

On App Registration two objects are created – the App object & the Service Principal object.

Setting Access at Subscription Level

We can grant the Service Principal object access at the subscription level. Go to Home > Subscriptions > Access Control (IAM)


In the window that appears, choose the App Registration created just now and select the Role.


Save changes for completing the Role assignment.

Access Scope

Access scope can be set at the following levels.

  • Subscription Level
  • Resource Group Level
  • Resource Level
