Get Microsoft 365 Quick Evaluation Action is part of App Compliance Automation Tool(ACAT). With get Microsoft 365 quick evaluation Action you can now get Microsoft 365 quick evaluation of Azure Resources by report or by deployment from your Github Workflows. Since the get Microsoft 365 quick evaluation action can be added directly after the resource deployment, you can have a immediately result of the compliance status of resources deployed this time. Its now even easier to follow safe deployment practices and catch non-compliant issues.
New to ACAT? Its an Azure service that help you to get M365 compliance certificate easily. To know more check out: What is App Compliance Automation Tool(ACAT)
The definition of this Github Action is in action.yml
Note
ACAT GitHub Actions support is preview and only supports apps built on Microsoft Azure. Future updates will include functionality for apps built on other clouds.
- Azure Login Action: Authenticate using Azure Login action. The get Microsoft 365 quick evaluation action assumes that Azure Login is done using an Azure service principal that has sufficient permissions trigger and get quick evaluation on the selected scopes. Once login is done, the next set of actions in the workflow can perform tasks such as geting quick evaluation by report or by deployment. For more details on permissions, checkout 'Configure credentials for Azure login action' section in this page or alternatively you can refer the full documentation of Azure Login Action.
- Create an ACAT report(optional): Go to Azure Portal to create an ACAT report for you application, see ACAT tutorial. At least one of the 2 optional pre-requisites
Create an ACAT reportandPrepare the deployment idmust be done. - Prepare the deployment id or ids(optional): You can also get quick evaluation by your deployment, set the deployment id as output in your former deploy action, and take the deployment id as input of get Microsoft 365 quick evaluation action. At least one of the 2 optional pre-requisites
Create an ACAT reportandPrepare the deployment idsmust be done.
report-name: Optional. If you want to get Microsoft 365 quick evaluation by report, you should create a report before you run the github action and set the report-name value the name of the report you created.How to create an ACAT report.At least one of the 2 parametersreport-nameanddeployment-idsmust be filled. (If bothreport-nameanddeployment-idsare filled, the action will help get evaluation of the resources in the deployments, and update the report's resource list with the resources in the deployment).deployment-ids: Optional. If you want to get Microsoft 365 quick evaluation by deployment, you should get the id of your deployment, and pass the value todeployment-ids. At least one of the 2 parametersreport-nameanddeployment-idsmust be filled.(If bothreport-nameanddeployment-idsare filled, the action will help get evaluation of the resources in the deployments, and update the report's resource list with the resources in the deployment).
- If you deploy resources through github actions by ARM template, you can specify deployment-id as the output. Then you can use the value in the following steps, to get quick evaluation.
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"metadata": {
"..."
},
"parameters": {
"..."
},
"resources": [
"..."
],
"outputs": {
"deploymentId": {
"type": "string",
"value": "[resourceId('Microsoft.Resources/deployments',deployment().name)]"
}
}
}- If you deploy resources through github actions by bicep, you can specify deployment-id as the output.
@description('xxx')
...
...
output deploymentId string = resourceId('Microsoft.Resources/deployments', deployment().name)
- Or you can call the rest api Deployments - list at scope to get deployment ids.
# File: .github/workflows/workflow.yml
on: push
jobs:
build:
runs-on: ubuntu-latest
name: Test artifact
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Azure login
uses: Azure/[email protected]
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Get Microsoft 365 certification quick evaluation
uses: azure/microsoft-365-certification-quick-evaluation@v1
with:
report-name: 'test-report'
The above workflow will get quick evaluation by report.
# File: .github/workflows/workflow.yml
on: push
jobs:
build:
runs-on: ubuntu-latest
name: Test artifact
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Azure login
uses: Azure/[email protected]
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Deploy with ARM template
id: deployarm
uses: azure/arm-deploy@v1
with:
subscriptionId: ${{ secrets.SUBSCRIPTION_ID }}
resourceGroupName: ${{ secrets.RESOURCE_GROUP}}
template: ./deploy/Storage.template.json
parameters: storageAccountType=Standard_LRS
- run: echo ${{ steps.deployarm.outputs.deploymentId }}
- name: Get Microsoft 365 quick evaluation
uses: azure/microsoft-365-certification-quick-evaluation@v1
with:
deployment-ids: '[
"${{ steps.deployarm.outputs.deploymentId }}"
]'
The above workflow will get Microsoft 365 quick evaluation by ARM template deployment.
# File: .github/workflows/workflow.yml
on: push
jobs:
build:
runs-on: ubuntu-latest
name: Test artifact
steps:
- name: Checkout
uses: actions/checkout@v3
- name: Azure login
uses: Azure/[email protected]
with:
creds: ${{ secrets.AZURE_CREDENTIALS }}
- name: Deploy with bicep
id: deploybicep
uses: azure/arm-deploy@v1
with:
subscriptionId: ${{ secrets.SUBSCRIPTION_ID }}
resourceGroupName: ${{ secrets.RESOURCE_GROUP}}
template: ./deploy/Storage.bicep
parameters: storageAccountType=Standard_LRS
- run: echo ${{ steps.deploybicep.outputs.deploymentId }}
- name: Get Microsoft 365 quick evaluation
uses: azure/microsoft-365-certification-quick-evaluation@v1
with:
deployment-ids: '[
"${{ steps.deploybicep.outputs.deploymentId }}"
]'
The above workflow will get Microsoft 365 quick evaluation by bicep deployment.
With the Azure login Action, you can perform an Azure login using Azure service principal. The credentials of Azure Service Principal can be added as secrets in the GitHub repository and then used in the workflow. Follow the below steps to generate credentials and store in github.
-
Prerequisite: You should have installed Azure cli on your local machine to run the command or use the cloudshell in the Azure portal. To install Azure cli, follow Install Azure Cli. To use cloudshell, follow CloudShell Quickstart. After you have one of the above ready, follow these steps:
-
To create service principal that has access over subscription scope, run the below Azure CLI command and copy the output JSON object to your clipboard.
az ad sp create-for-rbac --name "myApp" --role contributor \
--scopes /subscriptions/{subscription-id} \
--sdk-auth
# Replace {subscription-id} with the subscription identifier
# The command should output a JSON object similar to this:
{
"clientId": "<appId>",
"clientSecret": "<STRING>",
"subscriptionId": "<GUID>",
"tenantId": "<GUID>",
"resourceManagerEndpointUrl": "<URL>"
(...)
}
# Assign the Contributor role to the new created service principal
az role assignment create --assignee "{appId}" --role "Resource Policy Contributor" \
--scopes /subscriptions/{subscription-id} \
# Store the output JSON object of the above az cli command as the value of secret variable, for example 'AZURE_CREDENTIALS'
- Define a 'New secret' under your GitHub repository settings -> 'Secrets' menu. Lets name it 'AZURE_CREDENTIALS'.
- Paste the contents of the clipboard as the value of the above secret variable.
- Use the secret variable in the Azure Login Action(Refer the End-to-End Sample Workflows section )
If you have any changes you’d like to see or suggestions for this action, we’d love your feedback ❤️ . Please feel free to raise a GitHub issue in this repository describing your suggestion. This would enable us to label and track it properly. You can do the same if you encounter a problem with the feature as well.
This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.
When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.
This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.