
Deploying AuthJanitor Automation to Azure

Anthony Turner edited this page Jul 17, 2020 · 1 revision

To deploy AuthJanitor to your Azure subscription, open the Azure Portal and follow the instructions below...

Create the Azure Function Application for the AuthJanitor Administration Tool

Click Create a Resource. Type "Function App" into the search box and select it from the dropdown. Click Create on the next screen. Enter the appropriate information into this page for your configuration, such as subscription, resource group, hostname, and region. Select .NET Core as the Runtime Stack. Select 3.1 as the Version. Click Next : Hosting.

Select an existing Storage account or create a new one. If you create a new Storage account from this screen, you will need to upgrade it to a v2 Storage Account. It is up to you how you would like to configure the hosting Plan; keep in mind, there are execution time limits as well as other pros and cons for each Plan. More information can be found here. Click Next : Monitoring.

It is strongly advised that you enable Application Insights on the AuthJanitor instance to help detect availability problems as well as failure conditions.

At this point, you can Review + Create the Function app.

Configure the Storage Account

Make sure your Storage Account is a v2 Storage Account. If not (or if you're not sure), navigate to Configuration from the left-side menu of the Storage Account blade. If your account is not v2, you will be prompted to Upgrade the account; click the button and complete the upgrade.

Navigate to Static Website from the left-side menu of the Storage Account blade. Click Enabled on the slider. Enter index.html as both the Index document name and the Error document path. Click Save. A new field will appear labeled Primary Endpoint. Make note of this URL; you will enter it later as the STORAGE_WEB_URL setting in the Function app configuration, and it is where the user interface will be served from.

Configure the Function Application for Authentication

Navigate to Authentication / Authorization from the left-side menu of the Function App blade. Turn App Service Authentication on. Set Action to take when request is not authenticated to Log in with Azure Active Directory. Click Azure Active Directory under Authentication Providers.

Now you will create a new Azure Active Directory application which will be the underlying service principal behind the Administration Tool. Click Express and either create a new application or select one which already exists. Do not grant common data services permissions; we will manually grant API permissions shortly. Click Save on the Authentication / Authorization blade.

Configure the Administration Tool's API Permissions

Navigate to App Registrations from the left-side menu of the Azure Active Directory blade. Click the application you just created; you may have to select All Applications from the top. Navigate to API Permissions from the left-side menu of the application blade. User.Read will already be in this list. Add the following permissions:

  • Azure Active Directory Graph -> Delegated Permissions -> User.Read
  • Azure Service Management -> user_impersonation
  • Microsoft Graph -> Delegated Permissions -> Application.Read.All
  • Microsoft Graph -> Delegated Permissions -> AppRoleAssignment.ReadWrite.All
  • Microsoft Graph -> Delegated Permissions -> User.ReadBasic.All

It is critically important to isolate permissions as much as possible; this is especially true with a powerful tool such as AuthJanitor. Avoid granting this application any rights beyond those listed above and those required to run the application itself.

Configure AppRoles

Navigate to Manifest from the left-side menu of the Azure Active Directory application blade. In the manifest, add a section called appRoles:

"appRoles": [
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Auditors have read-only access to everything",
        "displayName": "Auditor",
        "id": "eaa89ebc-645f-4303-a3d2-c99707ecef46",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "auditor"
    },
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Global Administrators have read/write access to everything",
        "displayName": "Global Administrator",
        "id": "7618eef3-cc6f-4b88-9d3a-2b37800a0ce3",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "globalAdmin"
    },
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Service Operators can approve and delete Rekeying Tasks",
        "displayName": "Service Operator",
        "id": "40252367-aab5-4c34-b34a-482f1939b4fc",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "serviceOperator"
    },
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Secret Administrators can create and delete Managed Secrets",
        "displayName": "Secret Administrator",
        "id": "29c84dbb-a37a-4e05-bd56-33f57fc1e001",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "secretAdmin"
    },
    {
        "allowedMemberTypes": [
            "User"
        ],
        "description": "Resource Administrators can create and delete Resources",
        "displayName": "Resource Administrator",
        "id": "bf424eef-2457-4d46-865c-a06fb1f53b2d",
        "isEnabled": true,
        "lang": null,
        "origin": "Application",
        "value": "resourceAdmin"
    }
]

These are the roles the application understands. The application itself reads only the value field, so the description and displayName text may be adapted, but each id must remain a unique GUID and the value strings must stay exactly as shown or the application will not recognize the role. Click Save.
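Hand-editing the manifest is where this deployment most often goes wrong: an id that is not a GUID, a GUID pasted twice, a misspelled value, or a role left assignable to service principals. The check below is an added example for this page, not AuthJanitor project code; it takes the appRoles JSON exactly as pasted into the Manifest editor and reports those mistakes before you click Save. The five expected role values come from the manifest above; the function names and the constructed broken manifest are the example's own.

```python
"""Check an Azure AD app-manifest appRoles block before you click Save.

Added example for this wiki page, not AuthJanitor project code. It reports
the mistakes that are easy to make by hand: an id that is not a GUID, a
duplicated id or value, a role assignable to service principals, or a role
value the application does not recognise.
"""
import json
import uuid

# Role values the AuthJanitor Administration Tool reads (the only field it uses).
EXPECTED_ROLE_VALUES = {"auditor", "globalAdmin", "serviceOperator",
                        "secretAdmin", "resourceAdmin"}


def validate_app_roles(manifest):
    """Return a list of human-readable problems; an empty list means the block is usable."""
    roles = manifest.get("appRoles")
    if not isinstance(roles, list) or not roles:
        return ["manifest has no appRoles array"]
    problems, seen_ids, seen_values = [], set(), set()
    for idx, role in enumerate(roles):
        label = role.get("value") or role.get("displayName") or "role #%d" % idx
        # Azure AD requires each id to be a GUID, and role assignment breaks on duplicates.
        try:
            rid = str(uuid.UUID(str(role.get("id")))).lower()
        except ValueError:
            problems.append("%s: id %r is not a GUID" % (label, role.get("id")))
        else:
            if rid in seen_ids:
                problems.append("%s: duplicate id %s" % (label, rid))
            seen_ids.add(rid)
        value = role.get("value")
        if not value:
            problems.append("%s: missing value" % label)
        elif value in seen_values:
            problems.append("%s: duplicate value %r" % (label, value))
        else:
            seen_values.add(value)
        # The roles on this page are User-only; "Application" would let a service principal hold them.
        member_types = set(role.get("allowedMemberTypes", []))
        if member_types != {"User"}:
            problems.append("%s: allowedMemberTypes %s should be ['User']" % (label, sorted(member_types)))
        if role.get("isEnabled") is not True:
            problems.append("%s: isEnabled must be true" % label)
    missing = EXPECTED_ROLE_VALUES - seen_values
    if missing:
        problems.append("missing role values the application expects: %s" % sorted(missing))
    extra = seen_values - EXPECTED_ROLE_VALUES
    if extra:
        problems.append("role values the application will ignore: %s" % sorted(extra))
    return problems


def role(value, display_name, description, role_id):
    """Build one appRoles entry in the shape used on this page."""
    return {"allowedMemberTypes": ["User"], "description": description,
            "displayName": display_name, "id": role_id, "isEnabled": True,
            "lang": None, "origin": "Application", "value": value}


# The five roles from this page's manifest, as the operator would paste them.
PAGE_MANIFEST = {"appRoles": [
    role("auditor", "Auditor", "Auditors have read-only access to everything",
         "eaa89ebc-645f-4303-a3d2-c99707ecef46"),
    role("globalAdmin", "Global Administrator", "Global Administrators have read/write access to everything",
         "7618eef3-cc6f-4b88-9d3a-2b37800a0ce3"),
    role("serviceOperator", "Service Operator", "Service Operators can approve and delete Rekeying Tasks",
         "40252367-aab5-4c34-b34a-482f1939b4fc"),
    role("secretAdmin", "Secret Administrator", "Secret Administrators can create and delete Managed Secrets",
         "29c84dbb-a37a-4e05-bd56-33f57fc1e001"),
    role("resourceAdmin", "Resource Administrator", "Resource Administrators can create and delete Resources",
         "bf424eef-2457-4d46-865c-a06fb1f53b2d"),
]}

# Constructed broken copy: the auditor id reused for globalAdmin, and
# resourceAdmin made assignable to service principals.
BROKEN_MANIFEST = json.loads(json.dumps(PAGE_MANIFEST))
BROKEN_MANIFEST["appRoles"][1]["id"] = "eaa89ebc-645f-4303-a3d2-c99707ecef46"
BROKEN_MANIFEST["appRoles"][4]["allowedMemberTypes"] = ["User", "Application"]

if __name__ == "__main__":
    for name, manifest in (("page manifest", PAGE_MANIFEST), ("broken manifest", BROKEN_MANIFEST)):
        print(name, "->", validate_app_roles(manifest) or "OK")
```

Run it against the JSON you intend to paste (json.loads of the editor contents) and fix every reported line before saving; the manifest editor accepts a malformed block silently in some cases, and the failure only shows up later as a role that cannot be assigned or is never present in the signed-in user's token.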

Add Your Own Role

Now that the roles are configured, add yourself as a Global Administrator to get started with your new AuthJanitor deployment.

Navigate to Enterprise Applications from the left-side menu of the Azure Active Directory blade. Select your application from the list. Navigate to Users and groups from the left-side menu of the application blade.

Click Add user. Select your user, and pick Global Administrator as the role. Click Assign. You can do this for any additional users.
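The assignment made above reaches the Function as a claim, not as a portal setting. With App Service Authentication turned on, the platform validates the Azure AD token and forwards the caller's identity to the Function in the X-MS-CLIENT-PRINCIPAL header as base64-encoded JSON with a claims array; each app role the user holds appears there with the role's value. The following is an added example for this page, not AuthJanitor's own authorization code: it decodes that header, collects the role values, and answers whether a role permits an action, using the role descriptions from this page. The action names, the helper that builds a sample header, and the assumption that the role claim is typed "roles" (the long schemas.microsoft.com URI is accepted as well) are the example's own.

```python
"""Read the caller's AuthJanitor app roles from the App Service Authentication principal.

Added example for this wiki page, not AuthJanitor code. Easy Auth injects the
X-MS-CLIENT-PRINCIPAL header (base64 JSON) into requests it has authenticated;
this module decodes it and maps role values to the actions this page assigns
to each role.
"""
import base64
import json

# Claim types under which Azure AD app roles may appear. Assumption: the short
# "roles" name is what the principal carries; the long URI is kept as a fallback.
ROLE_CLAIM_TYPES = {"roles", "http://schemas.microsoft.com/ws/2008/06/identity/claims/role"}

# Which role value permits which operation, per the role descriptions on this page.
# The action names are hypothetical; AuthJanitor's own checks are not shown here.
ROLE_ACTIONS = {
    "auditor": {"read"},
    "serviceOperator": {"read", "rekeyingTask.approve", "rekeyingTask.delete"},
    "secretAdmin": {"read", "managedSecret.create", "managedSecret.delete"},
    "resourceAdmin": {"read", "resource.create", "resource.delete"},
    "globalAdmin": {"*"},  # read/write access to everything
}


def parse_client_principal(header_value):
    """Decode X-MS-CLIENT-PRINCIPAL; return (display name, set of role values)."""
    principal = json.loads(base64.b64decode(header_value))
    # Only accept identities the Azure AD provider produced, not another configured provider.
    if principal.get("auth_typ") != "aad":
        raise ValueError("principal was not issued by the Azure AD provider")
    claims = principal.get("claims", [])
    role_types = ROLE_CLAIM_TYPES | {principal.get("role_typ")}
    roles = {c["val"] for c in claims if c.get("typ") in role_types}
    name_typ = principal.get("name_typ")
    name = next((c["val"] for c in claims if c.get("typ") == name_typ), None)
    return name, roles


def is_allowed(roles, action):
    """True if any of the caller's roles permits the action; no role means no access."""
    for role in roles:
        allowed = ROLE_ACTIONS.get(role, set())
        if "*" in allowed or action in allowed:
            return True
    return False


def make_principal_header(name, roles):
    """Build a header value in Easy Auth's shape (constructed test input, not captured traffic)."""
    claims = [{"typ": "name", "val": name}] + [{"typ": "roles", "val": r} for r in roles]
    doc = {"auth_typ": "aad", "claims": claims, "name_typ": "name", "role_typ": "roles"}
    return base64.b64encode(json.dumps(doc).encode()).decode()


if __name__ == "__main__":
    header = make_principal_header("operator@example.com", ["serviceOperator"])
    who, held = parse_client_principal(header)
    for action in ("read", "rekeyingTask.approve", "managedSecret.create"):
        print(who, action, "->", "allowed" if is_allowed(held, action) else "denied")
```

One caveat that matters for a tool this powerful: the header is only trustworthy because App Service Authentication strips any X-MS-CLIENT-PRINCIPAL a client sends and replaces it with its own. If authentication is ever switched off on the Function app, or the code is run somewhere Easy Auth is not in front of it, any caller can forge the header and claim globalAdmin; the Function must not fall back to anonymous access in that case.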

Get Azure Active Directory Application Information

You will need the Client ID and Tenant ID of the Azure Active Directory application, plus a Client Secret for it. If you haven't already written them down, navigate to App Registrations from the left-side menu of the Azure Active Directory blade. Select your application; you may have to first click All applications. In the Overview, you can find the Client ID and Tenant ID.

Navigate to Certificates & Secrets from the left-side menu of the application blade. Click New client secret. Specify your own description and expiry period, then click Add. A new Client Secret has been created; write down the value because it will not appear again. This secret carries every permission granted to the application above, so handle it as a production credential, and note the expiry date: the Administration Tool will stop authenticating once the secret expires and a new one must be generated and configured.

Configure the AuthJanitor Administration Tool

Navigate to Configuration from the Function app blade. Click New Application Setting. Add the following four settings to this application:

  • CLIENT_ID - The Client ID value from the Azure AD application
  • CLIENT_SECRET - The Client Secret generated for the Azure AD application
  • TENANT_ID - The Tenant ID value from the Azure AD application
  • STORAGE_WEB_URL - The URL to the static website hosted by the Azure Storage Account

Click Save.

Upload the Web UI to the Storage Container

Using the Storage Explorer or a similar tool, upload the content of the published wwwroot folder from the AuthJanitor.AspNet.AdminUi project to the $web container of the Storage Account hosting the static website.

Publish the Function App to Azure

Using Visual Studio or another strategy from the Deployment Technologies Guide, publish the Function to Azure, targeting the Function App created above.

Log in!

You're all set! Visit the static website's Primary Endpoint URL you recorded earlier to open your new AuthJanitor deployment; you should be automatically prompted to sign in and consent to the permissions set up above.