diff --git a/.github/workflows/deployAzGovViz.yml b/.github/workflows/deployAzGovViz.yml
index 214b9a0..9d68faa 100644
--- a/.github/workflows/deployAzGovViz.yml
+++ b/.github/workflows/deployAzGovViz.yml
@@ -2,7 +2,7 @@
 # First things first:
 # 1. Mandatory: define in line 11
 # 2. Optional: enable the schedule (line 22,23)
-# Documentation: https://github.com/JulianHayward/Azure-MG-Sub-Governance-Reporting
+# Documentation: https://github.com/Azure/Azure-Governance-Visualizer
 name: DeployAzGovViz
@@ -127,8 +127,8 @@ jobs:
 }
 } else {
- Write-Host 'Assuming and insisting that you do not want to publish your tenant insights to the public'
- Write-Host "HTML NOT published. Please configure authentication on the webApp ($($env:WebAppName))"
+ Write-Host 'Assuming and insisting that you do not want to publish your tenant insights to the public.'
+ Write-Host "HTML NOT published. Please configure authentication on the Azure Web App ($($env:WebAppName))."
 exit 1
 }
 azPSVersion: "latest"
diff --git a/.github/workflows/deployAzGovVizAccelerator.yml b/.github/workflows/deployAzGovVizAccelerator.yml
index f3a9214..d73e448 100644
--- a/.github/workflows/deployAzGovVizAccelerator.yml
+++ b/.github/workflows/deployAzGovVizAccelerator.yml
@@ -32,6 +32,6 @@ jobs:
 subscriptionId: ${{ secrets.SUBSCRIPTION_ID }}
 resourceGroupName: ${{vars.RESOURCE_GROUP_NAME}}
 template: ./bicep/webApp.bicep
- parameters: ./bicep/webApp.parameters.json webAppName=${{vars.WEB_APP_NAME}} managementGroupId=${{secrets.MANAGEMENT_GROUP_ID}} clientId=${{ secrets.AAD_CLIENT_ID }} clientSecret=${{ secrets.AAD_CLIENT_SECRET }}
+ parameters: ./bicep/webApp.parameters.json webAppName=${{vars.WEB_APP_NAME}} managementGroupId=${{secrets.MANAGEMENT_GROUP_ID}} clientId=${{ secrets.ENTRA_CLIENT_ID }} clientSecret=${{ secrets.ENTRA_CLIENT_SECRET }}
 failOnStdErr: false
diff --git a/README.md b/README.md
index b3832ab..3b0518d 100644
--- a/README.md
+++ b/README.md
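Review bot: The two rewritten `Write-Host` lines in the `else` branch of the `@@ -127,8 +127,8 @@` hunk announce a deliberate refusal to publish, but `Write-Host` output is easy to miss in a long Actions log and is not surfaced where the job failure is reported; emitting the second message as a workflow error annotation, `Write-Host "::error::HTML NOT published. Please configure authentication on the Azure Web App ($($env:WebAppName))."`, makes the reason for the following `exit 1` visible in the run summary. The condition that decides whether authentication is configured, and the inline script it belongs to, begin outside this hunk, so this note covers only the message lines.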
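Review bot: Renaming the secrets to `ENTRA_CLIENT_ID` and `ENTRA_CLIENT_SECRET` in the `parameters:` line of the `@@ -32,6 +32,6 @@` hunk is a breaking change for every repository already created from the earlier template: a secret that does not exist expands to an empty string, so `clientId=` and `clientSecret=` would be handed to the deployment empty instead of failing in the workflow. A preflight step that fails with an error annotation when either new secret is empty would turn that into a clear failure, and the README's secrets table (its new side is not visible in this chunk) should list the new names so users know to recreate them. Because `clientSecret` is passed as a plain parameter override here, it is also worth confirming that `./bicep/webApp.bicep` declares that parameter with `@secure()` so the value is not retained in the resource group's deployment history.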
@@ -1,515 +1,486 @@ -# Azure Governance Visualizer (AzGovViz) Accelerator - -## Description - -[Azure Governance Visualizer](https://github.com/JulianHayward/Azure-MG-Sub-Governance-Reporting) is a PowerShell based script that iterates your Azure Tenant´s Management Group hierarchy down to Subscription level. It captures most relevant Azure governance capabilities such as Azure Policy, RBAC and Blueprints and a lot more. From the collected data Azure Governance Visualizer provides visibility on your HierarchyMap, creates a TenantSummary, creates DefinitionInsights and builds granular ScopeInsights on Management Groups and Subscriptions. This accelerator speeds up the adoption of the script into your environment. - -## Table of Contents - -- [Azure Governance Visualizer (AzGovViz) Accelerator](#azure-governance-visualizer-azgovviz-accelerator) - - [Description](#description) - - [Table of Contents](#table-of-contents) - - [Prerequisites](#prerequisites) - - [1. Create a Service Principal (Azure AD app registration) to run AzGovViz](#1-create-a-service-principal-azure-ad-app-registration-to-run-azgovviz) - - [Azure Portal](#azure-portal) - - [PowerShell](#powershell) - - [2. Create the GitHub repository](#2-create-the-github-repository) - - [GitHub](#github) - - [PowerShell](#powershell-1) - - [3. Configure federated credentials for the Service Principal](#3-configure-federated-credentials-for-the-service-principal) - - [Azure Portal](#azure-portal-1) - - [PowerShell](#powershell-2) - - [4. Grant permissions in Azure for the AzGovViz service principal](#4-grant-permissions-in-azure-for-the-azgovviz-service-principal) - - [Azure Portal](#azure-portal-2) - - [PowerShell](#powershell-3) - - [5. Create an Azure AD application for AAD authentication for the Azure Web App](#5-create-an-azure-ad-application-for-aad-authentication-for-the-azure-web-app) - - [Azure Portal](#azure-portal-3) - - [PowerShell](#powershell-4) - - [6. 
Create a Resource Group and assign the right RBAC Roles](#6-create-a-resource-group-and-assign-the-right-rbac-roles) - - [Azure Portal](#azure-portal-4) - - [PowerShell](#powershell-5) - - [7. Create the GitHub secrets, variables and permissions](#7-create-the-github-secrets-variables-and-permissions) - - [GitHub](#github-1) - - [PowerShell](#powershell-6) - - [How to deploy](#how-to-deploy) - - [Configuration](#configuration) - - [Azure Web App configuration](#azure-web-app-configuration) - - [Keeping Azure Governance Visualizer code up-to-date](#keeping-azure-governance-visualizer-code-up-to-date) - - [keeping the Azure Governance Visualizer Accelerator code up-to-date](#keeping-the-azure-governance-visualizer-accelerator-code-up-to-date) - - [Sources to documentation](#sources-to-documentation) - -## Prerequisites - -### 1. Create a Service Principal (Azure AD app registration) to run AzGovViz - -#### Azure Portal - ->NOTE ->To grant API permissions and grant admin consent for the directory, you must have 'Privileged Role Administrator' or 'Global Administrator' role assigned [Assign Azure AD roles to users](https://docs.microsoft.com/azure/active-directory/roles/manage-roles-portal) - -- Navigate to 'Azure Active Directory' -- Click on '__App registrations__' -- Click on '__New registration__' -- Name your application (e.g. 
_AzureGovernanceVisualizer_SP_) -- Click '__Register__' -- Your App registration has been created, in the '__Overview__' copy the '__Application (client) ID__' as we will need it later to setup the secrets in GitHub -- Under '__Manage__' click on '__API permissions__' - - Click on '__Add a permissions__' - - Click on '__Microsoft Graph__' - - Click on '__Application permissions__' - - Select the following set of permissions and click '__Add permissions__' - - __Application / Application.Read.All__ - - __Group / Group.Read.All__ - - __User / User.Read.All__ - - __PrivilegedAccess / PrivilegedAccess.Read.AzureResources__ - - Click on 'Add a permissions' - - Back in the main '__API permissions__' menu you will find permissions with status 'Not granted for...'. Click on '__Grant admin consent for _TenantName___' and confirm by click on '__Yes__' - - Now you will find the permissions with status '__Granted for _TenantName___' - - ![Screenshot showing Azure AD application permissions](https://github.com/JulianHayward/Azure-MG-Sub-Governance-Reporting/raw/master/img/aadpermissionsportal_4.jpg) - -#### PowerShell - ->NOTE ->To grant API permissions and grant admin consent for the directory, you must have 'Privileged Role Administrator' or 'Global Administrator' role assigned [Assign Azure AD roles to users](https://docs.microsoft.com/azure/active-directory/roles/manage-roles-portal) - -- Install [AzAPICall](https://github.com/JulianHayward/AzAPICall) and connect to Azure - - ```POWERSHELL - $module = Get-Module -Name "AzAPICall" -ListAvailable - if ($module) { - Update-Module -Name "AzAPICall" -Force - } else { - Install-Module -Name AzAPICall - } - Connect-AzAccount - ``` - -- Initialize AzAPICall - - ```POWERSHELL - $parameters4AzAPICallModule = @{ -    #SubscriptionId4AzContext = $null #specify Subscription Id -    #DebugAzAPICall = $true -    #WriteMethod = 'Output' #Debug, Error, Host, Information, Output, Progress, Verbose, Warning (default: host) -    
#DebugWriteMethod = 'Warning' #Debug, Error, Host, Information, Output, Progress, Verbose, Warning (default: host) -    #SkipAzContextSubscriptionValidation = $true #Use if the account doesn´t have any permissions on Management Groups, Subscriptions, Resource Groups or Resources - } - - $azAPICallConf = initAzAPICall @parameters4AzAPICallModule - ``` - -- Define variables - - ```POWERSHELL - $MicrosoftGraphAppId = "00000003-0000-0000-c000-000000000000" - $AzGovVizAppName = "" - ``` - -- Get Microsoft Graph permissions role Ids and create app registration - -```POWERSHELL -$apiEndPoint = $azAPICallConf['azAPIEndpointUrls'].MicrosoftGraph -$apiEndPointVersion = '/v1.0' -$api = '/servicePrincipals' -$optionalQueryParameters = "?`$filter=(displayName eq 'Microsoft Graph')&$count=true&" - -$uri = $apiEndPoint + $apiEndPointVersion + $api + $optionalQueryParameters - -$azAPICallPayload = @{ - uri= $uri - method= 'GET' - currentTask= "'$($azAPICallConf['azAPIEndpoints'].($apiEndPoint.split('/')[2])) API: Get - Groups'" - consistencyLevel= 'eventual' - noPaging= $true - AzAPICallConfiguration = $azAPICallConf - } - - $graphApp = AzAPICall @azAPICallPayload - $appRole = $graphApp.appRoles | Where-Object { $_.value -eq 'Application.Read.All' } | Select-Object -ExpandProperty id - $userRole = $graphApp.appRoles | Where-Object { $_.value -eq 'User.Read.All' } | Select-Object -ExpandProperty id - $groupRole = $graphApp.appRoles | Where-Object { $_.value -eq 'Group.Read.All' } | Select-Object -ExpandProperty id - $pimRole = $graphApp.appRoles | Where-Object { $_.value -eq 'PrivilegedAccess.Read.AzureResources' } | Select-Object -ExpandProperty id - +# Azure Governance Visualizer (AzGovViz) accelerator + +[Azure Governance Visualizer](https://github.com/Azure/Azure-Governance-Visualizer) is a PowerShell based script that iterates your Azure tenant's management group hierarchy down to the subscription level. 
It captures most relevant Azure governance capabilities such as Azure Policy, role-based access control (RBAC), Blueprints, and a lot more. From the collected data Azure Governance Visualizer provides visibility on your HierarchyMap, creates a TenantSummary, creates DefinitionInsights and builds granular ScopeInsights on management groups and subscriptions. + +**This accelerator speeds up the adoption of Azure Governance Visualizer into your environment.** + +## Table of contents + +- [Deployment guide](#rocket-deployment-guide) + - [1. Create a service principal (Microsoft Entra ID app registration) to run Azure Governance Visualizer](#1-create-a-service-principal-microsoft-entra-id-app-registration-to-run-azure-governance-visualizer) + - [2. Create copy of the Azure Governance Visualizer accerlator in your own GitHub repository](#2-create-copy-of-the-azure-governance-visualizer-accerlator-in-your-own-github-repository) + - [3. Configure federated credentials for the service principal created in the first step](#3-configure-federated-credentials-for-the-service-principal-created-in-the-first-step) + - [4. Grant permissions in Azure for the AzGovViz service principal created in the first step](#4-grant-permissions-in-azure-for-the-azgovviz-service-principal-created-in-the-first-step) + - [5. Create a Microsoft Entra application for user authentication to the Azure Web App that will host AzGovViz](#5-create-a-microsoft-entra-application-for-user-authentication-to-the-azure-web-app-that-will-host-azgovviz) + - [6. Create a resource group and assign necessary RBAC roles](#6-create-a-resource-group-and-assign-necessary-rbac-roles) + - [7. Create the GitHub secrets, variables, and permissions](#7-create-the-github-secrets-variables-and-permissions) + - [8. 
Deploy Azure Governance Visualizer Azure resources and application](#8-deploy-azure-governance-visualizer-azure-resources-and-application) +- [Try it out!](#checkered_flag-try-it-out) +- [Clean up resources](#broom-clean-up-resources) +- [Additional topics](#additional-topics) + - [Azure Web App configuration](#azure-web-app-configuration) + - [Keep the Azure Governance Visualizer code up-to-date](#keep-the-azure-governance-visualizer-code-up-to-date) + - [Keep the Azure Governance Visualizer Accelerator code up-to-date](#keep-the-azure-governance-visualizer-accelerator-code-up-to-date) +- [Sources to documentation](#sources-to-documentation) + +## :rocket: Deployment guide + +Follow these steps to deploy the Azure Governance Visualizer accelerator into your own Azure and Microsoft Entra ID tenant. Most steps have both **portal based** ( :computer_mouse: ) and **PowerShell based** ( :keyboard: ) instructions. Use whichever you feel is appropriate for your situation, they both produce the same results. + +### 1. Create a service principal (Microsoft Entra ID app registration) to run Azure Governance Visualizer + +> NOTE: To grant API permissions and grant admin consent for the directory, you must have 'Privileged Role Administrator' or 'Global Administrator' role assigned. See [Assign Microsoft Entra roles to users](https://learn.microsoft.com/entra/identity/role-based-access-control/manage-roles-portal) for instructions. + +**:computer_mouse: Use the Microsoft Entra admin center to create the service principal:** + +1. Navigate to the [Microsoft Entra admin center](https://entra.microsoft.com/) +1. Click on '**App registrations**' +1. Click on '**New registration**' +1. Name your application (e.g. _AzureGovernanceVisualizer_SP_) +1. Click '**Register**' +1. Your App registration has been created. In the '**Overview**' copy the '**Application (client) ID**' as you will need it later to setup the secrets in GitHub. +1. 
Under '**Manage**' click on '**API permissions**' + 1. Click on '**Add a permissions**' + 1. Click on '**Microsoft Graph**' + 1. Click on '**Application permissions**' + 1. Select the following set of permissions and click '**Add permissions**' + - **Application / Application.Read.All** + - **Group / Group.Read.All** + - **User / User.Read.All** + - **PrivilegedAccess / PrivilegedAccess.Read.AzureResources** + 1. Click on 'Add a permissions' +1. Back in the main '**API permissions**' menu you will find permissions with status 'Not granted for...'. Click on '**Grant admin consent for _TenantName_**' and confirm by click on '**Yes**'. Now you will find the permissions with status '**Granted for _TenantName_**' + +**:keyboard: Use PowerShell to create the service principal:** + +1. Install [AzAPICall](https://github.com/JulianHayward/AzAPICall) and connect to Azure + + ```powershell + $module = Get-Module -Name "AzAPICall" -ListAvailable + if ($module) { + Update-Module -Name "AzAPICall" -Force + } else { + Install-Module -Name AzAPICall + } + Connect-AzAccount + ``` + +1. Initialize AzAPICall + + ```powershell + $parameters4AzAPICallModule = @{ + #SubscriptionId4AzContext = $null #specify Subscription Id +   #DebugAzAPICall = $true + #WriteMethod = 'Output' #Debug, Error, Host, Information, Output, Progress, Verbose, Warning (default: host) + #DebugWriteMethod = 'Warning' #Debug, Error, Host, Information, Output, Progress, Verbose, Warning (default: host) + #SkipAzContextSubscriptionValidation = $true #Use if the account doesn´t have any permissions on Management Groups, Subscriptions, Resource Groups or Resources + } + + $azAPICallConf = initAzAPICall @parameters4AzAPICallModule + ``` + +1. Define variables + + ```powershell + $MicrosoftGraphAppId = "00000003-0000-0000-c000-000000000000" + $AzGovVizAppName = "" + ``` + +1. 
Get Microsoft Graph permissions role IDs and the create app registration + + ```powershell + $apiEndPoint = $azAPICallConf['azAPIEndpointUrls'].MicrosoftGraph + $apiEndPointVersion = '/v1.0' + $api = '/servicePrincipals' + $optionalQueryParameters = "?`$filter=(displayName eq 'Microsoft Graph')&$count=true&" + + $uri = $apiEndPoint + $apiEndPointVersion + $api + $optionalQueryParameters + + $azAPICallPayload = @{ + uri= $uri + method= 'GET' + currentTask= "'$($azAPICallConf['azAPIEndpoints'].($apiEndPoint.split('/')[2])) API: Get - Groups'" + consistencyLevel= 'eventual' + noPaging= $true + AzAPICallConfiguration = $azAPICallConf + } + + $graphApp = AzAPICall @azAPICallPayload + $appRole = $graphApp.appRoles | Where-Object { $_.value -eq 'Application.Read.All' } | Select-Object -ExpandProperty id + $userRole = $graphApp.appRoles | Where-Object { $_.value -eq 'User.Read.All' } | Select-Object -ExpandProperty id + $groupRole = $graphApp.appRoles | Where-Object { $_.value -eq 'Group.Read.All' } | Select-Object -ExpandProperty id + $pimRole = $graphApp.appRoles | Where-Object { $_.value -eq 'PrivilegedAccess.Read.AzureResources' } | Select-Object -ExpandProperty id + + $body = @" + { + "DisplayName":"$AzGovVizAppName", + "requiredResourceAccess" : [ + { + "resourceAppId" : "$MicrosoftGraphAppId", + "resourceAccess": [ + { + "id": "$appRole", + "type": "Role" + }, + { + "id": "$userRole", + "type": "Role" + }, + { + "id": "$groupRole", + "type": "Role" + }, + { + "id": "$pimRole", + "type": "Role" + } + ] + } + ] + } + "@ + + $AzGovVizAppObjectId = (AzAPICall -method POST -body $body -uri "$($azAPICallConf['azAPIEndpointUrls'].MicrosoftGraph)/v1.0/applications" -AzAPICallConfiguration $azAPICallConf -listenOn 'Content' -consistencyLevel 'eventual').id + + do { + Write-Host "Waiting for the AzGovViz service principal to get created..." 
+ Start-Sleep -seconds 20 + $AzGovVizAppId = (AzAPICall -method GET -uri "$($azAPICallConf['azAPIEndpointUrls'].MicrosoftGraph)/v1.0/applications/$AzGovVizAppObjectId" -AzAPICallConfiguration $azAPICallConf -listenOn 'Content' -consistencyLevel 'eventual' -skipOnErrorCode 404).appId + } until ($null -ne $AzGovVizAppId) + + Write-host "AzGovViz service principal created successfully." + ``` + +1. Grant admin consent using the [Microsoft Entra admin center](https://entra.microsoft.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade/quickStartType~/null/sourceType/Microsoft_AAD_IAM). + +Result: A service principal is created with the necessary API permissions and admin consent granted. The following screenshot shows the API permissions and granted status. + +![A screenshot showing API permissions assigned to the application registration you created.](https://github.com/Azure/Azure-Governance-Visualizer/raw/master/img/aadpermissionsportal_4.jpg) + +### 2. Create copy of the Azure Governance Visualizer accerlator in your own GitHub repository + +**:computer_mouse: Use the GitHub website:** + +1. Navigate to the accelerator [GitHub repository](https://github.com/azure/Azure-Governance-Visualizer-Accelerator). +1. Create a [new repository from the accelerator template](https://docs.github.com/repositories/creating-and-managing-repositories/creating-a-repository-from-a-template#creating-a-repository-from-a-template). + - Ensure the new repository is set to _Private_. + + ![Screenshot showing creating a new repository from a template on GitHub.com](./media/new_repo.png) + + ![Screenshot showing creating a private repository](./media/private_repo.png) + +**:keyboard: Use PowerShell and the GitHub CLI:** + +1. Install the [GitHub CLI](https://github.com/cli/cli#installation) +1. Login to your GitHub account. + + ```powershell + gh auth login + ``` + +1. 
Create a private repository from the accelerator template + + ```powershell + $directoryToCloneAccelerator = "" + $GitHubOrg = "" + $GitHubRepository = "Azure-Governance-Visualizer" + + ### Create a new repository from template + gh repo create $GitHubRepository --template Azure/Azure-Governance-Visualizer-Accelerator --private + New-Item -ItemType Directory -Path $directoryToCloneAccelerator -Force + cd $directoryToCloneAccelerator + gh repo clone "$GitHubOrg/$GitHubRepository" + Set-Location $GitHubRepository + ``` + +### 3. Configure federated credentials for the service principal created in the first step + +**:computer_mouse: Use the Microsoft Entra admin center:** + +1. Navigate to the [Microsoft Entra admin center](https://entra.microsoft.com/) +1. Click on '**App registrations**' +1. Search for the Application that you created earlier and click on it +1. Under '**Manage**' click on '**Certificates & Secrets**' +1. Click on '**Federated credentials**' +1. Click 'Add credential' +1. Select Federation credential scenario 'GitHub Actions deploying Azure Resources' +1. Fill the field 'Organization' with your GitHub organization name +1. Fill the field 'Repository' with your GitHub repository name +1. For the entity type select 'Branch' +1. Fill the field 'GitHub branch name' with your branch name +1. Fill the field 'Name' with a name (e.g. AzureGovernanceVisualizer_GitHub_Actions) +1. 
Click 'Add' + +**:keyboard: Use PowerShell and the GitHub CLI:** + +```powershell +$gitHubRef= ":ref:refs/heads/main" +$subject = "repo:$gitHubOrg/$GitHubRepository$gitHubRef" $body = @" - { - "DisplayName":"$AzGovVizAppName", - "requiredResourceAccess" : [ - { - "resourceAppId" : "$MicrosoftGraphAppId", - "resourceAccess": [ - { - "id": "$appRole", - "type": "Role" - }, - { - "id": "$userRole", - "type": "Role" - }, - { - "id": "$groupRole", - "type": "Role" - }, - { - "id": "$pimRole", - "type": "Role" - } - ] - } - ] - } -"@ - -$AzGovVizAppObjectId = (AzAPICall -method POST -body $body -uri "$($azAPICallConf['azAPIEndpointUrls'].MicrosoftGraph)/v1.0/applications" -AzAPICallConfiguration $azAPICallConf -listenOn 'Content' -consistencyLevel 'eventual').id - -do { - Write-Host "Waiting for the AzGovViz service principal to get created..." - Start-Sleep -seconds 20 - $AzGovVizAppId = (AzAPICall -method GET -uri "$($azAPICallConf['azAPIEndpointUrls'].MicrosoftGraph)/v1.0/applications/$AzGovVizAppObjectId" -AzAPICallConfiguration $azAPICallConf -listenOn 'Content' -consistencyLevel 'eventual' -skipOnErrorCode 404).appId -} until ($null -ne $AzGovVizAppId) - -Write-host "AzGovViz service principal created successfully." - -``` - -- Grant admin consent using the Azure AD portal - - ![Screenshot showing Azure AD application permissions](https://github.com/JulianHayward/Azure-MG-Sub-Governance-Reporting/raw/master/img/aadpermissionsportal_4.jpg) - -### 2. 
Create the GitHub repository - -#### GitHub - -- Navigate to the accelerator [GitHub repository](https://github.com/azure/Azure-Governance-Visualizer-Accelerator) -- Create a [new repository from the accelerator template](https://docs.github.com/repositories/creating-and-managing-repositories/creating-a-repository-from-a-template#creating-a-repository-from-a-template) - - ![Screenshot showing creating a new repository from a template on GitHub.com](./media/new_repo.png) - - ![Screenshot showing creating a private repository](./media/private_repo.png) - ->NOTE -> The new repository's visibility needs to be set as Private. - -#### PowerShell - -- [Install GitHub CLI](https://github.com/cli/cli#installation) - -- Login to your GitHub account - - ```POWERSHELL - gh auth login - ``` - -- Create a private repository from the Accelerator template - - ```POWERSHELL - ### Define variables - $directoryToCloneAccelerator = "" - $GitHubOrg = "" - $GitHubRepository = "Azure-Governance-Visualizer" - - ### Create a new repository from template - gh repo create $GitHubRepository --template Azure/Azure-Governance-Visualizer-Accelerator --private - New-Item -ItemType Directory -Path $directoryToCloneAccelerator -Force - cd $directoryToCloneAccelerator - gh repo clone "$GitHubOrg/$GitHubRepository" - Set-Location $GitHubRepository - - ``` - -### 3. 
Configure federated credentials for the Service Principal - -#### Azure Portal - -Navigate to 'Azure Active Directory' - -- Click on '__App registrations__' -- Search for the Application that we created earlier and click on it -- Under '__Manage__' click on '__Certificates & Secrets__' -- Click on '__Federated credentials__' -- Click 'Add credential' -- Select Federation credential scenario 'GitHub Actions deploying Azure Resources' -- Fill the field 'Organization' with your GitHub Organization name -- Fill the field 'Repository' with your GitHub repository name -- For the entity type select 'Branch' -- Fill the field 'GitHub branch name' with your branch name -- Fill the field 'Name' with a name (e.g. AzureGovernanceVisualizer_GitHub_Actions) -- Click 'Add' - -#### PowerShell - - ```POWERSHELL - $gitHubRef= ":ref:refs/heads/main" - $subject = "repo:$gitHubOrg/$GitHubRepository$gitHubRef" - $body = @" - { - "audiences": [ +{ + "audiences": [ "api://AzureADTokenExchange" - ], - "subject":"$subject", - "issuer":"https://token.actions.githubusercontent.com", - "name":"AzGovVizCreds" - } + ], + "subject":"$subject", + "issuer":"https://token.actions.githubusercontent.com", + "name":"AzGovVizCreds" +} "@ + AzAPICall -method POST -body $body -uri "$($azAPICallConf['azAPIEndpointUrls'].MicrosoftGraph)/v1.0/applications/$AzGovVizAppObjectId/federatedIdentityCredentials" -AzAPICallConfiguration $azAPICallConf -listenOn 'Content' -consistencyLevel 'eventual' - ``` +``` -### 4. Grant permissions in Azure for the AzGovViz service principal +### 4. 
Grant permissions in Azure for the AzGovViz service principal created in the first step -#### Azure Portal +> NOTE: To assign roles, you must have '**Microsoft.Authorization/roleAssignments/write**' permissions on the target management group scope (such as the built-in RBAC role '**User Access Administrator**' or '**Owner**') ->NOTE ->To assign roles, you must have '__Microsoft.Authorization/roleAssignments/write__' permissions on the target Management Group scope (such as the built-in RBAC Role '__User Access Administrator__' or '__Owner__') +**:computer_mouse: From the Azure portal:** -- Create a '__Reader__' [RBAC Role assignment](https://docs.microsoft.com/azure/role-based-access-control/role-assignments-portal) on the target Management Group scope for the identity that shall run Azure Governance Visualizer +Create a '**Reader**' [RBAC role assignment](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal) on the target management group scope for the service principal that will run Azure Governance Visualizer. -#### PowerShell +**:keyboard: Use PowerShell:** - ```POWERSHELL - $role = "Reader" - $managementGroupId = "" - New-AzRoleAssignment ` - -ApplicationId $AzGovVizAppId ` - -RoleDefinitionName $role ` - -Scope /providers/Microsoft.Management/managementGroups/$managementGroupId - ``` +```powershell +$managementGroupId = "" +New-AzRoleAssignment ` +-ApplicationId $AzGovVizAppId ` +-RoleDefinitionName "Reader" ` +-Scope /providers/Microsoft.Management/managementGroups/$managementGroupId +``` -### 5. Create an Azure AD application for AAD authentication for the Azure Web App +### 5. 
Create a Microsoft Entra application for user authentication to the Azure Web App that will host AzGovViz -#### Azure Portal +**:computer_mouse: From the Microsoft Entra admin center:** -- Create an [app registration](https://learn.microsoft.com/azure/app-service/configure-authentication-provider-aad#-step-1-create-an-app-registration-in-azure-ad-for-your-app-service-app) in Azure AD for your Azure App Web app +1. Create an [app registration](https://learn.microsoft.com/entra/identity-platform/quickstart-register-app#register-an-application) in Microsoft Entra ID for your Azure App Web App. -- In the Redirect URIs section, select Web for platform and type the URI in the following format: "https://.azurewebsites.net/.auth/login/aad/callback" -- Click on _Authentication_ and under _Implicit grant and hybrid flows_, enable ID tokens to allow OpenID Connect user sign-ins from App Service. Select Save. + In the Redirect URIs section, select Web for platform and type the URI in the following format: "https://.azurewebsites.net/.auth/login/aad/callback" +1. Click on _Authentication_ and under _Implicit grant and hybrid flows_, enable ID tokens to allow OpenID Connect user sign-ins from App Service. Select Save. - ![Screenshot showing enabling Open ID in app registration](./media/app_registration_openID.png) + ![Screenshot showing enabling Open ID in app registration](./media/app_registration_openID.png) -- From the left navigation, select Expose an API > Add > Save. +1. From the left navigation, select Expose an API > Add > Save. - ![Screenshot showing exposing an API](./media/app_registration_expose_api.png) + ![Screenshot showing exposing an API](./media/app_registration_expose_api.png) - ![Screenshot showing exposing an API](./media/app_registration_expose_api_add.png) + ![Screenshot showing exposing an API](./media/app_registration_expose_api_add.png) -- Click on _Add a scope_ and provide the values as the screenshot. +1. 
Click on _Add a scope_ and provide the values as the screenshot. - ![Screenshot showing adding a scope to the API](./media/app_registration_expose_api_addScope.png) + ![Screenshot showing adding a scope to the API](./media/app_registration_expose_api_addScope.png) -#### PowerShell +**:keyboard: Use PowerShell:** - ```POWERSHELL - # 2-60 Alphanumeric, hyphens and Unicode characters.Can't start or end with hyphen. A web site must have a globally unique name - $webAppName = "" - $WebApplicationAppName = "" +```powershell +# 2-60 Alphanumeric, hyphens and Unicode characters. Can't start or end with hyphen. A web site must have a globally unique name. +$webAppName = "" +$WebApplicationAppName = "" - $body = @" - { - "DisplayName":"$WebApplicationAppName", - "web": - { +$body = @" +{ + "DisplayName":"$WebApplicationAppName", + "web": { "redirectUris": [ - "https://$webAppName.azurewebsites.net/.auth/login/aad/callback" + "https://$webAppName.azurewebsites.net/.auth/login/aad/callback" ], - "implicitGrantSettings": - { - "enableIdTokenIssuance": true - } - } + "implicitGrantSettings": { + "enableIdTokenIssuance": true } + } +} "@ + $webAppSP = AzAPICall -method POST -body $body -uri "$($azAPICallConf['azAPIEndpointUrls'].MicrosoftGraph)/v1.0/applications" -AzAPICallConfiguration $azAPICallConf -listenOn 'Content' -consistencyLevel 'eventual' $webAppSPAppId = $webAppSP.appId $webAppSPObjectId = $webAppSP.Id do { - Write-Host "Waiting for the Azure WebApp app registration to get created..." - Start-Sleep -seconds 30 - $webApp = AzAPICall -uri "$($azAPICallConf['azAPIEndpointUrls'].MicrosoftGraph)/v1.0/applications/$webAppSPObjectId" -AzAPICallConfiguration $azAPICallConf -listenOn 'Content' -consistencyLevel 'eventual' - + Write-Host "Waiting for the Azure WebApp app registration to get created..." 
+ Start-Sleep -seconds 30 + $webApp = AzAPICall -uri "$($azAPICallConf['azAPIEndpointUrls'].MicrosoftGraph)/v1.0/applications/$webAppSPObjectId" -AzAPICallConfiguration $azAPICallConf -listenOn 'Content' -consistencyLevel 'eventual' } until ( $null -ne $webApp) -Write-host "Azure WebApp app registration created successfully." - - #### Add an API scope for the Web App - $body = @" - { - "identifierUris" : [ - "api://$webAppSPAppId" - ], - "api": - { - "oauth2PermissionScopes": [ - { - "value": "user_impersonation", - "adminConsentDescription": "AzGovViz Web App Azure AD authentication", - "adminConsentDisplayName": "AzGovViz Web App Azure AD authentication", - "type": "User", - "id": "$webAppSPAppId" - } - ] - } - } -"@ - +Write-host "Azure Web App app registration created successfully." +# Add an API scope for the Web App +$body = @" +{ + "identifierUris" : [ + "api://$webAppSPAppId" + ], + "api": { + "oauth2PermissionScopes": [ + { + "value": "user_impersonation", + "adminConsentDescription": "AzGovViz Web App Microsoft Entra ID authentication", + "adminConsentDisplayName": "AzGovViz Web App Microsoft Entra ID authentication", + "type": "User", + "id": "$webAppSPAppId" + } + ] + } +} +"@ AzAPICall -method PATCH -body $body -uri "$($azAPICallConf['azAPIEndpointUrls'].MicrosoftGraph)/v1.0/applications/$webAppSPObjectId" -AzAPICallConfiguration $azAPICallConf -listenOn 'Content' -consistencyLevel 'eventual' - #### Generate client secret - $body = @" - { - "passwordCredential":{ +# Generate client secret +$body = @" +{ + "passwordCredential":{ "displayName": "AzGovVizWebAppSecret" - } - } + } +} "@ $webAppSPAppSecret = (AzAPICall -method POST -body $body -uri "$($azAPICallConf['azAPIEndpointUrls'].MicrosoftGraph)/v1.0/applications/$webAppSPObjectId/addPassword" -AzAPICallConfiguration $azAPICallConf -listenOn 'Content' -consistencyLevel 'eventual').secretText - ``` - -### 6. 
Create a Resource Group and assign the right RBAC Roles - -#### Azure Portal - ->NOTE ->To assign roles, you must have '__Microsoft.Authorization/roleAssignments/write__' permissions on the target Management Group scope (such as the built-in RBAC Role '__User Access Administrator__' or '__Owner__') - -- Create a [new Resource Group](https://learn.microsoft.com/azure/azure-resource-manager/management/manage-resource-groups-portal#create-resource-groups) in Azure -- [Assign the following roles](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal) to the AzGovViz Service Principal the on the newly created Resource Group. - - [Website Contributor](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#website-contributor) - - [Web Plan Contributor](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#web-plan-contributor) - -#### PowerShell - ->NOTE ->To assign roles, you must have '__Microsoft.Authorization/roleAssignments/write__' permissions on the target Management Group scope (such as the built-in RBAC Role '__User Access Administrator__' or '__Owner__') - - ```POWERSHELL - $subscriptionId = "" - $resourceGroupName = "Name of the Resource Group where the Azure Web App will be created>" - $location = "" - - Select-AzSubscription -SubscriptionId $subscriptionId - New-AzResourceGroup -Name $resourceGroupName -Location $location - New-AzRoleAssignment -ApplicationId $AzGovVizAppId -RoleDefinitionName "Web Plan Contributor" -ResourceGroupName $resourceGroupName - New-AzRoleAssignment -ApplicationId $AzGovVizAppId -RoleDefinitionName "WebSite Contributor" -ResourceGroupName $resourceGroupName - - ``` ->NOTE ->Make sure that the resource provider _Microsoft.Web_ is registered on the subscription where the web app hosting AzGovViz will be hosted. +``` -### 7. Create the GitHub secrets, variables and permissions +### 6. 
Create a resource group and assign necessary RBAC roles -#### GitHub +> NOTES: +> +> To assign roles, you must have '**Microsoft.Authorization/roleAssignments/write**' permissions on the target management group scope (such as the built-in RBAC role '**User Access Administrator**' or '**Owner**'). +> +> Make sure that the resource provider _Microsoft.Web_ is registered on the subscription where the Azure Web App hosting AzGovViz will be deployed. -- Create the following [GitHub secrets](https://docs.github.com/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository) on the repository +**:computer_mouse: From the Azure portal:** -| Secret | Value | -| ----------------------- | ---------------------------------------------------------------------------------------------------- | -| __CLIENT_ID__ | Application Id of the identity that shall run Azure Governance Visualizer | -| __AAD_CLIENT_ID__ | Application Id of the identity that will be used to configure Azure AD authentication to the Azure Web App | -| __AAD_CLIENT_SECRET__ | Secret of the identity that will be used to configure Azure AD authentication to the Azure Web App | -| __SUBSCRIPTION_ID__ | Subscription Id | -| __TENANT_ID__ | Tenant Id | -| __MANAGEMENT_GROUP_ID__ | Management group Id | +1. Create a [new resource group](https://learn.microsoft.com/azure/azure-resource-manager/management/manage-resource-groups-portal#create-resource-groups) in Azure. +1. [Assign the following roles](https://learn.microsoft.com/azure/role-based-access-control/role-assignments-portal) to the AzGovViz service principal the on the newly created resource group. 
+ - [Website Contributor](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#website-contributor) + - [Web Plan Contributor](https://learn.microsoft.com/azure/role-based-access-control/built-in-roles#web-plan-contributor) -- Create the following [GitHub variables](https://docs.github.com/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization) on the repository +**:keyboard: Use PowerShell:** -| Variable | Value | -| ----------------------- | ---------------------------------------------------------------- | -| __RESOURCE_GROUP_NAME__ | Name of the pre-created resource group to host the Azure Web App | -| __WEB_APP_NAME__ | Globally unique name of the Azure Web App | +```powershell +$subscriptionId = "" +$resourceGroupName = "Name of the resource group where the Azure Web App will be created>" +$location = "" -- Enable GitHub actions to [create and approve pull requests](https://docs.github.com/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests) on the repository. +Select-AzSubscription -SubscriptionId $subscriptionId +New-AzResourceGroup -Name $resourceGroupName -Location $location +New-AzRoleAssignment -ApplicationId $AzGovVizAppId -RoleDefinitionName "Web Plan Contributor" -ResourceGroupName $resourceGroupName +New-AzRoleAssignment -ApplicationId $AzGovVizAppId -RoleDefinitionName "WebSite Contributor" -ResourceGroupName $resourceGroupName +``` -#### PowerShell +### 7. Create the GitHub secrets, variables, and permissions + +**:computer_mouse: From the GitHub website:** + +1. Create the following [GitHub secrets](https://docs.github.com/actions/security-guides/encrypted-secrets#creating-encrypted-secrets-for-a-repository) on the repository. 
+ + | Secret | Value | + | :----- | :---- | + | **CLIENT_ID** | Application ID of the identity that will run Azure Governance Visualizer | + | **ENTRA_CLIENT_ID** | Application ID of the identity that will be used to configure user authentication to the Azure Web App | + | **ENTRA_CLIENT_SECRET** | Secret of the identity that will be used to configure user authentication to the Azure Web App | + | **SUBSCRIPTION_ID** | Azure subscription ID | + | **TENANT_ID** | Microsoft Entra tenant ID | + | **MANAGEMENT_GROUP_ID** | Azure management group ID | + +1. Create the following [GitHub variables](https://docs.github.com/actions/learn-github-actions/variables#creating-configuration-variables-for-an-organization) on the repository. + + | Variable | Value | + | ----------------------- | ---------------------------------------------------------------- | + | **RESOURCE_GROUP_NAME** | Name of the pre-created resource group to host the Azure Web App | + | **WEB_APP_NAME** | Globally unique name of the Azure Web App | + +1. Enable GitHub actions to [create and approve pull requests](https://docs.github.com/repositories/managing-your-repositorys-settings-and-features/enabling-features-for-your-repository/managing-github-actions-settings-for-a-repository#preventing-github-actions-from-creating-or-approving-pull-requests) on the repository. 
+ +**:keyboard: Use PowerShell and the GitHub CLI:** + +```powershell +$subscriptionId = "" +$tenantId = "" +$managementGroupId = $managementGroupId +$resourceGroupName = $resourceGroupName +$clientId = $AzGovVizAppId +$webAppClientId = $webAppSPAppId +$webAppClientSecret = $webAppSPAppSecret + +# Create GitHub repository secrets and variables +gh secret set 'CLIENT_ID' -b $clientId +gh secret set 'ENTRA_CLIENT_ID' -b $webAppClientId +gh secret set 'ENTRA_CLIENT_SECRET' -b $webAppClientSecret +gh secret set 'SUBSCRIPTION_ID' -b $subscriptionId +gh secret set 'TENANT_ID' -b $tenantId +gh secret set 'MANAGEMENT_GROUP_ID' -b $managementGroupId +gh variable set 'RESOURCE_GROUP_NAME' -b $resourceGroupName +gh variable set 'WEB_APP_NAME' -b $webAppName + +# Configure GitHub actions permissions +gh api -X PUT /repos/$GitHubOrg/$GitHubRepository/actions/permissions/workflow -F can_approve_pull_request_reviews=true +``` -- Create the needed secrets, variables and permissions +### 8. Deploy Azure Governance Visualizer Azure resources and application - ```POWERSHELL - ### Define variables - $subscriptionId = "" - $tenantId = "" - $managementGroupId = $managementGroupId - $resourceGroupName = $resourceGroupName - $clientId = $AzGovVizAppId - $aadClientId = $webAppSPAppId - $aadClientSecret = $webAppSPAppSecret +1. Navigate to _Actions_ in your newly created repository. 
- ### Create GitHub repository secrets and variables - gh secret set 'CLIENT_ID' -b $clientId - gh secret set 'AAD_CLIENT_ID' -b $aadClientId - gh secret set 'AAD_CLIENT_SECRET' -b $aadClientSecret - gh secret set 'SUBSCRIPTION_ID' -b $subscriptionId - gh secret set 'TENANT_ID' -b $tenantId - gh secret set 'MANAGEMENT_GROUP_ID' -b $managementGroupId - gh variable set 'RESOURCE_GROUP_NAME' -b $resourceGroupName - gh variable set 'WEB_APP_NAME' -b $webAppName + ![Screenshot showing the GitHub actions pane](./media/actions_pane.png) - ### Configure GitHub actions permissions - gh api -X PUT /repos/$GitHubOrg/$GitHubRepository/actions/permissions/workflow -F can_approve_pull_request_reviews=true - ``` +1. Run the _DeployAzGovVizAccelerator_ workflow to initialize the accelerator, deploy the Azure Web App and configure Microsoft Entra authentication for it. -## How to deploy + ![Screenshot showing deploying the DeployAzGovVizAccelerator workflow](./media/run_deploy_accelerator_action.png) -To deploy the accelerator after having the pre-requisites ready, you need to perform the following steps: + ![Screenshot showing the DeployAzGovVizAccelerator workflow executing](./media/deploy_accelerator_action_running.png) -- Navigate to _Actions_ in your newly created repository + This workflow will trigger another workflow to sync the latest AzGovViz code to your repository. - ![Screenshot showing the GitHub actions pane](./media/actions_pane.png) + ![Screenshot showing the SyncAzGovViz workflow](./media/sync_AzGovViz_workflow.png) -- Run the _DeployAzGovVizAccelerator_ workflow to initialize the accelerator, deploy the Azure Web App and configure Azure AD authentication for it + You will have to add the [AzGovViz parameters](https://github.com/Azure/Azure-Governance-Visualizer#parameters) you need into the _DeployAzGovViz_ workflow and enable the schedule option if you want to continuously run Azure Governance Visualizer. 
- ![Screenshot showing deploying the DeployAzGovVizAccelerator workflow](./media/run_deploy_accelerator_action.png) + ![Screenshot showing the path of the deployAzGovViz workflow](./media/deployAzGovViz_path.png) - ![Screenshot showing the DeployAzGovVizAccelerator workflow executing](./media/deploy_accelerator_action_running.png) + ![Screenshot showing editing the AzGovViz parameters](./media/AzGovViz_param_editing.png) -- This workflow will trigger another workflow to sync the latest AzGovViz code to your repository + ![Screenshot showing editing the AzGovViz schedule](./media/cron_job.png) - ![Screenshot showing the SyncAzGovViz workflow](./media/sync_AzGovViz_workflow.png) + As an example, you can add the _NoPIMEligibility_ parameter if you don't have PIM. -- You will have to add the [AzGovViz parameters](https://github.com/JulianHayward/Azure-MG-Sub-Governance-Reporting#parameters) you need into the _DeployAzGovViz_ workflow and enable the schedule option if you want to continuously run Azure Governance Visualizer. + ![Screenshot showing editing the AzGovViz parameters](./media/adding_noPIM_parameter.png) - ![Screenshot showing the path of the deployAzGovViz workflow](./media/deployAzGovViz_path.png) +1. 
Then, run the _DeployAzGovViz_ workflow to deploy AzGovViz and publish it to the Azure Web App - ![Screenshot showing editing the AzGovViz parameters](./media/AzGovViz_param_editing.png) + ![Screenshot showing deploying AzGovViz](./media/deploy_AzGovViz_workflow.png) - ![Screenshot showing editing the AzGovViz schedule](./media/cron_job.png) + ![Screenshot showing the AzGovViz workflow completion](./media/deployAzGovViz_complete.png) -- As an example, I will add the _NoPIMEligibility_ parameter since I don't have PIM + ![Screenshot showing the AzGovViz web app](./media/azure_web_app.png) - ![Screenshot showing editing the AzGovViz parameters](./media/adding_noPIM_parameter.png) + ![Screenshot showing the AzGovViz web app published](./media/azgovviz_published.png) -- Then, run the _DeployAzGovViz_ workflow to deploy AzGovViz and publish it to the Azure Web App +## :checkered_flag: Try it out! - ![Screenshot showing deploying AzGovViz](./media/deploy_AzGovViz_workflow.png) +TODO - Provide instructions on launching the visualizer. - ![Screenshot showing the AzGovViz workflow completion](./media/deployAzGovViz_complete.png) +## :broom: Clean up resources - ![Screenshot showing the AzGovViz web app](./media/azure_web_app.png) +If you were deploying the Azure Governance Visualizer for exploratory purposes, you'll want to delete the created Azure resources to prevent undesired costs from accruing and remove the related Microsoft Entra ID objects. Follow these steps to delete all resources created as part of this reference implementation. - ![Screenshot showing the AzGovViz web app published](./media/azgovviz_published.png) +TODO -## Configuration +## Additional topics ### Azure Web App configuration -- You can configure some aspects of the Azure Web application where AzGovViz is published by editing the _webApp.parameters.json_ file in the _bicep_ folder. 
+You can configure some aspects of the Azure Web application where AzGovViz is published by editing the _webApp.parameters.json_ file in the _bicep_ folder. - ![Screenshot showing the Azure Web app parameters file](./media/webapp_params.png) +![Screenshot showing the Azure Web app parameters file](./media/webapp_params.png) -### Keeping Azure Governance Visualizer code up-to-date +### Keep the Azure Governance Visualizer code up-to-date -- To keep the Azure Governance Visualizer's code up-to-date, the workflow _SyncAzGovViz_ runs on a schedule to check for new versions. The default setting is that this is enabled to push updates automatically to your repository. If you need to control those new version updates, you will have to set _AutoUpdateAzGovViz_ to false so you would get a Pull Request every time there is a new version to review. +To keep the Azure Governance Visualizer's code up-to-date, the workflow _SyncAzGovViz_ runs on a schedule to check for new versions. The default setting is that this is enabled to push updates automatically to your repository. If you need to control those new version updates, you will have to set _AutoUpdateAzGovViz_ to false so you would get a pull request every time there is a new version to review. - ![Screenshot showing syncAzGovViz workflow code with autoupdate set to true](./media/autoupdate_azgovviz.png) +![Screenshot showing syncAzGovViz workflow code with autoupdate set to true](./media/autoupdate_azgovviz.png) -### keeping the Azure Governance Visualizer Accelerator code up-to-date +### Keep the Azure Governance Visualizer Accelerator code up-to-date -- To keep the Azure Governance Visualizer Accelerator code up-to-date, the workflow _SyncAccelerator_ runs on a schedule to check for new versions. 
Everytime there is a new update to the accelerator's code, you would get a Pull Request submitted to your repository and the new release will be merged to a _releases_ folder where you can move to newer versions of this accelerator at your own pace. +To keep the Azure Governance Visualizer Accelerator code up-to-date, the workflow _SyncAccelerator_ runs on a schedule to check for new versions. Everytime there is a new update to the accelerator's code, you would get a pull request submitted to your repository and the new release will be merged to a _releases_ folder where you can move to newer versions of this accelerator at your own pace. ## Sources to documentation -For more information on Azure Governance Visualizer, please visit the [official docs](https://github.com/JulianHayward/Azure-MG-Sub-Governance-Reporting). +For more information on Azure Governance Visualizer, please visit the [official docs](https://github.com/Azure/Azure-Governance-Visualizer). diff --git a/SECURITY.md b/SECURITY.md index e138ec5..1bcc4ef 100644 --- a/SECURITY.md +++ b/SECURITY.md 
@@ -1,34 +1,34 @@ - + -## Security +# Security -Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/). +Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), and [Xamarin](https://github.com/xamarin). -If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below. +If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/security.md/definition), please report it to us as described below. ## Reporting Security Issues **Please do not report security vulnerabilities through public GitHub issues.** -Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report). +Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/security.md/msrc/create-report). -If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). 
If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey). +If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com). If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/security.md/msrc/pgp). -You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). +You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://www.microsoft.com/msrc). Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue: - * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.) - * Full paths of source file(s) related to the manifestation of the issue - * The location of the affected source code (tag/branch/commit or direct URL) - * Any special configuration required to reproduce the issue - * Step-by-step instructions to reproduce the issue - * Proof-of-concept or exploit code (if possible) - * Impact of the issue, including how an attacker might exploit the issue +* Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.) 
+* Full paths of source file(s) related to the manifestation of the issue +* The location of the affected source code (tag/branch/commit or direct URL) +* Any special configuration required to reproduce the issue +* Step-by-step instructions to reproduce the issue +* Proof-of-concept or exploit code (if possible) +* Impact of the issue, including how an attacker might exploit the issue This information will help us triage your report more quickly. -If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs. +If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/security.md/msrc/bounty) page for more details about our active programs. ## Preferred Languages @@ -36,6 +36,6 @@ We prefer all communications to be in English. ## Policy -Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd). +Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/security.md/cvd). diff --git a/SUPPORT.md b/SUPPORT.md index 291d4d4..15a510f 100644 --- a/SUPPORT.md +++ b/SUPPORT.md 
@@ -1,25 +1,9 @@ -# TODO: The maintainer of this repo has not yet edited this file - -**REPO OWNER**: Do you want Customer Service & Support (CSS) support for this product/project? - -- **No CSS support:** Fill out this template with information about how to file issues and get help. -- **Yes CSS support:** Fill out an intake form at [aka.ms/onboardsupport](https://aka.ms/onboardsupport). CSS will work with/help you to determine next steps. -- **Not sure?** Fill out an intake as though the answer were "Yes". CSS will help you decide. - -*Then remove this first heading from this SUPPORT.MD file before publishing your repo.* - # Support -## How to file issues and get help - -This project uses GitHub Issues to track bugs and feature requests. Please search the existing -issues before filing new issues to avoid duplicates. For new issues, file your bug or -feature request as a new Issue. +## How to file issues and get help -For help and questions about using this project, please **REPO MAINTAINER: INSERT INSTRUCTIONS HERE -FOR HOW TO ENGAGE REPO OWNERS OR COMMUNITY FOR HELP. COULD BE A STACK OVERFLOW TAG OR OTHER -CHANNEL. WHERE WILL YOU HELP PEOPLE?**. +This project uses GitHub Issues to track bugs and feature requests. Please search the existing issues before filing new issues to avoid duplicates. For new issues, file your bug or feature request as a new issue. -## Microsoft Support Policy +## Microsoft support policy -Support for this **PROJECT or PRODUCT** is limited to the resources listed above. +Support for Azure Governance Visualizer (AzGovViz) Accelerator is limited to the resources listed above. diff --git a/bicep/webApp.bicep b/bicep/webApp.bicep index f5c7f73..d12de34 100644 --- a/bicep/webApp.bicep +++ b/bicep/webApp.bicep 
@@ -8,7 +8,7 @@ param location string = resourceGroup().location @description('The SKU of App Service Plan.') param sku string -@description('The Runtime stack of current web app') +@description('The Runtime stack of the web app') param runtimeStack string @description('App Service Plan name') @@ -20,22 +20,19 @@ param kind string = 'Windows' @description('The public network access of the web app') param publicNetworkAccess string -@description('The tenant id of the subscription (used for AAD authentication)') +@description('The Microsoft Entra tenant ID of the Azure subscription (used for user authentication)') param tenantId string = subscription().tenantId -@description('The client id of the AAD application (used for AAD authentication)') +@description('The client ID of the Microsoft Entra application (used for user authentication)') param clientId string -@description('The client secret of the AAD application (used for AAD authentication)') +@description('The client secret of the Microsoft Entra application (used for user authentication)') @secure() param clientSecret string -@description('The AzGovViz management group id') +@description('The AzGovViz management group ID') param managementGroupId string -var loginEndpointUri = environment().authentication.loginEndpoint -var defaultDocument = 'AzGovViz_${managementGroupId}.html' - resource appServicePlan 'Microsoft.Web/serverfarms@2022-03-01' = { name: appServicePlanName location: location 
@@ -57,51 +54,47 @@ resource webApp 'Microsoft.Web/sites@2022-03-01' = { publicNetworkAccess: publicNetworkAccess windowsFxVersion: runtimeStack defaultDocuments: [ - defaultDocument + 'AzGovViz_${managementGroupId}.html' ] } } identity: { type: 'SystemAssigned' } -} -resource authSettings 'Microsoft.Web/sites/config@2022-03-01' = { - parent: webApp - name: 'authsettingsV2' - properties: { - globalValidation: { - requireAuthentication: true - redirectToProvider: 'azureActiveDirectory' - unauthenticatedClientAction: 'RedirectToLoginPage' - } - identityProviders: { - azureActiveDirectory: { - enabled: true - registration: { - openIdIssuer: '${loginEndpointUri}/${tenantId}/v2.0' - clientId: clientId - clientSecretSettingName: 'AzureAdClientSecret' + resource authSettings 'config' = { + name: 'authsettingsV2' + properties: { + globalValidation: { + requireAuthentication: true + redirectToProvider: 'azureActiveDirectory' + unauthenticatedClientAction: 'RedirectToLoginPage' + } + identityProviders: { + azureActiveDirectory: { + enabled: true + registration: { + openIdIssuer: '${environment().authentication.loginEndpoint}/${tenantId}/v2.0' + clientId: clientId + clientSecretSettingName: 'AzureAdClientSecret' + } } } } } -} -resource webAppSettings 'Microsoft.Web/sites/config@2022-03-01' = { - parent: webApp - name: 'appsettings' - properties: { - AzureAdClientSecret: clientSecret + resource appsettings 'config' = { + name: 'appsettings' + properties: { + AzureAdClientSecret: clientSecret + } } -} - -resource WebAppPublishSettings 'Microsoft.Web/sites/basicPublishingCredentialsPolicies@2022-09-01' = { - parent: webApp - name: 'scm' - properties: { - allow: true + resource webAppPublishSettings 'basicPublishingCredentialsPolicies' = { + name: 'scm' + properties: { + allow: true + } } }
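Review bot: The nested `webAppPublishSettings` resource keeps basic-auth publishing credentials enabled on the SCM (Kudu) endpoint with `allow: true`, and nothing in the file records which deployment step depends on that standing credential; presumably the publish step in the workflow does, but the README in this same commit describes federated credentials for the service principal, so a maintainer cannot tell whether it could be turned off. Suggest a comment above the nested resource: `// Basic-auth SCM publishing credentials are left enabled for the publish step; set allow: false if deployment moves to the federated identity.` The sibling `ftp` policy is not set here, so it stays at whatever the platform default is — if FTP publishing is not used, an explicit `name: 'ftp'` policy with `allow: false` next to the `scm` one would make the intent visible. Separately, `AzureAdClientSecret: clientSecret` writes the Entra client secret as a plain app setting, which is fine for a first cut but worth a TODO noting that a Key Vault reference is the hardened form. The enclosing `webApp` resource begins before this hunk.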