## Overview

It looks like there are two generally supported methods (and one that seems supported but I couldn't figure out) for granting third parties remote access to interact Azure.

1. Generate a Service Management Certificate and give the customer a `.crt` file to upload to each subscription. This requires us to retain our corresponding `.pem` file and the subscription ID to which the certificate was uploaded.
1. In the customer's Active Directory directory, register an application (service principal) and assign approprite roles for each subscription. This requires us to retain the following customer details:
    - Tenant ID (or AD directory ID) for the customer's Azure account
    - Client ID (the app ID (preferred) or app home URL) for the created service principal
    - Secret (or password) for the created service principal
1. The magical elusive multi-tenant application (service principal)...

The Service Management Certificate solution in Azure's documentation [starts with a warning](https://docs.microsoft.com/en-us/azure/azure-api-management-certs), though, which suggests it may be too powerful, and I did not find any way of limiting its abilities:

> Be careful! These types of certificates allow anyone who authenticates with them to manage the subscription they are associated with.

I found that warning repeated in other places in the documentation, and that's probably a good indication that we should not be using it. Other examples I've read suggest that this is a legacy solution that can effectively be replaced by using an application (service principal). I am including its example usage below for completeness.

Azure documentation implies in several places that you can configure an app to be multi-tenant, but after many failed attempts and documentation dead-ends, I have not yet been able to successfully configure an app in one tenant that can reach into another when working with the SDK. I am leaving that exercise out of this document with the hope that someone can figure it out in the future. Having a true multi-tenant application would be vastly superior (security-wise) to us retaining credentials into each of our customer's accounts.

For what it's worth, though, I found one other company who offers automation services for Azure, and they require their customers to create an appliction (service principal) and they save the IDs and secret/password. Other integrations have apps published in the Azure Marketplace; perhaps that's what we need to do, but it requires submitting a Marketplace Nomination Form with a $99 registration fee. I'm not sure if that's right for us...

## Using the Service Management Certificate

Generate certificate files and upload the `.cer` file to the customer subscription.

```
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
openssl x509 -inform pem -in mycert.pem -outform der -out mycert.cer
```

More docs: [Certificates overview for Azure Cloud Services](https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-certs-create) and [Use service management from Python](https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-python-how-to-use-service-management)

In [7]:
from azure.servicemanagement import ServiceManagementService

subscription_id = '31fd9fff-46e4-4bdf-8994-7ca536e34d3a'
certificate_path = '/Users/brasmith/mycert.pem'

sms = ServiceManagementService(subscription_id, certificate_path)

result = sms.list_locations()
print([location.name for location in result])

['East US', 'West US', 'South Central US', 'Central US', 'North Central US', 'East US 2', 'North Europe', 'West Europe', 'Southeast Asia', 'East Asia', 'Japan West', 'Japan East', 'Brazil South', 'Australia Southeast', 'West US 2', 'West Central US', 'Australia East', 'Central India', 'South India', 'West India', 'Canada Central', 'Canada East', 'UK West', 'UK South', 'Korea Central', 'Korea South', 'France Central', 'France South']


## Using the Application/Service Principal

The customer may set up the application (service principal) by following [these instructions using the web portal GUI](https://docs.microsoft.com/en-us/azure/azure-stack/azure-stack-create-service-principals) or [these instructions using the Azure CLI](https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli).

In [9]:
from getpass import getpass
from pprint import pprint
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.subscription import SubscriptionClient

subscription_id = '31fd9fff-46e4-4bdf-8994-7ca536e34d3a'
tenant_id = '85fa570e-8b49-4eed-8bdf-3f3a72c89932'
app_id = '416d0248-c33c-4401-95df-4c8e4052c610'
secret = getpass()

credentials = ServicePrincipalCredentials(
    client_id=app_id,
    secret=secret,
    tenant=tenant_id
)
subscription_client = SubscriptionClient(credentials)
subscription = subscription_client.subscriptions.get(subscription_id)
pprint(subscription.as_dict())

locations = subscription_client.subscriptions.list_locations(subscription_id)
print([location.name for location in locations])

········
{'authorization_source': 'RoleBased',
 'display_name': 'Pay-As-You-Go',
 'id': '/subscriptions/31fd9fff-46e4-4bdf-8994-7ca536e34d3a',
 'state': 'Enabled',
 'subscription_id': '31fd9fff-46e4-4bdf-8994-7ca536e34d3a',
 'subscription_policies': {'location_placement_id': 'Public_2014-09-01',
                           'quota_id': 'PayAsYouGo_2014-09-01',
                           'spending_limit': 'Off'}}
['eastasia', 'southeastasia', 'centralus', 'eastus', 'eastus2', 'westus', 'northcentralus', 'southcentralus', 'northeurope', 'westeurope', 'japanwest', 'japaneast', 'brazilsouth', 'australiaeast', 'australiasoutheast', 'southindia', 'centralindia', 'westindia', 'canadacentral', 'canadaeast', 'uksouth', 'ukwest', 'westcentralus', 'westus2', 'koreacentral', 'koreasouth', 'francecentral', 'francesouth', 'australiacentral', 'australiacentral2']
