## Overview

It looks like there are two generally supported methods (and one that seems supported but I couldn't figure out) for granting third parties remote access to interact Azure.

1. Generate a Service Management Certificate and give the customer a `.crt` file to upload to each subscription. This requires us to retain our corresponding `.pem` file and the subscription ID to which the certificate was uploaded.
1. In the customer's Active Directory directory, register an application (service principal) and assign approprite roles for each subscription. This requires us to retain the following customer details:
    - Tenant ID (or AD directory ID) for the customer's Azure account
    - Client ID (the app ID (preferred) or app home URL) for the created service principal
    - Secret (or password) for the created service principal
1. The magical elusive multi-tenant application (service principal)...

The Service Management Certificate solution in Azure's documentation [starts with a warning](https://docs.microsoft.com/en-us/azure/azure-api-management-certs), though, which suggests it may be too powerful, and I did not find any way of limiting its abilities:

> Be careful! These types of certificates allow anyone who authenticates with them to manage the subscription they are associated with.

I found that warning repeated in other places in the documentation, and that's probably a good indication that we should not be using it. Other examples I've read suggest that this is a legacy solution that can effectively be replaced by using an application (service principal). I am including its example usage below for completeness.

Azure documentation implies in several places that you can configure an app to be multi-tenant, but after many failed attempts and documentation dead-ends, I have not yet been able to successfully configure an app in one tenant that can reach into another when working with the SDK. I am leaving that exercise out of this document with the hope that someone can figure it out in the future. Having a true multi-tenant application would be vastly superior (security-wise) to us retaining credentials into each of our customer's accounts.

For what it's worth, though, I found one other company who offers automation services for Azure, and they require their customers to create an appliction (service principal) and they save the IDs and secret/password. Other integrations have apps published in the Azure Marketplace; perhaps that's what we need to do, but it requires submitting a Marketplace Nomination Form with a $99 registration fee. I'm not sure if that's right for us...

## Using the Service Management Certificate

Generate certificate files and upload the `.cer` file to the customer subscription.

```
openssl req -x509 -nodes -days 365 -newkey rsa:1024 -keyout mycert.pem -out mycert.pem
openssl x509 -inform pem -in mycert.pem -outform der -out mycert.cer
```

More docs: [Certificates overview for Azure Cloud Services](https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-certs-create) and [Use service management from Python](https://docs.microsoft.com/en-us/azure/cloud-services/cloud-services-python-how-to-use-service-management)

In [7]:
from azure.servicemanagement import ServiceManagementService

subscription_id = '31fd9fff-46e4-4bdf-8994-7ca536e34d3a'
certificate_path = '/Users/brasmith/mycert.pem'

sms = ServiceManagementService(subscription_id, certificate_path)

result = sms.list_locations()
print([location.name for location in result])

['East US', 'West US', 'South Central US', 'Central US', 'North Central US', 'East US 2', 'North Europe', 'West Europe', 'Southeast Asia', 'East Asia', 'Japan West', 'Japan East', 'Brazil South', 'Australia Southeast', 'West US 2', 'West Central US', 'Australia East', 'Central India', 'South India', 'West India', 'Canada Central', 'Canada East', 'UK West', 'UK South', 'Korea Central', 'Korea South', 'France Central', 'France South']


## Using the Application/Service Principal

The customer may set up the application (service principal) by following [these instructions using the web portal GUI](https://docs.microsoft.com/en-us/azure/azure-stack/azure-stack-create-service-principals) or [these instructions using the Azure CLI](https://docs.microsoft.com/en-us/cli/azure/create-an-azure-service-principal-azure-cli).

In [9]:
from getpass import getpass
from pprint import pprint
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.subscription import SubscriptionClient

subscription_id = '31fd9fff-46e4-4bdf-8994-7ca536e34d3a'
tenant_id = '85fa570e-8b49-4eed-8bdf-3f3a72c89932'
app_id = '416d0248-c33c-4401-95df-4c8e4052c610'
secret = getpass()

credentials = ServicePrincipalCredentials(
    client_id=app_id,
    secret=secret,
    tenant=tenant_id
)
subscription_client = SubscriptionClient(credentials)
subscription = subscription_client.subscriptions.get(subscription_id)
pprint(subscription.as_dict())

locations = subscription_client.subscriptions.list_locations(subscription_id)
print([location.name for location in locations])

········
{'authorization_source': 'RoleBased',
 'display_name': 'Pay-As-You-Go',
 'id': '/subscriptions/31fd9fff-46e4-4bdf-8994-7ca536e34d3a',
 'state': 'Enabled',
 'subscription_id': '31fd9fff-46e4-4bdf-8994-7ca536e34d3a',
 'subscription_policies': {'location_placement_id': 'Public_2014-09-01',
                           'quota_id': 'PayAsYouGo_2014-09-01',
                           'spending_limit': 'Off'}}
['eastasia', 'southeastasia', 'centralus', 'eastus', 'eastus2', 'westus', 'northcentralus', 'southcentralus', 'northeurope', 'westeurope', 'japanwest', 'japaneast', 'brazilsouth', 'australiaeast', 'australiasoutheast', 'southindia', 'centralindia', 'westindia', 'canadacentral', 'canadaeast', 'uksouth', 'ukwest', 'westcentralus', 'westus2', 'koreacentral', 'koreasouth', 'francecentral', 'francesouth', 'australiacentral', 'australiacentral2']


In [None]:
# registering an application

#az ad app create --display-name {app name} --homepage https://{your domain}/{app name} --identifier-uris https://{your domain}/{app name} --password {your password} --available-to-other-tenants true


In [45]:
# Accessing resource with OAUTH token
import adal
from msrestazure.azure_active_directory import AdalAuthentication
from msrestazure.azure_cloud import AZURE_PUBLIC_CLOUD
from msrestazure.azure_active_directory import AADTokenCredentials

# 1. Use adal to fetch token
auth_code = 'AQABAAIAAAC5una0EUFgTIF8ElaxtWjTI5Nu0SSvixfROsnbBobx2KqQVMhftYG6zBZXZWW8VoO4cEFu4WRGVb4QBbuaCZ5H9O_8kjn9BbelAk1QsGDZ2VJCyQYWyBRmzy1lvx63Euc0POBv8R7DcIZDZIQkIKQ7OFHULI66fRnvnOxrlBuwJNIgclXvfJi9_xhKEOGqGERTyrFe_olbm4hPDqjgaF_T9PpupqMrUsBLOw51nAC3nmuq1kXdXW0nwCu13FNv5Ghfjj3YOSR7okIganHOU63W0fgYF63ww_0g1YiyOVP70k-14Y8WieAl8tKWd5FcMCSUrDjS9_tgA0OCmxQIxWh4BaYZyqUkvdjPna9iok09uYcPtqqTgDyJxH92fCKJpGb6DLH1raxL_k1GPaOs-F_do_jLcaAR6h_AV6qskHWGz-I4nDUfj_oRFW3xsbb92V9ikri0ZlvCLk7lRYvidbufSs-pzOlllw62D7xDVy0floPB4wQP5SvFXGQ1C9sRSFlZ96IRlt5ZWx1-jz0B9_cO6cgWNZDkTHKTSiQ3BEhfR0mI8ubfeho0IS4CcZY4_qjJgHDaNdfpzXTEhpuLs4w2thCO5WKkdYMw1IPmvH6gGry9gN0Px4JuHUWNH9iys5k6Sf2JHRxDUAqzfwjPzf9XEgabOyyLab74ainISNwdb8dh1AUoqcuZuy40eAjM1RZeNEz19m93W-WuEONEIKwRpyYT1_Nbloauzia5qATsdtCxRpfKLLOdQywgcTDwa2t5K6bHDmlmDfU-uETC63SeugWM39fnDjvbcxLZcZcznRnxO6ief9Xsuf4mLU5UtJ6yx3T0z4c-DIHulu4VN4ZFpqPQKfPH0mCnMjP185MTrBZ4-aloZmu7a-UdP-8G_DKqmfyfr2Ilerxht01TlP99EIUnVM1rGKkzpQvhOi49cpznWDMiGXtDe_m_4NnN32oHp_iMUQcnybz6pFeYik6uTGFlLt9-z5kickWo7N-Eckp2O_x9L3w_cR0lNMlPXWFS2ycC9_j37B4P7FBqcP3UaNEBB3gDUjpKSYmZJkFOR8KxAzYDWxMWlxquzuDFVlogAA'
redirect_uri = 'http://127.0.0.1:8000/oidc/callback/'

# this is brad's tenant
tenant_id = '85fa570e-8b49-4eed-8bdf-3f3a72c89932'

# this is brad's multitenant appliction client id
client_id = '836ace98-9581-4ff3-a866-76f266186252'
client_secret = '?$RE>D&!&(#M)#Q=Q>Si;^Co[GQ]=B^>m[#)+]#0#B&^{2;(ng$'

login_endpoint = AZURE_PUBLIC_CLOUD.endpoints.active_directory


resource = AZURE_PUBLIC_CLOUD.endpoints.active_directory_resource_id

context = adal.AuthenticationContext(login_endpoint + '/' + tenant_id)
credentials = AdalAuthentication(
    context.acquire_token_with_authorization_code,
    auth_code,
    redirect_uri,
    resource,
    client_id,
    client_secret)
# 2. use token in AADTokenCredentials to access client information,

# 3. ???


In [46]:
import os
from pprint import pprint
from azure.common.credentials import ServicePrincipalCredentials
from azure.mgmt.resource import ResourceManagementClient
from azure.mgmt.compute import ComputeManagementClient

# this is bizhang's subscription
subscription_id = 'c59c7cfb-bf7b-45f6-ad64-9f18fd05faf7'

resource_client = ResourceManagementClient(credentials, subscription_id)
compute_client = ComputeManagementClient(credentials, subscription_id)


In [47]:
# resource_client.resources does not include resource group info 
# which we need to get to the vm, so we have to start by getting all the groups
for groups in resource_client.resource_groups.list(): 

    resources = resource_client.resources.list_by_resource_group(groups.name)
    for resource in resources:
        pprint(resource)

CloudError: Azure Error: InvalidAuthenticationTokenTenant
Message: The access token is from the wrong issuer 'https://sts.windows.net/85fa570e-8b49-4eed-8bdf-3f3a72c89932/'. It must match the tenant 'https://sts.windows.net/f0e14f31-0c05-482e-9a59-62ede39c13c1/' associated with this subscription. Please use the authority (URL) 'https://login.windows.net/f0e14f31-0c05-482e-9a59-62ede39c13c1' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later.

In [51]:
pprint(AZURE_PUBLIC_CLOUD.endpoints.active_directory_resource_id)


'https://management.core.windows.net/'


In [94]:
import requests

auth_code = 'AQABAAIAAAC5una0EUFgTIF8ElaxtWjT3F3qiJFsAhrzD0EKUA5_TqfTj2Z6hrSs-keoe8RH9P_qSmMIs2SnR8DBTYQDy_K9xjol3BELKmPpE0pOSfy4ZYdSdKsGtRED_cBJpbQ4_LGBpNs0y0DCyYtCprStV-dcENy6OTrgC7ga4x20cjzeZZVummO3aJWyKDBK2FcDe_0I-ZLbZigqp76J9Di74D3qdnAAYH3hMWvBU1EgwYR84rPhK0IP3eDShrzeAy1KAMI3Gg5oTzXgPR6Oept5XYK-oE9c07JtVcmmJ5NeHXLWUzDmbHUTw9gdQM84qOMMwDYG8aNXKOSOzReJHbAHH6hyb71znsltVcdXyXtuf8-2SZ34drtYVXhq4P1wcyhKwIOttkmnl87usXuI1ksSiJfmOzGEoEZ0NGdgin_Vn9JH93dM4EBGw6kgEJuqGgbgu8sEabPHhoQA4Gu4HUv7yaO359_LRBAFAuAd6b_bFdO3nLxOngg_W1N5tAfvhtV3PFKomU74MWeVhfmrGXuyiwq6QD40Joy-VdxQRm-2ZEOTOn4EnRbccohq3ieZL8hVs9v3zRD3LdDGb4m3te3Nd7mpJSIwSok-9nd94U6_ce60VbXN5ZhT0brXrdCw1jUf67_RZhlt4hJr0sa4ByBXTyBtegqDwznuT7230hU_6azW3UXLMU2uSJ4oPmlOl2WlZtjiMEUVYoIlF-Q1lwR2bwTW-A-MIxVqszlEmfR5DfuaExc8gmL6dHuos6w-xlOJzHKKbZ5n2MK1d9gXW0mOxZ2aA0y4M5uSh0Dph7X23Oloot1iqaD3FdYR0u7LggElbJte9dm5nnwljS4hDpbGpNdHoTZ6W7pJ9tkoDHZMQuNVnH5JDgF8n8QunlsZntkBX-FI3saJWuWdddW89-d8_6zN0OUdKUaQ6YPtkUSfma9nOltISIjZh3EZZchbiJG9ZZDH_Ibihycw7qjdiA_9GcAX5BAWKa98QCEurT_Qhyn3IPknSlJRf33dhvepz1WTq47uaqflNy2M_woFk78GbvQ5mv77UMxqna4nvwhStpxKZUA-wANFDr7ODLVM73y2yZkgAA'

redirect_uri = 'http://127.0.0.1:8000/oidc/callback/'


payload = {'grant_type': 'authorization_code', 
           'code': auth_code, 
           'redirect_uri': redirect_uri, 
           'client_secret': client_secret,
           'client_id': client_id,
           'scopes': ['profile'],
           'resource'}

r = requests.post(
    "https://login.microsoftonline.com/85fa570e-8b49-4eed-8bdf-3f3a72c89932/oauth2/v2.0/token", 
    data=payload
)


In [95]:
print(r.json())

{'error': 'invalid_grant', 'error_description': 'AADSTS70002: Error validating credentials. AADSTS70008: The provided authorization code or refresh token is expired. Send a new interactive authorization request for this user and resource.\r\nTrace ID: a7714304-43ba-4ac3-a966-92b20e621600\r\nCorrelation ID: e45fdaf1-4cd6-4ad0-afd1-d9300c402f44\r\nTimestamp: 2018-12-13 15:37:32Z', 'error_codes': [70002, 70008], 'timestamp': '2018-12-13 15:37:32Z', 'trace_id': 'a7714304-43ba-4ac3-a966-92b20e621600', 'correlation_id': 'e45fdaf1-4cd6-4ad0-afd1-d9300c402f44'}


In [100]:
resp = requests.get(
    'https://management.azure.com/subscriptions/c59c7cfb-bf7b-45f6-ad64-9f18fd05faf7/providers/microsoft.authorization/permissions?api-version=2015-07-01',
    #'https://graph.microsoft.com/v1.0/users',
    headers={
        "Authorization": "Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsIng1dCI6Im5iQ3dXMTF3M1hrQi14VWFYd0tSU0xqTUhHUSIsImtpZCI6Im5iQ3dXMTF3M1hrQi14VWFYd0tSU0xqTUhHUSJ9.eyJhdWQiOiIwMDAwMDAwMi0wMDAwLTAwMDAtYzAwMC0wMDAwMDAwMDAwMDAiLCJpc3MiOiJodHRwczovL3N0cy53aW5kb3dzLm5ldC84NWZhNTcwZS04YjQ5LTRlZWQtOGJkZi0zZjNhNzJjODk5MzIvIiwiaWF0IjoxNTQ0NzExMzUzLCJuYmYiOjE1NDQ3MTEzNTMsImV4cCI6MTU0NDcxNTI1MywiYWNyIjoiMSIsImFpbyI6IkFTUUEyLzhKQUFBQWtiUWpEK0t4MThOQnRmT29XUTlaQ1R6VmdxS2pqV1JEWnFOVW8wYm5VTFE9IiwiYWx0c2VjaWQiOiIxOmxpdmUuY29tOjAwMDM0MDAxMTIxOTkwRTYiLCJhbXIiOlsicHdkIl0sImFwcGlkIjoiODM2YWNlOTgtOTU4MS00ZmYzLWE4NjYtNzZmMjY2MTg2MjUyIiwiYXBwaWRhY3IiOiIxIiwiZW1haWwiOiJiaWhhbnpoQG91dGxvb2suY29tIiwiaWRwIjoibGl2ZS5jb20iLCJpcGFkZHIiOiI2Ni4xODcuMjMzLjIwMiIsIm5hbWUiOiJiaWhhbnpoIiwib2lkIjoiYmVkNjIxOGMtYTEyZi00ZjFmLWIwOWUtOGE0YzFjYjRhZGEyIiwicHVpZCI6IjEwMDMzRkZGQUU0MUE2MEIiLCJzY3AiOiJVc2VyLlJlYWQiLCJzdWIiOiJBLWwwdnMyRjJsMzV1T0I2R0tlV3ZleHlpbWZXUmJSWkxoQWQxdnQ5MWVVIiwidGVuYW50X3JlZ2lvbl9zY29wZSI6Ik5BIiwidGlkIjoiODVmYTU3MGUtOGI0OS00ZWVkLThiZGYtM2YzYTcyYzg5OTMyIiwidW5pcXVlX25hbWUiOiJsaXZlLmNvbSNiaWhhbnpoQG91dGxvb2suY29tIiwidXRpIjoidl9PYWhGa0xsRXFBSmRUSHJPMUlBQSIsInZlciI6IjEuMCJ9.Ru0b6x6B2ojuCl4kxWI0g52ZIheNmjw3qjZy2dPB4pM1B_2vgKf7piNF1wJ2qNYwLCNM_e_ykZkO52fRLVdkpwRJddpO1YO6pQ0qnZNRHwbOvL2bqI7qA5hqo9CBHlR_JnX3b0HmcFmLJbwl7ZoIoMRaLgqPDcgkiIUg0cTbkE0WfUiMOJ6eXY7XKsTAtz9OTwZDaZfmBdNWdjNVu4mJjnZawH848DUqPNMZrS42G6Enu46G43zyRrpl0x-sJ1gSoKvcZCvFeudVu4CEXaZhdEP049xjd39PaHvgu9ORr1yizaclzPeaBEfwQxVlQ069zzf3bbaOjeoElAqs4sc9pg"
    })

In [99]:
pprint(resp.json())

{'error': {'code': 'ExpiredAuthenticationToken',
           'message': "The access token expiry UTC time '12/13/2018 3:39:13 "
                      "PM' is earlier than current UTC time '12/13/2018 "
                      "3:51:29 PM'."}}
