Welcome to my blog, stay tuned:

Orchestrating access to Azure KeyVault

Hi,

As you might know, Azure Key Vault is a set of repositories you can use to store key/value pairs of secrets, certificates, etc., in order to make the maintenance of this information easier. Key Vault comes with "Keys" and "Secrets", but I'm only going to focus on the "Secrets" part. Storing secrets is the easy part: you can do it with the Azure Key Vault Cmdlets (https://msdn.microsoft.com/en-us/library/dn868052.aspx), which let you interact with the Vault. But once you've stored all the secrets, you need to make them available to applications. Key Vault makes this possible by granting the SPN (service principal) corresponding to the Azure AD App access to the Vault, via the Set-AzureRmKeyVaultAccessPolicy cmdlet.
So far so good, but which approach should we adopt? There are several possibilities, one of which is granting access to Key Vault directly to the business Azure Active Directory App. While this approach works, it is not the most effective, for the following reasons:

  • Granting access directly to each business App ends up in chaos once you have a lot of different apps. You also need to grant each of these apps individual access to the Vault, which makes maintenance tedious.
  • At the Azure AD App level, you can create secrets and associate permissions with the App, but you can't restrict a given secret to a specific set of permissions. In order to access Key Vault, you must create a secret so that the App can use the ClientCredential flow, but since the secret you create isn't restricted specifically to Key Vault, it also allows developers to access the App's other resources. They could therefore bypass Key Vault and consume those resources directly, which is not what you intended.

Case Study: opportunity to leverage Spotlight & Alchemy's NLP capabilities within an open source SharePoint auto-tagger

Hi,

This blog post deviates a bit from my usual topics, but as I recently had to write an analysis in the context of a master's degree I'm attending at night, I thought it might be interesting reading for some folks, so I'm publishing the paper I wrote for a particular course.

  • The paper is here
  • The associated video can be found on Youtube

KeyVaultClientException: Operation "get" is not allowed

Hi,

If you happen to encounter any security exception with Key Vault, pay attention to how you grant access to the Azure Active Directory Application. To grant access to the application, make sure you grant it to the corresponding service principal and not to the app object itself.

One of my teammates went through the applications endpoint of the Graph Explorer this way:

https://graph.windows.net/tenant/applications

Managing expiration of Azure Active Directory Application Client Secrets

Hi,

As I use Azure Active Directory Applications more and more to consume online services such as SharePoint Online, Yammer, etc., I found myself annoyed with the duration of the client secrets.

As you know, when creating an app from the UI, you can set permissions and create a secret key with the GUI:

but it only lets you choose either 1 year or 2 years, with the start date being the creation date.

Azure Application Permissions vs SharePoint Add-In permissions, the obvious that's not so obvious

Hi,

I don't know if you've ever played with Azure Active Directory Application permissions to consume SharePoint Online, but you should know that the major advantage they offer compared to Add-Ins is that you can grant Azure Applications access to SharePoint transparently for end users, since you don't need to install anything in SharePoint.

NuGet package for Yammer Export API

Hi,

I have developed a NuGet package that helps export data from Yammer. It's a simple .NET wrapper that consumes the Yammer Export API. It allows you to retrieve any of the following:

  • Files (metadata only or metadata+binaries)
  • Administrators
  • Groups
  • Inbound Threads, meaning external messages in which internal users take part
  • Outbound Threads, meaning internal messages in which external users take part
  • Messages
  • Networks
  • Topics
  • Pages
  • Users

NuGet package for DBPedia Spotlight

Hi,

I have developed a small .NET wrapper for DBPedia Spotlight in order to make consuming their web service easier. Once you've added the package to your solution, you can use it the following way:

  static void Main(string[] args)
  {
      // Text to annotate and the Spotlight REST endpoint to call
      SpotlightRequestConfig cfg = new SpotlightRequestConfig(
          "Some text", "http://spotlight.sztaki.hu:2222/rest/");
      // Restrict the returned annotations to persons and places
      cfg.AddFilterOnType(DBPediaTypes.Person);
      cfg.AddFilterOnType(DBPediaTypes.Place);
  }

My Top 3 SharePoint Online oddities

Hi,

Here is my list of the weirdest issues I have experienced with SharePoint Online. Some of them are also reproducible on-prem, some are not. I don't know whether these are bugs or "by design" behaviour.

List with unique permissions in App Web

Did you know that if you want a list with unique permissions in an App Web (one that is part of an Add-In deployment), you must request at least the Manage List permission in the App Manifest?

A missing piece in the Azure Application Proxy but there is hope

Hi,

At the time of writing, the Azure Application Proxy makes it easy to publish an on-prem web application through Azure. There are tons of resources explaining how to do that, and it is a straightforward process.