Forum Widgets
Latest Discussions
Azure Function managed identity is raising this error "Access Denied"
We have an Azure Function on .NET 8.0. and we enabled the managed identity of the Azure Function. Then we run those commands as per this official MS link https://learn.microsoft.com/en-us/sharepoint/dev/apis/webhooks/sharepoint-webhooks-using-azd-template#grant-the-function-app-access-to-sharepoint-online:- Power shell command: # This script requires the modules Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns, which can be installed with the cmdlet Install-Module below: # Install-Module Microsoft.Graph.Authentication, Microsoft.Graph.Applications, Microsoft.Graph.Identity.SignIns -Scope CurrentUser -Repository PSGallery -Force Connect-MgGraph -Scope "Application.Read.All", "AppRoleAssignment.ReadWrite.All" $managedIdentityObjectId = "d3e8dc41-94f2-4b0f-82ff-ed03c363f0f8" # 'Object (principal) ID' of the managed identity $scopeName = "Sites.Selected" $resourceAppPrincipalObj = Get-MgServicePrincipal -Filter "displayName eq 'Office 365 SharePoint Online'" # SPO $targetAppPrincipalAppRole = $resourceAppPrincipalObj.AppRoles | ? Value -eq $scopeName $appRoleAssignment = @{ "principalId" = $managedIdentityObjectId "resourceId" = $resourceAppPrincipalObj.Id "appRoleId" = $targetAppPrincipalAppRole.Id } New-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $managedIdentityObjectId -BodyParameter $appRoleAssignment | Format-List And this pnp command: Connect-PnPOnline -Url "https://YOUR_SHAREPOINT_TENANT_PREFIX.sharepoint.com/sites/YOUR_SHAREPOINT_SITE_NAME" -Interactive -ClientId "YOUR_PNP_APP_CLIENT_ID"` Grant-PnPAzureADAppSitePermission -AppId "3150363e-afbe-421f-9785-9d5404c5ae34" -DisplayName "YOUR_FUNC_APP_NAME" -Permissions Manage Here is the code for the Azure Function, which uses the login user credential if I am inside development machine and uses the Azure Function managed identity on the hosted app: if (Environment.GetEnvironmentVariable("AZURE_FUNCTIONS_ENVIRONMENT") == "Development")` { var credential = new InteractiveBrowserCredential(); // or AzureCliCredential graphClient = new GraphServiceClient(credential); } else { var credential = new DefaultAzureCredential(); // Managed Identity graphClient = new GraphServiceClient(credential); var token = await new DefaultAzureCredential().GetTokenAsync( new TokenRequestContext(new[] { "https://graph.microsoft.com/.default" }) ); _logger.LogInformation("Token acquired: " + token.Token.Substring(0, 20) + "..."); } //Call to get the "Call Transfer Log Data" sharepoint list data` try { var sitePath = "e**87"; var listId = "6*`*`*`*`"; var allItems = new List<ListItem>(); // Initial page request with Expand = fields var page = await graphClient .Sites[sitePath] .Lists[listId] .Items .GetAsync(config => { config.QueryParameters.Top = 100; config.QueryParameters.Expand = new string[]{ "fields($select=*)" }; }); allItems.AddRange(page?.Value ?? []); // code goes here... } Then I verified the setting, but running this command: Get-PnPAzureADAppSitePermission -Site "<Site URL>" I get this result: Id : ***...-.... Roles : {Manage} App : Microsoft.Azure.Functions – 3150363e-afbe-421f-9785-9d5404c5ae34 In the development environment, the code is working fine, while in the hosted Azure Function, the code raised an exception: Access Denied Any advice? It seems I use all the needed settings.
Active Directory Users Remapping in DevOps Server 2022
Hi All, We had a ransomware attack on our AD server and DevOps server. Luckily I had a backup of the DevOps server which I restored back after formating both the servers. I did not change anything after format hostname of DevOps & AD server, IP address, the domain name , created same user names in active directory, everything I have kept identical. After installation and configuring DevOps AD users are not able to log in to DevOps. It keeps asking for credentials whenever a user tries to connect. Is there any option in TFS to remap active directory users? Please let me know. There are so many project created in TFS and its impossible for us to go and add AD users again on each project. Regards Imran Shaikh
Sentinel: How to edit a data parser (Cisco Meraki Data Parser)
Hello, I'm new MS Sentinel. I've installed the Cisco Meraki (using REST API) Data Connector and its status shows "Connected". I can see data coming in. However, I keep getting a message that I need to edit the Cisco Meraki Data Parser to replace "Server 1", "Server 2", etc. with the actual names of our devices. I can see it here: This sounds easy, but I cannot find any way to edit the data parser. Can anyone tell me where/how to edit this data parser in Sentinel or Azure?Azure Billing Credit - No Explanation
Hello, I have a customer who received a larger credit on their February bill without any explanation. The customer is seeking clarification on the reason behind this credit. We compared the Azure billing and Azure portal cost management and noticed discrepancies in charges for compute and some PaaS services. Unfortunately, support has not been able to provide any answers or assistance. Could you please suggest a way to identify the source of this credit and the reason for it? Is there a specific team or group that might be able to assist us in resolving this issue? Thank you in advance for your help! Terru
Set multiple values in devops library variable
Hi I need to pass multiple values in Library variable in DevOps. Currently my YAML looks like below. Contents: | RepoFolder1\*.txt RepoFolder2\*.csv RepoFolder3\*.py I want to create variable and pass above values to library variable in DevOps like below. Contents: $(Source_Files) Somehow Library variable is plain text, and it is not allowing multiline. How to achieve this. Thanks, Siva.
'Azure NPS Extension for Azure MFA' licensing
We have interest in installing the Azure NPS extension for Azure MFA to protect our on premise remote access VPN solution. This VPN solution is a simple firewall that provides remote access (client) VPN to our users and is used in combination with our local Win2019 Network Policy Server which acts as radius to enable the users to authenticate with their AD credentials. Those AD credentials are also synced from our local AD to Azure AD Free using Azure AD connect. I'm trying to determine if I need extra licensing for the extension. The documentation says: "The NPS Extension for Microsoft Entra multifactor authentication is available to customers with licenses for Microsoft Entra multifactor authentication" When I click that last link it has a table that, amongst other things, says it's available to "All Microsoft 365 plans" Most of our users have Exchange Online plans, some users have Office 365 Business standard plans. Both user groups already have MFA enabled and working when for example, logging in to Outlook webmail https://outlook.office.com with their synced AD identity. Do we need extra licenses in order to install and use Azure NPS extension for Azure MFA or not? Thanks in advanceAzure Event Grid Domain Creation: Overcoming AZ CLI's TLS Parameter Limitations with Workaround
Introduction: The Intersection of Security Policies and DevOps Automation In the modern cloud landscape, organizations increasingly enforce strict security requirements through platform policies. One common requirement is mandating latest TLS versions for example TLS 1.2 across all deployed resources to protect data in transit. While this is an excellent security practice, it can sometimes conflict with the available configuration options in deployment tools, particularly in the Azure CLI. This blog explores a specific scenario that many Azure DevOps teams encounter: how to deploy an Azure Event Grid domain when your organization has a custom policy requiring latest version considering TLS 1.2, but the Azure CLI command doesn't provide a parameter to configure this setting. The Problem: Understanding the Gap Between Policy and Tooling What Is Azure Event Grid? Azure Event Grid is a serverless event routing service that enables event-driven architectures. It manages the routing of events from various sources (like Azure services, custom applications, or SaaS products) to different handlers such as Azure Functions, Logic Apps, or custom webhooks. An Event Grid domain provides a custom topic endpoint that can receive events from multiple sources, offering a way to organize and manage events at scale. The Policy Requirement: Many organizations implement Azure Policy to enforce security standards across their cloud infrastructure. A common policy might look like this: { "policyRule": { "if": { "allOf": [ { "field": "type", "equals": "Microsoft.EventGrid/domains" }, { "anyOf": [ { "field": "Microsoft.EventGrid/domains/minimumTlsVersion", "exists": false }, { "field": "Microsoft.EventGrid/domains/minimumTlsVersion", "notEquals": "1.2" } ] } ] }, "then": { "effect": "deny" } } } This policy blocks the creation of any Event Grid domain that doesn't explicitly set TLS 1.2 as the minimum TLS version. The CLI Limitation: Now, let's examine the Azure CLI command to create an Event Grid domain: az eventgrid domain | Microsoft Learn TLS property is unrecognized with the latest version of AZ CLI version. Current Status of This Limitation: It's worth noting that this limitation has been recognized by the Azure team. There is an official GitHub feature request tracking this issue, which you can find at => Please add TLS support while creation of Azure Event Grid domain through CLI · Issue #31278 · Azure/azure-cli Before implementing this workaround described in this article, I recommend checking the current status of this feature request. The Azure CLI is continuously evolving, and by the time you're reading this, the limitation might have been addressed. However, as of April 2025, this remains a known limitation in the Azure CLI, necessitating the alternative approach outlined below. Why This Matters: This limitation becomes particularly problematic in CI/CD pipelines or Infrastructure as Code (IaC) scenarios where you want to automate the deployment of Event Grid domain resources. Workaround: You can utilize below ARM template and deploy it through AZ CLI in your deployment pipeline as below: Working ARM template: { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "1.0.0.0", "parameters": { "domainName": { "type": "string", "metadata": { "description": "Name of the Event Grid Domain" } }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", "metadata": { "description": "Azure region for the domain" } } }, "resources": [ { "type": "Microsoft.EventGrid/domains", "apiVersion": "2025-02-15", "name": "[parameters('domainName')]", "location": "[parameters('location')]", "properties": { "minimumTlsVersionAllowed": "1.2" } } ] } Please note I've used latest API version from below official Microsoft documentation : Microsoft.EventGrid/domains - Bicep, ARM template & Terraform AzAPI reference | Microsoft Learn Working AZ CLI command: az deployment group create --resource-group <rg> --template-file <armtemplate.json> --parameters domainName=<event grid domain name> You can store this ARM template in your configuration directory with replacement for Azure CLI command. It explicitly sets TLS 1.2 for Event Grid domains, ensuring security compliance where the CLI lacks this parameter. For example: az deployment group create --resource-group <rg> --template-file ./config/<armtemplate.json> --parameters domainName=<event grid domain name> Disclaimer: The sample scripts provided in this article are provided AS IS without warranty of any kind. The author is not responsible for any issues, damages, or problems that may arise from using these scripts. Users should thoroughly test any implementation in their environment before deploying to production. Azure services and APIs may change over time, which could affect the functionality of the provided scripts. Always refer to the latest Azure documentation for the most up-to-date information. Thanks for reading this blog! I hope you've found this workaround valuable for addressing the Event Grid domain TLS parameter limitation in Azure CLI. 😊
Error BCP036: The property "gateway" expected a value of type "string"
We're getting the error when we're trying to deploy On Premise Data Gateway API Connection: Error BCP036: The property "gateway" expected a value of type "string" but the provided value is of type "object" This was the initial properties file of the API connection we're trying to deploy We then updated the value of the gateway property into a string But got this error "ConnectionGatewayReferenceMissing","message":"The gateway reference connection parameter is missing for the on-premise connection request." Are we missing an attribute? This never happened before. It looks like there have been changes that happened some time this week to Azure API connection deployment
search/codesearchresults not able to get more than 2000 results?
when I send a POST API request to "https://MYAZUREINSTANCE/tfs/COLLECTION/MYPROJECT/_apis/search/codesearchresults?api-version=7.0" with this payload { "searchText": "ext:dll", "$skip": 1000, "$top": 1000, "filters": [ { "name": "ProjectFilters", "values": [ "MYPROJECT" ] }, { "name": "RepositoryFilters", "values": [ "$/MYPROJECT" ] } ], "searchFilters": { "ProjectFilters": [ "MYPROJECT" ], "RepositoryFilters": [ "$/MYPROJECT" ] } } the API returns the file data correctly. but I have more than 2000 such files. if I set "$skip": 2000, it returns an error stating that the $skip must be between 0 and 1000.... How do I get the rest of the files?
