All posts by Julie Lerman

Using Azure Active Directory Accounts with a Subscription Tied to a Personal (aka Live) Account

This blog post is about a very particular problem you might have with some Azure services if your Azure subscription is tied to a personal account and not an Office 365 or Microsoft 365 identity. And the set of Azure services is not random. It is the set of Azure services that authenticate callers through Azure Active Directory, which is what the Azure.Identity library (DefaultAzureCredential, managed identities and the other credential types) talks to on the app's behalf.

I ran into this when working with the Azure Key Vault, but you might hit it with Azure Blob Storage or some other services.

I want to first describe how my Microsoft and Azure accounts are set up and how I encountered the problem then share how I was able to solve it.

I have also written an article on using Azure Key Vault from an ASP.NET Core application but I chose a simpler path for the article which was to use an Azure Subscription that was tied to an Office 365 account. That article is in the Code Magazine May/June 2021 issue. (I’ll share the link when it’s live). In this blog post I am going to focus on the problem of the personal account. You can find details about accessing the Key Vault from the application in the article.

My Microsoft and Azure Accounts

My Azure Subscriber account is my personal Microsoft account that is associated with live.com. It’s not a live.com email address. You see the big difference when you log into a Microsoft property. You enter your email address and then specify that it’s either a work/school account or a personal account. Mine is one of those personal accounts.

I log in to visualstudio.com, my Visual Studio subscription and my Microsoft MVP account with that same personal account.  I’ve been working this way for a very long time.

Working with an Azure Active Directory dependent service: Azure Key Vault

I was writing a small ASP.NET Core app and wanted to store its secrets– some connection strings – in an Azure Key Vault to keep them out of my source code.

I started by creating a key vault in Azure. Key vaults are accessed through an access policy: a combination of an Azure Active Directory identity (a user, group or service principal) and a selected set of permissions. (Key Vault can alternatively be governed by Azure RBAC role assignments, but this post uses access policies.) When you create a new Key Vault and your Azure subscription account is an O365 account, a new access policy will automatically be created giving the subscriber account's identity broad access to that key vault. Because my subscription was not tied to an O365 identity, I had to manually create an access policy for the user that is the subscription owner.

Back in Visual Studio, I wove the Azure.Extensions.AspNetCore.Configuration.Secrets package into my application to let it read from the key vault. This also requires referencing the Azure.Identity NuGet package.

Unless you hand the application a specific credential, the secrets provider relies on DefaultAzureCredential from the identity package, which tries a chain of credential sources in a fixed order (environment variables, a managed identity, the shared token cache, the Visual Studio and Visual Studio Code sign-ins, the Azure CLI, and so on) and uses the first one that produces a token. On a developer machine that is usually the account you signed in to Visual Studio with.

Here’s the critical code for accessing the key vault that I added into my app:

    using Azure.Identity;
    using Microsoft.Extensions.Configuration;

    // Pull the vault's secrets into IConfiguration using whatever credential
    // DefaultAzureCredential finds first on this machine.
    config.AddAzureKeyVault(
        new Uri("https://fourtwentyfive.vault.azure.net"),
        new DefaultAzureCredential());

This tells my app to communicate with my particular Azure Key Vault and use whatever credential it can find first. In my case, debugging in Visual Studio, that is the account I used to sign in to Visual Studio.

The Error of My Ways

And this is where the problem begins! When the debugger attempts to access the key vault with those credentials it throws an error.

    Azure.Identity.AuthenticationFailedException: 'SharedTokenCacheCredential authentication failed: AADSTS9002332: Application '[application's id]' (Azure Key Vault) is configured for use by Azure Active Directory users only. Please do not use the /consumers endpoint to serve this request.'

That's because even though the key vault let me create an access policy for my Live account, it's a trap. It won't work. A token acquired for a personal Microsoft account is issued by the consumer (/consumers) endpoint, and, as the error says, the Key Vault application only accepts users from an Azure Active Directory tenant. A personal account is not an Azure Active Directory identity, so no access policy granted to it can ever be satisfied. Full stop.
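As an added example (not code from the post), here is the start-up check I would put in front of AddAzureKeyVault while diagnosing this. It asks DefaultAzureCredential for a Key Vault token, reads the tid claim out of the JWT, and refuses to continue if the token came from the well-known consumer tenant, which is exactly the situation the AADSTS9002332 error describes. It also shows the tenant-id properties that DefaultAzureCredentialOptions exposes for pinning the developer credentials to one Azure AD tenant. The extension method name, the tenant id value and the thrown exception are my choices, and pinning the tenant is a thing to try rather than the fix the post arrived at.

```csharp
using System;
using System.Text;
using System.Text.Json;
using Azure.Core;
using Azure.Identity;
using Microsoft.Extensions.Configuration;

// Added example, not from the original post. Assumes the Azure.Identity and
// Azure.Extensions.AspNetCore.Configuration.Secrets packages are referenced.
// The tenant id passed in and the method name are placeholders.
public static class KeyVaultStartupCheck
{
    // Well-known tenant id Microsoft uses for personal (consumer) accounts.
    private const string ConsumerTenantId = "9188040d-6c67-4c5b-b112-36a304b66dad";

    // Resource scope Key Vault expects in the token request.
    private const string KeyVaultScope = "https://vault.azure.net/.default";

    // Usage (in ConfigureAppConfiguration), tenant id is an assumed placeholder:
    //   config.AddKeyVaultWithCheck(
    //       new Uri("https://fourtwentyfive.vault.azure.net"), "<your-aad-tenant-id>");
    public static IConfigurationBuilder AddKeyVaultWithCheck(
        this IConfigurationBuilder config, Uri vaultUri, string? tenantId)
    {
        var options = new DefaultAzureCredentialOptions
        {
            // Pin the developer-facing credentials to one Azure AD tenant so the
            // token is requested from that tenant rather than from /consumers.
            SharedTokenCacheTenantId = tenantId,
            VisualStudioTenantId = tenantId,
            VisualStudioCodeTenantId = tenantId,
            InteractiveBrowserTenantId = tenantId,
            // A developer box has no managed identity; skip that probe.
            ExcludeManagedIdentityCredential = true,
        };
        var credential = new DefaultAzureCredential(options);

        // Fail fast with a readable reason instead of a 401 deep inside startup.
        string tid = TenantIdOfToken(credential, KeyVaultScope);
        if (tid == ConsumerTenantId)
        {
            throw new InvalidOperationException(
                "The Key Vault token was issued by the consumer (personal account) tenant " +
                "and will be rejected. Sign in with an Azure AD identity or pin the tenant id.");
        }

        return config.AddAzureKeyVault(vaultUri, credential);
    }

    // Request a token for the scope and return its 'tid' (issuing tenant) claim.
    // If no credential in the chain works, Azure.Identity throws
    // AuthenticationFailedException naming the credential that failed.
    public static string TenantIdOfToken(TokenCredential credential, string scope)
    {
        AccessToken token = credential.GetToken(new TokenRequestContext(new[] { scope }), default);
        return ClaimFromJwt(token.Token, "tid");
    }

    // Decode the JWT payload (base64url without padding) and read one string claim.
    // The signature is not verified here; this is a diagnostic, not an authorization check.
    public static string ClaimFromJwt(string jwt, string claim)
    {
        string payload = jwt.Split('.')[1].Replace('-', '+').Replace('_', '/');
        payload = payload.PadRight(payload.Length + (4 - payload.Length % 4) % 4, '=');
        using var doc = JsonDocument.Parse(Encoding.UTF8.GetString(Convert.FromBase64String(payload)));
        return doc.RootElement.TryGetProperty(claim, out var value) ? value.GetString() ?? "" : "";
    }
}
```

Call it in place of the AddAzureKeyVault line shown earlier. If you would rather not throw during startup, log the tenant id and the credential that produced it and carry on; the point is to learn which identity the app actually picked up before the key vault says no.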

I do have an O365 account. But I didn’t want to change my subscriber account to one of my two identities tied to my O365 account for fear of messing up everything that’s dependent on my old Live login–my MVP access, my visualstudio.com access, etc.

Therefore I needed to add one of my Office 365 identities into my Azure Active directory.

Tying an O365 Identity to my Azure Subscription

I have two identities in my O365 account – julia and jlerman. The jlerman account has the same exact email address as my Live account. Let me help you avoid suffering through another failure. Don’t try to add in an O365 identity that has the same email address as the personal identity. This was the first path I chose. The code failed in the same place but this time I got an HTTP 401 error result — Unauthorized client access.

But I was successful when using my other identity: julia.

How to do this was complicated and I would never have figured it out on my own. I'm grateful for guidance from a fellow Microsoft Regional Director, Joe Homnick, (rd.microsoft.com/en-us/joe-homnick) who is a lot more experienced with Azure security than I ever want to be! In fact, I didn't understand the problem very well and I'm sure my explanation to him was very misleading, but he was able to figure out what I was trying to describe. Unfortunately, Joe couldn't just point me to a document because apparently none exists. He documented the steps for me in an email along with screenshots. That's a pal!

So the rest of this blog post is simply relaying what Joe taught me.

Also, I’m doing this via the Azure portal rather than a lot of mysterious Azure CLI commands. But you can achieve the same using the Azure CLI or PowerShell.

Step 1: Adding the O365 email address as a guest user with Global Administrator privileges

In the portal, go the Azure Active Directory, then Users.

  • Select New guest user
  • Select Create user. (Not “invite user”).
  • Under identity, add a user name. I called mine julia365. Azure will populate the domain name tied to your subscription’s Azure Active Directory.
  • Give your user a name. Mine is “Julia 365”.
  • Set a password for this user. You can let the portal auto-generate or supply your own.
  • The only other task (an important one) on this page is to set a role for this user. Click on User next to Roles and filter on global to select Global Administrator.

Then you can create the user.

The user principal name will be funky looking. It is formatted as an email address with the name of the user (with no spaces) and the domain is a compressed version of the identity for the subscription and then onmicrosoft.com.

So if my subscriber identity is [email protected], the new user’s principal name will be [email protected]. It’s not an email address, just an identity.

The identity issuer is also jlermansomedomain.onmicrosoft.com.


Step 2: Adding the new guest as a secondary subscription owner on the account

Having the user is not enough though. The new identity also needs rights on the subscription so it can see and manage the key vault. Azure allows you to set up secondary subscription owners, which is what Joe had me do. Be aware that Owner (like Global Administrator in step 1) is the broadest role available; it is what worked here, but for an identity whose only job is to debug one app against one key vault it is worth checking whether a narrower role plus the vault access policy is enough.

You’ll need to start by going to the subscription properties. You can find Subscriptions in the search bar if needed. If you have multiple subscriptions, be sure to select the one you intend to use for your application. Once in the subscription properties, select the Access control (IAM) option. Then from its menu, Role assignments and then Add.

In the Add role assignment form, select Owner from the Role drop-down. Leave the Assign access to option at its default (User, group, or service principal). You’ll see all of the users listed. Select the newly created one and then save. It will get added very quickly.

Step 3: Log in to the portal with the new identity

If you click on your login info on the top right corner of the portal, you may already have an easy option available for switching to the new account for logging in.

Otherwise, you’ll need to sign out then sign in with the new credentials.

Step 4: Add the new identity to the service’s access policies.

In my case, I returned to the key vault and created a new access policy for the new identity.

Step 5: Switch Visual Studio user to the new identity in order to run/debug from VS

This is important since, remember, when running or debugging from Visual Studio, DefaultAzureCredential picks up the Visual Studio sign-in as a credential source. You’ll first need to sign out and then sign in again with the clunky identity you created in AAD. With my example, that would be [email protected]

With these changes, not only did I finally get past that failing line of code, but the app accessed the key vault and read my secrets (a database connection string in my case) and was able to use the secret to connect to the database.

I hope this helps someone else down the road!


Come Join Me Online Next Week!

I’ve got a pile of live on-line engagements next week and it will be fun if you can come join any of them.

EF Core Community Standup, March 10, 1pm EST

First up is an AMA (Ask Me Anything) style Q&A with the EF Core team and me. All of the past standups from the team (and guests) are on YouTube. Here’s the link to the collection: https://aka.ms/efstandups. I believe the team will set up the “stage” for the upcoming standup at the top of that list, but you can always watch past ones and learn so much.

Docker Community All Hands, March 11, 11am EST

First hour will be company and product updates.
Second hour will be a collection of demos, workshops and lightning talks on various channels. I expect to be doing a lightning talk on Docker tooling in Visual Studio and another one on the VS Code Docker extension. Details here

The 425 Show, March 12, 11am EST

This is a live show focused on Azure Active Directory, a topic I know nothing about! However, the hosts, Christos Matkas and John Patrick Davidson are experts. Together we are going to secure the data access for a web app that I’ve built using EF Core. Should be fun! Here’s the YouTube channel where you can connect

Entity Framework Core 5 Resources I’ve Created Recently

EF Core 5.0 was released in November 2020.

Whether you are new to EF / EF Core or moving from an earlier version, I’ve been pretty busy creating a number of useful resources for you whether you prefer to learn by video, reading or listening!

Also, I keep links to all of my conference talk and other videos in this YouTube PlayList

(Video) Pluralsight Course: 
Entity Framework Core: Getting Started
pub. Dec 15, 2020
4.5 hours
(Article) Code Magazine Special Issue:
EF Core 5: Building on the Foundation
pub. Nov 2020
(Video) Pluralsight Webinar Recorded:
Preparing Your Move to Entity Framework Core 5: What’s New and What’s Improved
pub Nov 25, 2020
1 hr plus 20 minutes of Q&A

(Podcast) DevTalk with Kerry Lathrop
53: ON ENTITY FRAMEWORK CORE. WITH JULIE LERMAN
pub. Dec 28, 2020
47 minutes


(Podcast)
Software Engineering Radio
IEEE Computer Society
Episode 435: Julie Lerman on Object Relational Mappers and Entity Framework
Interview with Jeremy Jung
pub. Nov 17, 2020
1 hr

(Video) ASP.NET Monsters
MONSTERS WEEKLY 200B – CONVERSATIONS WITH JULIE LERMAN

pub. 12/21/20
48 minutes


Someone Masquerading as me on Indeed and LinkedIn

I have recently been contacted by multiple people who have been getting scam virtual assistant job offers on Indeed and LinkedIn from someone using the email address [email protected] And they are attempting some standard scammy tasks like “here’s a check” (which is fake) “please deposit it then transfer $ to [some weird place]”. Please don’t be taken in. It is not me. I don’t have accounts on any of those websites. Indeed.com has been alerted and has done something about that account. If you have been contacted by anyone like this, let me know. And I’m so sorry. 🙁

Follow My Explorations into AWS for .NET Developers

Earlier this year, a friend who is a dev advocate for .NET on AWS reached out to me to see if I had any awareness at all about the support Amazon Web Services has for .NET developers and .NET applications. My answer was a definite no. I’m an Azure fan girl and had never even thought about .NET on AWS. When he started rattling off some of what’s available, APIs, tooling and a dedicated team, I was surprised.

And curious.

So I have spent quite a bit of time sating that curiosity. I’ve written two articles that were published in Code Magazine this summer and recently published a course on Pluralsight. I still love Azure (and all my friends who work on Azure), but I’m glad to have deeper familiarity of other options. This makes me a better developer as well as a better consultant to my clients.

My focus has not been on deep DevOps or comparisons to Azure. I just wanted to see how things work and try it out. And I was definitely impressed.

I did all of the work in Visual Studio on my Windows machine because there is a very feature-rich extension called AWS Toolkit for Visual Studio. There are also extensions for VS Code, JetBrains’ Rider and other IDEs (not just for .NET). The ones for VS Code and Rider are more focused on serverless apps so they don’t have all of the features of the one for Visual Studio.

Since I’ve already created so much content, I’m not going to reiterate it all here but I wanted to be sure you are aware of the articles and the course and…the fact that there is such a thing as .NET on AWS. Whether, like me, you are curious, or like others, you are a .NET developer who has been tasked to learn about using AWS, I hope you find them interesting. Here’s what I’ve created thus far:

Discovering AWS for .NET Developers
Article, May/June 2020 Code Magazine

This is about my first foray: creating an account, installing the toolkit into Visual Studio, creating a SQL Server database (on AWS), pointing a .NET Core 3.1 app with EF Core to use that database, then (using the AWS toolkit) publishing the application to AWS.

Transform Your ASP.NET Core API into AWS Lambda Functions
Article. July/August 2020 Code Magazine

This is the next foray. I took the application from the first article, transformed it into an AWS serverless application (mostly by adding a few files provided by a project template), then published it to AWS. In the end, AWS creates a Lambda serverless function in front of the API, which means you get the benefit of billing that is based only on calls coming through the function. That compares to the cost of having the application running and waiting for requests 24/7.

Fundamentals of Building .NET Applications on AWS
Pluralsight course, 2.5 hours. Published Aug 7, 2020

The course leans on what I learned through the articles but also allowed me to spend more time explaining and teaching additional information. In the course, I walk through creating an account, installing the toolkit, creating the SQL Server database, publishing the .NET Core/EF Core app and publishing the serverless app. There is an additional lesson which is about publishing the application as docker containers, fully managed by AWS via a service called Fargate. There’s a lot more detail than the articles and I’m really walking you through step by step from start to end for each task.

I hope you’ll find the articles and course helpful and interesting, especially, if like me, you had no idea all of this support for .NET devs exist from AWS. 

Resize Windows’ Screen Resolution with a Touch of a Stream Deck Button

I have a lovely pair of wide-screen monitors with 1080p resolution. However, when recording software training courses for Pluralsight, we are asked to use a resolution of 1280×720 so that text and code are legible across a variety of devices and sizes.

Therefore, when recording a course, which may take me many many weeks, I tend to leave one of my monitors at 1280×720. But I’m constantly doing other things on that monitor such as email or writing and that resolution is discomforting.

There is no easy way to change the resolution other than going into system settings. But I now have a super easy way to change that monitor’s resolution back and forth.

Like many of us who are now creating content at home (although I am not streaming on twitch like many of my friends) I recently added an Elgato Stream Deck controller to my toolkit, along with some key lights, too! I use the stream deck to control the lights while recording video that requires that I be in it.

Step 1: Find a command line tool for affecting screen resolution.

There are some apps and there are a few CLI tools. After asking around on Twitter, I learned about Display Changer 2, used by two very trusted nerds (and friends): 

However, there are TWO versions of Display Changer and DC2 is the programmable one. So not knowing there was a simpler version, I got stuck on a path that was way more complicated than I needed. I learned how to create xml configuration files for various display settings, then create a PowerShell script to execute DC2 against those config files. But Stream Deck can’t run PowerShell files, so then I had to create a batch file to run the PS1 file. It was madness but I was determined and got it all working. And then blogged the very complicated path. Oy vey!

Then back to my brainy pal who said…well, y’know….:

Now this is my pal from whom I learned YET A BETTER WAY to load utensils into a dishwasher that I am now obsessed with (the dishwasher trick, that is. I do like Glenn, but no, I’m not obsessed with him)! So I always trust him, but I looked at that and thought “DC2 doesn’t have these switches and what is DC64?”.

I went back to 12noon’s website and realized that the “Display Changer” is different than “Display Changer II” and is a simpler tool to work with. Even though I felt like such a dope for getting stuck on the complicated path, I was happy for the MUCH EASIER way!  So if you haven’t ever configured a Stream Deck button, let’s finish this up with Glenn’s easy street way.

Step 2: Identify the Monitor

I’d recommend practicing the command at the command line before just shoving it into Stream Deck. Also, since I was aiming for my secondary monitor, I needed to use the

    dccmd -listmonitors

command to find out how to address that monitor. Turns out it’s

    "\\.\DISPLAY2"

So the command to change that monitor’s resolution to 1280×720 is:

    "C:\Program Files (x86)\12noon Display Changer\dc.exe" -monitor="\\.\DISPLAY2" -width=1280 -height=720

Step 3: Configure Stream Deck buttons to run the batch files

In the Stream Deck app, drag the System/Open option onto the button you want to configure for 720p.

In the settings, leave Title blank.

In the App/File setting, paste in your command:

"C:\Program Files (x86)\12noon Display Changer\dc.exe" -monitor="\\.\DISPLAY2" -width=1280 -height=720

In the icon selector, you can choose Create New Icon to design then download an icon for your button.

Setup another button to change the monitor back to your default resolution. Mine is 1080p.

"C:\Program Files (x86)\12noon Display Changer\dc.exe" -monitor="\\.\DISPLAY2" -width=1920 -height=1080

Originally these were the icons I created for my buttons. They are good enough for me and bright colors.

[Button icons: streamdeck_key_720p-3.png and streamdeck_key_1080p-2.png]

But Glenn was unimpressed and created some new ones and sent them to me. I’m sure he’ll be happy for me to share them.

[Button icons from Glenn: key_julie_720.png and key_julie_1080.png]

Here’s the Stream Deck with its new buttons. The setup works like a charm!

MSDN Mag Data Points Column Archives in Microsoft Docs

With MSDN Magazine shutting down, all of the content has been archived on the Microsoft docs site.

You can get to a listing of magazines by issue at https://docs.microsoft.com/en-us/archive/msdn-magazine/msdn-magazine-issues

And if you are looking specifically for my Data Points column archives, here is a link to the list of those articles:

https://docs.microsoft.com/en-us/archive/msdn-magazine/authors/Julie_Lerman

Pluralsight is totally free for the month of April

While many of you who read my blog are already Pluralsight subscribers with work or personal subscriptions, there are so many who do not have access. So Pluralsight is opening up the entire library of over 7,000 courses for people to watch while stuck at home. And you do not need to use a credit card to sign up.*

So whether you want to watch one of my courses such as

Or any of the other 7,000+ courses from some of the most knowledgeable devs who happen to be great at teaching ….

Have at it!

There is also a free plan for business accounts.

Business Free April Details: “To support your team’s skill development during these new challenges, for a limited time we’ve extended our free team trial from 14 days to 30 days.”

*The fine print: Free April is open to anyone who is not a current, active subscriber. New free accounts and reactivated accounts opened through April 30, 2020 will have access to Pluralsight’s library of video courses through April. Payment information will not be required for new free accounts opened through April 30, 2020. New free accounts opened after May 1, 2020, will only have access to a portion of Pluralsight’s library and will require payment information.

November Conferences: BuildStuff in Lithuania and GOTO in Copenhagen

I have one last conference trip coming up in 2019 which is a two-fer.

First, I’ll be at BuildStuff in Vilnius Lithuania Nov 13-17. I’m excited to be giving a keynote, “Living with Your Legacy”. If you are planning to attend but haven’t registered yet, you can use my last name “LERMAN” as a discount code. Register here. Twitter hashtag is #BUILDSTUFFLT.

From Lithuania, I’ll then be traveling to Copenhagen for GOTO Copenhagen. (Nov 18-20). This conference also has a discount code, “speakerfriend”. The twitter hashtag for this conference is #gotocph.