[Engineering task] Build automation around session revoke #4636
Description
Task type
Test
Description
Build an API to revoke user/app sessions
Solution
First get a locked user :
https://msidlab.com/api/CreateTempUser?usertype=Basic
To revoke sessions :
The code for the revoke is hosted in this function app for testing. You can find the full code below
how to call into this API?
You can use the same information that we use to authenticate to lab API for this new API as well.
How to set this up?
Once you have copy pasted the below code to a function app, specifically one that triggers a PowerShell code. Then you need to do the following changes.
Go to KUDU : https://idlabslabapi.scm.azurewebsites.net/DebugConsole/?shell=powershell
Here you will see these files,
Edit the requirements.psd1 and add the following, this enables us to use the AZ modules so we can run Azure Administration PowerShell commands
Then edit the profile.ps1 file and add the following. AZ comes with a million modules, so instead of loading them all we are simply loading the ones the script needs.
Finally, the app ($ApplicationId = 'e8f7e05f-3ae8-4307-bc34-b26aec3bb4bf'), is registered in msidlab4.com and we use that as a SP to execute these commands in msidlab4.com
Full code (not final) :
using namespace System.Net
# Input bindings are passed in via param block.
param($Request, $TriggerMetadata)
# Write to the Azure Functions log stream.
Write-Host "PowerShell HTTP trigger function processed a request."
# Interact with query parameters or the body of the request.
$name = $Request.Query.Name
if (-not $name) {
$name = $Request.Body.Name
}
# Get the username from the query string
$username = $Request.Query.Username
if (-not $username) {
$username = $Request.Body.Username
}
$secretValue = [System.Environment]::GetEnvironmentVariable("AppSecret", [System.EnvironmentVariableTarget]::Process)
$SecurePassword = ConvertTo-SecureString -String $secretValue -AsPlainText -Force
$TenantId = 'f645ad92-e38d-4d1a-b510-d1b09a74a8ca';
$ApplicationId = 'e8f7e05f-3ae8-4307-bc34-b26aec3bb4bf';
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $ApplicationId, $SecurePassword
$connection = Connect-AzAccount -ServicePrincipal -TenantId $TenantId -Credential $Credential -ErrorAction Stop
# Fetch a specific Azure AD User by UserPrincipalName and select their ObjectId
if ($username) {
$user = Get-AzADUser -UserPrincipalName $username
if (-not $user) {
$result = "User not found."
} else {
$userObjectId = $user.Id | Out-String
}
} else {
$result = "No username provided."
}
# Conditional logic for username starting with "Locked_"
if ($username -and $username.StartsWith("Locked_")) {
Revoke-AzureADUserAllRefreshToken -ObjectId $userObjectId
$result = "Refresh tokens revoked for user."
}
else {
$result = "Reset can be performed only for locked users."
}
# Associate values to output bindings by calling 'Push-OutputBinding'.
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
StatusCode = [HttpStatusCode]::OK
Body = $result
})