Merge pull request #698 from microsoft/geearl/7547-credential-lifetime-hotfix-3

Geearl/7547 credential lifetime hotfix 3

Author: dayland

Makefile

@@ -65,4 +65,4 @@ functional-tests: extract-env ## Run functional tests to check the processing pi
 	@./scripts/functional-tests.sh	
 
 run-migration: ## Migrate from BICEP to Terraform
-	python ./scripts/merge-databases.py
+	python ./scripts/merge-databases.py

docs/deployment/deployment.md

@@ -81,6 +81,8 @@ ENABLE_CUSTOMER_USAGE_ATTRIBUTION <br>CUSTOMER_USAGE_ATTRIBUTION_ID | No | By de
 ENABLE_DEV_CODE | No | Defaults to `false`. It is not recommended to enable this flag, it is for development testing scenarios only.
 APPLICATION_TITLE | No | Defaults to "". Providing a value for this parameter will replace the Information Assistant's title in the black banner at the top of the UX.
 MAX_CSV_FILE_SIZE | Yes | Defaults to 20. This value limits the size of CSV files in MBs that will be supported for upload in the Tabular Data Assistant UX feature.
+PASSWORD_LIFETIME | No | Defaults to 365. The number of days that passwords associated with created identities are set to expire after creation. Change this setting if needed to conform to you policy requirements
+
 
 ## Log into Azure using the Azure CLI
 

docs/images/app_registration.png

@@ -206,4 +206,18 @@ Image search is currently only supported with regions that support dense caption
 ### Solution
 These are only in the Logic App Preview Designer. Switching to the Generally Available Designer will resolve these errors. They are purely visual errors in the Preview Designer and have no impact on how the Logic App functions.
 
-![Image of Logic App Error](./images/sharepoint-preview-designer-known-issue.png)
+![Image of Logic App Error](./images/sharepoint-preview-designer-known-issue.png)
+
+---
+
+## Error: CredentialInvalidLifetimeAsPerAppPolicy: Credential lifetime exceeds the max value allowed as per assigned
+### Solution
+Your organization's policy places a limit on the lifetime of an identities password. In your copy of Local.env there is a setting called PASSWORD_LIFETIME. This value is used when creating or updating the identity password and has a default value of the number of days the password will exist before expiring. Change this value to a number of days that your organization allows.
+
+To view the value after deploying go the Microsoft Entra ID page from the Azure Portal home page. Then search your tenant for infoasst_mgmt_access_<your-5-character-suffix> as shown in the image below.
+
+![Image of Entra App Registration](./images/credential-lifespan.png)
+
+Next click on the App Registration value, and then the page will open for that applciuation registration. Then select Clients & Secrets from the left menu. You will then see the expiry date of the password that was applied through Terraform.
+
+![Image of Entra App Registration](./images/app_registration.png)

docs/images/credential-lifespan.png

@@ -34,6 +34,7 @@ resource "azuread_application_password" "aad_mgmt_app_password" {
   count           = var.isInAutomation ? 0 : 1
   application_id  = azuread_application.aad_mgmt_app[0].id
   display_name    = "infoasst-mgmt"
+  end_date_relative = "${var.password_lifetime * 24}h"
 }
 
 resource "azuread_service_principal" "aad_mgmt_sp" {

docs/knownissues.md

@@ -31,4 +31,8 @@ variable "aadMgmtServicePrincipalId" {
 variable "aadMgmtClientSecret" {
   type      = string
   sensitive = true
+}
+
+variable "password_lifetime" {
+  type      = number
 }

infra/core/aad/entra.tf

@@ -30,6 +30,7 @@ module "entraObjects" {
   aadMgmtClientId                   = var.aadMgmtClientId
   aadMgmtServicePrincipalId         = var.aadMgmtServicePrincipalId
   aadMgmtClientSecret               = var.aadMgmtClientSecret
+  password_lifetime                 = var.password_lifetime
 }
 
 module "logging" {

infra/core/aad/variables.tf

@@ -497,7 +497,14 @@ variable "enableDevCode" {
   type    = bool
   default = false
 }
+
 variable "maxCsvFileSize" {
   type    = string
   default = "20"
+}
+
+variable "password_lifetime" {
+  type    = number
+  default = 365
+  description = "The number of days used as the lifetime for passwords"  
 }

infra/main.tf

@@ -145,3 +145,7 @@ export ENABLE_DEV_CODE=false
 
 # If you are deploying the solution with the ability to use the Tabular Data Assistant feature, you can set the following values to configure max file size of csv files to be uploaded.
 export MAX_CSV_FILE_SIZE="20" #default is 20MB
+
+# A value used in terraform deployment to set the expiry of passwords measure in days.
+# Change this setting if needed to conform to you policy requirements
+export PASSWORD_LIFETIME=365