api management
81 Topics

Azure OpenAI recipes for Azure API Management Service
I've just published a new post on my blog: Azure OpenAI recipes for Azure API Management Service. In this post, I cover various recipes for integrating Azure OpenAI with Azure API Management, including setting up backend resources, implementing throttling, round-robin calls, and generating reports. Check it out and let me know your thoughts! https://nicolgit.github.io/aoai-recipes-for-apim/
9 Views, 0 likes, 0 Comments

ARM Templates (API Versions)
Hi All, I have a question regarding ARM templates API versions. I notice that when I create some resources I have to specify different API versions for them. Is there any common API version we can apply? Because sometimes it's so cumbersome to use different API versions for different resources. Thanks
Solved, 11K Views, 2 likes, 6 Comments

Troubleshooting Azure Function App Proxy with Private Blob Container Access for Static Web App
Recently, I shared a problem I’m facing in my testing environment with a friend. I’ve decided to bring this issue to an open forum discussion to gather additional insights. I hope you can help me figure out what might be missing in my configuration.

**Context:** I’m trying to replicate a solution in my test environment but encountering difficulties in a specific scenario.

**Scenario:** I have a Function App acting as a proxy for a Static Web App hosted in a Blob Container. This Blob Container is set to private access, meaning public access is disabled.

**The Problem:** The goal is for my Function App to authorize users and direct them correctly to the Static Web App. However, it’s not working as expected.

**What I’ve tried so far:**
1. Configured Managed Identity for the Function App and granted the necessary permissions to the Blob Container.
2. Properly set up authentication and created the App Registration, which works flawlessly.
3. Verified that the proxy functions correctly when the Blob Container’s public access is enabled.

**Current behavior:**
- When public access to the Blob Container is enabled, everything works fine.
- When public access is disabled, even with the proxy configured, access fails, and an error message "resource not found" is returned.

**My questions are:**
1. Do I need to configure something additional in the proxy definition file?
2. Is there a specific setting, like a private endpoint or something similar, that I should implement to resolve this issue?

**Additional considerations:** I haven’t configured a private endpoint yet, but I’m considering whether this would be the most appropriate solution for my case. My initial expectation was that granting the necessary permissions to the Function App via Managed Identity would solve the issue, but it hasn’t. I appreciate any guidance or suggestions you can provide!
81 Views, 0 likes, 1 Comment

Update App Registration Client Secret Using Microsoft Graph REST API v1.0
Hello, I have a customer who wants to set the App registration Client Secret to 1 year. Here are the customer's requirements:

- For existing application registrations under the ‘Certificates & Secrets’ pane, any new secrets added by owners should have the duration limited to one year.
- If the owner tries to set the duration greater than one year and clicks the ‘Add’ button, the action should not be allowed, with a proper error displayed.
- The same behavior should also be applicable to new application registration specific secrets.
- It should not impact any existing secret that is present (greater or less than one year) for current application registrations.
- We need a way to enable and disable the global policy in case we want to disable it if something doesn’t work as expected.
- We don’t want to impact anything else wrt application registrations or anything in service principals.

Based on the article you shared: Microsoft Entra application management policy API overview - Microsoft Graph v1.0 | Microsoft Learn

Below is the script we are trying to use to add the global policy and set it as the default policy with isEnabled = true. As we cannot test in a different tenant, can you please confirm the snippet below will work for the above requirements?

    MgPolicyAppManagementPolicy | select *

    $policy = @{
        "displayName" = "Enforce Max Lifetime for Secrets"
        "description" = "Policy to enforce a maximum lifetime of 1 year for any new secrets."
        "applicationRestrictions" = @{
            "passwordCredentials" = @{
                "maxLifetime" = "P365D" # ISO 8601 duration format for 1 year
            }
        }
    }

    New-MgPolicyAppManagementPolicy -BodyParameter $policy
    Update-MgPolicyDefaultAppManagementPolicy -id <ABOVE_POLICY_ID -IsEnabled $true

I tried to test it in my own tenant, but I ran into a permission issue. Can someone please confirm if this snippet works against the customer's requirements? Thanks.
192 Views, 0 likes, 4 Comments

API Management service secure configuration for Standard v2 SKU
Hi all, I am transitioning an API Management gateway from the Developer SKU to something Production ready. The Standard V2 SKU is the first tier that supports vnet integration, which we require. The OWASP API security framework used by MS recommends that external connectivity to service configuration endpoints is disabled. However, Direct Management API access is not supported in this tier (and the ps cmdlets are just wrappers for API calls). So it seems it is not possible to disable public access to these endpoints in this SKU. Is this the case? And if so, how is it possible to safely configure an APIMG using this SKU? Any pointers appreciated... Chris
192 Views, 0 likes, 5 Comments

How to Generate JWT in Azure API Management
Hello Members, I'm trying to secure a backend external API through the Azure API Management platform. The backend API needs and validates the request using a JWT (JSON Web Token). I have spent quite some time searching and trying different options on how to generate a JWT token in APIM before calling the backend API, but have yet to get it working. I have working JavaScript code which can generate a JWT for the backend, but JavaScript is not supported in APIM. Has anyone tried/implemented this before? PS: The JWT generation just requires UserId, Secret and key. No calls to backend. Similar to the one here: https://jwt.io/
3.4K Views, 0 likes, 1 Comment

Former Employer Abuse
My former employer, Albert Williams, president of American Security Force Inc., keeps adding my Outlook accounts, computers and mobile devices to the company's Azure cloud even though I left the company more than a year ago. What can I do to remove myself from his grip? Does Microsoft have a solution against abusive employers?
43 Views, 0 likes, 0 Comments

How to Protect ...azure-api.net Subdomain from DDoS Attacks when using API Management Basic
Dear Tech Community, I am using Azure API Management (APIM Basic) in external mode and without VNet integration, meaning my API instance is publicly accessible through the default ...azure-api.net subdomain. I'm also using a custom domain, but the default domain still remains active. I am concerned about potential DDoS attacks and want to secure this subdomain. I am considering using Azure Front Door to filter the traffic and leverage its Web Application Firewall (WAF) for enhanced protection. Could you please clarify the following:

- Is it possible to fully protect the API subdomain (...azure-api.net) via Azure Front Door or other products, ensuring no traffic bypasses Front Door and directly reaches the original APIM domain?
- What additional configurations, such as IP filtering or header validation, are required to restrict access so that only traffic routed through Azure Front Door reaches the APIM domain?
- Given that API Management without VNet integration doesn’t support DDoS Protection Standard, what are the best practices for DDoS protection in this scenario?
- Could you recommend any additional steps or configurations to ensure that all DDoS and security measures are effectively implemented?

Thank you for your support. Best regards, Michael
Solved, 302 Views, 0 likes, 3 Comments

Setting up Azure for Adobe Analytics File Retrieval
I'm not sure if this is the right forum for this or if I am going to word this correctly, but I will give it a try. Adobe Analytics has a feature where you can import what they call Classification files. It's basically additional data you can import to augment your analytics data. To do this you need to set up an account in their interface. We are looking to use Azure SAS. Below is the information this account setup asks for. Once this account is created, you set up a Location in Adobe Analytics. The Location Account is the one set up in the previous step. This is all fine, but you will notice that you don't tell Adobe where the file is. At least I don't think you do. Adobe doesn't provide any guidance as to what needs to be done on the Azure side. They provide links to Azure documentation, but I am told that the documentation is not great. Or maybe we are just overlooking something. I am wondering how you would set up Azure to be able to store the file and allow Adobe to access it? I hope this makes sense. If you need additional details, I'll be happy to get them.
380 Views, 0 likes, 3 Comments