Monday, January 25, 2021

Adding a custom domain to a static site

(written on Feb 2nd and back published to Jan 25th)

Now that we have our static site, it would be more convenient to use a custom domain than the <xxx>.<xxx>.web.core.windows.net address that is provisioned by default.  There is a guide and we should be able to do it as our guest user, so log back into the portal using your guest account and click on the storage account under Recent resources.

In the search box type custom and click on <custom domain>

Once there, you will be given a place to type in your custom domain and type in the domain name you are going to use.  I have been playing around with the domain caffeinatedcreations.com for some time now and use it for experiments such as this.  I will talk about how to get a domain name in another article, but for now I am just going to type www.caffeinatedcreations.com into the domain name box and then in the section 1 above that box you need to highlight the address of the site and put it on your clipboard.
Now, following the instructions, you need to create a CNAME for your URL and point it to the captured address.  For me, I do this in CloudFlare.  I host all of my DNS there, regardless of where I buy my domain name.  It is fast and convenient and free.  So, I set up a CNAME with the name www and paste in my site address of guestsite.z13.web.core.windows.net and click <save>

Then I go back to Azure Portal and click <save>
Now, I can see my site by going to www.caffeinatedcreations.com!  Well, not quite yet.  If you just put in the address, many browsers will try to go to http://www.caffeinatedcreations.com which will fail with an error message because HTTPS is required by default on our static site:
Going to https://www.caffeinatedcreations.com is better, but you should (using a modern browser) be given some harsh warning because the SSL certificate doesn't match the URL you are using.  This is a GREAT THING!  Using Pale Moon, you can click through and see your site by clicking on <i understand the risks> and then on <add exception>
Uncheck the <permanently store this exception> and then on <confirm security exception> 
And you are in

But at what cost?  It is inconvenient.  What do we do to fix this?  Add our domain name to an SSL certificate and put it on the site.  We will work on that next time.
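The name check behind that warning, as an added example that is not part of the original post: a certificate covers a host only if one of its DNS names matches label for label, with a wildcard standing in for exactly one leftmost label. The SAN list below is constructed for illustration (an assumption about what the default endpoint serves); `fetch_san_names` is a helper added here to read the real list from a live site.

```python
import socket
import ssl

# Constructed sample, NOT read from the live site: the kind of wildcard name
# a certificate for the default storage endpoint would carry.
SAMPLE_SAN = ["*.z13.web.core.windows.net"]

def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if one certificate DNS name covers the hostname."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False              # a wildcard never spans more than one label
    if p[1:] != h[1:]:
        return False              # every label right of the first must be equal
    if p[0] == "*":
        # keep at least two fixed labels so "*.com" style names are refused
        return len(p) >= 3 and h[0] != ""
    return p[0] == h[0]

def cert_covers(san_dns_names, hostname: str) -> bool:
    """True if any DNS name in the certificate covers the hostname."""
    return any(hostname_matches(name, hostname) for name in san_dns_names)

def fetch_san_names(host: str, port: int = 443):
    """Read the DNS names from a live certificate (needs network access).
    The chain is still validated; only the name check is skipped so the
    names can be listed even when they do not match the host."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

if __name__ == "__main__":
    for name in ("guestsite.z13.web.core.windows.net",
                 "www.caffeinatedcreations.com"):
        print(name, "->", "covered" if cert_covers(SAMPLE_SAN, name) else "MISMATCH")
```

The CNAME changes which server answers for www.caffeinatedcreations.com, not which names that server's certificate lists, so the mismatch remains until a certificate containing the custom domain is served.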

Sunday, January 24, 2021

Giving a guest user rights to create a static site

(written on Jan 31st and back published to Jan 24th)

We created a new external user, granted that user rights, and then that user deleted the resources it had rights to.  Now let's grant rights to create a specific resource type and see if we can get a new static site created and managed by our guest user.

So, log into the Azure Portal using the subscription owner and click on <all resources>

Click on <add>
Type storage account in the search box and click on <storage account>
Click on <create>
Then click on <create new> below the resource group and we will add a new one by naming it and clicking on <ok>
Now scroll down and type in the storage account name and click on <review + create>
Then click <create>
Click <go to resource>
Click on <access control (iam)>
Click <+ add> and <add role assignment>
Choose Contributor as the role and then click on your guest account and click <save>
Now log out of the portal and log back in using your guest account.  I am going to give PaleMoon a spin for this section.  Once you are logged in, click on <all resources>
Then click on your storage account name
Type <static> in the search box and then click on <static website>
Click on <enabled>
Then type index.html in the Index document name and error.html in the Error document path and click <save> 
Note the URL listed in the Primary endpoint so that we can use it later (mine is https://guestsite.z13.web.core.windows.net/).  You can click the 'stacked document' icon to have it copied to your clipboard; I did.
Now, click back to the base information for the resource using the name in the breadcrumb at the top
And open in Storage Explorer within your browser by clicking on <storage explorer (preview)> or if you have access to install software and want to use a local program you can click on <open in explorer> to launch it locally
Open up <blob containers> and <$web> and then click <upload>
Click on the folder icon
and then browse to the two html files we created much earlier, select them, and click <open>
Click <upload>
Once they finish it will look something like this
Open a new tab and confirm that your site is up and we are done!
Note that you are using HTTPS, which means the connection between the server hosting your page and your browser is encrypted.












Saturday, January 23, 2021

Accessing an Azure Function as a contributor

(Written on January 24th and posted back to the 23rd.  I am behind, but catching up!)

We have our new user assigned as a contributor on our Azure Function.  What can we do with it?  Log into the portal using the guest email address and click on your Azure Function under the Recent resources banner

Click on the <stop> button and then on <yes>
And the function stops.
No real surprise there. Now click on the ellipsis (the three dots) and then on <delete>
Type in the name of your function and click <delete>
And the function is gone, just like that.  Did you expect that?  A contributor has a lot of power.
It still shows up in our Recent resources but it is really gone.  Can we create a new one to put in its place?  Click <+ create a resource>
Type function in the search box and click on <function app>
Click <create>
Looking good so far!  The dropdown for the resource groups is empty so click on <create new> and start typing in your new resource name and BAM! you are stopped cold
Surprised?  When we granted rights to this account, we only granted contributor rights to the Azure Function.  We didn't grant any global rights for the user.  In fact, click on home and then our <all resources>
And look at the juicy error we see
We don't even have enough rights to list the available resources!  Pretty good.
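Why the delete succeeded while creating a resource group and listing resources failed, as an added example that is not part of the original post: a simplified model of how a role assignment's scope and the role's actions combine. The subscription id, resource group and function names are placeholders, and the Contributor definition is reduced to the parts that matter here.

```python
from fnmatch import fnmatchcase

# Simplified Contributor role: every action except changes to authorization.
CONTRIBUTOR = {
    "actions": ["*"],
    "not_actions": [
        "Microsoft.Authorization/*/Write",
        "Microsoft.Authorization/*/Delete",
        "Microsoft.Authorization/elevateAccess/Action",
    ],
}

# Placeholder identifiers, constructed for this example.
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"
FUNC = SUB + "/resourceGroups/demo-rg/providers/Microsoft.Web/sites/demo-func"

# The guest holds Contributor on the function only, as in the post.
ASSIGNMENTS = [{"role": CONTRIBUTOR, "scope": FUNC}]

def in_scope(assignment_scope: str, target: str) -> bool:
    """An assignment applies to its own scope and to everything beneath it."""
    a = assignment_scope.rstrip("/").lower()
    t = target.rstrip("/").lower()
    return t == a or t.startswith(a + "/")

def role_allows(role: dict, action: str) -> bool:
    """Allowed if an action pattern matches and no not_action pattern does."""
    act = action.lower()
    allowed = any(fnmatchcase(act, p.lower()) for p in role["actions"])
    excluded = any(fnmatchcase(act, p.lower()) for p in role["not_actions"])
    return allowed and not excluded

def is_allowed(assignments, action: str, target: str) -> bool:
    """True if any assignment both covers the target and permits the action."""
    return any(in_scope(a["scope"], target) and role_allows(a["role"], action)
               for a in assignments)

if __name__ == "__main__":
    checks = [
        ("Microsoft.Web/sites/stop/action", FUNC),
        ("Microsoft.Web/sites/delete", FUNC),
        ("Microsoft.Resources/subscriptions/resourceGroups/write", SUB + "/resourceGroups/new-rg"),
        ("Microsoft.Resources/subscriptions/resources/read", SUB),
        ("Microsoft.Authorization/roleAssignments/write", FUNC),
    ]
    for action, target in checks:
        print("ALLOW" if is_allowed(ASSIGNMENTS, action, target) else "DENY ", action)
```

When reviewing a guest's access, read the scope of each assignment as carefully as the role name: the same Contributor role at resource group or subscription scope would turn the two denied management calls into allowed ones.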


Friday, January 22, 2021

Logging in with our external user

Ok, we created our new email address and assigned it access to the resource.  Now we need to log into the email account and accept the access and see how it looks.

Log in by typing in your user name and password and clicking <enter>

Click on the mailbox icon in the top and on the email from Microsoft and click <accept invitation> in the mail body
This will open a new window where you will be asked to create a Microsoft identity for your new email address.  It will already have your email address, it will just ask you to add a password and click <next>
As an aside, I was surprised to see that the password has a maximum limit that I hit with my head.  If you don't hit this then you aren't trying hard enough on your passwords!
Once we create our account, we are emailed a verification code that we will need to enter and then click <finish>
The verification code comes in an email and is a one time use
Click <no> on the stay signed in 
Click <accept> on the permission notification
Then we start the MFA dance because our Azure Directory requires it.  Click <next>
Note, this is only enabling Multi-Factor Authentication on the Microsoft Identity portion of our new email address.  It doesn't keep our base email secure, and security is a chain where the weakest link exposes everything.  Ok, click on <i want to use a different authenticator app> 
Click <next>
Scan your QR code in Authy and click <next>
Enter the authentication code listed on Authy for the new account and click <next> (missing image)
Click on <done>
Enter your code and then click <verify>
Click <no> on the Stay signed in? screen
Decline the tour by clicking <maybe later>
Click on the hamburger in the top left and then <all resources>
But we don't see our resource?
What is going on?  Guess what, a new Azure Directory was created for our new account and we are in it by default.  We just need to change over to the one with the resource.  Click on the silhouette in the top right and <switch directory>
Close the recommendation window by clicking on the X in the top right
Then use the hamburger to get to <all resources> or just click it on the screen
And there is the Azure Function!
That was a long walk to get there, but next time we will see what a contributor has rights to do.

(This was created on 1-24 and back dated.  I have been working long weekends and getting behind.)