May Azure AD V1.0 endpoint be used for GDPR compliancy?


By now, everybody should have heard about GDPR. While I am not a lawyer, I think I can summarize it this way: any identifiable personal information, as well as sensitive personal information, is subject to GDPR regulation. This first and foremost implies informing users about how their personal data is used.

The major asset for complying with GDPR is consent. By letting users consent to what is done with their personal information, you should be on the safe path. However, GDPR comes with strong requirements, such as: every distinct usage should come with its own consent, which the end user can revoke at any time. This means that you cannot simply bundle everything in one basket and ask the user to consent to the whole thing, even if doing so is already better than nothing.

Posted in Azure, Azure Active Directory

VSTS extension to provision Azure Active Directory Apps in an automated way


I have published an extension on the VSTS Marketplace that helps automate the deployment of Azure Active Directory Applications for business applications. The task comes with several built-in templates that cover most of the topologies. It helps you:

  • Deploy webapi type of Azure Active Directory Applications
  • Deploy native client type of Azure Active Directory Applications
  • Deploy custom APIs with custom application roles
  • Deploy custom APIs with custom oauth2Permissions
  • Enable the implicit grant flow
  • Request GroupMembershipClaims
  • Request both Delegated & Application permissions to other resources
  • Generate App Identifiers and App Secrets and store them into Azure Key Vault
  • Grant read access onto provisioned Azure Key Vault secrets to MSI-enabled Azure App Services
  • Handle User & Group assignments to app roles

More on the marketplace

Happy automation!


Posted in Azure

Controlling Azure Costs with proper tagging and the billing APIs


At the time of writing this blog post, it is hard to be entirely satisfied with the existing Azure cost control solutions such as Cloudyn or the Microsoft Azure Consumption Insights Power BI app, should you envision a very granular way of analyzing costs.

Indeed, both Cloudyn and the Power BI app help to analyze costs per subscription and even, to some extent, per resource group, but neither of these solutions focuses on tags, although tags are the only way you can really tie everything together, for instance by tagging any Azure resource with a project code that identifies the associated project you’re running. Having a granular way of calculating costs allows you to go back to your stakeholders with what they are consuming and potentially charge them back.

Limitations of existing solutions

Currently, in Cloudyn, not all tags are brought back in the UI: it seems that only tags associated with VMs are surfaced, which is far from representing all kinds of costs incurred by your activities, although VMs are indeed costly resources. With the Power BI app, tags are there but in their original form, meaning an arbitrary array of tags for each tagged resource. I say arbitrary as some tags are added by Azure itself. Therefore, it is very hard, if not impossible, to exploit this in reports, even when using Advanced Filtering.

Posted in Azure

Build the ultimate chatbot


For this episode, I have created another chatbot that is aimed at helping factory workers to intervene on machines whenever they encounter operating problems. This factory comes with a specific jargon and workers are surrounded by permanent noise which can obfuscate worker statements when they give vocal orders. We’ll tackle these constraints by leveraging the Custom Speech service with the bot framework. We’ll also see how Custom Speech differs from Speech Priming that I talked about in episode 8.

If you’re not yet familiar with the bot framework and the cognitive services in general, I strongly advise you to watch my other episodes as I will only focus on Custom Speech and I will not explain things I have already explained in the previous episodes.

Happy AI!

Posted in Azure, Azure Cognitive Services

Cognitive Services Episode 8 – Leveraging speech services with chatbots


Now that we have built a chatbot using most of the NLP-related APIs and seen how to categorize incidents based on end users’ screenshots thanks to the custom vision service, it’s time to see how to add speech to this bot! We’ll see several flavors of speech services and we’ll see how to fine-tune speech-enabled bots with speech priming.

You can watch this episode on Channel9

Happy coding!

Posted in Azure, Azure Cognitive Services

DevOps – Using Azure MSI with VSTS – step by step


[Update] In the meantime, I have created a free VSTS task that does everything that’s explained below.

Microsoft recently announced Azure Managed Service Identity (MSI), which, in a nutshell, is a way to avoid storing credentials in code or in locations such as the web.config, the app service settings, etc., thanks to an automatically provisioned Service Principal (bootstrap identity) that you can leverage using the App Service (or other components supporting MSI).

As Microsoft highlights in the above article, even Azure Key Vault didn’t really solve the problem of disclosing credentials, since your code needed credentials to get access to the Vault. Therefore, any developer could have written a console app, connected to the Vault and retrieved the actual secret values.

Posted in Azure, Azure Active Directory, Azure Key Vault

DevOps trick – Provision Azure Active Directory Apps in a highly controlled way – step by step


[Update] In the meantime, I created a free VSTS marketplace extension that does everything that’s explained below and even more.

Recently, I wrote a short blog post on how to provision Azure Active Directory (AAD) Apps in a highly controlled way, so I will not repeat all I said there, but in a nutshell, the idea is to make sure DevOps can automate the creation/update/deletion of AAD Apps entirely from VSTS while not being able to interact with non-DevOps apps.

Here is a step-by-step process on how to get there. Note that almost everything could be done from VSTS but, often, in organizations, the below tasks will involve different people & even different teams, hence the reason I decouple all the tasks.

Posted in Azure, Azure Active Directory