Create PAM (Privileged Access Management) Mobile Apps with PowerApps


Maybe you already read my last blog post about using PowerApps for Microsoft Identity Manager, where you will find a definitions file for the Lithnet REST API for MIM to create a custom API for PowerApps. If not, please do so first for some basic information.

I will also present the MIM and PAM PowerApps solution in more detail at the next MIM Team User Group meeting on June 15.

This time I am sharing the swagger JSON definition file for the Privileged Access Management (PAM) REST API, together with a demo PowerApp.

The swagger JSON and YAML files contain all the API calls that PAM provides, so you can do the following:

  • Get a list of all PAM roles you are a candidate for
  • Get the PAM role request history
  • Request a PAM role, and cancel your request before the TTL expires
  • Get a list of all PAM role requests you should approve
  • Approve or reject a PAM role request

Since PowerApps is still a preview feature you might run into some issues, as I did, but I was able to test all the scenarios mentioned above.

This is what the attached app looks like:

[Screenshots 01 to 05: the demo app]

Requirements:

By default, after installing the PAM scenario all API calls use Windows Integrated Authentication, which you cannot use from PowerApps. So you need to switch your PAM web.config to Basic Authentication and, because Basic Authentication sends the user's credentials with every request, also switch to SSL if you have not already done so:

[Screenshot 06]

For this it is probably best to create an additional PAM API web site in IIS: one with Basic Auth, while the original one keeps Windows Integrated Auth.

Make sure that the PAM API with Basic Auth (and SSL, of course) can be reached from the internet. For my testing I used Azure App Proxy in pass-through mode to publish the API.

Next, create the custom API connector from the JSON file provided in this article; change the hostname to your own before uploading. See the previous blog post on how to do this.

Next, create a connection from that connector with the credentials of a PAM user (like PAM\priv.peter). You can omit the PAM domain name if you set it as the default domain for Basic Auth in the IIS console.
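As an added example (not from the original post or from the PAM product), here is how the second IIS site described above can be set up with PowerShell so that it accepts Basic Authentication only, requires SSL, and uses the PAM domain as the default logon domain; the site name, port, physical path and certificate thumbprint are assumptions you need to replace with your own values.

```powershell
# Added example, not part of the original post: second IIS site for the PAM REST API
# that takes Basic Authentication over SSL only. The original Windows-auth site is untouched.
# Assumptions (replace before use): site name, port, physical path, certificate thumbprint.
Import-Module WebAdministration

$siteName      = 'PAM API Basic'
$physPath      = 'C:\inetpub\PAMAPI'        # placeholder: same content as the original PAM API site
$port          = 8087                        # placeholder
$thumbprint    = '<YOUR-CERT-THUMBPRINT>'    # placeholder: certificate in the LocalMachine\My store
$defaultDomain = 'PAM'                       # PAM forest name, so users may omit "PAM\" in the connection

# Create the site with an HTTPS binding only and attach the certificate.
New-Website -Name $siteName -PhysicalPath $physPath -Port $port -Ssl | Out-Null
$binding = Get-WebBinding -Name $siteName -Protocol https
$binding.AddSslCertificate($thumbprint, 'My')

$site = "IIS:\Sites\$siteName"
$auth = '/system.webServer/security/authentication'

# Basic Auth on with the PAM default domain; Windows and Anonymous off so that
# only the intended authentication path is exposed on this site.
Set-WebConfigurationProperty -PSPath $site -Filter "$auth/basicAuthentication"     -Name enabled            -Value $true
Set-WebConfigurationProperty -PSPath $site -Filter "$auth/basicAuthentication"     -Name defaultLogonDomain -Value $defaultDomain
Set-WebConfigurationProperty -PSPath $site -Filter "$auth/windowsAuthentication"   -Name enabled            -Value $false
Set-WebConfigurationProperty -PSPath $site -Filter "$auth/anonymousAuthentication" -Name enabled            -Value $false

# Require SSL: IIS rejects plain HTTP, so the Basic credentials can only travel encrypted.
Set-WebConfigurationProperty -PSPath $site -Filter '/system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# Show the resulting authentication settings for this site to verify them.
Get-WebConfigurationProperty -PSPath $site -Filter "$auth/*" -Name enabled |
    Select-Object ItemXPath, Value
```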

Build your own app based on the connector, or use the demo app I provided by uploading the .msapp file to PowerApps Studio.

[Screenshot 08]

Important:

If you uploaded the demo app, go to edit mode, click on “Content -> Data Source” and remove the data source called “PAM”, then add the data source you created with the JSON file above from your own PowerApps account. Otherwise the app tries to connect to my connector, for which you don’t have permissions. Your own connector will also appear as “PAM” because that is the internal name of the connector (see the title property).

[Screenshot 07]

Note:

The demo app still lacks some features, like clearing properties after a role request and refreshing some data sources after approvals; I have not yet figured out how to do that. It may also be a good idea to load the REST API data into a collection in PowerApps and work with that, to save some API calls. Because some listings resolve GUIDs to DisplayNames by calling the API again, those listings might be a little slow.

The demo app is not intended for use in a production environment; it only shows the functionality of the API and how to implement it.


Appendix:

Here is the swagger JSON definition:

{
    "swagger": "2.0",
    "info": {
        "version": "1.0",
        "title": "Lithnet",
        "description": "Lithnet Resource Management Web Service",
        "contact": {
            "name": "Ryan Newington",
            "url": "http://lithnetrmws.codeplex.com"
        }
    },
    "host": "pamserver.westeurope.cloudapp.azure.com:8086",
    "schemes": [
        "https"
    ],
    "produces": [
        "application/json"
    ],
    "securityDefinitions": {
        "basicAuth": {
            "type": "basic",
            "description": "HTTP Basic Authentication. Works over `HTTP` and `HTTPS`"
        }
    },
    "paths": {
        "/v1/resources/": {
            "get": {
                "security": [
                    {
                        "basicAuth": []
                    }
                ],
                "tags": [
                    "person"
                ],
                "summary": "Get Resources by ObjectType",
                "description": "List resources",
                "operationId": "ListResourcesByObjectType",
                "consumes": [
                    "application/json"
                ],
                "produces": [
                    "application/json"
                ],
                "parameters": [
                    {
                        "name": "objectType",
                        "in": "query",
                        "required": true,
                        "type": "string"
                    }
                ],
                "responses": {
                    "200": {
                        "description": "Result found",
                        "schema": {
                            "type": "array",
                            "items": {
                                "$ref": "#/definitions/resource"
                            }
                        }
                    },
                    "400": {
                        "description": "Bad request"
                    }
                }
            }
        }
    },
    "definitions": {
        "resource": {
            "type": "object",
            "properties": {
                "AccountName": {
                    "type": "string"
                },
                "DisplayName": {
                    "type": "string"
                },
                "MailNickname": {
                    "type": "string"
                },
                "ObjectType": {
                    "type": "string"
                },
                "ObjectID": {
                    "type": "string"
                },
                "PostalCode": {
                    "type": "string"
                },
                "Address": {
                    "type": "string"
                },
                "Domain": {
                    "type": "string"
                },
                "OfficeLocation": {
                    "type": "string"
                },
                "JobTitle": {
                    "type": "string"
                },
                "EmployeeType": {
                    "type": "string"
                },
                "Department": {
                    "type": "string"
                },
                "Manager": {
                    "type": "string"
                },
                "FirstName": {
                    "type": "string"
                },
                "Assistant": {
                    "type": "string"
                },
                "City": {
                    "type": "string"
                },
                "Email": {
                    "type": "string"
                },
                "Country": {
                    "type": "string"
                },
                "LastName": {
                    "type": "string"
                },
                "OfficePhone": {
                    "type": "string"
                },
                "EmployeeID": {
                    "type": "string"
                },
                "MobilePhone": {
                    "type": "string"
                },
                "Photo": {
                    "type": "string",
                    "format": "byte"
                },
                "Scope": {
                    "type": "string"
                },
                "Type": {
                    "type": "string"
                },
                "Description": {
                    "type": "string"
                },
                "ExplicitMember": {
                    "type": "array",
                    "items": {
                        "type": "string"
                    }
                },
                "ComputedMember": {
                    "type": "array",
                    "items": {
                        "type": "string"
                    }
                }
            }
        }
    }
}


Here is the swagger YAML definition:

swagger: '2.0'
info:
  version: '1.0'
  title: Lithnet
  description: Lithnet Resource Management Web Service
  contact:
    name: Ryan Newington
    url: 'http://lithnetrmws.codeplex.com'
host: 'mimrestapi-peterwinlivestapfprivat.msappproxy.net'
schemes:
- "https"
produces:
- "application/json"
securityDefinitions:
  basicAuth:
    type: basic
    description: HTTP Basic Authentication. Works over `HTTP` and `HTTPS`
paths:
  '/v1/resources/':
    get:
      security:
      - basicAuth: []
      tags:
        - person
      summary: Get Resources by ObjectType
      description: List resources
      operationId: ListResourcesByObjectType
      consumes:
        - application/json
      produces:
        - application/json
      parameters:
        - name: objectType
          in: query
          required: true
          type: string
      responses:
        '200':
          description: Result found
          schema:
            type: array
            items:
              $ref: '#/definitions/resource'
        '400':
          description: Bad request
definitions:
  resource:
    type: object
    properties:
      AccountName:
        type: string
      DisplayName:
        type: string
      MailNickname:
        type: string
      ObjectType:
        type: string
      ObjectID:
        type: string
      PostalCode:
        type: string
      Address:
        type: string
      Domain:
        type: string
      OfficeLocation:
        type: string
      JobTitle:
        type: string
      EmployeeType:
        type: string
      Department:
        type: string
      Manager:
        type: string
      FirstName:
        type: string
      Assistant:
        type: string
      City:
        type: string
      Email:
        type: string
      Country:
        type: string
      LastName:
        type: string
      OfficePhone:
        type: string
      EmployeeID:
        type: string
      MobilePhone:
        type: string
      Photo:
        type: string
        format: byte
      Scope:
        type: string
      Type:
        type: string
      Description:
        type: string
      ExplicitMember:
        type: array
        items:
          type: string
      ComputedMember:
        type: array
        items:
          type: string


Download the demo PowerApp as .msapp file from my OneDrive.

About Peter Stapf
Senior Consultant Identity and Access MVP (Enterprise Mobility)
