Monday, 26 May 2025

Playwright Post 6 - Automating Canvas App MFA login for Playwright unattended for Canvas apps

Overview:  Modern security makes automating logins requiring MFA rather difficult.  This post looks at possible approaches to automate the login.

Option 1. Turn off MFA—not really, but you can set a conditional rule in EntraId to not perform MFA. This is not an option in many enterprises.

Option 2. Time-based One-Time Password (TOTP)—Microsoft Authenticator makes this pretty difficult. At least I can't do it, as the APIS are relatively limited. This is kind of expected, as it's a security measure.

Option 3. Programmatically acquire an access token without browser automation, use MSAL with a client secret or certificate (for confidential clients). 

Option 4.  Use Playwright to record the login and intercept the access token once logged in.  Then you can store it and use it.  There are a few easy options to get the session:

4.1. Retrieve the access token from the response once logged in

4.2. Retrieve from your local storage:

  const token = await page.evaluate(() => {
    return window.localStorage.getItem('adal.idtoken') || window.sessionStorage.getItem('adal.idtoken');
  });
4.3. Retrieve the token using Playwrite at the command run level

Note: This adds the token to my repository. Don't save the token to your repository if you don't realise that the Access/Bearer token will expire depending on what your EntraId sets. The default is 1 hour.

Option 4.3.1. Like option 4.3, use the refresh token to silently generate a new Access token. You store the refresh token during the recorded login (by default, it lasts for 90 days) to generate a new access token when you need it.

Option 4.3.2.  Take it further back to generate the refresh token using the access code you get at the original login, renew the "refresh token", and generate a new access token to run your tests.

If you decide to store your access token, refresh token or code, don't store them in your code repo.  You know why if you got this far.

Thought: as a refresh token works for 90 days on a sliding scale, I've never used the option 4.3.2, as by storing the refresh token, all I need to do is to extend the refresh token by using it to get an access token and the refresh token has 90 days from that point. 

This is the plan I'm thinking of using:
  1. Store the refresh token in Azure Key Vault (AKV).
  2. Your app retrieves the refresh token from AKV.
  3. Uses the refresh token to get a new access token.
  4. Store the new access token to run my ALM/CI/CD playwright tests
Posted by Paul Beck at 07:06 0 comments
Labels: , , , , , ,

Tuesday, 20 May 2025

Entra AAD Security Groups - Remember

Overview: I have lost count of the number of poor Active Directory and Azure Active Directories I have seen.  I don't think I've ever seen a good Active Directory actually.  Certainly nothing large over 5K users. 

I'm working with a multinational, and we need to improve the security.  Things are a little all over the place, oddly named and inconsistent, basically the normal for an 300k internal user enterprise with history and multiple aquations.

I identify a coupe of properties that will really create a nice hierarchy, issue is I'm using more than the allowed 5k Dynamic AAD Security Groups.  

Group Types to be aware of relating to Entra

1. Static AAD Security Groups

Got to add the users manually, or at least automate the process for anything but the smallest of Entra users.

Static AAD Security groups can be nested.

3. Dynamic AAD Security Groups

Up to 5,000 dynamic groups.

You can inherit Security groups or be inherited (no nesting).

3. Distribution AAD Groups

Used for email and calendars, not security.

4. O365 Groups/Teams Groups

They can inherit O365 groups or AAD Security groups.  They are managed within the org so not the best idea to place heavy security on manually managed teams. 

Resolution:

I have a full hierarchy of users within divisions and subdivisions.  By adding users statically via automation to there lowest level AAD Security Group.  Then I can add the child groups.  This gives me multiple groups that have more and more users in as we go up the hierarchy.  Additive groups with positive security gives me the best options.  

Future Wishes:

If only Entra supported more dynamic AAD Groups per tenant or allowed Dynamic groups to be nested in static AAD groups



Posted by Paul Beck at 22:59 0 comments
Labels: , ,

Monday, 12 May 2025

Playwright Post 5 - Understanding how Playwright Works

Playwright as a tool consists of two main parts.

Part 1: Playwright Library: This is the automation of a browser using the Page Object Model (POM). It provides a uniform API to run against the 3 main browser engines, automating tasks like navigating, clicking, filling in form data, and validating content on a web page. Classes include APIRequest, APIResponse, and BrowserContext. The worker process runs the API calls sequentially. Unified library API calls are sent to the browser context, which runs unaware of the calling context.  

Top link runs in Node.js and makes API library calls, there is no timing between the Node.js (Controller) and the browser instance (running Chromium instance)

Part 2: Test Runner: This part runs the Playwright tests.


Playwright Series

Posted by Paul Beck at 16:23 0 comments
Labels: ,

Friday, 9 May 2025

App Insights for Power Platform - Part 4 - Managed Environment Logging

Overview: You can setup logging on Managed Environments to send logs into Azure Monitor via Application Insights. This video shows the setup in under 2 minutes. 


Series:

App Insights for Power Platform - Part 1 - Series Overview 

App Insights for Power Platform - Part 2 - App Insights and Azure Log Analytics 

App Insights for Power Platform - Part 3 - Canvas App Logging (Instrumentation key)

App Insights for Power Platform - Part 4 - Managed Environment Logging (New 2025-05-09)

App Insights for Power Platform - Part 5 - Logging for APIM 

App Insights for Power Platform - Part 6 - Power Automate Logging

App Insights for Power Platform - Part 7 - Monitoring Azure Dashboards 

App Insights for Power Platform - Part 8 - Verify logging is going to the correct Log analytics

App Insights for Power Platform - Part 9 - Power Automate Licencing

App Insights for Power Platform - Part 10 - Custom Connector enable logging

App Insights for Power Platform - Part 11 - Custom Connector Behaviour from Canvas Apps Concern

Posted by Paul Beck at 20:08 0 comments
Labels: , , , ,

Wednesday, 30 April 2025

MS Fabric OneLake Shortcuts

 "Shortcuts in Microsoft OneLake allow you to unify your data across domains, clouds, and accounts by creating a single virtual data lake for your entire enterprise.MS Learn

It allows open storage format data to be stored in the source system, metadata is added to OneLake, and the data can be queried; the load is predominantly performed against the source system, e.g., Dataverse/Dynamics.

Clarification: A shortcut is automatically added to MS Fabric for each Dataverse.  Dataverse creates Parquet files (est 5-10% extra data storage, counts against Dataverse storage).  Via the shortcut, report writers or data engineers can access the Dataverse data as though it is inside MS Fabric's OneLake.

Understand: Dataverse creates Parquet files that MS Fabric can look at to generate dataset data.

"Shortcuts are objects in OneLake that point to other storage locations.MS Learn

External shortcuts (data is held at the source system) supports any open format storage format, including: 

  • Apache Iceberg Tables via Snowflake,
  • Parquet files on SnowFlake,
  • Microsoft Dataverse
  • Azure Data Lake Storage (ADLS), 
  • Google Cloud Storage, 
  • Databricks, 
  • Amazon S3 (including Iceberg tables),
  • Apache Spart (Iceberg)
Internal shortcuts supported:
  • SQL Databases: Connect to SQL databases within the Fabric environment.
  • Lakehouses: Reference data within different lakehouses.
  • Warehouses: Reference data stored in data warehouses.
  • Kusto Query Language (KQL) Databases: Connect to data stored in KQL databases.
  • Mirrored Azure Databricks Catalogs: Access data from mirrored Databricks catalogs.
I think these are also Internal shortcuts:
  • PostgreSQL
  • MySQL
  • MongoDB

Example High Level Architecture

External shortcuts with snowflake and Dataverse.


Posted by Paul Beck at 08:59 0 comments
Labels: , , , , , ,

Tuesday, 29 April 2025

PowerBI reporting against ProjectWise (Project Insights)

Overview: Integration with Bentley is fairly complex but the project ProjectWise Project Insights provides a Power BI Custom Connector.  The connector is not certified by Microsoft but it can be used for gaining reporting insights.

Introduction to ProjectWise's Project Insights

These are the instructions I followed and it still works

Power BI report - Simple - Using ProjectWise Project Insights                                        

ProjectWise Posts:

Introduction to ProjectWise and BIM

ProjectWise from Bentley - extend with Powershell

Postman Collection to connect to Bentley's REST API for ProjectWise (WSG)

PowerBI reporting against ProjectWise (Project Insights) - This post
Posted by Paul Beck at 17:06 0 comments
Labels: ,

Postman Collection to connect to Bentley's REST API for ProjectWise (WSG)

Overview: Here is a short recording showing how to connect postman to ProjectWise's API's (WSG).

Here is the postman collection: Tutorial on connecting to ProjectWise APIs using Postman

A short video (1.5min) if you want to play with the two endpoint I used:


ProjectWise Posts by me:

Introduction to ProjectWise and BIM

ProjectWise from Bentley - extend with Powershell

Postman Collection to connect to Bentley's REST API for ProjectWise (WSG) (this post)

Power BI reporting against ProjectWise (Project Insights) 

Posted by Paul Beck at 16:32 0 comments
Labels: , ,
Subscribe to: Posts (Atom)