Developer Troubleshooting

1. In the Azure portal, search for Automation Accounts and open the service.
2. Click + Create.
3. Select Subscription: TATER Security (3d36e4d4-…).
4. Select or create Resource Group: rg-tater-prod.
5. Enter an Account name (e.g. aa-tater-cb).
6. Choose Region: East US.
7. Click Review + Create, then Create.

1. Open your Automation Account in the portal.
2. In the left menu under Settings, click Identity.
3. On the System assigned tab, set the Status toggle to On.
4. Click Save, then confirm the prompt.
5. The Object (principal) ID that appears is the Managed Identity ID — copy it for RBAC assignments.

Repeat for each resource (Automation Account, Key Vault, Storage Account):

1. Open the target resource in the portal.
2. In the left menu click Access control (IAM).
3. Click + Add → Add role assignment.
4. On the Role tab, search for the role name and select it.
5. Click Next. On the Members tab, set Assign access to = Managed identity.
6. Click + Select members. In the panel, choose Managed identity type = Automation Account and select your account.
7. Click Select → Review + assign → Review + assign.

1. Switch the portal to the client's directory (top-right avatar → Switch directory).
2. Navigate to Microsoft Entra ID → App registrations → + New registration.
3. Set Name: e.g. TATER-CB-ComplianceScanner.
4. Set Supported account types: Accounts in this organizational directory only.
5. Leave Redirect URI blank. Click Register.
6. Copy the Application (client) ID and Directory (tenant) ID — you'll need both.

1. Open the app registration in the Entra portal.
2. Click Certificates & secrets in the left menu.
3. On the Certificates tab, click Upload certificate.
4. Select the .cer (public key) file you generated with OpenSSL. Do not upload the PFX — the portal only accepts the public key here.
5. Add an optional description, then click Add.
6. Copy the Thumbprint displayed.

1. Open the app registration → API permissions.
2. Click + Add a permission → Microsoft Graph → Application permissions.
3. Search for and add each permission listed below.
4. After adding all permissions, click Grant admin consent for [tenant] and confirm.

Required permissions:

• User.Read.All
• Group.Read.All
• Directory.Read.All
• Policy.Read.All
• Reports.Read.All
• AuditLog.Read.All
• RoleManagement.Read.Directory
• IdentityRiskyUser.Read.All
• UserAuthenticationMethod.Read.All
• Organization.Read.All
• DeviceManagementConfiguration.Read.All
• DeviceManagementManagedDevices.Read.All
• DeviceManagementServiceConfig.Read.All

# Must be authenticated to the CLIENT's tenant
az login --tenant <client-tenant-id>

# Get a Graph API token for the client tenant
GRAPH_TOKEN=$(az account get-access-token \
  --resource https://graph.microsoft.com/ \
  --query accessToken -o tsv)

# Find the Exchange Online service principal in the client tenant
EXO_SP=$(curl -s -H "Authorization: Bearer $GRAPH_TOKEN" \
  "https://graph.microsoft.com/v1.0/servicePrincipals?\$filter=appId eq '00000002-0000-0ff1-ce00-000000000000'" \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['value'][0]['id'])")

# Exchange.ManageAsApp role ID (constant across all tenants)
ROLE_ID="dc50a0fb-09a3-484d-be87-e023b12c6440"

# Assign the role
curl -s -X POST \
  -H "Authorization: Bearer $GRAPH_TOKEN" \
  -H "Content-Type: application/json" \
  "https://graph.microsoft.com/v1.0/servicePrincipals/$SP_OID/appRoleAssignments" \
  -d "{\"principalId\":\"$SP_OID\",\"resourceId\":\"$EXO_SP\",\"appRoleId\":\"$ROLE_ID\"}"

echo "Done. Verify with: GET /servicePrincipals/$SP_OID/appRoleAssignments"

# Exchange Administrator role template ID (constant)
EXCH_ROLE_TEMPLATE="29232cdf-9323-42fd-ade2-1d097af3e4de"

# Activate the role (required if no members yet)
curl -s -X POST \
  -H "Authorization: Bearer $GRAPH_TOKEN" \
  -H "Content-Type: application/json" \
  "https://graph.microsoft.com/v1.0/directoryRoles" \
  -d "{\"roleTemplateId\":\"$EXCH_ROLE_TEMPLATE\"}"

# Get the activated role ID
ROLE_OBJ=$(curl -s -H "Authorization: Bearer $GRAPH_TOKEN" \
  "https://graph.microsoft.com/v1.0/directoryRoles?\$filter=roleTemplateId eq '$EXCH_ROLE_TEMPLATE'" \
  | python3 -c "import sys,json; print(json.load(sys.stdin)['value'][0]['id'])")

# Add the service principal as a member
curl -s -X POST \
  -H "Authorization: Bearer $GRAPH_TOKEN" \
  -H "Content-Type: application/json" \
  "https://graph.microsoft.com/v1.0/directoryRoles/$ROLE_OBJ/members/\$ref" \
  -d "{\"@odata.id\":\"https://graph.microsoft.com/v1.0/directoryObjects/$SP_OID\"}"

# Verify (should return HTTP 204 on success)
echo "Expected 204 No Content"

1. Open the Automation Account → Shared Resources → Variables.
2. Click + Add variable.
3. Enter the Name and Value from the table above.
4. Set Type to String.
5. For the ApiKey variable, enable Encrypted.
6. Click Create. Repeat for all 10 variables.

1. Open the Automation Account → Shared Resources → Modules.
2. Click + Add a module.
3. Select Browse from gallery.
4. Search for ExchangeOnlineManagement. Click the result, then click Select.
5. Set Runtime version to 5.1, then click Import.
6. Wait for Status to change from Importing to Available (~5-10 min).
7. Repeat for Az.Automation (runtime 5.1).

Initial import:

1. Open the Automation Account → Runbooks → + Create a runbook.
2. Enter the Name (e.g. Scan-M365Cloud).
3. Set Runbook type to PowerShell and Runtime version to 5.1.
4. Click Create.
5. In the editor, paste the runbook content (or use the toolbar's Import file option to upload the .ps1 file).
6. Click Save, then Publish.

Updating an existing runbook:

1. Click the runbook name to open it.
2. Click Edit to open the editor.
3. Paste the new content or use Import file.
4. Click Save, then Publish. Confirm the overwrite prompt.

1. Open the runbook (e.g. Scan-M365Cloud).
2. In the left menu under Resources, click Webhooks.
3. Click + Add Webhook → Create new webhook.
4. Enter a Name (e.g. CB-ScanTrigger).
5. Set Expires to a date 5 years out (e.g. 2031-01-01).
6. Copy the URL now — it is only shown once.
7. Click Create → OK.
8. Store the URL in the org record: TATER → Organizations → [Org] → Scan Infrastructure → Webhook URL.

1. Open func-tater-sec-api in the portal.
2. In the left menu under Settings, click Environment variables.
3. Click + Add to add a new setting, or click an existing setting name to edit it.
4. Enter the Name and Value.
5. Click Apply, then Confirm at the top of the page to save all changes. The app will restart.

1. Build the zip locally first: npm ci && npx tsc in the api/ directory, then delete api/dist/node_modules/ if it exists, then zip the api/ folder contents.
2. In the portal, open the Function App → Deployment Center.
3. Click the FTPS credentials tab to get credentials, or use the Manual deploy option if available.
4. Alternatively, drag the zip into the Kudu console at https://func-tater-sec-api.scm.azurewebsites.net/ZipDeployUI.

1. Open the Function App → Settings → Custom domains.
2. Ensure the custom domain is already verified (listed in the table).
3. Click the pencil icon on the domain row, then Update binding.
4. Under Certificate source, choose Import from Key Vault or Upload certificate (.pfx).
5. If uploading: select the .pfx file and enter the password.
6. Click Validate + add.

1. Switch the portal subscription to TATER Security (3d36e4d4-…).
2. Search for DNS zones and open tatersecurity.com.
3. Click + Record set.
4. Set the Name, Type (A, CNAME, TXT), and Value.
5. Click OK.

Current DNS records:

Posh-ACME generates the cert via DNS-01 challenge. After renewal, upload the new PFX through the portal:

1. Run the posh-ACME renewal command (CLI tab) to generate the new cert files.
2. Open func-tater-sec-api → Settings → Custom domains.
3. Click the pencil icon on tatersecurity.com.
4. Under Certificate source, choose Upload certificate (.pfx).
5. Select the new .pfx file from ~/.local/share/posh-acme/acme-v02.../tatersecurity.com/ (macOS/Linux) and enter the cert password (blank by default).
6. Click Validate + add.