# Automatic Jira ticket creation for Azure application admin consent requests

If you are an Azure administrator you are probably aware that it can be pretty dangerous to let users give permissions consent to **any** Azure application that is in the wild. Because it can lead to [illicit consent grant attack](https://docs.microsoft.com/en-us/microsoft-365/security/office-365-security/detect-and-remediate-illicit-consent-grants?view=o365-worldwide) which seems to be more and more popular among the hackers. 

One of the solutions to this problem is to [require admin consent](https://docs.microsoft.com/en-us/azure/active-directory/manage-apps/configure-admin-consent-workflow). If you enable this feature, whenever a user wants to grant consent to not yet allowed application, admins will be notified to allow/deny such request via **email**.

This is OK, but if you are using JIRA as your support ticket solution, wouldn't it be nice to also automatically create **Jira ticket**? 😉

Such Jira ticket can contain information like: 
- the name of the application
- requested permissions
- who requested the consent
- whether it is created by a verified publisher
- the reason why the user wants to use this application
- etc

And the result can look like 👇
![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1648060146465/lNi8jD1Tb.png)

---

# Prerequisites
- Account with permissions to create Jira ticket + its [API token](https://support.atlassian.com/atlassian-account/docs/manage-api-tokens-for-your-atlassian-account/)
- Azure Service principal (Enterprise Application) with permissions to read *Azure admin consent requests* and *Azure application information* (to get publisher information)
- My [AzureADStuff](https://www.powershellgallery.com/packages/AzureADStuff) module
- A scheduled task that will run periodically PowerShell script that will check for new admin consent request and if so, create Jira ticket

> 
How to create a Jira ticket isn't part of this article, but can be found at [how-to-create-a-jira-ticket-using-powershell](https://doitpsway.com/how-to-create-a-jira-ticket-using-powershell).

## Prepare service principal (Azure Application) for making Graph API calls
To be able to work with Azure non-interactively, we need to create a service principal account that will be used in our PowerShell script to gather all data we need.

1. Log in to the Azure portal
2. Create a new App Registration (`IT_Azure_Consent_Read` in my case)
![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1648208659757/kxgdn-hbW.png)
3. Grant application following application Graph API permissions:
 - ConsentRequest.Read.All
 - Directory.Read.All
 - ServicePrincipalEndpoint.Read.All
 - **Don't forget to grant admin consent too!**
![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1648208763243/DJzBZr8zv.png)
4. Create application secret or certificate so we can authenticate as this application
![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1648476766677/TenS6uoLu.png)
Store this secret password at the **safe **place for later use!
> 
If you want to use certificate to authentication, you can use function `Add-AzureADAppCertificate` which is part of the [AzureADStuff](https://www.powershellgallery.com/packages/AzureADStuff) module.
It can be used like `Add-AzureADAppCertificate -appObjectId <IT_Azure_Consent_ReadAppObjectId> -password (Read-Host -AsSecureString)`

## Getting admin consent requests
To get all admin consent requests use **Get-AzureADAppConsentRequest** PowerShell function 😉 which is part of my module [AzureADStuff](https://www.powershellgallery.com/packages/AzureADStuff).

> 
The function uses these URLs to get the required data:
- `https://graph.microsoft.com/beta/identityGovernance/appConsent/appConsentRequests
` for reading admin consent requests
- `https://graph.microsoft.com/beta/servicePrincipals?$select=appId,verifiedPublisher` for reading application publisher data

The result of the `Get-AzureADAppConsentRequest` can look like this 👇
![image.png](https://cdn.hashnode.com/res/hashnode/image/upload/v1648065906728/9pdiWX-Fc.png)

---

# Put it all together
To summarize it a little bit, we have:
- Azure application (`IT_Azure_Consent_Read`) with appropriate permissions to get admin consent requests from the Azure and know its secret, to be able to authenticate and
- `Get-AzureADAppConsentRequest` function to actually get the admin consent requests data.

Now we need to put it together and create a PowerShell script that
- will be run on schedule (using Task Scheduler),
- check new admin requests and if find some, creates Jira tickets for every one of them,
- saves processed requests in the XML file (to be able to track the changes),
- closes Jira tickets for solved requests + adds comment about who accepted/rejected the request

And the result can look like this
[AzureAD_admin_consent_requests_Jira_ticket_creation.ps1](https://github.com/ztrhgf/useful_powershell_scripts/blob/main/AzureAD_admin_consent_requests_Jira_ticket_creation.ps1)

> 
`AzureAD_admin_consent_requests_Jira_ticket_creation.ps1` script is just a template. To make it work, you have to check and fix lines that starts with `FIXME`. Therefore export Jira and Azure app credentials, defined App Id etc.

Feel free to write comment in case of any problems. 👍
