I'd like to retrieve a list of users from an Azure AD App role by means of the Azure CLI.
I am able to fetch some of my application's metadata by issuing
az ad app list --app-id <app-id>. The resulting JSON does include the appRole for which I want to fetch all assigned users.
From the az ad app docs I only understand that App roles can be used in conjunction with az ad app create or az ad app update, but this is not what I am looking for.
I also tried az ad group member list --group <group-id> but this command apparently only applies to AAD groups, not to App roles.
How can I simply retrieve a list of users assigned to a certain App role?
Unfortunately, we don’t have any CLI command to get the assignment list for an app role. Because the app role is something which belongs to tenant, and we don’t have tenant parameter for the command az role assignment list. Below is the official doc for your information.
https://learn.microsoft.com/en-us/cli/azure/role/assignment?view=azure-cli-latest#az-role-assignment-list
We have only one way to fetch the assignment role list is through portal.
Related
I am not able to fetch role claim when using AzureAD for authentication.
quay.io/oauth2-proxy is used
• Please check the version of image quay.io/oauth2-proxy you are using whether it is v6.1.1 as there is a known issue with this image version regarding the oidc groups claim which are not on the list. Also, currently, if you are adding a service principal to a group, and then assigning an app role to that group, Azure AD does not add the roles claim to tokens it issues.
• Thus, also please check the app manifest that has multiple attributes mapped including app roles also for any unsupported attributes that are entered in app registrations(legacy) vs normal app registrations as some crucial attributes seem to have modified in the new app registration platform such as for the app roles, it will be ‘collection’ type while for ‘groupmembershipclaims’ attribute, it is string type.
• Also, check the users claim for custom roles as below in the app manifest if you have defined any custom roles for claim assignments: -
{
"roles": ["{custom_role}"]
}
Please find the below links for more information: -
Accessing Roles claim in Azure AD secured Web Api
https://github.com/oauth2-proxy/oauth2-proxy
TL;DR
To grant admin consent to a newly created single-tenant app I need to know its Service Principal Id. Is there a way of getting the Service Principal Id of a newly created app registration when it is not listed in the results from a call to the MS Graph API ServicePrincipals endpoint?
I am using the Microsoft Graph Beta SDK to add functionality that enables users of our application to create and maintain SDS Sync Profiles.
I have a multi-tenant app registration which, given user consent, enables me to create a single-tenant app registration in the user's tenant using the graphClient.Applications.Request().AddAsync({application}) method. The process I have works fine and the single-tenant app registration is created with the necessary permissions but these require admin consent. Currently I am sending users to the adminconsent endpoint: (https://login.microsoftonline.com/{tenantId}/adminconsent) where the user can grant the necessary permissions. This is also working fine but it requires the user to log in again, having already logged in once to grant consent to the multi-tenant app. This is clearly not great from a UX point of view so I would like to avoid the necessity of the user having to log in again if possible.
I came across this post: https://winsmarts.com/how-to-grant-admin-consent-to-an-api-programmatically-e32f4a100e9d which explains how to grant the admin consent programmatically . This involves creating an oAuth2PermissionGrant object with the scopes listed that admin consent is required for.
The issue I have is that in order to add the oAuth2PermissionGrant I need to know the Service Principal Id of the single-tenant app registration just created. However, when I make a call to the Graph API to list the Service Principals (graphClient.ServicePrincipals.Request().GetAsync()) the single tenant app registration is not listed, so I have no way of getting the Service Principal Id and thus cannot create the oAuth2PermissionGrant.
Once I grant admin consent to the permissions on the single-tenant app registration, either manually in Azure AD or via the adminconsent endpoint, the single-tenant app registration shows in the results from the call to ServicePrincipals endpoint.
Additionally, if I haven't granted admin consent, and just make a call to any Graph endpoint, and, when (having logged in again) the grant permissions page is shown, I don't tick the "consent for my organization" box, the permissions remain (as expected) in "require admin consent" status, however the single-tenant app registration now shows amongst the Service Principals list.
Sorry for the long question but any advice would be most appreciated.
Thanks
David.
However, when I make a call to the Graph API to list the Service Principals (graphClient.ServicePrincipals.Request().GetAsync()) the single tenant app registration is not listed, so I have no way of getting the Service Principal Id and thus cannot create the oAuth2PermissionGrant.
That's because a service principal is not created automatically when you create an application through the APIs or with PowerShell. Azure Portal creates it for you at the same time when using it for convenience, but the raw APIs don't do that. You need to create the service principal, the only mandatory parameter is the appId (your app id/client id) if I recall correctly. Here is the documentation page for that: https://learn.microsoft.com/en-us/graph/api/serviceprincipal-post-serviceprincipals?view=graph-rest-1.0&tabs=http
Once the service principal has been created, you should be able to create the oauth2PermissionGrant objects that grant the permissions you want for all users in your directory.
Lets say i have an WEB API that i have developed and the web API is already protected by Azure AD using App registrations.
Now the Web API has some roles like Admin User and Manager.
I want to store these roles in Azure AD too and get an accesses token for Azure so in the JWT claim of the accesses token the role is present.
Any pointers if this is possible at all ?
You could add an appRole into your Azure AD app and assign users and groups to roles.
Then the users in the group will have the claim like below:
{
"roles": ["{the role you customized}"]
}
After that, the role will be included in the access token. And you can implement your authorization logic based on the roles of the user.
I am doing login from Azure AD.Client is SPA(angular using MSAL). If user is not Authenticated, it redirect to Microsoft Login Screen (using MSAL). On successful login, it return an access token.
My roles will be stored in a database. I need to add the roles of that user as part of claim in access token. I am not finding the way to do it.
I do not want to make another call from SPA to API to get the DB roles.
Please suggest some good approach.
Any links explaining the approach will also be very helpful.
I am still in design phase but not able to find the best approach.
In one microsoft site, i found that we can fetch the roles from DB but details were not there.
most of the places, it is written that we need to provide roles in Azure AD users menifest file.
In regular Azure AD, the "roles" claim is exclusively sourced from app role assignments for the signed-in user (or groups the user is a member of), to the app roles for the app the user is signing in to.
There's no feature currently in Azure AD which will connect to an arbitrary database, make a database query in the appropriate form, and include the results in the roles claim in the resulting ID Token.
I can think of three options to achieve your scenario:
After sign-in, call an API to retrieve the roles. Though you mention this is not desirable, it's probably the simplest approach, so it's worth listing. As a result of the user's sign-to you app, you app will usually obtain an access token to an API. If you set up your API to be secured with Azure AD (directly, or through Azure API Management), your SPA could simply get the necessary access token as part of sign-in, and at that point it's trivial to make a REST call to retrieve the role details for the user (and possibly other information useful to rendering your app).
Synchronize (or copy) your role information from your database to Azure AD. For each role, create an app role in the Azure AD app registration. For each user-role association, either create an app role assignment to directly assign the user (user -> app role), or assign a group to the app role and add the user to the group (user -> group -> app role. Keeping this in sync is probably not trivial, so if your scenario allow to move the role information to Azure AD app role assignment, you can forget the database entirely (making Azure AD the authoritative location). Of course, this might not work for your specific case.
Use Azure AD B2C and a custom sign-in policy. You could create an Azure AD B2C tenant, set up a custom sign-in policy to use your (regular) Azure AD tenant as the identity provider, and configure the policy to enhance the claims by calling a REST API to retrieve your roles. In this approach, you still need to have a REST API which can provide the role information, so rather than doing the setup and migrating your app, you may prefer simply calling the API from your SPA (option 1, in this list).
I would like list roleAssignments of a group with GraphAPI.
But I only see an API to list whole roleAssignments.
I tried to filter by resourceScopes/scopeMembers using $filter clause but it's not working.
Should I filter this whole list myself or is there any other way to do it?
It seems like you are looking for Azure RBAC role assignments.
These are different from what you've linked to, which are Intune device management role assignments (which are specific to Intune RBAC roles). They are also different from Azure AD app role assignments (which are for assigning an app or a user/group to another app's role), and Azure AD directory role membership (which is for assigning users to directory roles).
You can list all Azure RBAC role assignments using the Azure Management API. You can also filter this request by scope and/or by which user, group or app the role assignment is for.
For example, to list all the scopes a group {group-id} has been assigned to for a subscription {sub-id}:
GET https://management.azure.com/subscriptions/{sub-id}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01&$filter=principalId%20eq%20'{group-id}'
For more details, you can read Manage Role-Based Access Control with the REST API.