I know how to get the tenant id of Azure AD. But i have registred an APP in Azure AD using microsoft graph powershell and i want to obtain tenant id of this registred app using microsoft graph powershell. I tried to get it using the variable i used to create the app registration:
$APP = New-MgApplication -displayName $AppName `
-RequiredResourceAccess #{ ResourceAppId = $GraphResourceId; ResourceAccess = #($resourceAccess) } `
-SignInAudience $SignInAudience `
-PublicClient #{ RedirectUris = $URL }
If i use the variable $App and try to get a property called tenantid, there is nth called like this. $App | Select * did not show any tenantid aswell.
Anyone know how to read the tenantid of this registred azure app using microsoft graph powershell?
Graph API doesn't provide any information about tenant for registered application, so you cannot get tenant id directly.
The registered application is created under the same tenant that the user or application is signed in to.
You can read organization data
Import-Module Microsoft.Graph.Identity.DirectoryManagement
$org = Get-MgOrganization
$org.id is the tenant ID.
Documentation:
Organization
You can get the tenant id, by following below commands , ref doc - https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-to-find-tenant#find-tenant-id-with-powershell
Connect-AzAccount
Get-AzTenant
To list all To the tenants for your account, you can use:
GET https://management.azure.com/tenants?api-version=2020-01-01
ref doc - https://docs.microsoft.com/en-us/rest/api/resources/tenants/list
If you want to see the tenant ID associated with an app registration, you can do so through the portal under Azure Active Directory > App Registrations > the app registration > Overview. I don't believe it's possible to get this data via Powershell since Powershell requires both Tenant ID and Application ID to query the application information.
See the doc more info - https://learn.microsoft.com/en-us/partner-center/find-ids-and-domain-names
Hope this helps
Thanks
Related
We have Azure AD sync'ing user accounts to Salesforce - this is working fine. In Salesforce we have a few custom 'Profiles'. And in Azure AD > Enterprise Apps > Salesforce > Users & Groups, we have AD Groups mapped to these profiles https://i.imgur.com/TjjdT7H.png
Due to additional development in Salesforce, we are now making use of a few Permission Sets (and Permission Set Groups), as well as Public Groups.
Rather than manually managing assignments to these various groups when new users are provisioned, I would like to automate it, based on Azure AD group membership.
I have read a bunch of threads on this topic. One suggesting the way to do this is to create an new App Role (link - see comment by Mike-S122). This is done via App Registrations > Salesforce > App Roles. So I created an App Role, which shows up when in Enterprise Apps > Salesforce > Users & Groups - I can click 'Add user/group', select the new Role in the list, and assign an AD Group, but if I try to provision-on-demand a user, I get an error that the user cannot belong to two groups. That makes sense.
Perhaps I need to edit the provisioning mappings instead? My current mapping looks like this.
How can be added custom attribute for user in Azure AD B2B using API?
A found a way for External Identities but I'm looking for custom attributes regardless of user type.
For example, I want to have the attribute "FavoriteColor" for every user (member or guest)
How can I achieve that?
You can use Microsoft Graph API Create extensionProperty.
Specify the targetObjects as "User".
An example (you can use any of your app registrations for {object id of the app registration}):
Post https://graph.microsoft.com/v1.0/applications/{object id of the app registration}/extensionProperties
{"name":"customAttribute","dataType":"string","targetObjects":["User"]}
It will generate an extension property named extension_{client id of the app registration without "-"}_customAttribute.
Then you can update the extension property for the member or guest user:
Patch https://graph.microsoft.com/v1.0/users/{user id}
{"extension_{client id of the Azure AD application without "-"}_customAttribute":"value"}
Use Microsoft Graph Explorer to have a quick test.
Microsoft Graph auth overview and Microsoft Graph SDK for your reference.
In the Azure Portal, one can look-up an Azure AD object based on the Object ID as shown below:
Is it possible to retrieve an Azure AD object by the Object ID using the Azure CLI?
In order to use the Azure CLI to get the object related to the object ID, it appears that I need to know in advance if the related resource is a user, group, device, app registration, etc., in order to get the details. For example, if I know the Object ID is a user, I can use az ad user show --id. If all I have is the Object ID, I don't know the 'type' of the object, yet somehow the Portal can figure this out!
While I'd prefer an Azure CLI solution, an Azure PowerShell solution would be better than nothing. I am asking the question because I'm trying to generate a list of access policies within key vault using az keyvault list, but the access policy list from that CLI command just shows Object IDs for each policy... I have no way of determining if the objects are users, groups, etc.
If you want to get Azure AD resource with its object id, we can use the following Microsoft Graph API
POST https://graph.microsoft.com/v1.0/directoryObjects/getByIds
Content-type: application/json
{
"ids":[""]
}
If you want to call the Microsoft Graph with Azure CLI, we can use the command az rest
For example (I use Azure cloud shell)
az rest --method POST --url 'https://graph.microsoft.com/v1.0/directoryObjects/getByIds' --headers 'Content-Type=application/json' --body '{"ids":[""]}'
For more details, please refer to here nad here
If you have a CSV file with user IDs in one column, this script is useful to look up all users at once
param(
$file = "query_data.csv"
)
$data = Get-Content $file | ConvertFrom-Csv
$userIds = $data.User | Get-Unique
$body = #{
ids = $userIds
} | ConvertTo-Json -Compress;
$body = $body -replace '"', '\"';
$results = az rest `
--method POST `
--url 'https://graph.microsoft.com/v1.0/directoryObjects/getByIds' `
--headers 'Content-Type=application/json' `
--body $body;
$results > results.json
I'm implementing an application in Java that has access to Azure via a secure principal and that creates some Resource Groups.
I would like, given an AD Group Name specified via configuration, to add a specific Role Assignment for that AD Group to the Resource Groups.
Is it feasible via Azure Java SDK or I need to use REST APIs?
Which permissions the service principal needs to:
Read an AD group given its name
Assign a RolePermission to a newly created Resource Group for that AD Group
I need to ask to our ActiveDirectory team which permission must be enabled to my Service principal.
TIA
Best regards
I don't know if we can use java sdk to implement this requirement, but I know we can request rest api to do it. Please refer to the steps below:
1. We need to get the id of the role definition by request this api: GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions?api-version=2015-07-01
The URI parameter {scope} should be like /subscriptions/{your subscription id}/resourceGroups/{your resource group name}
For example, here I get the id of "Contributor" role.
2. Then request this api: PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentName}?api-version=2015-07-01 to create role assignment(assign the role for resource group contributor to your ad group).
The {scope} should be /subscriptions/{your subscription id}/resourceGroups/{your resource group name} and you can specify a {roleAssignmentName} as you like(should be valid GUID).
The request body should be like below:
{
properties: {
"roleDefinitionId": "{the id of Contributor role which we get in step 1}",
"principalId": "{the object id of your AD group}"
}
}
3. Finish the two apis request above, we can find the AD group has been assigned with the role of "Contributor" for the resource group.
I am using Azure AD with a registered Application and I am using the Microsoft Graph API to query the AD.
The following code below tells which groups the User is Assigned to
var memberof = await graphClient.Users[xxx].MemberOf.Request().GetAsync();
I am using standard AD package and it seems that groups are somewhat restricted and I need to buy the "Premium AD Package" to use them fully.
So I don't want to use the group information. I am interested in the roles that I assign my users that I have put into my application manifest.
e.g
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"displayName": "Case Manager",
"id": "{A_Guid}",
"isEnabled": true,
"description": "Case Manager's can create and assign Cases to other users",
"value": "CaseManager"
},
So, how can I use the Graph Api to tell me if a user has a particular role ?
1. Microsoft Graph API
The ability to read all application specific roles assigned to a user (i.e. AppRoleAssignments) is only available as part of Microsoft Graph API beta endpoint currently AFAIK. This is not available as part of v1.0. You can read about versions here
As evident from name "beta", it's not expected to be a stable version that can be relied upon for production applications. Read more specific points in this SO Post by Marc LaFleur
Exact API (Microsoft Docs Reference):
GET https://graph.microsoft.com/beta/users/{id | userPrincipalName}/appRoleAssignments
I tried using GraphServiceClient (.NET SDK for Microsoft Graph) but wasn't able to find anything related to AppRoleAssignments. (probably because SDK uses metadata from stable 1.0 version and not the beta version)
In any case, if you can still test this, use Microsoft Graph Explorer or directly call the endpoint from C# code
string graphRequest = $"https://graph.microsoft.com/beta/users/{my user GUID}/appRoleAssignments";
HttpClient client = new HttpClient();
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, graphRequest);
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
HttpResponseMessage response = await client.SendAsync(request);
2. Windows Azure AD Graph API
Even though it's recommended to use Microsoft Graph API whenever possible, there are still some cases where Microsoft Graph hasn't caught up yet so you are forced to use Azure AD Graph API. Application management related cases are some of those.
So you could use this Azure AD Graph API. I quickly tested this from Azure AD Graph Explorer and it works fine.
https://graph.windows.net/{yourtenantid}/users/{id}/appRoleAssignments?api-version=1.6
Just like Microsoft Graph Library for .NET you can use Azure AD Graph Client Library for .NET and your code would look something like this..
aadgraphClient.Users["<user guid>"].AppRoleAssignments;
On a side note, since you've asked the question specifically for Microsoft Graph API, I've answered it accordingly.
At least for the currently signed in user for an application, you can always find the Application Roles assigned to them from the Role claims available as part of the access token from Azure Active Directory.
This although only helps with roles for current user and not in management sort of scenarios if you're trying to go across all users for an application. Here's a sample that reads role claims and does authorization based on App Roles for currently signed in user.
Authorization in a web app using Azure AD application roles & role claims
I just found a way to get roles of an user at an application level.
You can create application level roles by updating the manifest's appRoles array.
[azure/app registrations/<your-app>/manifest)]
I used Microsoft.Graph.Beta, to get access to service principals api.
var userRoles = await _client.Me.AppRoleAssignments.Request().GetAsync();
The above query would fetch all the application roles for the user.
var appRoleAssignments = await _Client.ServicePrincipals[<<application_objectId>>].Request().GetAsync();
The above query would fetch all the roles of an application assigned at manifest level.
And application object Id could be found at [azure/app registrations/<your-app>)] -> Object ID
And execute the below to get list of user roles
var roles = new List<string>();
if (appRoleAssignments != null && appRoleAssignments.AppRoles.Any())
{
var userRolesOfCurrentResource = userRoles.First(role => role.ResourceId == Guid.Parse(<<application object id>>));
if(userRolesOfCurrentResource!=null)
{
var role = appRoleAssignments.AppRoles.First(role => role.Id == userRolesOfCurrentResource.AppRoleId);
if (role!=null)
{
roles.Add(role.Value);
}
}
}