Azure Access Package direct assignment with approval - azure-active-directory

In the Azure Portal, I can navigate to Identity Governance | Access Packages | Access Package and then create a direct assignment for a user. The Azure Portal allows me to specify whether or not approvals are applied to the assignment request.
I can also create a direct assignment request using the Microsoft Graph, but I cannot figure out how to apply approvals to this request. Requests from the Graph seem to always bypass the approval policy.
Using Fiddler and the Azure Portal (ref screenshot above), I can see that the following JSON payload is POSTed to the Graph. So I took that exact same JSON payload and POSTed it with the Graph Explorer, but the approval process is still being bypassed.
POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentRequests
{
  "accessPackageAssignment": {
    "target": {
      "objectId": "5eaf3cdc-3859-40a1-bd48-583da94d16b3",
      "type": "User"
    },
    "assignmentPolicyId": "3261eff8-1e91-426d-93dd-55f196a593a4",
    "accessPackageId": "d14d6f8c-458f-4a1c-926a-38f4c5e63fe8"
  },
  "justification": "testing",
  "requestType": "AdminAdd",
  "parameters": [
    {
      "name": "IsApprovalRequired",
      "value": "true"
    }
  ]
}
How can I achieve the same behavior as the Azure Portal (i.e., direct access package assignment with approval)?

The request body contains an accessPackageAssignmentRequest object, which has an assignmentPolicyId property identifying the accessPackageAssignmentPolicy; this policy has a definition for requestApprovalSettings, and approvalSettings contains isApprovalRequired.
By the way, what you mentioned is the beta version of the API, which is not recommended; the v1.0 version may be better.

Related

AD provisioning says that "A required attribute is missing from a response", but it does exist in the response

I'm working on implementing SCIM 2.0, as I need to use it to provision users in my system that are stored in Azure AD. I have set it up and when I try to manually provision a user, I get this error:
The user is successfully provisioned on the client side, as you might guess from the error message - it's not an issue with the request.
I am guessing that the issue is with where the identifier is located, since the Identifier attribute is included in the response that is in the error message.
I've googled this error and I can find general tutorials for AD SCIM implementations, but I haven't been able to find anything about this specific error.
Here's a pretty-printed version of the response:
{
  "totalResults": 1,
  "startIndex": 0,
  "itemsPerPage": 1,
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "Resources": [
    {
      "emails": [
        {
          "type": "work",
          "value": "perrin@***.com",
          "primary": true
        }
      ],
      "Identifier": "1072",
      "meta": {
        "meta": "/scim/v2/Users/1072",
        "resourceType": "User"
      },
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "name": {
        "familyName": "Aybara",
        "givenName": "Perrin"
      },
      "active": true,
      "id": "1072",
      "userName": "perrin@***.com"
    }
  ]
}
• As you are provisioning a user manually through the SCIM functionality of Azure AD, the issuer identity, i.e., Azure AD, is identified by an iss claim in the token received after successfully provisioning the user from Azure AD. An example is below:
"iss":https://sts.windows.net/cbb1a5ac-f33b-45fa-9bf5-f37db0fed422/
where ‘https://sts.windows.net’ is the URL of the issuer, i.e., Azure AD, and ‘cbb1a5ac-f33b-45fa-9bf5-f37db0fed422’ is the unique identifier of the Azure AD tenant for which it was issued. This token was issued for the application template ID of the app configured for provisioning in enterprise applications.
• Also, please note that if the query to provision an Azure AD user with the ‘create’ action in the client app web service, with an ‘externalId’ attribute value that matches the ‘mailNickname’ attribute value of a user, doesn't return any users (as in your case, as shown in the image), then AAD requests that the web service provision a user corresponding to the one in AAD. The user provisioned from Azure AD is assigned an identifier value when the provisioning succeeds and returns an instance of the Microsoft.SCIM.Core2EnterpriseUser class with an identifier attribute indicating the user provisioned. Thus, since the user identifier value is missing as shown in the image, please run the command below to query whether the user was created successfully or not.
GET ~/scim/Users/54D382A4-2050-4C03-94D1-E769F1D15682 HTTP/1.1
Authorization: Bearer ...
In a request to retrieve the current state of the user provisioned, the values of the properties of the object provided as the value of the parameters argument are as follows:
Identifier: "54D382A4-2050-4C03-94D1-E769F1D15682"
SchemaIdentifier: "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
• Please try again to provision the user and query the current state of the user regarding its reference attribute. Also, send a request from Azure AD to the SCIM service to update the user in its datastore. Here is an example of the request sent from Azure AD to the SCIM service:
PATCH ~/scim/Users/54D382A4-2050-4C03-94D1-E769F1D15682 HTTP/1.1
Authorization: Bearer ...
Content-type: application/scim+json
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "Add",
      "path": "manager",
      "value": [
        {
          "$ref": "http://.../scim/Users/2819c223-7f76-453a-919d-413861904646",
          "value": "2819c223-7f76-453a-919d-413861904646"
        }
      ]
    }
  ]
}
Please find the detailed steps in the link below:
https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#handling-provisioning-and-deprovisioning-of-users
This error generally shows up when there is something invalid with the format of the JSON payload. From looking at this one, I suspect it's your inclusion of "Identifier" as this is not defined in the core SCIM schema docs, and specifically may be causing issues if it overlaps with something else in the provisioning service. "id" is the correct attribute to use.
After playing around with it, the issue was not that the resources were missing anything - it was the ListResponse itself that needed an ID. If I add
"id": "urn:ietf:params:scim:api:messages:2.0:ListResponse"
to the top-level object (along with totalResults, etc.), it is processed as expected.
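As an added illustration (not the asker's code and not Azure AD's own validator), a small Python check that flags the points this thread settled on: resources must carry the standard id attribute rather than a custom Identifier, the top-level ListResponse carries the id the asker found necessary, and meta uses the RFC 7643 location key rather than a misspelled one. The sample response is constructed to mirror the asker's shape; all values are made up.

```python
import copy

LIST_RESPONSE = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"

def check_list_response(body):
    """Return the problems found in a SCIM 2.0 ListResponse body."""
    problems = []
    if LIST_RESPONSE not in body.get("schemas", []):
        problems.append("top-level schemas lacks the ListResponse URN")
    for key in ("totalResults", "startIndex", "itemsPerPage"):
        if not isinstance(body.get(key), int):
            problems.append(f"top-level {key} missing or not an integer")
    if "id" not in body:
        # Not in RFC 7644, but the asker reports Azure AD needed it.
        problems.append("top-level id missing")
    for i, res in enumerate(body.get("Resources", [])):
        where = f"Resources[{i}]"
        if "id" not in res:
            problems.append(f"{where}: standard id attribute missing")
        if "Identifier" in res:
            problems.append(f"{where}: non-standard Identifier present, use id")
        if USER_SCHEMA not in res.get("schemas", []):
            problems.append(f"{where}: schemas lacks the core User URN")
        if "location" not in res.get("meta", {}):
            problems.append(f"{where}: meta.location missing (RFC 7643)")
    return problems

# Constructed sample shaped like the asker's response; values are made up.
ASKER_STYLE = {
    "totalResults": 1, "startIndex": 0, "itemsPerPage": 1,
    "schemas": [LIST_RESPONSE],
    "Resources": [{
        "schemas": [USER_SCHEMA], "id": "1072", "Identifier": "1072",
        "userName": "perrin@example.com",
        "meta": {"meta": "/scim/v2/Users/1072", "resourceType": "User"},
    }],
}

def fixed_copy(body):
    """Apply the thread's fix (top-level id, drop Identifier) and rename the
    misspelled meta key to meta.location; returns a new dict."""
    out = copy.deepcopy(body)
    out["id"] = LIST_RESPONSE
    for res in out["Resources"]:
        res.pop("Identifier", None)
        if "meta" in res.get("meta", {}):
            res["meta"]["location"] = res["meta"].pop("meta")
    return out
```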

How to specify replyUrlsWithType programmatically

I want to set the replyUrlsWithType programmatically on an app manifest within Azure AD. However, the REST API for updating the manifest only seems to support setting the replyUrls property, which does not enable the type property to be set. Is there a supported way to set the replyUrlsWithType programmatically?
The team I'm working with has used Fiddler to take a look at how the Azure portal sets the type property and have hacked the following to get it to work, but we are looking for a supported method if there is one:
# ${appId} is braced so PowerShell does not read "$appId?" as a variable name.
$UpdateAppResponse = Invoke-WebRequest -Uri "https://graph.windows.net/myorganization/applications/${appId}?api-version=2.0" `
    -Method "PATCH" `
    -Headers @{"Authorization"="$($Response.token_type) $($Response.access_token)"; "Accept"="*/*"; } `
    -ContentType "application/json" `
    -Body "{`"id`":`"$appId`",`"replyUrlsWithType`":[{`"url`":`"https://$HostName`",`"type`":`"Web`"},{`"url`":`"msauth://$ReversedHostName`",`"type`":`"InstalledClient`"}, {`"url`":`"msauth.$ReversedHostName://auth`",`"type`":`"InstalledClient`"}]}"
In the past, an application registered in the Azure portal could only be of one type. So, the Azure AD Graph API was able to set replyUrls.
However, a new application registered in the Azure portal can support both types at the same time. Based on the Fiddler traces, the Azure AD Graph seems to have been updated to support that.
The URL https://graph.windows.net/myorganization/applications/$appId?api-version=2.0 is a typical URL of the AAD Graph API. Maybe just the documentation has not been updated.
However, we suggest you use the Microsoft Graph API. It is a unified center for managing lots of Microsoft Cloud resources.
You can Get application and Update application with Microsoft Graph API.
For example, you can make a PATCH request with the following body:
{
  "publicClient": {
    "redirectUris": [
      "myapp://auth"
    ]
  },
  "web": {
    "redirectUris": [
      "https://devchat.com/",
      "http://localhost/",
      "https://mytest.com/"
    ],
    "implicitGrantSettings": {
      "enableAccessTokenIssuance": false,
      "enableIdTokenIssuance": false
    }
  }
}
Then all the platforms will be added:
For anybody who is looking to configure similarly as a SPA, you can set the property to "spa" instead of "web". This was a headache for me, so hopefully it is helpful for others:
Instead of:
  "web": {
    "redirectUris": [
use
  "spa": {
    "redirectUris": [
A one-liner for the Azure Cloud Shell (bash):
az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/<APP REG OBJECT GUID (object ID not the App ID)>' --headers 'Content-Type=application/json' --body '{"spa":{"redirectUris":["https://<APP DOMAIN (and port if needed)>"]}}'
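Added example, not code from the answers above: converting a replyUrlsWithType list like the one in the question's PowerShell payload into the per-platform Microsoft Graph PATCH body the answers recommend for /v1.0/applications/{objectId}. The Spa type mapping and the https-or-localhost rule for browser redirect URIs are assumptions about Azure AD's rules, not something the thread states.

```python
from urllib.parse import urlparse

# Azure AD Graph replyUrlsWithType types mapped to Microsoft Graph application
# properties. Web and InstalledClient appear in the question; Spa is assumed.
TYPE_TO_PLATFORM = {"Web": "web", "InstalledClient": "publicClient", "Spa": "spa"}

def _check_browser_uri(platform, uri):
    """web and spa redirect URIs must be https, except http://localhost for
    local development (assumed Azure AD rule)."""
    p = urlparse(uri)
    ok = p.scheme == "https" or (p.scheme == "http" and p.hostname == "localhost")
    if not ok:
        raise ValueError(f"{platform} redirect URI must be https or http://localhost: {uri}")

def graph_patch_from_reply_urls(reply_urls_with_type):
    """Convert [{"url": ..., "type": ...}, ...] into the Microsoft Graph PATCH
    body, grouping redirect URIs under web / spa / publicClient."""
    body = {}
    for entry in reply_urls_with_type:
        platform = TYPE_TO_PLATFORM.get(entry.get("type"))
        if platform is None:
            raise ValueError(f"unknown replyUrlsWithType type: {entry.get('type')!r}")
        uri = entry["url"]
        if platform in ("web", "spa"):
            _check_browser_uri(platform, uri)
        uris = body.setdefault(platform, {"redirectUris": []})["redirectUris"]
        if uri not in uris:  # keep the list free of duplicates
            uris.append(uri)
    return body

# Constructed sample mirroring the shape of the question's payload.
SAMPLE = [
    {"url": "https://app.example.com", "type": "Web"},
    {"url": "http://localhost/", "type": "Web"},
    {"url": "msauth://com.example.app", "type": "InstalledClient"},
    {"url": "msauth.com.example.app://auth", "type": "InstalledClient"},
]

if __name__ == "__main__":
    import json
    print(json.dumps(graph_patch_from_reply_urls(SAMPLE), indent=2))
```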

Write requests are only supported on contained entities, Microsoft Graph API when trying to PATCH/POST to assign AD App role to user

I'm trying to assign app-specific roles to a user in our AD group using Microsoft Graph.
The link I'm sending the request to:
https://graph.microsoft.com/beta/users/{oID of the user I want to assign the role to}/appRoleAssignments/{Object ID of the AD enterprise app}
Inside the request:
{"id": "ID of the role I'm trying to assign to the user"}
The error:
"code": "BadRequest",
"message": "Write requests are only supported on contained entities",
The documentation doesn't define parameters in the example well and I've tried various possibilities but this is the only meaningful result I've gotten.
This isn't currently supported by Microsoft Graph. To create app role assignments, you'll need to use Azure AD Graph:
POST https://graph.windows.net/myorganization/users/{user-object-id}/appRoleAssignments
{
  "principalId": "{user-object-id}",
  "resourceId": "{service-principal-object-id}",
  "id": "{app-role-id}"
}

Tenant does not have a SPO license when updating user

I've been using the Microsoft Graph API to create users in Azure Active Directory, but when I try to update skills or schools I get an error:
PATCH https://graph.microsoft.com/v1.0/me
{
  "skills": ["skills-value"]
}
{
  "error": {
    "code": "BadRequest",
    "message": "Tenant does not have a SPO license.",
    "innerError": {
      "request-id": "804948b5-f087-4be8-bdf0-ab49dccf7efc",
      "date": "2018-04-14T17:55:52"
    }
  }
}
Also, when I try to update businessPhones, for example, it works fine and I get no errors.
PATCH https://graph.microsoft.com/v1.0/me
{
  "businessPhones": ["businessPhones-value"]
}
HTTP/1.1 204 No Content
Any idea?
The Microsoft Graph is a front-end which intelligently wraps a suite of Microsoft and Office 365 APIs into a single endpoint. This includes free and paid services, and ultimately to access certain APIs you will need to have a subscription for the services which host the underlying API.
In this case, you are seeing that the skills attribute on the user is stored in SharePoint Online, and if you do not have a SharePoint license, you will not be able to use that property.
If you are simply looking for a way around this, you might look into storing and retrieving your skill information using Add custom data to resources using extensions which is stored in Azure AD and should be totally free to access.

Microsoft Graph, Registering a Schema Extension

I'm building an internal meeting room app that uses the Microsoft Graph API and I would like to extend Event objects with a Schema Extension.
Documentation:
API Reference
Tutorial Example
However when running a query to register a new schema extension, I am receiving this HTTP response:
{
  "url": "https://graph.microsoft.com/beta/schemaExtensions",
  "status": "403 Forbidden",
  "headers": {
    "request-id": "e1e36210-6c4c-4ed8-afb1-c9ee6f6362ed",
    "client-request-id": "e1e36210-6c4c-4ed8-afb1-c9ee6f6362ed",
    "x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"North Europe\",\"Slice\":\"SliceA\",\"ScaleUnit\":\"001\",\"Host\":\"AGSFE_IN_2\",\"ADSiteName\":\"DUB\"}}",
    "duration": "742.4624"
  },
  "body": {
    "error": {
      "code": "Authorization_RequestDenied",
      "message": "Insufficient privileges to complete the operation.",
      "innerError": {
        "request-id": "e1e36210-6c4c-4ed8-afb1-c9ee6f6362ed",
        "date": "2017-05-10T10:05:37"
      }
    }
  }
}
I can confirm that my application has the prerequisite scope permission of Directory.AccessAsUser.All and it's also been more than 16 hours since adding this permission. I have also got verified domains, so the namespace should be OK per the documentation reference.
My API query in code:
Outlook.test({
  version: 'beta',
  resource: 'schemaExtensions',
  method: 'POST',
  body: {
    id: 'thehivegroup_beethere',
    description: 'Extension for event presence status',
    targetTypes: [ 'Event' ],
    properties: [
      { name: 'checkIn', type: 'String' },
      { name: 'checkOut', type: 'String' }
    ]
  }
})
.then(result => console.log(result), err => console.error(err))
Which results in a POST with the JSON encoded in the body and headers with authorization token to the URL https://graph.microsoft.com/beta/schemaExtensions.
I have tried different IDs, such as beethere, which resulted in a namespace error, so I know this ought to be working fine.
There are no other scope permissions I am aware of that I need to enable here as well. The error is just too vague for me to figure out what privileges are insufficient here.
EDIT: I have manually run the query in the Graph Explorer as an Admin in the tenant, added the scope permissions required for the API and some extra ones in case, but the query for registration of Schema Extensions still does not work, with the same error message as the application receives. So it is definitely not a problem in my code, but the Microsoft Graph API. Is there a contact or way to ask Microsoft to look into the issue?
Directory.AccessAsUser.All is a delegated permission only (it must be delegated because it grants access to directory based APIs as the signed-in user's access rights). It doesn't show up in the roles claim because it isn't an application permission.
As far as I know, right now you cannot use the application flow (client credentials) to create a schema extension, and you need to use the "code authorization" flow. Please let us know if this is a requirement. Additionally, we'd love to know if you want to see an experience for schema definition registration as part of the application registration...
Also, you CANNOT currently create a schema extension definition (or manage it) through Graph Explorer. For you to create a definition, you must either be an admin or the owner of the app creating the extension definition AND the creation request must also come from that application (which cannot be Graph Explorer). We may look at relaxing this last constraint.
If you want to see a code snippet for this it's available here (although it's a UWP c# app, not JS): https://github.com/microsoftgraph/uwp-csharp-snippets-rest-sample.
Also schema extensions is now GA, and available in the v1.0 endpoint.
Hope this helps,
Graph Explorer is able to add an extension.
You will need to create an app in your tenant and set the owner in the payload to the client id of your app.
more on this
Creating schema extensions via REST works well for me. Please ensure that the token contains the Directory.AccessAsUser.All permission. You can parse the token and check the scp claim in it on this site.
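Added example (not the answerer's tool or link): decoding a token payload locally and reporting whether Directory.AccessAsUser.All sits in the scp claim (delegated permissions) or the roles claim (application permissions), which is the distinction the earlier answer draws. The tokens are constructed and unsigned; the tenant id is a placeholder, and the signature is deliberately not verified because this is an inspection aid, not an authorization check.

```python
import base64
import json
from typing import Optional

def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWT WITHOUT verifying the
    signature: fine for inspecting what was issued, never for trusting it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def granted_via(claims: dict, permission: str) -> Optional[str]:
    """Which claim carries `permission`: 'scp' for delegated permissions
    (space-separated string) or 'roles' for application permissions (list);
    None if the token carries neither, i.e. the Graph call will be denied."""
    if permission in claims.get("scp", "").split():
        return "scp"
    if permission in claims.get("roles", []):
        return "roles"
    return None

def fake_token(claims: dict) -> str:
    """Constructed, unsigned token for the demo; not issued by Azure AD."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

# Constructed claim sets: one delegated (authorization code flow), one
# app-only (client credentials). Tenant id is a placeholder.
DELEGATED = {"tid": "00000000-0000-0000-0000-000000000000",
             "scp": "Directory.AccessAsUser.All User.Read"}
APP_ONLY = {"tid": "00000000-0000-0000-0000-000000000000",
            "roles": ["Directory.ReadWrite.All"]}

if __name__ == "__main__":
    for name, claims in (("delegated", DELEGATED), ("app-only", APP_ONLY)):
        found = granted_via(decode_jwt_claims(fake_token(claims)),
                            "Directory.AccessAsUser.All")
        print(f"{name}: Directory.AccessAsUser.All via {found}")
```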
