Please is there a kind of role that I can give to someone that uses my App services and he will not be able to have access to the "Get Publish Profile" . Is there a way I can restrict access to the "Get Publish Profile" tab.
I have tried the Microsoft.Web/sites/publishxml/Action to a custom role, but the users still have access to the tab.
Please your help will be appreciated.
Is there a way I can restrict access to the "Get Publish Profile" tab?
No, there isn't a built-in role like WebSite Contributor that you can set to restrict access to the Get Publish Profile.
But you can follow this document to either allow or deny Microsoft.Web/sites/publishxml/Action using custom role , which is the preferred method and then assign the role to the designated users.
Related
So, I have a WPF application, and I wanted to integrate SSO to it.
I successfully made it with "App registration" under Azure.
But now I have a problem, the users under the Azure AD can successfully connect to the app, but I want to specify which users in my AD can access to this app.
I didn't find any way to do this, and I see that in "Enterprise application" we can do so.
I wanted to know if there is any way to do it with "App registration" or if I must switch to use "Enterprise Application" and if so how can I handle the authentication in my WPF app .
In my case I use this to authenticate in the wpf app with "Tenant" and "clientId" from the app registration:
PublicClientApp = PublicClientApplicationBuilder.Create(ClientId)
.WithRedirectUri("https://login.microsoftonline.com/common/oauth2/nativeclient")
.WithAuthority(AzureCloudInstance.AzurePublic, Tenant)
.Build();
authResult = await PublicClientApp.AcquireTokenInteractive(scopes)
.ExecuteAsync();
The "registered application" is just a notification to the AAD that this application uses AAD for authentication. Once your user logs in, you can check that the user belongs to a security group that is allowed permission to use the application. There may be a better way to do this, but I check in the application itself.
To grant access only for a specific subset of users/groups in Azure AD you should create "Enterprise Application" and assign necessary users/groups to it like in this example.
Also you will need to configure single sign-on (SSO) and ensure that app's "User assignment required" property is enabled. All the steps are described here
My AD tenant has user consent disabled, i.e., all permissions added to AD app registration need an admin consent.
For an application using static permissions/scopes (v1.0 OAuth/OpenId endpoint), is it possible to add new permissions such that until the admin consent is granted, users can continue using features which require only the existing consented scopes?
Microsoft docs say: "The app needs to know all of the resources it would ever access ahead of time. It was difficult to create apps that could access an arbitrary number of resources." Does it mean that for my scenario, all users need to wait for admin consent before they can access the app?
I receive the below error when a user tries logging in to the app using the Open ID Connect flow. For reference, my login URL is similar to https://login.microsoftonline.com/{tenant}/oauth2/authorize?response_type=id_token&client_id=b8ad6a99-cd23-40a6-a1b4-1184af990aa2&redirect_uri=https%3A%2F%2Flocalhost%2F&state=13ccfb84-cfd1-4cb0-bfe3-bb2c227e19f7&client-request-id=4d76947a-0000-48af-aeff-7bc2d5e40000&x-client-SKU=Js&x-client-Ver=1.0.17&nonce=ef1caa16-d3fe-4523-a9c9-000000000000
is it possible to add new permissions such that until the admin consent is granted, users can continue using features which require only the existing consented scopes?
Yes, you can.
When the admin consent the API permission of an AD App(App registration), the permissions essentially will be given to the service principal(Enterprise application) in your AAD tenant. Actually if you use the AD App in your tenant, the permissions are essentially from the service principal.
You could refer to the screenshot below, there are four permissions, the two permission has been granted.
Navigate to the Overview, click the option Manage application in local directory.
Then in the Permissions, you will find the two permissions which have been consent.
When you add the new scopes, the app will keep working, but it will only be able to access the old scopes until the admin consents to the new scopes.
Thanks!
Alex Simons
According to this page, admin consent should not be required for a native app using Directory.AccessAsUser.All
As a side note, for native applications, this permission behaves like a User permission instead. A native app does not have an identity per se, and it is already doing the direct user’s bidding anyway. It stands to reason that the app should be able to do what the user is able to do, just as happens on-premises when a classic native client (say Word or Excel) can or cannot open a document from a network share depending on whether the user has the correct permissions on that folder.
I'm not seeing this in practice. The "API Permissions" page in Azure portal warns me that admin consent will be required, and users attempting to sign in using my app also get told that admin consent is required.
I haven't provided a Web redirect URL, just checked https://login.microsoftonline.com/common/oauth2/nativeclient under the Public Clients section - i'd expect this to be enough for admin consent not to be required, but it doesn't seem to be the case.
Is the doc above wrong, or am I missing something?
That page is wrong, consent framework doesn't allow a permission to be Admin/User.
If it is marked Admin, it requires admin consent.
That may have been right in the past though.
i am developing an app.i am using google provisioning api in this app.in documentation it is mentioned that admin account can acces provisioning app.there are various types of admin accounts in google apps for example
1.Super Admin
2.Groups Admin
3.User Management admin
4.Help Desk Admin
5.Services Admin
in these all profiles in which accounts we can enable provisioning api .please reply
You need to create a custom role and assign it permissions from the Provisioning API section (at the very bottom of the list of possible permissions. Delegated users who are granted rights to perform actions in the Control Panel will not be able to perform the same actions via the API unless explicitly assign Provisioning API permissions for their role.
See this help article for more details.
Jay
I am working on an implementation in Salesforce for a customer which involves setting up partner module. We cannot setup access rights on User object standard fields based on profiles, and using partner login info, you can access all user info from Dataloader or Apex Explorer, which looks like a security hole in Salesforce.
Does anyone faced this issue before or has a workaround?
If I am understanding you correctly, your concern is that you can access all of the User records using the Login information provided by your customer.
I agree that this is a security issue, but I don't believe it is Salesforce specific as much as the security practices of your customer. If the user credentials won't need to access information via the data loader or Apex Explorer, then they should remove the "API Enabled" permission from the profile. If the credentials should only have API Access they should turn on the "API Only User" permission on the profile.
What it comes down to is they need to restrict the "un-trusted" users to only the permissions and access levels that they need. I have found the profile permissions to be capable of meeting all of my security needs.