AD provisioning says that "A required attribute is missing from a response", but it does exist in the response - active-directory

I'm working on implementing SCIM 2.0, as I need to use it to provision users in my system that are stored in Azure AD. I have set it up and when I try to manually provision a user, I get this error:
The user is successfully provisioned on the client side, as you might guess from the error message - it's not an issue with the request.
I am guessing that the issue is with where the identifier is located, since the Identifier attribute is included in the response that is in the error message.
I've googled this error and I can find general tutorials for AD SCIM implementations, but I haven't been able to find anything about this specific error.
Here's a pretty-printed version of the response:
{
  "totalResults": 1,
  "startIndex": 0,
  "itemsPerPage": 1,
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:ListResponse"
  ],
  "Resources": [
    {
      "emails": [
        {
          "type": "work",
          "value": "perrin@***.com",
          "primary": true
        }
      ],
      "Identifier": "1072",
      "meta": {
        "meta": "/scim/v2/Users/1072",
        "resourceType": "User"
      },
      "schemas": [
        "urn:ietf:params:scim:schemas:core:2.0:User"
      ],
      "name": {
        "familyName": "Aybara",
        "givenName": "Perrin"
      },
      "active": true,
      "id": "1072",
      "userName": "perrin@***.com"
    }
  ]
}

• As you are provisioning a user manually through SCIM functionality of Azure AD, the issuer identity, i.e., Azure AD is identified by an iss claim in the token received after successfully provisioning the user from Azure AD. Example of it is as below: -
"iss":https://sts.windows.net/cbb1a5ac-f33b-45fa-9bf5-f37db0fed422/
where ‘https://sts.windows.net’ is the URL of the issuer, i.e., Azure AD and the ‘cbb1a5ac-f33b-45fa-9bf5-f37db0fed422’ is the unique identifier of the Azure AD tenant for which it was issued. This token was issued for the application template ID of the app configured for provisioning in enterprise applications.
• Also, please note that if the query to provision an Azure AD user with the ‘create’ action in the client app web service, with an ‘externalId’ attribute value that matches the ‘mailNickname’ attribute value of a user, doesn't return any users (as in your case, shown in the image), then AAD requests that the web service provision a user corresponding to the one in AAD. The user provisioned from Azure AD is assigned an identifier value when the provisioning succeeds and returns an instance of the Microsoft.SCIM.Core2EnterpriseUser class with an identifier attribute indicating the user provisioned. Thus, since the user identifier value is missing as shown in the image, please run the below command to query whether the user was created successfully or not.
GET ~/scim/Users/54D382A4-2050-4C03-94D1-E769F1D15682 HTTP/1.1
Authorization: Bearer ...
In a request to retrieve the current state of the user provisioned, the values of the properties of the object provided as the value of the parameters argument are as follows:
Identifier: "54D382A4-2050-4C03-94D1-E769F1D15682"
SchemaIdentifier: "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
• Request you to try again to provision the user and query to request the current state of the user regarding its reference attribute. Also, send a request from Azure AD to the SCIM service to update the user in its datastore. Here is an example of the request sent from Azure AD to the SCIM service: -
PATCH ~/scim/Users/54D382A4-2050-4C03-94D1-E769F1D15682 HTTP/1.1
Authorization: Bearer ...
Content-type: application/scim+json
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "Add",
      "path": "manager",
      "value": [
        {
          "$ref": "http://.../scim/Users/2819c223-7f76-453a-919d-413861904646",
          "value": "2819c223-7f76-453a-919d-413861904646"
        }
      ]
    }
  ]
}
Please find the detailed steps in the link as below: -
https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/use-scim-to-provision-users-and-groups#handling-provisioning-and-deprovisioning-of-users

This error generally shows up when there is something invalid with the format of the JSON payload. From looking at this one, I suspect it's your inclusion of "Identifier" as this is not defined in the core SCIM schema docs, and specifically may be causing issues if it overlaps with something else in the provisioning service. "id" is the correct attribute to use.

After playing around with it, the issue was not that the resources were missing anything; it was the ListResponse itself that needed an ID. If I add
"id": "urn:ietf:params:scim:api:messages:2.0:ListResponse"
to the top-level object (along with totalResults, etc.), it is processed as expected.
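As an added example (not code from the question, the answers or the Azure AD documentation), a small Python checker for the attributes the accepted answer found Azure AD expects in a SCIM ListResponse, plus a builder for the shape that worked. The sample user and its e-mail domain are constructed; the core-attribute allowlist follows RFC 7643 section 4.1.

```python
LIST_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:ListResponse"
USER_SCHEMA = "urn:ietf:params:scim:schemas:core:2.0:User"
# Top-level attribute names of the core User resource (RFC 7643, section 4.1);
# anything else, e.g. the "Identifier" key from the question, is flagged.
CORE_USER_ATTRS = {
    "schemas", "id", "externalId", "meta", "userName", "name", "displayName",
    "nickName", "profileUrl", "title", "userType", "preferredLanguage", "locale",
    "timezone", "active", "password", "emails", "phoneNumbers", "ims", "photos",
    "addresses", "groups", "entitlements", "roles", "x509Certificates",
}


def check_list_response(doc: dict) -> list:
    """Return a list of problems; an empty list means the response looks acceptable."""
    problems = []
    if LIST_SCHEMA not in doc.get("schemas", []):
        problems.append("top-level 'schemas' must include the ListResponse URN")
    for key in ("totalResults", "Resources"):
        if key not in doc:
            problems.append(f"top-level '{key}' is missing")
    # RFC 7644 does not require an id on a ListResponse, but the accepted answer
    # found that Azure AD rejects the response without one.
    if "id" not in doc:
        problems.append("top-level 'id' is missing (Azure AD reports a required attribute as missing)")
    for i, res in enumerate(doc.get("Resources", [])):
        if "id" not in res:
            problems.append(f"Resources[{i}] has no 'id' attribute")
        if USER_SCHEMA in res.get("schemas", []) and "userName" not in res:
            problems.append(f"Resources[{i}] is a User but has no 'userName'")
        for key in res:
            # extension schema URNs are valid keys, so only bare names are checked
            if key not in CORE_USER_ATTRS and not key.startswith("urn:"):
                problems.append(f"Resources[{i}] has unknown attribute '{key}'")
    return problems


def build_list_response(users: list) -> dict:
    """Wrap User resources in the ListResponse shape the accepted answer found Azure AD accepts."""
    return {
        "schemas": [LIST_SCHEMA],
        "id": LIST_SCHEMA,  # the workaround from the accepted answer
        "totalResults": len(users),
        "startIndex": 1,  # SCIM page indexes are 1-based (RFC 7644, section 3.4.2.4)
        "itemsPerPage": len(users),
        "Resources": users,
    }


# Constructed sample resource modelled on the question's response; the domain is a placeholder.
SAMPLE_USER = {
    "schemas": [USER_SCHEMA], "id": "1072", "userName": "perrin@example.com",
    "name": {"familyName": "Aybara", "givenName": "Perrin"}, "active": True,
    "emails": [{"type": "work", "value": "perrin@example.com", "primary": True}],
}
```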

Related

Azure AD Directory Extensions claims missing

I have added about 18 extension claims to my access token. Based on the application state you may get different claims from this list. I'm sure that those claims have some values assigned. But for some reason, I'm not receiving all of them as part of my JWT Access token. I can get these values using graph API.
Example of extension claim from jwt token:
"extn.***_**_CreatedDate": [
  "30/09/2022 12:21:01 PM +00:00"
]
Example of application manifest token configuration:
"optionalClaims": {
  "idToken": [
    {
      "name": "extension_someguid_***_***_CreatedDate",
      "source": "user",
      "essential": false,
      "additionalProperties": []
    }
  ]
}
Are there any limits on the number of claims/extension claims added to an AAD access token?
If the application sends the claims with data in the form of an extension attribute registered on a different application, a claims mapping policy must be used to map the extension attribute to the claim.
New-AzureADPolicy -Definition @('{
  "ClaimsMappingPolicy": {
    "Version": 1,
    "IncludeBasicClaimSet": "true",
    "ClaimsSchema": [
      {
        "Source": "user",
        "ID": "employeeid",
        "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/employeeid",
        "JwtClaimType": "employeeid"
      },
      {
        "Source": "company",
        "ID": "tenantcountry",
        "SamlClaimType": "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/country",
        "JwtClaimType": "country"
      }
    ]
  }
}') `
  -DisplayName "ExtraClaimsExample" `
  -Type "ClaimsMappingPolicy"
accessTokenAcceptedVersion must be set to a supported value (1, 2, or null), depending on the issuer endpoint obtained from the token.
"acceptMappedClaims" must be set to true for a single-tenant app.
Also make sure to put the claims under accessToken in the manifest.
Note:
If you want to have the claims in the access token then you may need to modify the manifest of the resource app, i.e. if you have a web app that calls Web API B and you want the claims in the access_token, then you need to modify the manifest of Web API B.
Only extension attributes on user objects can be used for emitting claims to applications.
When adding claims to the access token, the claims emitted are for a web API and not requested by the application. So you will be able to see only the claims emitted for access tokens requested for the application webApi.
Reference: Use Azure AD directory extension attributes in claims - Microsoft Entra | Microsoft Learn

Azure Access Package direct assignment with approval

In the Azure Portal, I can navigate to Identity Governance | Access Packages | Access Package and then create a direct assignment for a user. The Azure Portal allows me to specify whether or not approvals are applied to the assignment request.
I can also create a direct assignment request using the Microsoft Graph, but I cannot figure out how to apply approvals to this request. Requests from the Graph seem to always bypass the approval policy.
Using Fiddler and the Azure Portal (ref screenshot above), I can see that the following JSON payload is POSTed to the Graph. So I took that exact same JSON payload and POSTed it with the Graph Explorer, but the approval process is still being bypassed.
POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentRequests
{
  "accessPackageAssignment": {
    "target": {
      "objectId": "5eaf3cdc-3859-40a1-bd48-583da94d16b3",
      "type": "User"
    },
    "assignmentPolicyId": "3261eff8-1e91-426d-93dd-55f196a593a4",
    "accessPackageId": "d14d6f8c-458f-4a1c-926a-38f4c5e63fe8"
  },
  "justification": "testing",
  "requestType": "AdminAdd",
  "parameters": [
    {
      "name": "IsApprovalRequired",
      "value": "true"
    }
  ]
}
How can I achieve the same behavior as the Azure Portal (i.e., direct access package assignment with approval)?
The request body contains an accessPackageAssignmentRequest object which has a property assignmentPolicyId; the assignmentPolicyId property identifies the accessPackageAssignmentPolicy, and this policy has a definition for requestApprovalSettings. approvalSettings contains isApprovalRequired.
By the way, what you mentioned is the beta version of the API, which is not recommended; the v1.0 version may be better.

Tenant 'xxx' not found while calling MS Graph API on behalf of a user

I'm trying to implement the on-behalf-of flow with Azure AD following this Microsoft sample documentation. All is good on the client side, but on the service app side (the Azure function that obtains another access token on the user's behalf and calls the MS Graph API on the user's behalf again), it fails to obtain a new access token (getNewAccessToken) and shows:
{
  "error": "invalid_request",
  "error_description": "AADSTS90002: Tenant 'xyz' not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID. Check with your subscription administrator.\r\nTrace ID: xxx \r\nCorrelation ID: yyy \r\nTimestamp: 2021-01-04 07:17:15Z",
  "error_codes": [
    90002
  ],
  "timestamp": "2021-01-04 07:17:15Z",
  "trace_id": "xxx",
  "correlation_id": "yyy",
  "error_uri": "https://login.microsoftonline.com/error?code=90002"
}
Any clue how to solve this issue?
Based off your error message, you can navigate to your Azure Active Directory and make sure your TenantID matches what's in your application.
Error Message:
AADSTS90002: Tenant 'xyz' not found. This may happen if there are no active subscriptions for the tenant. Check to make sure you have the correct tenant ID.

Azure AD: Grant an appRoleAssignment for a service principal is failing with "code": "Request_ResourceNotFound"

I am trying to create a "service principal" for application and to grant admin consent for the permissions using Microsoft graph API.
I followed the following steps:
Created application in a tenant using graph API. My request body is:
{
  "displayName": "AppWithPermissions",
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000002-0000-0ff1-ce00-000000000000",
      "resourceAccess": [
        {
          "id": "dc890d15-9560-4a4c-9b7f-a736ec74ec40",
          "type": "Role"
        }
      ]
    }
  ]
}
Created a service principal for the above-created application. The creation was successful.
Now, I want to grant admin consent to each assigned permission programmatically using graph API.
To grant application permissions, I created an app role assignment in the appRoleAssignedTo collection of the API's service principal:
The request was as follows:
Post request:
https://graph.microsoft.com/v1.0/servicePrincipals/{id}/appRoleAssignedTo
Request body:
{
  "principalId": "principal_id",
  "resourceId": "resource_id",
  "appRoleId": "approle_id"
}
Here,
"principal_id" is the "id" of the service principal created in step 2 above.
"approle_id" is the id of the appRole you want to grant (taken from the "id" value in the "resourceAccess" array present in "requiredResourceAccess").
"id" in the HTTP request URL and "resource_id" are the same (taken from the "resourceAppId" value in "requiredResourceAccess" which corresponds to the "approle_id" given above).
After running the query, I am getting error 404.
"code": "Request_ResourceNotFound"
for the "resource_id"/"id" field.
Adding screenshots for better understanding (not reproduced here): app creation; service principal creation; granting an appRoleAssignment for a service principal.
I am confused about which IDs to use where and didn't get a clear idea from the documentation. Can anyone please resolve my query? Thanks in advance.
It looks like you're using the appId instead of the id value.
In an app role assignment, resourceId is the id of the servicePrincipal for the resource app (in your case, the API). In an application object's requiredResourceAccess, you use appId, which is a different value.
To find the id of a service principal for which you know the appId:
GET https://graph.microsoft.com/v1.0/servicePrincipals?$filter=appId eq '{app-id}'
The response will contain the id property of the servicePrincipal object, and you can use that when creating the app role assignment.
The document description is not very clear.
In simple terms:
principalId: Usually your service principal id.
resourceId: Usually your service principal id.
appRoleId: For appRoleId you can find it by requesting GET https://graph.microsoft.com/v1.0/servicePrincipals/{id}.
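An added example (not from the question or the answers) that resolves the appId/id distinction the first answer describes in Python: the resource's servicePrincipal id is looked up from its appId, the role is checked against that service principal's appRoles, and the appRoleAssignedTo request is assembled. The Graph client is injected, so the flow runs here against a constructed stand-in; all ids and the role value are placeholders.

```python
GRAPH = "https://graph.microsoft.com/v1.0"


def find_service_principal(get, app_id: str) -> dict:
    """Look up the servicePrincipal for an appId; its 'id' is the value assignments need."""
    # a real client must URL-encode the $filter; the stub below reads the raw string
    url = f"{GRAPH}/servicePrincipals?$filter=appId eq '{app_id}'"
    hits = get(url).get("value", [])
    if len(hits) != 1:
        raise LookupError(f"expected one service principal for appId {app_id}, got {len(hits)}")
    return hits[0]


def build_app_role_assignment(get, client_app_id: str, resource_app_id: str, app_role_id: str):
    """Return (url, body) for POST /servicePrincipals/{resource-sp-id}/appRoleAssignedTo.

    Both appIds come from the application object (its own appId and
    requiredResourceAccess[].resourceAppId); the Graph ids are resolved here."""
    client_sp = find_service_principal(get, client_app_id)
    resource_sp = find_service_principal(get, resource_app_id)
    # the role must be one the resource app actually exposes, i.e. listed in its appRoles
    if app_role_id not in {r["id"] for r in resource_sp.get("appRoles", [])}:
        raise ValueError(f"appRole {app_role_id} is not defined on {resource_app_id}")
    url = f"{GRAPH}/servicePrincipals/{resource_sp['id']}/appRoleAssignedTo"
    body = {"principalId": client_sp["id"], "resourceId": resource_sp["id"], "appRoleId": app_role_id}
    return url, body


# Constructed stand-in for Graph so the flow runs offline; every id here is a placeholder.
CLIENT_APP_ID, RESOURCE_APP_ID, ROLE_ID = "app-client-0001", "app-resource-0002", "role-0003"
FAKE_TENANT = {
    CLIENT_APP_ID: {"id": "sp-client-0001", "appId": CLIENT_APP_ID, "appRoles": []},
    RESOURCE_APP_ID: {"id": "sp-resource-0002", "appId": RESOURCE_APP_ID,
                      "appRoles": [{"id": ROLE_ID, "value": "Sample.Read.All", "isEnabled": True}]},
}


def fake_graph_get(url: str) -> dict:
    """Answer the $filter query the way Graph does: a 'value' array of servicePrincipals."""
    app_id = url.split("'")[1]
    return {"value": [FAKE_TENANT[app_id]] if app_id in FAKE_TENANT else []}
```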

Write requests are only supported on contained entities, Microsoft Graph API when trying to PATCH/POST to assign AD App role to user

I'm trying to assign app-specific roles to a user in our AD group using Microsoft Graph.
The link I'm sending the request to:
https://graph.microsoft.com/beta/users/{oID of the user I want to assign the role to}/appRoleAssignments/{Object ID of the AD enterprise app}
Inside the request:
{"id": "ID of the role I'm trying to assign to the user"}
The error:
"code": "BadRequest",
"message": "Write requests are only supported on contained entities",
The documentation doesn't define parameters in the example well and I've tried various possibilities but this is the only meaningful result I've gotten.
This isn't currently supported by Microsoft Graph. To create app role assignments, you'll need to use Azure AD Graph:
POST https://graph.windows.net/myorganization/users/{user-object-id}/appRoleAssignments
{
  "principalId": "{user-object-id}",
  "resourceId": "{service-principal-object-id}",
  "id": "{app-role-id}"
}
