As per below link, we can assign Global Administrator or Security Administrator role in Azure AD to an user and that provides full access to Microsoft Cloud App Security portal.
https://learn.microsoft.com/en-us/cloud-app-security/manage-admins#office-365-and-azure-ad-roles-with-access-to-cloud-app-security
However, with these roles users get privileged admin access to other features of Azure AD as well. We want restrict the role to provide full access in Microsoft Cloud App Security portal only. Is it possible to create a custom role with permissions only for Microsoft Cloud App Security?
Unfortunately it's not supported to create a custom AAD role with the full access permission of Microsoft Cloud App Security portal.
Currently, permissions for Application registrations and Enterprise applications are supported in custom roles. See the details here.
The full access permission of Microsoft Cloud App Security portal should be microsoft.directory/cloudAppSecurity/allProperties/allTasks. You can see that it's not listed in the page when I try to look for it in Azure portal.
You can query microsoft.directory/cloudAppSecurity/allProperties/allTasks in this page and choose the one with the least permissions to assign to users who need to be assigned the Cloud App Security portal administrator role.
Recently Microsoft has came up with a new role named "Cloud App Security Administrator". This role provides full admin access to MCAS without providing any privileged access other Azure AD configurations. Didn't find any documentation, but it is visible in Azure AD portal.
Related
I am following a tutorial Build Java apps with Microsoft Graph
and after using my personal account for Azure AD to register the application. I am not able to sign in using my personal account but I set the support account as 'Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts. Any help?
Screenshot
You need to change the /tenant id endpoint to the /common endpoint.
The /tenant id endpoint only allows users with work/school accounts
of a specific Azure AD tenant to log in to the application. It does
not support personal accounts.
Only the /common endpoints will allow personal Microsoft accounts to
log in to the application.
Is it possible to access sharepoint online from desktop app with azure ad token, but as a currently logged user?
I already registered client app in the azure ad and i'm able to connect to share point when the api permissions are set to "Application permissions", but when i set the permissions to "Delegated permissions" I can't access sharepoint site.
What i need is a way to create sp ClientContext based on the token i get from the azure. I know it's possible to try with SharePointOnlineCredentials, but i don't want to mess with users credentials.
To get the Access Token for Azure, pls use the below article.
active-directory-dotnet-native-headless
Below are the steps you have to follow:
Followed the steps mentioned in the article
Added Office 365 Sharepoint Online API access permissions for the App.
Selected necessary permissions for the App.
I'm using OpenID Connect to authenticate users according to https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc. I registered application in Azure AD and there are following user consents defined:
The problem is that only 3 users are authenticated while others get error 90094 with message:
Need admin approval
App needs permission to access resources in your organisation that
only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
These 3 users who can sign-in are the ones who granted "Sign users in" and "Sign in and read profile" permissions (visible under "Granted By" column links on the screenshot) and this is the only difference in Azure configuration between them and the rest who cannot sign-in. All of users have been added to app through "Users and groups" page with the same roles. All users are from the same company's directory. Api permissions looks like following
Moreover I have setting
I don't know how to grant permissions to other users and I don't know how to extend list of permissions visible on the screenshot.
Any ideas?
I wonder if any changes in Azure Portal happened since November 2019 when I created and configured that app. There where no changes in my permissions since that time, so I didn't have more power that time. I've read various documentation on MSDN about consents and permissions but didn't find solution.
You are not the admin of your Azure AD tenant.
Please see this reference: Disable or enable user consent from the Azure portal.
I see that you have the setting: Users can consent to apps accessing company data on their behalf. But if you don't Enable the admin consent workflow, when the application is requesting permissions that the user is not allowed to grant, the users still can't consent to the apps by themselves.
Another method is that you need to use an admin account to log into Azure portal. And then grant admin consent for your tenant.
I am a developer working on an application that will access O365 data via the Graph API. I have registered an application under my company account. I have authentication working on a per-user basis. Now I am trying to get it to work so that a tenant administrator can grant permission to my application for data access on an organization-wide basis. I have this working as well - I used the /adminconsent endpoint to bring the administrator to a page where he granted the consent.
What I am wondering about is the line in the documentation that says "You can rely on an administrator to grant the permissions your app needs at the Azure portal". I am trying to figure out what that procedure is so I can document it for admin users. I thought perhaps it was to go to App Registrations - there I see an option to create a new registration. But this has it's own Client Id. Don't I somehow have to give it the Client Id of my own application? Or is the idea that the tenant admin will supply the Client Id of his app to my app? Or am I in the wrong area altogether?
BTW in case it is relevant, I am not using any authentication library, just making direct http calls from a C++ program running on the Windows desktop.
Per my understanding, your application is an multi-tenant application. Only you or the administrators in your tenant can grant the permissions to your application. The administrators from other tenants can grant consent to use your application, but they can not control the permissions.
Update:
You can grant admin consent by calling admin consent endpoint.
https://login.microsoftonline.com/common/v2.0/adminconsent?
client_id={your_tenant_client_id}
&state=12345
&redirect_uri=http://localhost/myapp/permissions
&scope=
https://graph.microsoft.com/.default
If you want to grant admin consent via Azure portal. The application must already been provisioned in your tenant. For example, an app could be provisioned in your tenant if at least one user has already consented to the application.
We have an Azure Web App published that includes pages with Excel Add In integration using the Office.JS library. We've secured the Web App using Azure AD authorization and it is working well as long as the user it logged into Office/Excel with the same domain credentials. How can we allow our customers who are logged into Office with their companies credentials get access to our Add In site using credentials within our domain? Federating the 2 domains would work but isn't an option in most cases.
You could use Azure B2B to invite your customers as guest users in your AAD.
You could invite the user by using the Azure portal as an Azure AD administrator.
Azure Active Directory > Users > All users > add New guest user
For the details, you could read here.
Or you could use the powershell:
New-AzureADMSInvitation -InvitedUserDisplayName "Sanda" -InvitedUserEmailAddress sanda#fabrikam.com -InviteRedirectURL https://myapps.azure.com -SendInvitationMessage $true
For the details, please refer to this docs.
If you want to bulk invite users, you could create a CSV file, and then use the powershell to import it. For the details, you could read bulk invite B2B.