Add AzureAD ApplicationID in BookinPolicy - azure-active-directory

Could someone please confirm whether I can add an AzureAD applicationID in the Exchange room BookInPolicy?
Something like below:
set-calendarprocessing "Room Mailbox1" -BookinPolicy "0deb4a5b-a50c-6658-253d-d3388c9adada"

Per my understanding, you want to specify a service principal so that it is allowed to submit in-policy meeting requests to the resource mailbox that are automatically approved.
In theory, you should put the object id of the service principal (not the AzureAD applicationID) into the cmdlet.
But whichever ID (object id of the service principal or AzureAD applicationID) you put here, it is not supported.
The supported values for this property are users and groups only:

Related

Inviting a consumer to Azure AD B2C with custom in-app attributes

Inviting a consumer user to Azure AD B2C has been covered by other Stack Overflow questions & answers, and AFAIK requires the use of custom policies that entail a signed JWT being created and used during invite redemption.
What I'm trying to figure out: In our application, we have differently permissioned user groups and different organisations managed by internal RBAC logic. We identify & authorize users based on their oid claim in the access token that's returned to msal-react/msal-browser and used to authenticate against our backend's API.
In Microsoft Graph, a user can be invited and the API will respond with the created user's oid. However, this is the wrong type of user and not appropriate for B2C scenarios.
With the custom policy route not creating the user object in AAD B2C at the time of invite, and therefore without knowing the user's oid at the time of inviting them to the application, what might be the best way to configure their in-app profile and have them identifiable to the application itself upon first login?
My thought at the moment is to have the application store the emails of users that are invited who have not yet redeemed/signed-in. We can configure the emails claim to be returned upon login, which is checked against the invited emails store when an oid claim is returned that isn't present in the database. This can then trigger a function to update the user's internal id with the oid in their first login's claim.
If this is inadvisable or if there's a better way, I'd be very grateful to hear it.
It would work, or just pre-create the user up front via the MS Graph API. Then you have an email and objectId available.
You could also put an extension attribute on the account indicating whether the user has redeemed their invite. That would allow you to monitor who has redeemed, and also be a way to provide a different experience depending on if the user has redeemed or not redeemed the link.
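The first-login reconciliation the question proposes, written out as an added example (it is not code from the question, the answer, or any Microsoft library). Invited addresses are kept in an in-memory dict standing in for the application's database; the claim names oid, emails and email follow the B2C token claims mentioned in the thread, and everything else (profile fields, the store API) is an assumption. The claims passed in must come from a token the backend has already validated: the store only maps claims to a profile, it does not authenticate.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Profile:
    internal_id: int
    email: str                 # normalized invited address
    org: str
    role: str
    oid: Optional[str] = None  # bound on first login
    redeemed: bool = False


class InviteStore:
    """In-memory stand-in for the application's user table (assumed)."""

    def __init__(self):
        self._by_email = {}
        self._by_oid = {}
        self._next_id = 1

    @staticmethod
    def _norm(email):
        return email.strip().lower()

    def invite(self, email, org, role):
        key = self._norm(email)
        if key in self._by_email:
            raise ValueError(f"{key} already invited")
        profile = Profile(self._next_id, key, org, role)
        self._next_id += 1
        self._by_email[key] = profile
        return profile

    def resolve_login(self, claims):
        """Map the claims of an already validated token to a Profile, or None.

        Known oid: returning user. Unknown oid: bind it to a pending invite
        whose e-mail matches one of the token's email claims. A redeemed
        invite is never rebound, so a second account carrying the same
        address cannot take over the first account's in-app profile.
        """
        oid = claims.get("oid")
        if not oid:
            return None
        profile = self._by_oid.get(oid)
        if profile is not None:
            return profile
        # B2C issues 'emails' as a list; some policies emit a scalar 'email'
        emails = claims.get("emails") or []
        if isinstance(emails, str):
            emails = [emails]
        emails = list(emails)
        if claims.get("email"):
            emails.append(claims["email"])
        for addr in emails:
            pending = self._by_email.get(self._norm(addr))
            if pending is not None and not pending.redeemed:
                pending.oid = oid
                pending.redeemed = True
                self._by_oid[oid] = pending
                return pending
        return None  # never invited, or invite already redeemed by another oid
```

Addresses are compared case-insensitively, and a lookup that finds no pending invite returns None so the caller can refuse the login instead of silently creating a profile with no organisation or role.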

Where does AzureAD store the "id" attribute returned by a SCIM endpoint?

I am integrating AzureAD with a SCIM endpoint. So far the integration seems to work: AzureAD sends "POST" requests to create users, then later it queries/updates users using their 'id'.
Reminder from the SCIM standard (RFC 7643): the 'id' is
A unique identifier for a SCIM resource as defined by the service provider
My SCIM endpoint generates this unique ID when the user is first created. It sends this ID to AzureAD in the reply, as required by the standard. I know that AzureAD stores the ID somewhere, because it uses it in subsequent requests.
My question: where is this ID stored in AzureAD? I need to read it, so I can forward it somewhere else. Using Graph Explorer I tried a lot of properties:
https://graph.microsoft.com/v1.0/me?$select=id,userPrincipalName,extensions,employeeId,externalUserState,identities,externalId
But none of them work. They are empty or do not contain the SCIM id.
Does anyone know if the property is publicly available?
Azure AD Provisioning has an internal data store, not exposed via any external/customer-facing APIs, where this is stored. If the service is evaluating an object that it does not know the SCIM ID value for, it will try to locate that using a filtered GET such as GET /Users?filter=userName eq "user#domain.com", but once it has located that object the service will store internally a record stating that object X in Azure AD with objectId value of 123 is matched to object Y with ID value of 456.
To specifically answer your end goal of "I need to find this value in Azure AD and forward it somewhere else" - this is not possible.
It is not, as you think, that AAD saves the user id from SCIM.
You can use Provision on demand to understand how it works.
Simple steps:
Click on "Provision on demand" in SCIM enterprise app.
Then select an AAD user and click on "Provision".
After it is executed successfully, you will be able to see the following:
1. Import user: retrieves the user from Azure Active Directory.
2. Determine if user is in scope: determines whether the user is in scope by evaluating it against each scoping filter.
3. Match user between source and target system: retrieves the user from SCIM and matches it with the AAD user from step 1. This is the point you didn't know about before: AAD gets the user by a query in this step.
GET /Users?filter=userName eq "{userName}"
Then the user id from SCIM is returned (as the screenshot above shows).
4. Perform action: updates the user in SCIM using the id from step 3.
So AAD doesn't store the id from SCIM. It first queries the user in SCIM to get the id and then uses this id to send the update request to the SCIM endpoint.
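The match-then-update cycle both answers describe, as an added example (not code from the answers, from Microsoft, or from any SCIM library). A tiny in-memory SCIM service provider generates its own 'id' as RFC 7643 requires, and a provisioning routine locates the user with the filtered GET from the answers (userName eq "..."), then updates it by that id. Request and response shapes are simplified to Python dicts, the only filter grammar handled is the single userName eq "value" form shown above, and the AAD user record passed in is constructed for the example.

```python
import re
import uuid


class ScimServiceProvider:
    """Minimal in-memory /Users endpoint. The 'id' is generated here, never by the client."""

    _FILTER = re.compile(r'^userName\s+eq\s+"([^"]*)"$', re.IGNORECASE)

    def __init__(self):
        self._users = {}  # id -> resource

    def post_user(self, resource):
        if any(u["userName"].lower() == resource["userName"].lower() for u in self._users.values()):
            return 409, {"status": "409", "scimType": "uniqueness"}
        rid = str(uuid.uuid4())
        stored = dict(resource, id=rid)
        self._users[rid] = stored
        return 201, stored

    def get_users(self, filter_expr):
        match = self._FILTER.match(filter_expr or "")
        if match is None:
            return 400, {"status": "400", "scimType": "invalidFilter"}
        wanted = match.group(1).lower()
        hits = [u for u in self._users.values() if u["userName"].lower() == wanted]
        return 200, {"totalResults": len(hits), "Resources": hits}

    def patch_user(self, rid, operations):
        user = self._users.get(rid)
        if user is None:
            return 404, {"status": "404"}
        for op in operations:
            if op["op"].lower() == "replace":
                user[op["path"]] = op["value"]
        return 200, user


def provision(sp, aad_user):
    """One provisioning cycle for a single AAD user.

    Nothing about the SCIM id is persisted between calls: the user is
    re-located through the filtered GET every time, as the answers describe,
    and only then updated (or created) by id.
    """
    status, body = sp.get_users(f'userName eq "{aad_user["userPrincipalName"]}"')
    if status != 200:
        raise RuntimeError(f"match step failed: {body}")
    if body["totalResults"] == 0:
        status, created = sp.post_user({
            "schemas": ["urn:ietf:params:scim:schemas:core:2.0:User"],
            "userName": aad_user["userPrincipalName"],
            "displayName": aad_user["displayName"],
            "active": True,
        })
        if status != 201:
            raise RuntimeError(f"create failed: {created}")
        return "created", created["id"]
    if body["totalResults"] > 1:
        # Ambiguous match: refuse rather than update the wrong account.
        raise RuntimeError("more than one SCIM user matched the userName")
    scim_id = body["Resources"][0]["id"]
    status, updated = sp.patch_user(scim_id, [
        {"op": "Replace", "path": "displayName", "value": aad_user["displayName"]},
    ])
    if status != 200:
        raise RuntimeError(f"update failed: {updated}")
    return "updated", scim_id
```

The practical consequence for the question is that the id is only ever obtained by querying the SCIM endpoint itself; anything that needs it downstream has to get it from the service provider side, where it was generated. The ambiguous-match check matters because userName is the matching attribute: if the endpoint ever returns two resources for one filter, updating either one is wrong.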

Add RoleAssignment to a Resource Group programmatically

I'm implementing an application in Java that has access to Azure via a service principal and that creates some Resource Groups.
I would like, given an AD Group Name specified via configuration, to add a specific Role Assignment for that AD Group to the Resource Groups.
Is it feasible via the Azure Java SDK or do I need to use the REST APIs?
Which permissions does the service principal need to:
Read an AD group given its name
Assign a RolePermission to a newly created Resource Group for that AD Group
I need to ask our ActiveDirectory team which permission must be enabled for my service principal.
TIA
Best regards
I don't know if we can use the Java SDK to implement this requirement, but I know we can call the REST API to do it. Please refer to the steps below:
1. We need to get the id of the role definition by requesting this API: GET https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleDefinitions?api-version=2015-07-01
The URI parameter {scope} should be like /subscriptions/{your subscription id}/resourceGroups/{your resource group name}
For example, here I get the id of the "Contributor" role.
2. Then request this API: PUT https://management.azure.com/{scope}/providers/Microsoft.Authorization/roleAssignments/{roleAssignmentName}?api-version=2015-07-01 to create the role assignment (assign the Contributor role on the resource group to your AD group).
The {scope} should be /subscriptions/{your subscription id}/resourceGroups/{your resource group name} and you can specify a {roleAssignmentName} as you like (it should be a valid GUID).
The request body should be like below:
{
  "properties": {
    "roleDefinitionId": "{the id of Contributor role which we get in step 1}",
    "principalId": "{the object id of your AD group}"
  }
}
3. After finishing the two API requests above, we can see that the AD group has been assigned the "Contributor" role for the resource group.
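The two requests from the answer, written out as an added example in Python rather than the Azure Java SDK (it is not the answer's own code and not a Microsoft SDK). The HTTP transport is passed in as a callable so the builder functions can be exercised offline against a fake; the bearer token, subscription id, group object id and the responses in the test are made up. Two things go beyond what the answer shows and are assumptions on my part: the roleName filter on the roleDefinitions list (so the Contributor definition is found without paging through all of them), and the input validation before anything is interpolated into a URL.

```python
import json
import re
import uuid
import urllib.error
import urllib.parse
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2015-07-01"  # the api-version used in the answer
GUID_RE = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.IGNORECASE)


def rg_scope(subscription_id, resource_group):
    """Build the {scope} for a resource group, rejecting malformed input
    before it reaches a URL."""
    if not GUID_RE.match(subscription_id):
        raise ValueError("subscription id must be a GUID")
    if not re.match(r"^[-\w.()]{1,90}$", resource_group):
        raise ValueError("invalid resource group name")
    return f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"


def find_role_definition_id(send, token, scope, role_name):
    """Step 1: list role definitions visible at the scope, filtered by roleName."""
    flt = urllib.parse.quote(f"roleName eq '{role_name}'")
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/roleDefinitions"
           f"?api-version={API_VERSION}&$filter={flt}")
    status, body = send("GET", url, {"Authorization": f"Bearer {token}"}, None)
    if status != 200:
        raise RuntimeError(f"roleDefinitions list failed: {status} {body}")
    matches = [d for d in body.get("value", []) if d["properties"]["roleName"] == role_name]
    if len(matches) != 1:
        raise RuntimeError(f"expected exactly one '{role_name}' definition, got {len(matches)}")
    return matches[0]["id"]


def assign_role(send, token, scope, role_definition_id, principal_id, assignment_name=None):
    """Step 2: PUT a role assignment whose name is a fresh GUID."""
    if not GUID_RE.match(principal_id):
        raise ValueError("principalId must be the group's object id (a GUID), not its name")
    name = assignment_name or str(uuid.uuid4())
    if not GUID_RE.match(name):
        raise ValueError("roleAssignmentName must be a GUID")
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments/{name}"
           f"?api-version={API_VERSION}")
    body = {"properties": {"roleDefinitionId": role_definition_id, "principalId": principal_id}}
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, resp = send("PUT", url, headers, body)
    if status not in (200, 201):
        raise RuntimeError(f"roleAssignments PUT failed: {status} {resp}")
    return name, resp


def http_send(method, url, headers, body):
    """Standard-library transport for real use.
    Signature: send(method, url, headers, dict_or_None) -> (status, dict)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")
```

On the permissions part of the question: creating the assignment needs Microsoft.Authorization/roleAssignments/write at the resource group scope, which the built-in Owner and User Access Administrator roles carry and Contributor does not; resolving the group's display name to its object id is a separate Microsoft Graph call that needs a group-read permission such as Group.Read.All. Note also that the principalId written into the body must be that object id, which is why the example refuses anything that is not a GUID.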

IProfileService and Tenant

We have multi-tenant support, where a user can belong to more than one tenant and in each tenant he may have different Roles.
The client application uses acr_values to pass the tenant information.
Based on this information a Role claim needs to be added in IProfileService.
Please suggest how I can do that.
I saw lots of posts related to the same topic but none has the full information.
I am using IdentityServer4.
You might be able to get the acr values from the validated request property in the ProfileDataRequestContext context:
string acr_values = context?.ValidatedRequest.Raw.Get("acr_values");
Note that ValidatedRequest may be null depending on the endpoint that is being requested.

IdentityServer4 Add Tenant Claim after Authentication

I have a multi-tenant scenario in which one email can be associated with multiple tenants.
I've thus configured a custom AccountChooserResponseGenerator that inherits from the built-in AuthorizeInteractionResponseGenerator class.
After the user authenticates, the UI correctly diverts the user to an Account Chooser view, which lists the tenants the email address is associated with. The idea being that the user must now select the Tenant he/she wants to log in to, and then get redirected to that Tenant's URI.
My problem though is that I can't figure out how, after selecting a Tenant, I can add that Tenant Id as a Claim to the token that gets passed to the app from IdentityServer (multiple tenants could share the same URL so I need something in the token to know which Tenant has context).
So in the AccountChooserController.TenantSelected(long tenantId) method, I'm expecting to be able to add this tenantId to the User Claims, but it does not seem like this is supported.
Please advise if this is possible, and how?
Put the tenant information into the cookie when calling SignInAsync - you can then retrieve it from your profile service.
