I want to set the replyUrlsWithType programmatically on an app manifest within Azure AD. However, the REST API for updating the manifest only seems to support setting the replyUrls property, which does not enable the type property to be set. Is there a supported way to set the replyUrlsWithType programmatically?
The team I'm working with has used Fiddler to take a look at how the Azure portal sets the type property and have hacked the following to get it to work, but we are looking for a supported method if there is one:
$UpdateAppResponse = Invoke-WebRequest -Uri "https://graph.windows.net/myorganization/applications/$appId?api-version=2.0" `
-Method "PATCH" `
-Headers #{"Authorization"="$($Response.token_type) $($Response.access_token)"; "Accept"="*/*"; } `
-ContentType "application/json" `
-Body "{`"id`":`"$appId`",`"replyUrlsWithType`":[{`"url`":`"https://$HostName`",`"type`":`"Web`"},{`"url`":`"msauth://$ReversedHostName`",`"type`":`"InstalledClient`"}, {`"url`":`"msauth.$ReversedHostName://auth`",`"type`":`"InstalledClient`"}]}"
In the past, the application registered in Azure portal could only be one type. So, the Azure AD Graph API was able to set replyUrls.
However, new application registered in Azure portal could support both type at the same time. Based on the fiddler traces, the Azure AD Graph seems to updated to support that.
The url https://graph.windows.net/myorganization/applications/$appId?api-version=2.0 is a typical url of AAD Graph API. Maybe just the document has not been updated.
However, we suggest you use Microsoft Graph API. It is an unified center for managing lots of Microsoft Cloud Resources.
You can Get application and Update application with Microsoft Graph API.
For example, you can make a PATCH request with the following body:
{
"publicClient": {
"redirectUris": [
"myapp://auth"
]
},
"web": {
"redirectUris": [
"https://devchat.com/",
"http://localhost/",
"https://mytest.com/"
],
"implicitGrantSettings": {
"enableAccessTokenIssuance": false,
"enableIdTokenIssuance": false
}
}
}
Then all the platforms will be added:
For anybody who is looking to configure similarly as a SPA, you can set the property to "spa" instead of "web". This was a headache for me so hopefully helpful for others:
Instead of:
"web": {
"redirectUris": [
use
"spa": {
"redirectUris": [
A one liner for the Azure Cloud Shell (bash):
az rest --method PATCH --uri 'https://graph.microsoft.com/v1.0/applications/<APP REG OBJECT GUID (object ID not the App ID)>' --headers 'Content-Type=application/json' --body '{"spa":{"redirectUris":["https:<APP DOMAIN (and port if needed)>"]}}'
Related
In the Azure Portal, I can navigate to Identity Governance | Access Packages | Access Package and then create a direct assignment for a user. The Azure Portal allows me to specify whether or not approvals are applied to the assignment request.
I can also create a direct assignment request using the Microsoft Graph, but I cannot figure out how to apply approvals to this request. Requests from the Graph seem to always bypass the approval policy.
Using Fiddler and the Azure Portal (ref screenshot above), I can see that the following JSON payload is POSTed to the Graph. So I took that exact same JSON payload and POSTed it with the Graph Explorer, but the approval process is still being bypassed.
POST https://graph.microsoft.com/beta/identityGovernance/entitlementManagement/accessPackageAssignmentRequests
{
"accessPackageAssignment": {
"target": {
"objectId": "5eaf3cdc-3859-40a1-bd48-583da94d16b3",
"type": "User"
},
"assignmentPolicyId": "3261eff8-1e91-426d-93dd-55f196a593a4",
"accessPackageId": "d14d6f8c-458f-4a1c-926a-38f4c5e63fe8"
},
"justification": "testing",
"requestType": "AdminAdd",
"parameters": [
{
"name": "IsApprovalRequired",
"value": "true"
}
]
}
How can I achieve the same behavior as the Azure Portal (i.e., direct access package assignment with approval)?
In the request body, it contains a accessPackageAssignmentRequest object which has a property assignmentPolicyId, and the assignmentPolicyId property identifying the accessPackageAssignmentPolicy, and this policy has a definition for requestApprovalSettings. approvalSettings contained isApprovalRequired.
By the way, what you mentioned are beta version api which is not recommended. And V1.0 version may be better.
I'm trying to avoid to use the managed policies AmazonSageMakerReadOnly and AmazonSageMakerFullAccess because I only want the users to be able to start/stop their own notebook instance and to open jupyter in their instance.
So far the user role has the following permissions among others
...
{
"Sid": "",
"Effect": "Allow",
"Action": [
"sagemaker:StopNotebookInstance",
"sagemaker:StartNotebookInstance",
"sagemaker:CreatePresignedNotebookInstanceUrl"
],
"Resource": "*",
"Condition": {
"StringEquals": {
"aws:ResourceTag/OwnerRole": "${aws:userid}"
}
}
},
The policy does not have sagemaker:CreatePresignedDomainUrl but it has sagemaker:CreatePresignedNotebookInstanceUrl, when the user with this policy click on Open Jupyter in the AWS Sagemaker console , it opens an url https://xxxxxx.notebook.eu-north-1.sagemaker.aws/auth?authToken=xxxxx but that url will return:
403 Forbidden. Access to xxxxxx.notebook.eu-north-1.sagemaker.aws was denied. You don't have authorisation to view this page. HTTP ERROR 403
As soon as I added sagemaker:CreatePresignedDomainUrl for resource * then the 403 error was gone and the user could open the jupyter notebook.
My question is why is that needed, and what resource should I put instead of *, the documentation mentions arn:aws:sagemaker:regionXXX:account-idXXX:app/domain-id/userProfileNameXXXX/* but I do not have any domain or user profile.
CreatePresignedDomainUrl statement allows the role to launch a SageMaker Studio app (and hence the domain-id/user-profile ARN). Opening SageMaker notebook instance does not need the presigned domain url permission.
You'll need to make sure you're tagging the notebook with an OwnerRole key, with value = userid (not username). In addition, you'll need to use the sagemaker:ResourceTag (instead of aws:ResourceTag).
See the service authorization page for a complete list of actions and condition keys.
I'm very new to ADFS and the Web Application Proxy. That said, I've recently setup an ADFS server and a WAP server and have all of the configuration setup to successfully handle SAML SSO to my custom application.
I am now attempting to use the Webfinger endpoint. By default, that endpoint is enabled (and proxy enabled). Unfortunately, I have not been able to get any meaningful response from this endpoint and am unsure even how to set it up. Searching for "ADFS Webfinger" documentation has been fruitless. Honestly, I can't find anything other than discussions of an Event Viewer error and other useless information.
I have attempted various combinations of URLs.
https://my-adfs-server/.well-known/webfinger?resource=https%3A%2F%2Fmy-adfs-server%2Fadfs%2F/ls&rel=http://schemas.microsoft.com/rel/trusted-realm
This gives me back a JSON:
{
"subject": "https://my-adfs-server",
"links": [
{
"rel": "http://schemas.microsoft.com/rel/trusted-realm",
"href": "https://my-adfs-server"
}
]
}
but it is the only URL I have found that returns anything.
https://my-adfs-server/.well-known/webfinger?resource=acct:<myemail>
This gives me a 404 with a valid email (acct).
What am I missing? Even if that last URL was working, how do I resolve it to specify information that should be returned in the JRD document for this particular account? Do I need IIS installed (I don't have it installed currently) and custom code?
Thanks for any help/insight.
Pink
I have an IBM Cloud Function (OpenWhisk) that invokes a Watson Conversation Service.
We are using JAVA
The documentation of the JAVA SDK (https://github.com/watson-developer-cloud/java-sdk ) suggests that the credentials would be picked up from the binding.
When I list the bindig I get this:
>bx wsk action get talksmall parameters
ok: got action talksmall, displaying field parameters
[
{
"key": "__bx_creds",
"value": {
"conversation": {
"credentials": "Credentials-SmallTalk",
"instance": "<INSTANCE>",
"password": "<PASSWORD>",
"url": "https://gateway.watsonplatform.net/conversation/api",
"username": "<USERNAME>"
}
}
}
]
But when I use the SDK like this:
Conversation conversationService = new Conversation(Conversation.VERSION_DATE_2017_05_26);
I get an error
{
"error": "An error has occured while invoking the action (see logs for details): java.lang.IllegalArgumentException: apiKey or username and password were not specified"
}
When I add the line:
conversationService.setUsernameAndPassword(userName, password);
It works.
Maybe the VCAP_Service way of binding does not work with Cloud Functions ?
The Cloud Function runs in the same IBM Cloud organization and space.
I opened an issue against the SDK documentation which talks about "running in Bluemix". IBM Cloud offers infrastructure, OpenWhisk / Cloud Functions, Cloud Foundry and more. Bluemix originated from Cloud Foundry and the automatic binding via VCAP_SERVICE is a Cloud Foundry feature.
From my experience with using IBM Cloud Functions with Python and Node.js you need to call the API functions to set credentials explicitly. With the feature of service binding you can easily make credentials of provisioned services available to the context within IBM Cloud Functions as successfully shown in your code above.
I'm building an internal meeting room app that uses the Microsoft Graph API and I would like to extend Event objects with a Schema Extension.
Documentation:
API Reference
Tutorial Example
However when running a query to register a new schema extension, I am receiving this HTTP response:
{
"url": "https://graph.microsoft.com/beta/schemaExtensions",
"status": "403 Forbidden",
"headers": {
"request-id": "e1e36210-6c4c-4ed8-afb1-c9ee6f6362ed",
"client-request-id": "e1e36210-6c4c-4ed8-afb1-c9ee6f6362ed",
"x-ms-ags-diagnostic": "{\"ServerInfo\":{\"DataCenter\":\"North Europe\",\"Slice\":\"SliceA\",\"ScaleUnit\":\"001\",\"Host\":\"AGSFE_IN_2\",\"ADSiteName\":\"DUB\"}}",
"duration": "742.4624"
},
"body": {
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "e1e36210-6c4c-4ed8-afb1-c9ee6f6362ed",
"date": "2017-05-10T10:05:37"
}
}
}
}
I can confirm that my application has the prerequisite scope permission of Directory.AccessAsUser.All and it's also been more than 16 hours since adding this permission. I have also got verified domains, so the namespace should be OK per the documentation reference.
My API query in code:
Outlook.test({
version: 'beta',
resource: 'schemaExtensions',
method: 'POST',
body: {
id: 'thehivegroup_beethere',
description: 'Extension for event presence status',
targetTypes: [ 'Event' ],
properties: [
{ name: 'checkIn', type: 'String' },
{ name: 'checkOut', type: 'String' }
]
}
})
.then(result => console.log(result), err => console.error(err))
Which results in a POST with the JSON encoded in the body and headers with authorization token to the URL https://graph.microsoft.com/beta/schemaExtensions.
I have tried different IDs, such as beethere, which resulted in a namespace error, so I know this ought to be working fine.
There are no other scope permissions I am aware of that I need to enable here as well. The error is just too vague for me to figure out what privileges are insufficient here.
EDIT: Have manually run the query in the Graph Explorer as an Admin in the tenant, added the scope permissions required for the API and some extra ones in case, but the query for registration of Schema Extensions still does not work, with the same error message as the application receives. So it is definitely not a problem in my code, but the Microsoft Graph API. Is there a contact or way to ask microsoft to look into the issue?
Directory.AccessAsUser.All is a delegated permission only (it must be delegated because it grants access to directory based APIs as the signed-in user's access rights). It doesn't show up in the roles claim because it isn't an application permission.
As far as I know, right know, you cannot use the application flow (client credentials) to create a schema extension, and you need to use the "code authorization" flow. Please let us know if this is a requirement. Additionally we'd love to know if you want to see an experience for schema definition registration as part of the application registration...
Also you CANNOT currently create a schema extension definition (or manage it) through Graph Explorer. For you to created a definition, you must either be an admin or the owner of the app creating the extension definition AND the creation request must also come from that application (which cannot be graph explorer). We may look at relaxing this last constraint.
If you want to see a code snippet for this it's available here (although it's a UWP c# app, not JS): https://github.com/microsoftgraph/uwp-csharp-snippets-rest-sample.
Also schema extensions is now GA, and available in the v1.0 endpoint.
Hope this helps,
Graph Explorer is able to add an extension.
You will need to create an app in your tenant and set the owner in the payload to the client id of your app.
more on this
This schema extensions creating REST works well for me. Please ensure that the token contains Directory.AccessAsUser.All permission. You can parse the token check the scp claim in it from this site.