We have an application which parses the Audit Logs emitted by Azure AD. More specifically we are parsing the 'Update application' log to detect when a new Role has been added to an Application (see example below).
We would like to find out more information about the "DirectAccessGrantTypes" and "ImpersonationAccessGrantTypes" fields. If someone can point us to documentation for this that would be great.
[{"EntitlementEncodingVersion":2,"EntitlementId":"654a4f1f-1b7f-4354-a6d6-fcf7346af0ec","IsDisabled":true,"Origin":0,"Name":"Data Manager","Description":"Manager for test app","Definition":null,"ClaimValue":"DataManager","ResourceScopeType":0,"IsPrivate":false,"UserConsentDisplayName":null,"UserConsentDescription":null,"DirectAccessGrantTypes":[20],"ImpersonationAccessGrantTypes":[],"EntitlementCategory":0,"DependentMicrosoftGraphPermissions":[]},{"EntitlementEncodingVersion":2,"EntitlementId":"3d03256d-cf0c-4553-b8af-98d7ebbee1f2","IsDisabled":false,"Origin":0,"Name":"Application Manager","Description":"Admin for test app","Definition":null,"ClaimValue":"ApplicationManager","ResourceScopeType":0,"IsPrivate":false,"UserConsentDisplayName":null,"UserConsentDescription":null,"DirectAccessGrantTypes":[20],"ImpersonationAccessGrantTypes":[],"EntitlementCategory":0,"DependentMicrosoftGraphPermissions":[]},{"EntitlementEncodingVersion":2,"EntitlementId":"88d0d3e3-b661-4760-aea3-f4548db1ff96","IsDisabled":false,"Origin":0,"Name":"Read","Description":"Allow users to add a admin consent","Definition":null,"ClaimValue":"Read","ResourceScopeType":0,"IsPrivate":false,"UserConsentDisplayName":null,"UserConsentDescription":null,"DirectAccessGrantTypes":[],"ImpersonationAccessGrantTypes":[{"Impersonator":29,"Impersonated":20}],"EntitlementCategory":0,"DependentMicrosoftGraphPermissions":[]}]
From article > View reports & logs in entitlement management - Azure AD | Microsoft Docs
When Azure AD receives a new request, it writes an audit record, in
which the Category is EntitlementManagement and the Activity is
typically User requests access package assignment. In the case of a
direct assignment created in the Azure portal, the Activity field of
the audit record is Administrator directly assigns user to access package, and the user performing the assignment is identified by the
ActorUserPrincipalName.
Application Impersonation is basically an administrator-managed, not user-managed permission.
Impersonate access grants logs gives information ex:count., of users given consent by the admin to access the application to impersonate user.
ImpersonationAccessGrantTypes gives count or info of access grants by admin on behalf of user whereas DirectAccessGrantTypes gives info about the users who directly access the application ,as they are already assigned by admin.
Reference:
Multiple Client applications authorisation to WebApi (microsoft.com)
On guest user login on redirect URI I got an error:
AADSTS1000031: Application {App name} cannot be accessed at this time. Contact your administrator.
I'm using multi-tenant approach. The authorization URL looks good and it redirects me with such an error.
But I can't find any description of the error or configuration in the azure related to this error.
Also, "normal" users can log in without any issues.
I have such configuration in my Azure App:
Could you please advise how can I enable guest accounts support here?
This error can occur if you have not granted admin consent.
Go to Azure Active Directory within the Azure portal.
Go to Application registrations.
Select the Application based on the App-Id.
Go to API Permissions.
Click Grant Admin consent.
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent
Has this SSO been setup as an Enterprise application?
Or are you just trying to get a guest user logged in to your tenancy as a guest?
If it is the later just create a new Guest user within your tenancy, make sure you have the rights to to do this first.
Then have the guest user accept the email invitation they receive.
Confirm within Azure they have accepted the invite.
Also make sure they are using the same email address as the invite was sent to and not an alias, which can cause confusion.
Have AzureAD application for authentication with appRoles defined in the manifest. The roles are assigned to users and they are included in tokens of authenticated users as claims. This is the case with members of the current tenant as well as newly added guest users of type "Microsoft Account" for the source of authority. (The signInAudience of the application is set as AzureADandPersonalMicrosoftAccount in the manifest.)
But for an existing guest user of type "External Azure Active Directory" for the source of authority, the appRole is not coming through the token claims. Is it worth trying to delete the guest user account and try readding it? Wouldn't this particular feature/behavior of appRoles be the same whether the source of authority for the guest account is "Microsoft Account" or "External Azure Active Directory"?
Or wondering might there be some additional/complementary setting that needs to be set or adjusted for the "External Azure Active Directory"?
PS: the authorization endpoint used currently is https://login.microsoftonline.com/common, and it authenticates just it's not getting the appRole, and it works with the appRole for the "Microsoft Account" type of guest account. Should that be changed however..?
Yup that was it. Based on suspicion tried changing the authority to tenant based https://login.microsoftonline.com/contoso.onmicrosoft.com and it worked... yes because guest user of type "External Azure Active Directory" would of course authentication against their tenant if using https://login.microsoftonline.com/common, and get their roles. So by forcing to authenticate against specific tenant where they are registered as guest users (where the roles are defined), the roles are added to the claims. Of course guest users of type "Microsoft Account" don't have their own tenants so were being authenticated against the tenant anyway... ha ha. Just found out this morning worked. First time using AAD, but kind of makes sense when think about it... Thnks!
I used Graph explorer->Logged in with Global administrator -> Modify Permissions-> chose User.ReadWriteAll,Group.ReadWriteAll,Directory.AccessAsUser.All and then select "access to your entire organization" and logged in again with global administrator
I get below error.
Selected user account does not exist in tenant 'Microsoft' and cannot
access the application 'de8bc8b5-d9f9-48b1-a8ad-b748da725064' in that
tenant. The account needs to be added as an external user in the
tenant first. Please use a different account.
How can I add permissions to global administrator user?
Since your account is a guest in the tenant, you could not use the account to query the tenant, even if you are a global admin.
For more details, refer to this post.
Credentials are only owned by a single tenant. The tenant is discovered by Graph Explorer based on domain. You cannot use Graph Explorer to query tenants your account is a guest on, it can only query the tenant that owns the account. The only way to use those creds with another tenant would be to force the OAuth uri to use that tenants ID instead of "common". This isn't supported by Explorer. You'd have to download the source an reengineer the auth process
I am not an admin of my azure active directory. Currently my web api application will able to read directory data when I or any user manually going to azure portal and click `Grant Permissions'.
I set Read directory data under DELEGATED PERMISSIONS.
But, I can't go to to each user and ask for same. Is there any way to do this at once for all users of my AD tenet? Thanks!
Because you are not an admin, no you cannot grant permissions on behalf of any other users. The most you can do is grant the application permissions equal to what your user can do, which is what the "Access the directory as the signed-in user" permission does.
However, depending on the data you are trying to read, you may be able to access that data without needing other users to consent. For example, any user has the ability to grant the application the ability to read basic information about all other users in the tenant. You will need to elaborate on your scenario.