We are trying to figure out what permissions are applicable to tenant members in regards to tenant guests' open extensions in Microsoft Graph.
The official documentation says permissions User.ReadBasic.All is available to any user by default and allows to read open extensions of all users. However, it is not clear if this is applicable to guest users as well or not.
Let's say we have a tenant tA, a tenant member uA and an external user uB (either member of another tenant, or a personal account). User uB has an open extension with some data. User uA adds uB as a guest to tenant A (for example, invites to a team in MS Teams). Shall user uA be able to read the open extension of uB?
I have tried this with Microsoft Graph Explorer. My test shows that
If user uB is a business user, i.e. a member of an organizational tenant B, then user uA cannot read the extension data. uA can find the user, read profile, but expanding extensions returns nothing.
If user uB is a personal account, e.g. some_user#outlook.com, then uA can read extension data.
It looks like for business accounts, user object extensions are visible only to the tenant that created the user, but not to inviting tenants. For personal accounts, however, looks like there are no restrictions, as if MS Graph user objects were created in the inviting tenant.
What are the specifications for accessing data of a guest user? Are they published anywhere?
Related
I have a Microsoft Teams group tab and I'd like to implement a permission system in which users can do different things in the tab depending on their role in the team (or channel). The context I get from the Teams JavaScript API cannot be trusted, so I have to check group/team/channel role through the MS Graph API.
The only way I've found to check whether a user is an owner or only a member of a team is to call /teams/{groupId}/channels/{channelId}/members. In the response I can see which roles users have and I so I can find out if the current user has owner privileges.
The problem is that this endpoint requires admin consent (I guess because it displays data of other users). I'd like to avoid having to ask for admin consent, however. Is there another way of finding out about the role of a user in a team without admin consent? (As private channels behave differently in Teams, this would be the same as finding out about the role in a channel)
I know that I can get if a user is in a group through the optional group claims that are added to the ID token but this doesn't include the rule inside the group/team/channel.
To read a user's role in a channel currently requires admin consent, the permission needed is ChannelMember.Read.All see list conversation member documentation here. Admin consent is also required to get a member of a team or list members in a team. For your particular use case, I would recommend asking your admin to grant these permissions.
I need to emit a role's permissions as claims in the JWT.
The aim is to get a certain user's permissions as claims in the JWT for authorization purposes.
The user belongs to a group which is assocciated to a certain role which has certain permissions in the Azure Active Directory.
Clarification:
If I add some items to the appRoles array in the app's manifest, the role names are emitted as role-type claims in the JWT in the following format:
http://schemas.microsoft.com/ws/2008/06/identity/claims/role: [value property in the appRole item as appears int he manifest appRoles array]
But I couldn't find any way to emit role's permissions' names (or any other property) as claims.
I've been googling and digging in MS docs for days but couldn't find anything. I hope that it's possible.
If it isn't possible, a clumsy workaround may be to represent the permission we need to be emitted as an AAD role, and to represent the role (in the meaning of "a set of permissions") as an AAD special group, and then to associate the groups we wanted to be associated with the role (in an ideal world) to that special "role"-group.
But it's very clumsy as we will actually lose the natural meaning of role which is a set of permissions, and the natural meaning of group which is a set of users and/or groups
Thanks for any help :)
The value property is the custom role name you configured and will be returned in JWT. It's by design.
The permission name won't be returned in the JWT. After you have added an appRole into the Azure AD app, you need to assign users and groups to the role.
You need to add the needed permissions in Azure AD APP and then control the permissions in your code.
We assume you have assigned a custom role in an Azure AD app and added a user to this role.
When a user signs in, a token which includes the role claim will be returned. You can judge the user's role in the code. If it matches a custom appRole, he is allowed to perform an operation. If the user does not match any of the appRoles, he does not have permission to perform any operations.
Further to the question raised here
Get all user properties from microsoft graph
Yes, I can obtain full user profile data using the graph query but from the perspective of the tenant, can I restrict the graph query to only be able to access the basic profile data?
Azure AD graph has delegated permissions for user.readBasic.all which restricts this. We have a 3rd party app that accesses the Azure directory to retrieve basic data to set up accounts in its user directory and we need to restrict this to the basic data due to the security risk. We cannot rely on the 3rd party just doing the right thing all the time.
So I need a way to set the app to allow app permissions (not delegated as the read occurs every 4 hours without human involvement) for user.readBasic.all.
If you want restrict the returned field from the "user.readBasic.all", the best way is you implement a custom handler(API/Service and so on). No directly official channel to do this now. (user.readBasic allows the app to read the full profile of the signed-in user, because after the user sign-in it means he has authorized the APP to get his information.)
You can check the blog for graph permission for here: https://blogs.msdn.microsoft.com/aaddevsup/2018/05/21/finding-the-correct-permissions-for-a-microsoft-or-azure-active-directory-graph-call/
And for the detail of the "user.readBasic.all" you have pointed from official link(https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference#user-permissions) Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions and photo. Also allows the app to read the full profile of the signed-in user.
In AAD, one could
add new Users to the same Domain
add Guests:
from other AAD Tenancies, passing through credential verification to the other Tenancy
from Microsoft Account users, passing through credential checking to live.com
But I'm noticing today although it still accepts to invite MA users, when they sign in, they are asked to create a Password.
From then on, they are shown the usual "Do you want to use your personal account or org/school account".
Is this a new change?
Should be no longer be inviting personal accounts, and stick to only inviting users within other Tenancies (so they don't get asked whether to use Pers/Work account when signing in)?
What happens when they create a company around their own email...will they be able to wrest back resolution of the credentials -- or will it always stay with the first tenant that imported a personal account!?
Thanks for help understanding how this aspect of Azure AD works.
Is there a way to get the Group the User is member of so we can process the authentication, or even throw exception so the token will not be created.
The reason we need groups is that we can not create OU in Azure AD whereas we could before in LDAP. We retrieved the distinguished name and therefore had very rich information about said user.
Lastly, we do see that you could create an OU on-premises but read that Graph API would not recognize it or could not retrieve it.
We are attempting to do logic within the SecurityTokenValidated stage of Authentication process and we break the process whenever we try to use:
string UPN = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.Name).Value
Is this because we are using MSAL?
The best approach for you to take here is to make use of the group claims capability of Azure AD. (And for get OUs. OUs are not represented in Azure AD at all.)
Dushyant Gill's blog post on this is relatively old, but still very much relevant: http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/. In short, the process is:
Enable group claims for your application by setting the groupMembershipClaims property in your application. After setting this, when a user signs in to your application, the list of groups they are a member of will be included in the token (if the number of groups is smaller than the limit).
Update your application's authorization code to make use of the group membership claims (if present).
Update your application to query the Azure AD Graph API if the groups membership claim is not present (i.e. if the "overage" claim is present). This happens only when the user is a member of more than 150-250 groups. (Use the _claim_name and _claim_sources claims as indications that the Graph API needs to be called directly.)
As described in the documentation for Azure AD Graph API permissions, in order for your application to call the getMemberGroups method, the app must have the "Read all groups" permission (Groups.Read.All). This permission requires admin consent, but once consent has been granted, the request can be made using the signed-in user's access token.