We have an application which parses the Audit Logs emitted by Azure AD. More specifically we are parsing the 'Update application' log to detect when a new Role has been added to an Application (see example below).
We would like to find out more information about the "DirectAccessGrantTypes" and "ImpersonationAccessGrantTypes" fields. If someone can point us to documentation for this that would be great.
[{"EntitlementEncodingVersion":2,"EntitlementId":"654a4f1f-1b7f-4354-a6d6-fcf7346af0ec","IsDisabled":true,"Origin":0,"Name":"Data Manager","Description":"Manager for test app","Definition":null,"ClaimValue":"DataManager","ResourceScopeType":0,"IsPrivate":false,"UserConsentDisplayName":null,"UserConsentDescription":null,"DirectAccessGrantTypes":[20],"ImpersonationAccessGrantTypes":[],"EntitlementCategory":0,"DependentMicrosoftGraphPermissions":[]},{"EntitlementEncodingVersion":2,"EntitlementId":"3d03256d-cf0c-4553-b8af-98d7ebbee1f2","IsDisabled":false,"Origin":0,"Name":"Application Manager","Description":"Admin for test app","Definition":null,"ClaimValue":"ApplicationManager","ResourceScopeType":0,"IsPrivate":false,"UserConsentDisplayName":null,"UserConsentDescription":null,"DirectAccessGrantTypes":[20],"ImpersonationAccessGrantTypes":[],"EntitlementCategory":0,"DependentMicrosoftGraphPermissions":[]},{"EntitlementEncodingVersion":2,"EntitlementId":"88d0d3e3-b661-4760-aea3-f4548db1ff96","IsDisabled":false,"Origin":0,"Name":"Read","Description":"Allow users to add a admin consent","Definition":null,"ClaimValue":"Read","ResourceScopeType":0,"IsPrivate":false,"UserConsentDisplayName":null,"UserConsentDescription":null,"DirectAccessGrantTypes":[],"ImpersonationAccessGrantTypes":[{"Impersonator":29,"Impersonated":20}],"EntitlementCategory":0,"DependentMicrosoftGraphPermissions":[]}]
From article > View reports & logs in entitlement management - Azure AD | Microsoft Docs
When Azure AD receives a new request, it writes an audit record, in
which the Category is EntitlementManagement and the Activity is
typically User requests access package assignment. In the case of a
direct assignment created in the Azure portal, the Activity field of
the audit record is Administrator directly assigns user to access package, and the user performing the assignment is identified by the
ActorUserPrincipalName.
Application Impersonation is basically an administrator-managed, not user-managed permission.
Impersonate access grants logs gives information ex:count., of users given consent by the admin to access the application to impersonate user.
ImpersonationAccessGrantTypes gives count or info of access grants by admin on behalf of user whereas DirectAccessGrantTypes gives info about the users who directly access the application ,as they are already assigned by admin.
Reference:
Multiple Client applications authorisation to WebApi (microsoft.com)
My Azure AD admin have created an Enterprise App for me and I'm Configuration Owner for it.
The app Provisioning is setup to:
Provision Azure Active Directory Groups
Provision Azure Active Directory Users
to my SCIM server.
The setup is working fine, users are created via and groups are updated also.
My problem is that in my company workflow when a consultant contract is renewed the user's AccountEnabled property is set to false and then later re-enabled with AccountEnabled=true, this is translating right now into a Delete / Create via SCIM in my app.
My impression was that AccountEnabled=false would translate to a isSoftDeleted=true (as mentioned in Customizing user provisioning attribute-mappings for SaaS application in Azure Active Directory) and that in turn will translate to a SCIM Disable User request because of the attribute mapping settings of the app is to map the Azure Active Directory Attribute Not([IsSoftDeleted]) to active attribute in the app.
But it's not disabling the user it's deleting it.
The user resides in a on-premises Active Directory then synced to Azure AD.
All the information that I could find (like this) suggest that a SCIM Delete should only happened after 30 days when a user is hard deleted and not when AccountEnabled=false so I guess it may be another factor at play.
So, how do I stop Azure AD from issuing Delete user for disabled users in my app?.
EDIT: I tested with a local user in Azure AD (not synced from the on-premises AD) and with that user when the user is disabled it triggers an update user not a delete. So it must be related with synced users only (I'm still troubleshooting)
Certain applications don't support soft deletes so the Azure AD provisioning service sends a delete in place of an update. What app are you using?
The attribute mapping blade allows you to de-select delete as an option, do the deletes stop when you do that?
I recommend keeping the attribute mappings as close to the default as possible.
Try removing the "not" function and using the default attribute mappings. The default mapping uses a switch statement to map false to true and true to false. It sends the request as a string rather than a boolean.
I'm working on improving the user experience for our org when logging into snowflake. We have adfs sso enabled and are provisioning mapping users to roles using azure ad. I had a colleague attempt to sign in with SSO who didn't have a user account created in snowflake and they were greeted with
"The signed in user <user#email.com> is not assigned to a role for the application (Snowflake)".
My question is, is it possible to have users sign into snowflake without being mapped to a default role, perhaps only have the public role assigned, and without being synced with azure ad.
If it is, i'd appreciate any pointers to documentation i can reference. The goal is to get all users that can SSO, to by default be able to login
AD group syncing occurs every 40 minutes in Microsoft, and I don't believe it's possible to force a sync or change this time frame. In addition, like the OP mentioned Snowflake cannot connect to an on-prem ADFS server so all users must be in Azure AD.
AD group syncing is somewhat configurable via the "Scope" (see Step 15 of this tutorial)
If your Scope is set to "Sync only assigned users and groups", you can either
Change the scope to "Sync all users and groups" (may cause issues if you don't want to import all this data into Snowflake)
or
Confirm that your desired users' AD group is one of those assigned to be synced to Snowflake (requires manually assigning these users, or that all of these users are part of the same AD group that you choose to sync to Snowflake).
By seeing the error its not allowing user who don't have appropriate role for the application.
In these why can't we create generic stored procedure to assign default role and instance to new user based on the group they belong to.! Each time if we add any new user then we have to run stored procedure to assign default role and object prior to his login to snowflake.
At the moment I have setup a build pipeline that pulls an artifact from Azure artifacts.
Authentication is done using a Personal Access Token.
Since a couple of days now, my pipeline errors out with the message:
VS403463: The conditional access policy defined by your Azure Active Directory administrator has failed.
Looking into the debug logs I can see the call that is made
Now doing this call from my local machine, this works but ONLY if I am within the network of my Organisation (if I run it from home, it does not work)
Looking at the pipeline, it mentions that it gets an agent "from the cloud".
I assume this agent is not within our network.
Is there any way we can setup Azure Devops such that we can still access Azure artifacts from a cloud build agent whilst this conditional access policy is in place?
Your administrator might set the Conditional Access policies to block the ip outside the trusted IP range to access your organization resources. Check the Common signals Conditional Access takes.
You can try connecting to your organization network over VPN when you work from home. Or asking your administrator to add your home ip to the trusted ip range.
You can also try disabling "Enable Azure Active Directory Conditional Access Policy Validation" in your azure devops organization setting page. Check the steps here.
Check here to learn more about conditional access policy. Hope you find it helpful.
Is there a way to detect and monitor that a service principal is only being used from a specific set of IP addresses? I do not want to IP restrict my entire directory. I have premium AAD and I think it has features that I might be able to utilized but I cannot do much testing. I’m currently struggling on how to detect if a SP has been jeopardized and how to prevent it.
If you want to use IP as conditions for the user to sign-in, you could use Conditional Access to make it. But the Conditional Access is used for the entire tenant.
And the features of Azure Active Directory Premium includes:
Company branding
Group-based application access
Self-service password reset
Self-service group management
Advanced security reports and alerts
Multi-Factor Authentication
Forefront Identity Manager (FIM)
Enterprise SLA of 99.9%
For the details, please read here.