I am working with School Data Sync(SDS) and Azure Active Directory with Microsoft Graph API with a custom Web App that is being developed.
I require read and write to the SDS objects (class, school etc) created by a SDS sync profile.
Reading https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/educationroot_list_schools
and related documentation - I can potentially achieve the above.
Yet the required permissions (
EduRoster.Read.All, EduRoster.ReadWrite.All
)
are not available to be set in the Active Directory Portal (using application > Settings > Required Permissions > Microsoft Graph)
How can I perhaps set the required permissions, perhaps by some other means or through the portal, for my app?
The documentation you posted is right. The documentation shows Permissions's Name directly. Acutally, if you use v2 endpoint application in Microsoft App Registration Portal to choose permissions, you will see these permissions directly.
For this case, the permissions you saw in the Azure portal is the permission's Display String.
For Example:
Application permissions: EduRoster.ReadWrite.All 's Display string is Read and write the organization's roster.
So, you can add these permissions for your scenario:
You can see details about Microsoft Graph Permissions Reference in this documentation.
Related
I have an issue with accessing user data with microsoft graph api.
Context : I have a web app with a calendar inside for my users. I would like to give the user the possibility to synchronise this calendar with their microsoft calendar. I did the same thing with google calendars and it works well.
Problem : I registered an app on azure and setup my code with the correct access to login and get a token from the graph api.
It kinda works but i can only log in with the address i used to create my app on azure.
So lets say my admin address on azure is test#azure.com , then i can log in and access the data i want . But if i try with another address like for example test#customer.com, then it fails and display this message :
I keep looking for a way but the Microsoft graph documentation doesn't seem to talk about this problem.
I tried to add the account as an external user, like the message says (and maybe i did it wrong i'm not really sure of this part) but then i can log in but the data i can access doesn't match the data on the account i tried with, as if adding the user as an external user created a "new" user in my organisation.
What I want : I would like to be able to access the data of any user that try to log in with a microsoft email (if they accept the permissions of course).
It's my first time using the graph api so maybe i'm missing something simple...
Thanks
Based on the So thread reference:
When a user authenticates against your tenant, you only have access to the data controlled by your tenant. In other words, if test1#outlook.com authenticates against yourtenant.onmicrosoft.com tenant, you don't gain access to their outlook.com email.
Reason you're able to see the outlook.com email from Graph Explorer is that Graph Explorer is authenticating against their outlook.com account.
In other way, Graph Explorer is authenticating test1#outlook.com against the outlook.com tenant, not yourtenant.onmicrosoft.com.
When a user authenticates against a given tenant, that token only provides access to data within that single tenant. Microsoft Graph does not allow you to cross tenant boundaries.
Thanks Hong for the comment, you may also set your app registration to "multitenant + personal accounts"
So Reference: MS Graph External User 401 Unathorized
I cannot create an experiment within a project nor create a new project because apparently my watson studio doesn't have the right permissions to access/create/delete something in my Cloud object storage instance, knowing that the COS service was created from Watson studio itself.
In case this helps, here is service endpoints information:
Follow the instructions provided in Watson Studio FAQ - https://dataplatform.cloud.ibm.com/docs/content/getting-started/faq.html#iameditor
Also,Looks like you don’t have proper IAM access permission. If you are the owner of the account, you can set the required permissions following the steps in this link. If you are not the owner ask the account owner for the permissions.
For best practices, refer this solution tutorial
Hope this helps
You need Operator/Editor role. Account owner would need to login into console.bluemix.net and goto "Manage Users" -> https://console.bluemix.net/iam/#/users
Cloud Foundry Access -> Space Role -> Add Developer
Access Policies -> Assign access to all resources -> Assign platform access roles (Add Operator or above) and Assign service access roles (Add editor or above).
This is only one of the options of setting up user for the things your are trying to do. For more detailed user management, checkout the links that #vidyasagar-machupalli posted in his answer.
Further to the question raised here
Get all user properties from microsoft graph
Yes, I can obtain full user profile data using the graph query but from the perspective of the tenant, can I restrict the graph query to only be able to access the basic profile data?
Azure AD graph has delegated permissions for user.readBasic.all which restricts this. We have a 3rd party app that accesses the Azure directory to retrieve basic data to set up accounts in its user directory and we need to restrict this to the basic data due to the security risk. We cannot rely on the 3rd party just doing the right thing all the time.
So I need a way to set the app to allow app permissions (not delegated as the read occurs every 4 hours without human involvement) for user.readBasic.all.
If you want restrict the returned field from the "user.readBasic.all", the best way is you implement a custom handler(API/Service and so on). No directly official channel to do this now. (user.readBasic allows the app to read the full profile of the signed-in user, because after the user sign-in it means he has authorized the APP to get his information.)
You can check the blog for graph permission for here: https://blogs.msdn.microsoft.com/aaddevsup/2018/05/21/finding-the-correct-permissions-for-a-microsoft-or-azure-active-directory-graph-call/
And for the detail of the "user.readBasic.all" you have pointed from official link(https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference#user-permissions) Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions and photo. Also allows the app to read the full profile of the signed-in user.
Using IAM, I am trying to allow certain users to access API's and allow them to create OAuth client credentials. Is there a predefined role for allowing this? I don't want to use the role of project editor, because I'm trying to allow access to only the necessary services.
It's when the user is in their project, and they go to "APIs and Services" > Credentials, the user receives this error:
You don't have permission to view API keys, OAuth clients, and service account keys.
Roles/Permissions:
-App Engine Admin
-Cloud Functions Developer
-Cloud Datastore Owner
-Service Account Admin
-Source Repository Administrator
-Storage Admin
So I believe I've come across the solution. After failing to find a predefined role or any answers online, I started to delve into creating custom roles. If anyone has issues with this in the future, here is what I have done.
I went to Project Settings > Roles > Create Role. I then created 2 custom Roles, here are all the permissions I assigned to them:
"Custom API"
container.apiServices.create
container.apiServices.delete
container.apiServices.get
container.apiServices.list
container.apiServices.update
container.apiServices.updateStatus
serviceusage.apiKeys.create
serviceusage.apiKeys.delete
serviceusage.apiKeys.get
serviceusage.apiKeys.getProjectForKey
serviceusage.apiKeys.list
serviceusage.apiKeys.regenerate
serviceusage.apiKeys.revert
serviceusage.apiKeys.update
"Custom Client Auth"
clientauthconfig.brands.create
clientauthconfig.brands.delete
clientauthconfig.brands.get
clientauthconfig.brands.list
clientauthconfig.brands.update
clientauthconfig.clients.create
clientauthconfig.clients.createSecret
clientauthconfig.clients.delete
clientauthconfig.clients.get
clientauthconfig.clients.getWithSecret
clientauthconfig.clients.list
clientauthconfig.clients.listWithSecrets
clientauthconfig.clients.undelete
clientauthconfig.clients.update
*Note that at the time of writing, these individual permissions are in a "testing" state, and may not work as intended.
You can go to the roles page:
https://console.cloud.google.com/iam-admin/roles?project=[your-project-id]
And there you can filter for the permission you need:
Now you can see in the list all the roles include the permission you need, and you can return to the IAM page:
https://console.cloud.google.com/iam-admin/iam?project=[your-project-id]
And select one of those rules:
A follow up on my earlier question - Are there any APIs available to manage conditional access policies for a tenant?
I'm using the API (https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/policy_list) to retrieve the list of policies created for my tenant and have been running into permissions issues.
According to the documentation this API requires a scope of Directory.AccessAsUser.All. On the Azure AD portal, I set the permissions for my test App to include "Read and write directory data" and "Access the directory as a signed-in user". I set these permissions on both Windows Azure Active Directory and Microsoft Graph APIs. When I make a call to https://graph.microsoft.com/beta/policies, I keep getting 403 Forbidden with the error message "Insufficient privileges to complete the operation.". The other operations like getting the users in the directory, getting identityRiskEvents, etc all work fine.
Am I missing anything here?
Thanks in advance!
Actually the answer is no. The GRAPH REST API List Policies does not return conditional access policies yet.
The REST API doc states:
Currently only one type of policy is available:
Token Lifetime Policy - Specifies the lifetime duration of tokens
issued for applications and service principals.
Check the microsoft faq documentation on configuring conditional access.
Are Graph APIs available for configuring conditional access policies?
Currently, no.
FAQ Link
No, There is a REST API List policies of Operations on policy described in Graph API reference, which you can use it to list all policies for your tenant.
Edit: This article lists only Token Policy's are being returned at this moment: https://learn.microsoft.com/nl-nl/graph/api/resources/policy?view=graph-rest-beta
Microsoft have recently released access to conditional access policies in their Graph API beta (https://learn.microsoft.com/en-gb/graph/api/resources/conditionalaccesspolicy?view=graph-rest-beta). The current methods they support for the conditional access policy resource type are:
List
Create
Get
Update
Delete
Similar methods are available for named locations included in a policy.