I'm trying SCIM 2.0 provisioning with Azure AD
As premise, I have SCIM a server for my product and I'm implementing PATCH endpoints for use with Okta and Microsoft Azure AD.
I'm done testing with Okta, so I'm trying with Azure AD now.
I read this post active-directory-scim-provisioning and the SCIM 2.0 Specification Section 3.5.2.
I set up an enterprise application on our Azure AD with the following mapping
Then, Azure AD sends the following JSON POST request to create users assigned to the application to my server:
POST:
{
"active": true,
"displayName": "$DISPLAY_NAME",
"emails": [
{
"primary": true,
"type": "work",
"value": "$EMAIL"
}
],
"externalId": "$EXTERNAL_ID",
"meta": {
"resourceType": "User"
},
"name": {
"formatted": "$FORMATTED"
},
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"userName": "$USER_NAME"
}
I can process the POST request correctly, but I am unable to consume the PATCH request from Azure AD.
PATCH:
{
"Operations": [
{
"op": "Replace",
"path": "name.givenName",
"value": [
{
"$ref": null,
"value": "$VALUE"
}
]
},
{
"op": "Replace",
"path": "name.familyName",
"value": [
{
"$ref": null,
"value": "$VALUE"
}
]
}
],
"schemas": [
"urn:ietf:params:scim:api:messages:2.0:PatchOp"
]
}
Is it correct (according to the specification) that the value attribute is of type Array, even if the target is a single-valued attribute? Is the use of the $ref attribute correct in this case?
Or did I misunderstand the specification?
They have fixed it Dec 18 2018 :)
https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/application-provisioning-config-problem-scim-compatibility
They made a mistake on the value implementation for non-complex objects. You can read more about it here https://social.msdn.microsoft.com/Forums/lync/en-US/e2200b69-4333-41ea-9f51-717d316c7751/automatic-user-provisioning-scim-restful-patch-payload-issue?forum=WindowsAzureAD
Related
I am updating an internally developed single-page app (Typescript/React) that uses OAuth2 from AD-FS 2016 to Azure AD v2. Things are complicated slightly by the fact that I (the developer) don't have direct access to the Azure console and am working on this with a (non-developer) sysadmin who does.
I have implemented PKCE and got the flow working; I can now obtain JWT access, ID and refresh tokens from the server and authenticate them via JWKS. So far so good.
Now, my apps to know a couple more things:
whether or not the user should be treated as an administrator. This is inferred from group memberships
the preferred username and first name/surname of the user
The first of these we dealt with by setting up a "role" and mapping it out to groups in the Azure console. We then added the role claim to the tokens. I can find this as a string array in "id_token". No problem.
I was confused for a while because I was looking for it in "access_token", but it's not a problem for my app to use "id_token" instead.
The second is the thing that is really giving us problems. No matter what we put into the "optional claims" dialog - we've added all these fields and more, for the ID token, they do not appear in it. Nothing we are doing seems to affect the actual tokens that come out at all.
I am beginning to think that I have missed something out with regards to obtaining the information. I am using the https://graph.microsoft.com/profile, https://graph.microsoft.com/email and https://graph.microsoft.com/user.read scopes and the administrator has authorized these on behalf of the app. The user is synced from our in-house active directory, which the AD-FS is running from as well, so I know that this information is in there. I tried messing with the resource parameter but this is deprecated in Azure AD v2 apparently.
I've read and re-read https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims along with other online documentation, and the following passage confuses me and makes me think that the issue might be related to scopes:
Access tokens are always generated using the manifest of the resource, not the client. So in the request ...scope=https://graph.microsoft.com/user.read... the resource is the Microsoft Graph API. Thus, the access token is created using the Microsoft Graph API manifest, not the client's manifest. Changing the manifest for your application will never cause tokens for the Microsoft Graph API to look different. In order to validate that your accessToken changes are in effect, request a token for your application, not another app.
Or is that just the reason that I switched to using the id_token?
The optional_claims section of the configuration manifest looks like this:
"optionalClaims": {
"idToken": [
{
"name": "email",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "upn",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "groups",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "family_name",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "given_name",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "preferred_username",
"source": null,
"essential": false,
"additionalProperties": []
}
],
"accessToken": [
{
"name": "email",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "groups",
"source": null,
"essential": false,
"additionalProperties": []
},
{
"name": "preferred_username",
"source": null,
"essential": false,
"additionalProperties": []
}
],
"saml2Token": [
{
"name": "groups",
"source": null,
"essential": false,
"additionalProperties": []
}
]
},
But the resulting payload in the ID tag looks like this:
{
"aud": "redacted",
"iss": "https://login.microsoftonline.com/redacted/v2.0",
"iat": 1654770319,
"nbf": 1654770319,
"exp": 1654774219,
"email": "redacted",
"groups": [
"redacted",
"redacted",
"redacted",
"redacted"
],
"rh": "redacted",
"roles": [
"redacted"
],
"sub": "redacted",
"tid": "redacted",
"uti": "redacted",
"ver": "2.0"
}
Can anyone who has more experience of the platform help me understand what we are doing wrong here? Do we need to define custom scopes? Have we simply forgotten to turn an option on?
All help gratefully received! Thanks in advance...
I tried to reproduce the same in my environment and got below results:
I have implemented PKCE flow and got JWT access, ID and refresh tokens.
I added optional claims like below:
Go to Azure Portal -> Azure Active Directory -> App Registrations -> Your App -> Token Configuration
Please check the scopes you are using to get token.
When I gave only openid as scope, got response like below:
But when I gave scope as openid profile email user.read, got all optional claims successfully like below:
I have an Azure Logic App with a SQL Server connector through a On-Premise Data Gateway, the connection is made using SQL Server Authentication. It works fine from the Logic App Designer.
No details about the connection are stored in the ARM template of the SQL Server connection, so if I want to automate the deployment of the Logic App, I need to add some values to the ARM template. The documentation for this is really poor, even though I was able to write this template:
{
"type": "MICROSOFT.WEB/CONNECTIONS",
"apiVersion": "2018-07-01-preview",
"name": "[parameters('sql_2_Connection_Name')]",
"location": "[parameters('logicAppLocation')]",
"properties": {
"api": {
"id": "[concat(subscription().id, '/providers/Microsoft.Web/locations/', parameters('logicAppLocation'), '/managedApis/', 'sql')]"
},
"displayName": "[parameters('sql_2_Connection_DisplayName')]",
"parameterValues": {
"server": "[parameters('sql_2_server')]",
"database": "[parameters('sql_2_database')]",
"username": "[parameters('sql_2_username')]",
"password": "[parameters('sql_2_password')]",
"authType": "[parameters('sql_2_authtype')]",
"sqlConnectionString": "[parameters('sql_2_sqlConnectionString')]",
"gateway": {
"id": "[concat('subscriptions/', subscription().subscriptionId, '/resourceGroups/', parameters('dataGatewayResourceGroup'), '/providers/Microsoft.Web/connectionGateways/', parameters('dataGatewayName'))]"
}
}
}
}
But I can't find the correct value for the authType property corresponding to "SQL Server Authentication". The values windows and basic are accepted, but couldn't find the value for "SQL Server Authentication".
Can someone please tell me what's the value for the authType property corresponding to "SQL Server Authentication"?
Use following properties json inside your web api connection
"properties": {
"api": {
"id": "/subscriptions/<YourSubscriptionIDHere>/providers/Microsoft.Web/locations/australiaeast/managedApis/sql"
},
"parameterValueSet": {
"name": "sqlAuthentication",
"values": {
"server": {
"value": "SampleServer"
},
"database": {
"value": "WideWorldImporters"
},
"username": {
"value": "sampleuser"
},
"password": {
"value": "somepasssword"
},
"gateway": {
"value": {
"id": "/subscriptions/<subscriptionIDGoesHere>/resourceGroups/az-integration-study-rg/providers/Microsoft.Web/connectionGateways/<NameofTheGatewayHere>"
}
}
}
}
},
"location": "australiaeast"
That should do the trick
In Azure Active Directory I created an app, in the manifest file I've update the appRoles with the following value:
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"displayName": "Client manager",
"id": "bf77e391-0bbf-4e33-854b-a384a5ac0630",
"isEnabled": true,
"description": "Client manager can manage all client actions.",
"value": "ClientManager"
}]
I updated my user so that my assigned role is no longer Default Access but is Client manager
With Graph api I'm trying to retrieve this assigned role.
I tried this uri but for some reason it will not return my role(s).
https://graph.microsoft.com/beta/me/appRoleAssignments?$filter=resourceId eq 04dcaab1-7219-4689-8510-4672e957ac11$select=appRoleId
But the response is:
{
"error": {
"code": "BadRequest",
"message": "Invalid filter clause",
"innerError": {
"request-id": "ce3cb456-956b-41c5-84a2-cdcdfe1ac3c5",
"date": "2018-11-05T20:54:08"
}
}
}
I could create a workaround requesting all my roles, for all my applications but this is something I would like to avoid. This would end up with the following uri:
https://graph.microsoft.com/beta/me/appRoleAssignments?$select=resourceId,appRoleId
and results in this json, where I need to filter out my applicationid.
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#appRoleAssignments(resourceId,appRoleId)",
"value": [
{
"appRoleId": "00000000-0000-0000-0000-000000000000",
"resourceId": "667cc3aa-00b9-4526-bde5-b81312ed5afb"
},
{
"appRoleId": "00000000-0000-0000-0000-000000000000",
"resourceId": "64b92ac1-4a56-478c-8774-5c584fb200e5"
},
{
"appRoleId": "bf77e391-0bbf-4e33-854b-a384a5ac0630",
"resourceId": "04dcaab1-7219-4689-8510-4672e957ac11"
}
]
}
I tried several solutions proposed on StackOverflow already but for some reason, all the eq filters don't work. I'm testing my query with the Graph explorer. My desired result should be something like this:
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#appRoleAssignments(appRoleId)",
"value": [
{
"appRoleId": "bf77e391-0bbf-4e33-854b-a384a5ac0630"
}
]
}
It seems not support to filter resourceId with https://graph.microsoft.com/beta/me/appRoleAssignments.
As mentioned in the doc:
Not all parameters are supported across all Microsoft Graph APIs, and support might differ significantly between the v1.0 and beta endpoints.
Also, if we filter the id with GET https://graph.microsoft.com/beta/me/appRoleAssignments?$filter=id eq 'xxxxxxx', it will work fine. So I think the format of the query should be correct, the only possibility is it is not supported as mentioned in the doc.
I have created app registration in azure aad. I want to add a app role using Microsoft Graph API programmatic.
It seems that there is no Microsoft Graph API to do that. If Azure AD graph is acceptable, you use the following rest API to do that.
PATCH https://graph.windows.net/{tenantId}/directoryObjects/{objectId}/Microsoft.DirectoryServices.Application?api-version=1.6
Note: objectId not applicationId, we could get it from Azure portal.
The following is the test body
appRoles": [
{
"allowedMemberTypes": [
"User"
],
"displayName": "SurveyAdmin",
"id": "c20e145e-5459-4a6c-a074-b942bbd4cfe1",
"isEnabled": true,
"description": "Administrators can manage the Surveys in their tenant",
"value": "SurveyAdmin"
}
]
Test result:
We also could check it in the application manifest from Azure portal.
According to my experience, I added appRoles with the help of MicrosoftGraphAPI. You can use this:
respond = "https://graph.microsoft.com/v1.0/applications/{apps-Object-ID}"
request_body = json.dumps({
"appRoles": [ {
"allowedMemberTypes": ['User'],
'description': 'access',
'displayName': 'access',
'id': "XXXX-XXXX-XXX",
"isEnabled": "true",
"value": "null",
"origin": "Application"
}
]
})
response = requests.patch(respond, headers, request_body)
And don't forget to import json and requests
I am trying to create schema extensions. I do have
"scp": "Directory.AccessAsUser.All" in token. Don't know for what reason it is failing.
https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/schemaextension_post_schemaextensions
POST https://graph.microsoft.com/beta/schemaExtensions
Content-type: application/json
{
"id":"courses",
"description": "Graph Learn training courses extensions",
"targetTypes": [
"Group"
],
"properties": [
{
"name": "courseId",
"type": "Integer"
},
{
"name": "courseName",
"type": "String"
},
{
"name": "courseType",
"type": "String"
}
]
}
error :
{
"error": {
"code": "Service_InternalServerError",
"message": "Encountered an internal server error.",
"innerError": {
"request-id": "1909aef3-b66d-48de-8204-0a41df0a27a8",
"date": "2017-07-17T13:07:20"
}
}
}
Unfortunately it looks like Microsoft Graph schema extensions is not supported in B2C tenant (please confirm if you are NOT using a B2C tenant - in which case this might be a different problem).
In the meantime (until we fix this issue), you'll need to use Azure AD Graph to register and use directory extensions.
Hope this helps,