Exclusion feature in keycloak IDM - wildfly-10

I am trying to develop a web application using angular 4, java ee and wildfly. I am planning on using keycloak as IDM. I researched and found that we can provide roles to user but what I couldn't find is if it provides the feature to exclude some privilege from admin role.
For example: I want to provide user with admin role all the privileges except one, so I want to exclude the privilege from that admin.
Is it possible using keycloak? If not, can anyone suggest any other IDM matching this requirement?

No, you cannot change the privileges of admin role. Yes, you can use Keycloak.
From http://www.keycloak.org/docs/latest/server_admin/topics/admin-console-permissions/fine-grain.html
Fine grain permissions are used to grant additional permissions. You cannot override the default behavior of the built in admin roles.
I think you still can achieve what you want with Keycloak's flexible administrative role and permission management. Just not exactly in the way you think it should be done.
Don't give your administration user the role admin, but some of the more restrictive roles of client realm-management (e.g. view-realm, manage-users).
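The role mapping described in this answer, done over the Keycloak Admin REST API, as an added example that is not part of the original answer or of Keycloak itself. It assumes a bearer token from a user already allowed to manage users, an admin base URL (`/auth/admin` on the WildFly-era distribution the question mentions), and an injectable HTTP transport so it can be exercised offline; it refuses to hand out the realm `admin` role whose built-in permissions cannot be narrowed.

```python
# Added example: map realm-management client roles (e.g. view-realm,
# manage-users) to a user instead of the unrestricted realm "admin" role.
import json
from urllib.parse import quote, urlencode
from urllib.request import Request, urlopen

# Built-in roles whose permissions cannot be overridden; never assign them here.
FORBIDDEN = {"admin", "realm-admin"}

def _call(http, method, url, token, body=None):
    data = json.dumps(body).encode() if body is not None else None
    req = Request(url, data=data, method=method, headers={
        "Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with http(req) as resp:           # http defaults to urllib's urlopen
        raw = resp.read()
    return json.loads(raw) if raw else None   # POST role-mappings returns no body

def grant_realm_management_roles(admin_base, realm, username, roles, token, http=urlopen):
    """Assign realm-management client roles to a user; returns the role names mapped.
    admin_base is e.g. https://sso.example.com/auth/admin (assumed hostname)."""
    bad = FORBIDDEN & set(roles)
    if bad:
        raise ValueError(f"refusing to grant unrestricted roles: {sorted(bad)}")
    r = f"{admin_base}/realms/{quote(realm)}"
    # 'exact' is honoured by newer servers; older ones substring-match, so we
    # insist on exactly one hit either way.
    users = _call(http, "GET", f"{r}/users?{urlencode({'username': username, 'exact': 'true'})}", token)
    if len(users) != 1:
        raise LookupError(f"expected exactly one user named {username!r}, got {len(users)}")
    uid = users[0]["id"]
    clients = _call(http, "GET", f"{r}/clients?{urlencode({'clientId': 'realm-management'})}", token)
    cid = clients[0]["id"]
    # Fetch each role representation from the realm-management client ...
    reps = [_call(http, "GET", f"{r}/clients/{cid}/roles/{quote(role)}", token) for role in roles]
    # ... and map them to the user as client-level role mappings.
    _call(http, "POST", f"{r}/users/{uid}/role-mappings/clients/{cid}", token, body=reps)
    return [rep["name"] for rep in reps]
```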

How to grant delegated user permissions to managed-service-identity

TL;DR
How can I delegate my user permissions to a service principal in Azure AD when the usual interactive way (e.g. web app with consent screen popup) is not feasible? This is because I cannot configure the MSI in the Azure Portal properly to work that way.
More detail
I want to grant an application permission to access the Graph API on behalf of a user. Usually, this is a well-documented scenario in which you create an app registration, acquire delegated user permissions by asking permission for the needed scopes, and then use these permissions in the app.
The app that needs Graph access is a background service that is to work on its own without user intervention/activity. For this use case, the common approach is to use application permissions. In my case this is not feasible, because application permissions require admin-consent and are all-or-nothing kind of permissions. There is no way this will be granted for me. Rightfully so, because it's overkill.
But on the other hand that's really a pity. A pity, because I've found an example on how to assign Graph API application permissions directly to a Managed Service Identity rather than to a self-registered app. And my service (as an Azure Functions app) already has a MSI assigned to it. So this would be the perfect fit, but then again, there is no way I'll get those application permissions.
So what is the workaround? We have this one user principal which has all the required permissions we need for our background service. What I want to do is to delegate this user's permissions to the Function App/MSI. In order to do this, I used this SPA-template by the MSAL team to have something that will prompt me the permissions popup.
This however failed because the implicit oauth flow was not enabled. To remedy this, you usually need to update the app manifest in the portal. However, since this is a MANAGED service identity, and not a self-registered one, the MSI is not listed in the portal under app registrations. So I cannot set this property to true.
Doing the same via Azure CLI also failed because apparently the MSI is not identified as an app.
az ad app update --oauth2-allow-implicit-flow true --id <appId_of_MSI>
This yields the following error:
ResourceNotFoundError: Resource '<appId_of_MSI>' does not exist or one of its queried reference-property objects are not present.
It shows fine when doing this
az ad sp show --id <appId_of_MSI>
So in summary: I cannot complete the process of delegating that user's permissions interactively. Is there any other way? Maybe via CLI?
The fallback solution is to create a separate unmanaged/self-registered app identity. But I want to really avoid this because then I would need to manage and rotate client (app) credentials again, which the MSI took care of for me.
Why oh why can't I just assign fine-scoped application permissions 😒
Any help on this is greatly appreciated. Cheers.
In my experience Managed Identities don't support the scenario you are suggesting.
They do not have an app registration and in that way cannot authenticate users interactively.
I would go with your fallback solution; a normal app registration and use that to access Graph API on behalf of the user.
This is what we do in our projects at least.
App permissions -> Managed Identity if possible. Delegated permissions -> normal app registration + secret/certificate in Key Vault, retrieved with Managed Identity.

How can I provide an assistant the rights to manage my Firebase Distribution Testers list?

I want to enable someone to manage testers and groups. What are the steps to provide the minimum level of permissions to enable this?
Firebaser here - you can create a custom role with specific Firebase permissions and then assign that to a member of your organization.
Looking at the individual products' management permissions for App Distribution, the following permissions should enable this for you:
firebaseappdistro.testers.list
firebaseappdistro.testers.update
firebaseappdistro.groups.list
firebaseappdistro.groups.update
Note that the App Distribution permissions are in beta as of now, and that you will need to add other permissions to your custom role to make sure it works - see the required permissions section of the Firebase IAM permissions page.

How do I create an Azure AD service principal in our customer's tenant without having global admin rights

We are using a service principal to connect our Azure tenant with our customer's tenant. To create the service principal in the customer's tenant, we need a global admin of the customer's AD tenant to approve and create the service principal. We are trying to find a way to accomplish this without involving global admins. The solution can involve a few manual steps which can be done at the customer's end.
Thanks Allen. Appreciate the quick response. Actually I did not put the full requirement correctly. Here is one more addition. Thanks!!!
Screenshot: Access Grants
The service principal requires delegated access to APIs as shown in the diagram. It appears that it can be granted by a global admin. Can any other user(s)/roles do this? What is the best practice for this? We are trying to avoid having a global admin do this all the time and wanted to have someone in the project team own this process.
Appreciate any insights.
You could ask an admin of your customer's tenant to configure the User settings.
Please refer to this document.
Check the App registrations setting. This value can only be set by an administrator. If set to Yes, any user in the Azure AD tenant can register an app.
Then you could use a non-admin account to create the service principal.
UPDATE
I'm afraid that you have to use a global admin to do the admin consent because the permissions are for the entire tenant.
I don't think a global admin needs to do this all the time. Every time new permissions are assigned to your app, administrator consent is required.

Not able to add certain Graph API Permissions

I am currently developing a service that would be able to sync data between workforce management systems (like Kronos WFC) and Microsoft Shifts. In order to sync the data, I have to register a Workforce Integration. I have established the necessary permissions, but I am not able to add permissions and I'm returned a message on the Azure Portal that permissions are not supported. The tenant that I'm using for development has also been whitelisted. Ideally whitelisting should be solving all problems when it comes to adding Graph API scopes, but in this instance, the whitelisting does not seem to resolve. Any ideas as to why such a thing is happening?
Some Graph permissions are not allowed on applications that support Microsoft accounts authentication (e.g. Skype, Xbox, Hotmail). The WorkforceIntegration permissions are one of them.
The idea is that some O365 enterprise services are not available to consumer Microsoft accounts. Unfortunately I don't know where these permissions are documented but please comment if you find the list.
Sometimes, it could be a temporary error. You may have another try at a later time.
Please do not add too many permissions at one time. I tried to add that permission and got a success:
By the way, since Azure AD V2 supports granting permissions dynamically, you may directly add and grant permission to a new scope.
Note: I just want to show you the detailed flow, but in fact all the following steps can be done with ADAL or MSAL.
For example:
I did not have https://graph.microsoft.com/Chat.ReadWrite permission at first. But I can request that permission dynamically through Azure AD OAuth2 authorization code flow:
A. Make a request call to
https://login.microsoftonline.com/<your_tenent_id_or_name,hanxia.onmicrosoft.com>/oauth2/v2.0/authorize?response_type=code
&client_id=88b1****-***-****-****-f64c****9f8a
&redirect_uri=https://localhost/
&scope=https://graph.microsoft.com/Chat.ReadWrite
B. Grant the permission
C. Check the permissions in Enterprise Application
You can see that a new permission was added. And then users in the tenant can use that permission scope.
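The dynamic-consent request from step A, as an added example that is not part of the original answer or of any Microsoft library: it builds the v2.0 authorize URL for an extra Graph scope with PKCE and a state value, and checks the redirect before the code is exchanged. The tenant name, client id and redirect URI below are placeholders.

```python
# Added example: Azure AD v2.0 authorization-code request with dynamic scope,
# PKCE (RFC 7636, S256) and state verification on the callback.
import base64
import hashlib
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORITY = "https://login.microsoftonline.com"

def pkce_pair():
    """Return (code_verifier, code_challenge); the verifier stays with the client."""
    verifier = base64.urlsafe_b64encode(secrets.token_bytes(32)).rstrip(b"=").decode()
    digest = hashlib.sha256(verifier.encode()).digest()
    return verifier, base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def build_authorize_url(tenant, client_id, redirect_uri, scopes, state, code_challenge):
    """Step A of the answer: request a scope the app was not registered with yet."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),          # e.g. https://graph.microsoft.com/Chat.ReadWrite
        "state": state,                     # random per request, bound to the session
        "code_challenge": code_challenge,
        "code_challenge_method": "S256",
    }
    return f"{AUTHORITY}/{tenant}/oauth2/v2.0/authorize?{urlencode(params)}"

def parse_redirect(redirect_url, expected_state, redirect_uri):
    """Return the authorization code, or raise if the callback is not trustworthy."""
    if redirect_url.split("?", 1)[0] != redirect_uri:
        raise ValueError("callback did not arrive at the registered redirect_uri")
    q = parse_qs(urlparse(redirect_url).query)
    if "error" in q:                        # e.g. consent declined or scope not permitted
        raise RuntimeError(f"{q['error'][0]}: {q.get('error_description', [''])[0]}")
    if not secrets.compare_digest(q.get("state", [""])[0], expected_state):
        raise ValueError("state mismatch; discard this response")   # CSRF / mix-up guard
    return q["code"][0]
```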

Can I manage users for all B2C tenants

My requirement is to have Multi-tenant application. I am trying to select the correct AD directory structure. I am under the understanding that a tenant is an AD directory. I need to be able to have group, role, and policy security options as well as user self sign-up. I have started on the journey of using Azure B2C directories but this does not seem to be the correct solution because roles do not seem available. Lastly, I also need the ability to manage authorizations to all tenants which I would like to build an Admin app to do so; I plan to use Microsoft Graph API for that but I am not sure if that will work either. Can someone help me to answer these questions. I have been searching as well as testing many scenarios.
You can assign user roles and group roles through AAD. https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles
You can also manage permissions through roles based access control. You do not need to use b2c to manage user permissions unless you are connecting your outside company to Microsoft AAD, rather than building a custom app within Azure. https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal
The tenant includes your resources that you want managed under that tenant. It is not exactly synonymous with an AAD because it can include more than just your AAD. You can use it solely to manage your AAD if you wish, though (and even include subscriptions in other tenants that are linked to your AAD tenant).
Graph API is useful for managing more complex user data. Whether you need this depends on what you are aiming to accomplish.