I need to get the group membership of the device in AAD.
It is possible to get the groups, select one, get members and find a device there in one call
https://graph.microsoft.com/v1.0/groups/xxx/members/yyy
I can get to the same device as by calling
https://graph.microsoft.com/v1.0/me/registeredDevices/yyy
But I haven’t found anything for a reversed approach for the device. It is simple to find the group membership of a user
https://graph.microsoft.com/v1.0/me/memberOf
but this apparently doesn’t seem to be possible for the device. Neither in v1.0, nor in beta.
Am I missing something? Thanks!
If I understand, you are looking for something that will tell you what groups a device is a member of like:
GET https://graph.microsoft.com/v1.0/devices/memberOf
We don't have anything like that today.
However we do have an alternative, that might work for you, and it provides transitive closure too (which memberOf does not). See: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/directoryobject_getmembergroups
POST https://graph.microsoft.com/v1.0/devices/{deviceId}/getMemberGroups
{
"securityEnabledOnly":false
}
The response will contain a list of group ids for which the device is a member. To get the group details, you will have to make another call. You could use the getByIds action for this - see https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/directoryobject_getbyids. If you want to do this in one call, you could take a look at using batching: https://developer.microsoft.com/en-us/graph/docs/concepts/json_batching.
Hope this helps,
Related
I'm getting an error when uploading my customized policy, which is based on Microsoft's SocialAccounts example ([tenant] is a placeholder I added):
Policy "B2C_1A_TrustFrameworkExtensions" of tenant "[tenant].onmicrosoft.com" makes a reference to ClaimType with id "client_id" but neither the policy nor any of its base policies contain such an element
I've done some customization to the file, including adding local account signon, but comparing copies of TrustFrameworkExtensions.xml in the examples, I can't see where this element is defined. It is not defined in TrustFrameworkBase.xml, which is where I would expect it.
I figured it out, although it doesn't make sense to me. Hopefully this helps someone else running into the same issue.
The TrustFrameworkBase.xml is not the same in each scenario. When Microsoft documentation said not to modify it, I assumed that meant the "base" was always the same. The implication of this design is: If you try to mix and match between scenarios then you also need to find the supporting pieces in the TrustFrameworkBase.xml and move them into your extensions document. It also means if Microsoft does provide an update to their reference policies and you want to update, you need to remember which one you implemented originally and potentially which other ones you had to pull from or do line-by-line comparison. Not end of the world, but also not how I'd design an inheritance structure.
This also explains why I had to work through previous validation errors, including missing <DisplayName> and <Protocol> elements in the <TechnicalProfile> element.
Yes - I agree that is a problem.
My suggestion is always to use the "SocialAndLocalAccountsWithMfa" scenario as the sample.
That way you will always have the correct attributes and you know which one to use if there is an update.
It's easy enough to comment out the MFA stuff in the user journeys if you don't want it.
There is one exception. If you want to use "username" instead of "email", the reads/writes etc. are only in the username sample.
GetMemberGroups only returns the "id" properties of the groups, afaik there is no way to include other additional properties (my guess it's because it only searches in some kind of index rather than actually traversing all nodes in the hierarchy, which makes sense when it needs to be transitive)
DirectoryObjects.GetByIds comes handy once I have the ids from GetMemberGroups, but this one returns all default properties. If I specify any $filter for example if I know that I don't need groups with certain prefix in displayName, or a $select because I know I will only need certain properties, any of these query parameters are ignored. No error thrown, just ignored, and all objects are returned with all parameters.
// this works (max 2046 results)
var groupIDs = await client.Users[userid].GetMemberGroups(false).Request().PostAsync()
// something like Expand or Include would be handy
// even if it is done separately in AD, at least we would save the roundtrip
client.Users[userid].GetMemberGroups(false).Request().Include("prop1,prop2").PostAsync()
// this works nicely with pagination, but both Select and Filter are ignored
var res = await client.DirectoryObjects.GetByIds(groupIDs.ToList(), new[] { "group" })
.Request().Select("id,displayName").Filter("startswith(displayName,'prefix')").PostAsync()
This scenario makes more sense when you are dealing with large result sets (), and you cannot cache values for too long, in these cases it can waste more bandwith than it should.
Is there any other option to achieve similar results? Or any hints on whether it is possible at all to support this, is anything similar on the roadmap?
Maybe #Dan Kershaw knows more, but if meanwhile I'm missing an already existing solution, would be nice to use it.
This looks like a new feature request - to filter and select on a function or action in Microsoft Graph. We don't have this today. The only option currently available to you is to get the full set back, and do client side filtering/selection.
Can you create a user voice request for this new capability please
Hope this helps,
Firstly, I know about the duplicates. We're not talking about iOs/Android/KindOfDevice-only, as the others & cookies are not the way I want to go.
So I want to bypass the need of a password or something by "binding" my service (which is only an idea by now) to the device used.
An E-Mail and stuff would be needed of course, to keep your devices bundled.
What would your approaches be?
My thoughts so far
My first idea was using the mac-adress, because I heard that they're unique. But a quick google told me that's not really true.
On Phones I could use the phone number or the IMEI, but I don't want it to be restricted to phones, it should be usable by web, too.
I guess when we talk about a web-solution, stuff would get even more tricky because browsers won't let the service go really deep into the system and stuff?
Of course I guess there needs to be a combination of two or more things. So two not-so-unique things combine to an 99%-unique-thing?
I just need some help about how to go on with this problem, a direction, because if you google terms like "unique device identification" you only get this medicine-thing..
In my project I use
var secureUDID = (UIDevice.current.identifierForVendor?.uuidString)!
which - Returns a string created from the UUID, such as “E621E1F8-C36C-495A-93FC-0C247A3E6E5F”.
UUID - An alphanumeric string that uniquely identifies a device to the app’s vendor.
I'm knocking together a demo app based upon Nancy.Demo.Authentication.Forms.
I'm implementing Claims and UserName in my UserIdentity:IUserIdentity class and, as per the demo, I've got a UserModel with UserName.
In the SecureModule class, I can see that the Context.CurrentUser can be used to see who it is that's logged on, but as per the interface, this only supplies the username and the claims. If I then need to get more data (say messages for the logged on user) for a view model, all I can see to use as a filter for a db query is the username, which feels, well, weird. I'd much rather be using the uniqueIdentifier of the user.
I think what I'm trying to get to the bottom of, if it is better to add the extra fields to my IUserIdentity implementation, or to the UserModel? And where to populate these?
Not sure my question is that clear (It's not clear in my head!), but some general basic architecture advice would go down a treat.
Sorry for the delayed reply.. bit hectic at the moment :)
The IUserIdentity is the minimum interface required to use Nancy's built in authentication helpers, you can implement that and add as much additional information as you like to your class; it's similar to the standard .net IPrincipal. If you do add your own info you'll obviously have to cast to your implementation type to access the additional fields. We could add a CurrentUser method to stop you having to do that, but it seems a little redundant.
You can stop reading here if you like, or you can read on if you're interested in how forms auth works..
FormsAuth uses an implementation of IUsernameMapper (which is probably named wrong now) to convert between the Guid user identifier that's stored in the client cookie and the actual user (the IUserIdentity). It's worth noting that this GUID needs to be mapped to the user/id somewhere, but it's not intended to be your database primary key, it is merely a layer of indirection between your (probably predictable) user id/names and the "token" stored on the client. Although the cookies are encrypted and HMACd (depending on your configuration), if someone does manage to crack open and reconstruct the auth cookie they would have to guess someone else's GUID in order to impersonate them, rather than changing a username (to "admin" or something smilar), or an id (to 1 for the first user).
Hope that makes sense :)
I'm working on a library which implements the actor model on top of Grand Central Dispatch (specifically the C level API libdispatch). Basically a brief overview of my system is as such:
Communication happens between actors using messages
Multicast communication only (one actor to many actors)
Senders and receivers are decoupled from one another using a blackboard where messages are pushed to.
Messages are sent in the default queue asynchronously using dispatch_group_async() once a message gets pushed onto the blackboard.
I'm trying to implement futures in the language right now, so I've created a new type which holds some information:
A group of its own
The value being 'returned'
However, I have a problem since dispatch_block_t is of type void (^)(void) so it doesn't return anything. So my idea of in my future_new() function of setting up another group which can be used to execute a block returning a result, which I can store in my "value" member in my future_t structure, isn't going to work.
The rest of the futures implementation is very clear, except it all depends on being able to get the value into the future back from the actor, acting on the message.
When using the library, it would greatly reduce its usefulness if I had to ask users (and myself) to be aware when futures were going to be used by other parts of the system—It just isn't practical.
I'm wondering if anyone can think of a way around this?
Actually had Mike Ash's implementation pointed out to me, and as soon as I saw his initWithBlock: on MAFuture, I realized what I needed to do. Very much akin to what's done there, so I'll save the long winded response about how I'm doing it.