I'm trying to get a website up and running where the user has to log in using an Azure AD account. The user themselves are usually either a member of one of two groups. Is there any way within Azure AD of getting that group ID and/or name returned as a claim on the identity token?
You can edit the manifest of the app.
You can find it in the new portal via Azure Active Directory -> App Registrations -> Your app -> Manifest.
Then you need to set the groupMembershipClaims property to either "SecurityGroup" or "All".
"groupMembershipClaims": "SecurityGroup"
The ids will then be returned in id tokens for your app. SecurityGroup only includes AAD security groups, All also includes Office 365 groups.
Related
I have an app that is implementing SCIM 2.0.
I have connected this app to my Azure AD and I am succeeding to provision users and groups to my app from from Azure AD.
I want to add a custom attribute and manage the value of that attribute in Azure AD for every user or a group and add that data to my provisioning mapping - to send it to my app as part of the provisioning process.
I can't find where in Azure AD I can do that.
I have tried to add a custom security attributes, I have assigned it to my app. But when I go to the provisioning mapping - the attribute is not in the list of source attributes that I can choose from.
I have also tried to add a custom attribute (which I was able to choose in the provisioning mapping), but I did not find where I can manage the value of this attribute to a user in the Azure AD .It looks like it can only be filled in a user flow (login with SSO) - which is not my case.
I did not find a way to create a custom attribute for a group and manage its values in the Azure AD and then add to provisioning group mapping.
I saw that there are extension attributes, but where in Azure AD I can enter data to these attributes for a specific users or groups?
Can anyone help?
Is there a completely different way to add extra information to user / group and send it from Azure AD to my app using SCIM?
• When you provision an application in Azure AD through SCIM (System for Cross-Domain Identity Management) for the purpose of provisioning the Azure AD users to the ‘Enterprise application’ created in Azure AD tenant, you enter the URL of the application’s SCIM endpoint as ‘https://api.contoso.com/scim/’ and since it requires an OAuth bearer token from an issuer other than Azure AD as it can validate this token issued by the Azure AD itself. Therefore, in the ‘Mappings’ section of the ‘Provisioning’ section for the Azure AD enterprise application, you have the option for reviewing the attributes that are synchronized from Azure AD to the SCIM provisioned app. These attributes are selected as ‘Matching’ properties and are used to match the users and groups in your app for update operations.
Also, to add the extension attributes to the user in Azure AD for them to be exported to the SCIM provisioned application, you will need to create a dynamic group with members added to them via a dynamic query as shown below. Before that, you will have to synchronize the extension attributes through Azure AD connect utility from the on-premises AD that were created there already. Then, these already created extension attributes can be selected to be mapped with the SCIM provisioned app as below: -
Complete the expression to suit your requirements. As above, the rule is set to ‘(user.extension_9d98ed114c4840d298fad781915f27e4_division -eq "Sales and marketing")’.
• Secondly, you can also create extension attributes for users that are to be synchronized from Azure AD to the SCIM provisioned application through Microsoft Graph API as shown below: -
First, create a ‘GET’ request to the object ID of the SCIM provisioned application to check the request sent status success. Then, send a ‘POST’ request to the object ID of the SCIM provisioned application as shown below with the custom extension attribute in the body of the request: -
Now, since this custom extension attribute is created without any value, you will have to update this attribute with a value so that this attribute is synchronized to the SCIM provisioned application accordingly as shown below: -
Thus, as shown above, you can add custom extension attributes to any Azure AD user and synchronize these attribute values to the SCIM provisioned app.
For more detailed information on the above, please refer to the below links: -
https://learningbydoing.cloud/blog/getting-started-with-azuread-extension-attributes/#:~:text=Go%20to%20the%20Azure%20AD,settings%20default%20and%20click%20Register.
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-directory-extensions
Are Azure Active Directory app roles only supported for accounts in the same tenancy?
I am trying to use Azure Active Directory to authenticate users both on my tenancy, others, and social accounts, and be able to manually assign different app-level roles.
What I would like:
Users would sign up using any of these methods, and I would see them in the 'Users and groups' blade of the Enterprise Application in Azure portal (or I could invite them). I would assign app roles (roles specific to my app, eg engineer/technician/residential user) via the 'Add user/group' button.
When logging in to my app, I retrieve the app roles via idTokenClaims.roles[]
What happens instead:
This works fine for user accounts already in my Azure tenancy. But for other Microsoft accounts (eg theirname#outlook.com or MS accounts created with any email address), the user doesn't appear in Azure portal after logging in unless I manually invite them. After inviting them (and accepting the invite), I see a user like theirname_outlook.com#EXT##mytenancy.onmicrosoft.com. I can assign app roles to this user, but their idTokenClaims.roles[] is not returned.
Other social accounts (eg Twitter, facebook) seem to not be supported at all
What else I tried
I also investigated AD B2C, which gives the developer more control over the login flow, and supports other social accounts other than MS (which looks good), but it seems that doesn't support app roles at all.
Am I trying to use the wrong tool for the job?
All I want to do is support any user to sign up to my app, and for an admin to set what their app-specific roles should be.
Update
I am using the MSAL auth library, following the instructions
https://login.microsoftonline.com/Enter_the_Tenant_Id_here should be one of the following:
If your application supports accounts in this organizational directory, replace this value with the Tenant ID or Tenant name. For example, contoso.microsoft.com.
If your application supports accounts in any organizational directory, replace this value with organizations.
If your application supports accounts in any organizational directory and personal Microsoft accounts, replace this value with common.
To restrict support to personal Microsoft accounts only, replace this value with consumers.
Because I wanted this to work with any social account, I chose https://login.microsoftonline.com/common. This shows a UI that allows you to use any organisation or personal MS account, or sign up for a personal MS account with any email address. But I noticed the objectId returned for personal accounts is different to the id when I manually invite the account in azure portal. I changed to use my TenantID instead, and that worked. Personal accounts that have been previously invited via portal can log in. Other personal accounts get an error and cant log in. App roles are now returned for these personal accounts. This now partially solves my original problem, but I still have some unsolved issues:
this method shows a slightly different UI that doesn't allow the user to sign up for a new MS account in this flow
I still can't use other oauth accounts eg Twitter/Facebook. Do these not support app roles at all?
the instructions quoted above seem incorrect, clearly it is possible to log in using "accounts in any organizational directory and personal Microsoft accounts" via TenentID, not common, once they've been invited to the app
App roles absolutely support guest accounts. But as you can see, the id token of the guest account does not seem to contain the roles claim, and it is not clear whether this is by design. But the roles claim will appear in the access token.
I think an access token you can be used, and the access token also contains user information.
In Azure AD i have a multi-tenant Enterprise Application and App registration that are accessed through SAML2. I receive a limited set of users attributes, including tenant-id, email, first name, last name. But the organisation that the user belongs to, has defined extension attributes in their on-premise AD that i want to consume in my application. Also i would like to receive the jobTitle and Department in the application. The organisation says they have set up synchonisation of the attributes from their on-premise AD to Azure.
I have added the attributes i want under the Enterprise Application -> Single sign-on -> User Attributes and Claims -> Additional claims. But i am obviously still missing some configuration somewhere because they do not appear in the SAML2 token.
Which API permissions do i need to grant my application to pass these attributes through to the SAML2 token? Do i need to add something else to map these attributes?
when you set up a multitenant app, when your client's users / tenant signs in, it actually creates an "enterprise application" (service principal) in their tenant for your app. https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-convert-app-to-be-multi-tenant#understand-user-and-admin-consent
As per that, your client would have to go into the SSO (saml) setup screens for your app in their own tenant and customize the claims that they will emit to your application. It doesn't matter if you add the attribute claims to your own SSO setup. thats for your tenant, not theirs.
It turns out that the Single Sign On properties are not visible in the Service Principal, because the proper tags are not set in the Application registration.
After using Microsoft Graph Explorer to see the properties of a working Service Principal with SSO properties, i noticed that it had a tag set that was absent in the Service Principal without SSO properties in the portal.
In the Application Registration manifest i set:
"signInAudience": "AzureADMultipleOrgs",
"tags": [
"WindowsAzureActiveDirectoryCustomSingleSignOnApplication",
"webApp",
"notApiConsumer"
],
Then recreated the service principal in a guest tenant using an adminconsent link (https://login.microsoftonline.com/[guest tenant domain]/v2.0/adminconsent?client_id=[app registration id]...) the portal displayed the Single Sign On settings in the guest tenant.
The Azure portal seems to display SSO properties for Service Principals associated with Application registrations that have the WindowsAzureActiveDirectoryCustomSingleSignOnApplication tag.
To summarise:
Set the WindowsAzureActiveDirectoryCustomSingleSignOnApplication tag in the Application registration manifest.
Create a Service Principal in the Owning Tenant if you haven't done that already.
Use an adminconsent url to create a Service Principal in the Guest tenant.
Have the Guest Tenant Administrator fill in the single sign on properties to add the required attributes.
The attributes are returned to the application in the SAML2 token
I've built a react app (using CRA) and am attempting to secure it using MSAL.js, granting access to only those people within an Azure AD Security Group. The following doc suggests it might be possible to do just this through configuration, by setting the 'authority' property:
https://learn.microsoft.com/en-gb/azure/active-directory/develop/msal-js-initializing-client-applications
e.g. Authority: https://login.microsoftonline.com/<tenant>
where the is a "GUID representing the TenantID property of the directory used only to sign in users of a specific organization"
What does 'directory' mean in this context?
Should I be able to use the Tenant ID of the Security Group here too?
What does 'directory' mean in this context?
It means the Azure AD Directory, in general, we also called it Azure AD Tenant.
You can find the Tenant ID in the portal -> Azure Active Directory.
Should I be able to use the Tenant ID of the Security Group here too?
Yes, you could use the Tenant ID in your case.
We have a multi-tenant Saas application providing sign in using our username/pwd authentication system and using Azure AD (OAuth 2.0 flows). When a user signs in using Azure AD, we can get the user's profile using https://graph.windows.net/{tenantid}/me. We want however to get more information using the memberOf or getMemberGroups operations to retrieve the user's groups in the tenants directory, to map specific groups from the tenant to an organizational structure in our application. However these operations always fail with a Forbidden statuscode. Are we missing required permissions or is it just not possible to query for the groups and roles of another tenant.
Thanks in advance
This is totally possible, but today requires that you request the "Read Directory" permission. This permission does require and admin of the tenant to consent. We are looking at adding some additional fine grained permissions for Graph API that will allow users to consent (to get group membership information).
Another option for you is to configure your application to request group membership claims (which should appear in any user or JWT token). You can do this by going to the azure management portal and getting to your app's config page. From there download the application manifest file and update the groupMembershipClaims property. You can see most of the properties in the application manifest described here: https://msdn.microsoft.com/en-us/library/azure/dn151677.aspx. Once updated, you can upload this app manifest file, and this will configure your application accordingly. Once done, AAD will issue group membership claims in the token. Dushyant has written a nice blog about authorizing access to a web app, using group membership claims or app roles. You can find it via Alex Simons blog post here: http://blogs.technet.com/b/ad/archive/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles.aspx
HTHs