Azure AD Graph API: Is it possible to enumerate all groups associated with an application role? - azure-active-directory

Is it possible to enumerate all users and/or groups associated with an application role using Azure Active Directory Graph API? If not, is there a programmatic work-around (as opposed to using the portal with AD Premium)?
I'm using the Microsoft.Azure.ActiveDirectory.GraphClient NuGet package, which wraps the AD Graph API, to fetch application roles associated with an application instance. Unfortunately the AppRole object doesn't include a method to fetch mapped principals.

If you know the service principal that is associated with an application role, you can query for all the objects associated with that service principal (which include all the app roles):
https://graph.windows.net/myorganization/servicePrincipals/#objectId#/appRoleAssignedTo?api-version=1.5
The documentation for app role assignments is here:
https://msdn.microsoft.com/en-us/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#AppRoleAssignmentEntity

Related

Manage custom attributes for user and group in Azure AD

I have an app that is implementing SCIM 2.0.
I have connected this app to my Azure AD and I am succeeding in provisioning users and groups to my app from Azure AD.
I want to add a custom attribute and manage the value of that attribute in Azure AD for every user or a group and add that data to my provisioning mapping - to send it to my app as part of the provisioning process.
I can't find where in Azure AD I can do that.
I have tried to add a custom security attribute and assigned it to my app. But when I go to the provisioning mapping, the attribute is not in the list of source attributes that I can choose from.
I have also tried to add a custom attribute (which I was able to choose in the provisioning mapping), but I did not find where I can manage the value of this attribute for a user in Azure AD. It looks like it can only be filled in a user flow (login with SSO), which is not my case.
I did not find a way to create a custom attribute for a group, manage its values in Azure AD, and then add it to the provisioning group mapping.
I saw that there are extension attributes, but where in Azure AD can I enter data into these attributes for specific users or groups?
Can anyone help?
Is there a completely different way to add extra information to user / group and send it from Azure AD to my app using SCIM?
• When you provision an application in Azure AD through SCIM (System for Cross-Domain Identity Management) for the purpose of provisioning the Azure AD users to the ‘Enterprise application’ created in Azure AD tenant, you enter the URL of the application’s SCIM endpoint as ‘https://api.contoso.com/scim/’ and since it requires an OAuth bearer token from an issuer other than Azure AD as it can validate this token issued by the Azure AD itself. Therefore, in the ‘Mappings’ section of the ‘Provisioning’ section for the Azure AD enterprise application, you have the option for reviewing the attributes that are synchronized from Azure AD to the SCIM provisioned app. These attributes are selected as ‘Matching’ properties and are used to match the users and groups in your app for update operations.
Also, to add the extension attributes to the user in Azure AD for them to be exported to the SCIM provisioned application, you will need to create a dynamic group with members added to them via a dynamic query as shown below. Before that, you will have to synchronize the extension attributes through Azure AD connect utility from the on-premises AD that were created there already. Then, these already created extension attributes can be selected to be mapped with the SCIM provisioned app as below: -
Complete the expression to suit your requirements. As above, the rule is set to ‘(user.extension_9d98ed114c4840d298fad781915f27e4_division -eq "Sales and marketing")’.
• Secondly, you can also create extension attributes for users that are to be synchronized from Azure AD to the SCIM provisioned application through Microsoft Graph API as shown below: -
First, create a ‘GET’ request to the object ID of the SCIM provisioned application to check the request sent status success. Then, send a ‘POST’ request to the object ID of the SCIM provisioned application as shown below with the custom extension attribute in the body of the request: -
Now, since this custom extension attribute is created without any value, you will have to update this attribute with a value so that this attribute is synchronized to the SCIM provisioned application accordingly as shown below: -
Thus, as shown above, you can add custom extension attributes to any Azure AD user and synchronize these attribute values to the SCIM provisioned app.
For more detailed information on the above, please refer to the below links: -
https://learningbydoing.cloud/blog/getting-started-with-azuread-extension-attributes/#:~:text=Go%20to%20the%20Azure%20AD,settings%20default%20and%20click%20Register.
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-directory-extensions

How to map groups belonging to a User in Azure AD provisioning call

I am setting up an SSO Enterprise App in Azure AD and there is a feature called provisioning which requires a SCIM endpoint for Azure AD to sync users between the SaaS app AD in "real-time".
The application grants access to a user based on the groups the user belongs to. This works well when SAML is used because I can include the groups as part of the SAML request, but I am having a lot of trouble mapping the groups in the SCIM call, using the Provisioning functionality, so that the user does not need to launch the app to be provisioned.
Is there a way I can map the groups a user belongs to as part of the provisioning call?
I have tried mapping different values in the customappsso config with no success.
Azure AD Provisioning manages group objects directly and populates values into each group's "members" attribute. The SCIM protocol does not allow manipulation of a user's group memberships via updates targeted to the user itself.
You should just need to ensure that your SCIM endpoint supports calls to /groups, that you have groups enabled in provisioning, and that the groups are assigned/otherwise in scope for provisioning in the AAD app.

Azure Ad/Microsoft Graph get all users with specific approle

I have an application that uses Azure AD groups to manage authorization of certain actions.
In certain places in the app we want to show the users that are authorized to perform a certain action (for example, approving the publishing of an article).
We use the MS Graph API to retrieve all users in a certain Azure AD group.
Now we want to use app roles in a service principal/app registration, where multiple groups can be added to a specific app role.
Now I want to retrieve a list of users that have a specific app role assigned, either directly or through an AD group added to the app role.
Is there some API to retrieve the users in this way?
In terms of graph, what I believe you are looking for is this: https://learn.microsoft.com/en-us/graph/api/serviceprincipal-list-approleassignedto?view=graph-rest-1.0&tabs=http
This is the Graph endpoint that gets all app role assignments for a given application.
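Both answers above point at appRoleAssignedTo (AD Graph in the first question, Microsoft Graph here) but stop at the endpoint. The following is an added example, not code from either answer, that walks that collection page by page and groups the assigned principals by app role. The sample pages are constructed; fetch_page stands in for an authenticated HTTP GET. It handles both response shapes: AD Graph pages with odata.nextLink and exposes the role id as id, Microsoft Graph uses @odata.nextLink and appRoleId.

```python
"""Enumerate users/groups assigned to each app role via appRoleAssignedTo.

Added example, not from the original posts. Constructed sample pages below;
replace fetch_page with a real authenticated GET to run against a tenant."""
from collections import defaultdict

# Constructed sample: two pages in AD Graph shape (role id in "id").
SAMPLE_PAGES = {
    "page1": {
        "value": [
            {"id": "role-a", "principalId": "u1", "principalType": "User",
             "principalDisplayName": "Alice"},
            {"id": "role-a", "principalId": "g1", "principalType": "Group",
             "principalDisplayName": "Editors"},
        ],
        "odata.nextLink": "page2",
    },
    "page2": {
        "value": [
            {"id": "role-b", "principalId": "g2", "principalType": "Group",
             "principalDisplayName": "Publishers"},
            {"id": "role-a", "principalId": "sp1",
             "principalType": "ServicePrincipal",
             "principalDisplayName": "Build bot"},
        ],
    },
}


def fetch_page(link):
    """Stand-in for an HTTP GET; returns the constructed JSON page."""
    return SAMPLE_PAGES[link]


def iter_assignments(first_link, fetch=fetch_page):
    """Yield every appRoleAssignment, following nextLink until exhausted."""
    link, seen = first_link, set()  # 'seen' guards against a looping skiptoken
    while link and link not in seen:
        seen.add(link)
        page = fetch(link)
        yield from page.get("value", [])
        link = page.get("odata.nextLink") or page.get("@odata.nextLink")


def principals_by_role(first_link, fetch=fetch_page):
    """Map app role id -> list of (principalType, principalId, displayName)."""
    roles = defaultdict(list)
    for a in iter_assignments(first_link, fetch):
        role_id = a.get("appRoleId", a.get("id"))  # MS Graph vs AD Graph key
        roles[role_id].append((a["principalType"], a["principalId"],
                               a.get("principalDisplayName")))
    return dict(roles)


def groups_for_role(first_link, role_id, fetch=fetch_page):
    """Only the group principals for one role (the first question's ask)."""
    return [p for p in principals_by_role(first_link, fetch).get(role_id, [])
            if p[0] == "Group"]
```

Group principals are returned as group objects only; listing the users behind them needs a separate members query per group id, which this block does not perform.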

Microsoft Graph list RBACRoleAssignments by resourceScope

I would like to list the roleAssignments of a group with the Graph API.
But I only see an API to list whole roleAssignments.
I tried to filter by resourceScopes/scopeMembers using a $filter clause, but it's not working.
Should I filter this whole list myself or is there any other way to do it?
It seems like you are looking for Azure RBAC role assignments.
These are different from what you've linked to, which are Intune device management role assignments (which are specific to Intune RBAC roles). They are also different from Azure AD app role assignments (which are for assigning an app or a user/group to another app's role), and Azure AD directory role membership (which is for assigning users to directory roles).
You can list all Azure RBAC role assignments using the Azure Management API. You can also filter this request by scope and/or by which user, group or app the role assignment is for.
For example, to list all the scopes a group {group-id} has been assigned to for a subscription {sub-id}:
GET https://management.azure.com/subscriptions/{sub-id}/providers/Microsoft.Authorization/roleAssignments?api-version=2015-07-01&$filter=principalId%20eq%20'{group-id}'
For more details, you can read Manage Role-Based Access Control with the REST API.

Querying a tenants Azure AD from a multi-tenant Application

We have a multi-tenant SaaS application providing sign-in using our username/password authentication system and using Azure AD (OAuth 2.0 flows). When a user signs in using Azure AD, we can get the user's profile using https://graph.windows.net/{tenantid}/me. We want, however, to get more information using the memberOf or getMemberGroups operations to retrieve the user's groups in the tenant's directory, to map specific groups from the tenant to an organizational structure in our application. However, these operations always fail with a Forbidden status code. Are we missing required permissions, or is it just not possible to query for the groups and roles of another tenant?
Thanks in advance
This is totally possible, but today requires that you request the "Read Directory" permission. This permission does require an admin of the tenant to consent. We are looking at adding some additional fine-grained permissions for Graph API that will allow users to consent (to get group membership information).
Another option for you is to configure your application to request group membership claims (which should appear in any user or JWT token). You can do this by going to the Azure management portal and getting to your app's config page. From there, download the application manifest file and update the groupMembershipClaims property. You can see most of the properties in the application manifest described here: https://msdn.microsoft.com/en-us/library/azure/dn151677.aspx. Once updated, you can upload this app manifest file, and this will configure your application accordingly. Once done, AAD will issue group membership claims in the token. Dushyant has written a nice blog about authorizing access to a web app using group membership claims or app roles. You can find it via Alex Simons' blog post here: http://blogs.technet.com/b/ad/archive/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles.aspx
HTHs
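The answer above describes turning on group membership claims via the manifest but not how an application consumes them. The following is an added example, not code from the answer, showing the consuming side: decoding the token payload and mapping the groups claim to the application's own roles. ALLOWED_GROUPS and the token contents are constructed; the block assumes the token's signature, issuer and audience have already been validated by your OIDC library, since it does no signature check itself. It also goes one step beyond the answer by recognising the overage case, where Azure AD omits the groups claim for users in many groups and instead emits _claim_names/_claim_sources pointing back to Graph.

```python
"""Map Azure AD group membership claims to application roles.

Added example, not from the original answer. Decodes a JWT payload only;
signature validation must already have happened upstream."""
import base64
import json

# Constructed mapping from tenant group object ids to this app's roles.
ALLOWED_GROUPS = {"g-editors-id": "editors", "g-admins-id": "admins"}


def _b64url_decode(segment):
    """Base64url without padding, as used in compact JWS serialisation."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def token_claims(token):
    """Return the payload claims of a compact JWT. No signature check here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def mapped_roles(claims):
    """Translate the 'groups' claim into app roles; None signals overage.

    When the user is in too many groups Azure AD drops 'groups' and lists it
    under '_claim_names'; the caller must then call getMemberGroups on Graph.
    """
    if "groups" not in claims and "groups" in claims.get("_claim_names", {}):
        return None
    # Unknown group ids are ignored rather than granted anything.
    return sorted({ALLOWED_GROUPS[g] for g in claims.get("groups", [])
                   if g in ALLOWED_GROUPS})


def make_unsigned_token(payload):
    """Build a constructed test token; header and signature are dummies."""
    def enc(d):
        return base64.urlsafe_b64encode(
            json.dumps(d).encode()).rstrip(b"=").decode()
    return enc({"alg": "none"}) + "." + enc(payload) + ".sig"
```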
