Mapping AAD Directory Roles permissions to Graph permissions - microsoft-graph-api

I'm trying to programmatically determine which Graph permissions a user inherits when they're assigned to a specific AAD Directory role. When you look at a built-in Azure Active Directory role, its permissions are listed in the form of a path. For example, for the Global Reader role, the first one is
microsoft.directory/accessReviews/allProperties/read, as displayed on the Azure portal
or using the Microsoft.Graph PowerShell module:
PS> $roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq 'Global Reader'"
PS> $roleDef.RolePermissions.AllowedResourceActions
microsoft.directory/accessReviews/allProperties/read
microsoft.directory/accessReviews/definitions/allProperties/read
However, Graph permissions are usually expressed in this format: User.Read, Directory.ReadWrite.All. For example, for a user, you can check its delegated and application permissions with:
Get-MgUserOauth2PermissionGrant -UserId $userId
Get-MgUserAppRoleAssignment -UserId $userId
I have 2 questions:
Why the difference between AAD Role permissions and Graph permissions?
How can I map AAD Directory Role permissions to Graph permissions?

I just got confirmation from a Microsoft engineer that it's not possible to map built-in AAD role permissions to Graph permissions.
Azure AD built-in roles will grant access to data that's also possible through Graph permissions, but Graph permissions allow for more granular management of access to data.
With this said, certain endpoints will require you to have both Azure AD built-in roles and Graph permissions.
For example, the "delete user" endpoint requires the logged-in user to have at least the User Administrator role to proceed.
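Since the two permission models cannot be mapped onto each other, the practical alternative is to list both sides for a given user and read them together. The script below is an added example, not code from the question or the answer; it assumes the Microsoft.Graph PowerShell SDK v2, a session consented for the delegated scopes RoleManagement.Read.Directory and Directory.Read.All, and a placeholder UPN for the user being inspected.

```powershell
# Added example: for one user, list (a) the directory roles assigned to them with
# each role's AllowedResourceActions, and (b) the Graph delegated grants and app
# role assignments that exist on the user's behalf. Neither list derives from
# the other; they are simply shown side by side.
Connect-MgGraph -Scopes "RoleManagement.Read.Directory", "Directory.Read.All"

$userId = (Get-MgUser -UserId "alice@contoso.example").Id   # placeholder UPN (assumption)

# (a) Directory role assignments, expanded to the role definition. For built-in
# roles the roleDefinitionId is the role template id.
$assignments = Get-MgRoleManagementDirectoryRoleAssignment -Filter "principalId eq '$userId'"
foreach ($a in $assignments) {
    $def = Get-MgRoleManagementDirectoryRoleDefinition -UnifiedRoleDefinitionId $a.RoleDefinitionId
    Write-Host "Role: $($def.DisplayName)  (directory scope $($a.DirectoryScopeId))"
    foreach ($action in $def.RolePermissions.AllowedResourceActions) {
        Write-Host "    $action"
    }
}

# (b) Graph-side: delegated consent is recorded as oauth2PermissionGrants
# (these become the scp claim), app roles as appRoleAssignments.
foreach ($g in Get-MgUserOauth2PermissionGrant -UserId $userId) {
    $client = Get-MgServicePrincipal -ServicePrincipalId $g.ClientId
    Write-Host "Delegated to '$($client.DisplayName)' [$($g.ConsentType)]: $($g.Scope.Trim())"
}
foreach ($r in Get-MgUserAppRoleAssignment -UserId $userId) {
    Write-Host "App role $($r.AppRoleId) on '$($r.ResourceDisplayName)'"
}
```

A grant with ConsentType AllPrincipals applies to every user in the tenant and will show up for any user you query; a Principal grant applies only to the one user it was consented for.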

Related

Microsoft Graph PowerShell requires 'admin' consent for User.Read.All, when 'Allow user consent for apps' is selected

I have a requirement to list a subset of my AAD users, identify the manager, and disable the user if the manager is already disabled.
My account has the 'User Administrator' and 'Global Reader' AAD roles.
This task is easy to accomplish using the AzureAD PowerShell cmdlets, however I want to transition to the Microsoft Graph cmdlets.
I understand that I need the scope User.Read.All so I execute the following command:
Connect-MgGraph -Scopes "User.Read.All"
When I log in via the web interface, I am shown a dialog stating that I need consent from an admin (which I understand to be a user with an AAD role of Global Administrator or Application Administrator).
In my tenant, under 'Enterprise Applications > User Consent Settings', the option 'Allow user consent for apps' is selected.
This seems like a step backwards to me. My user has the necessary permissions to perform the required actions, but because MS Graph uses an Enterprise App I need an administrator to grant consent.
My questions are:
Will the admin consent dialog appear every time I execute Connect-MgGraph with a given scope, or just the first time?
Is there a way to achieve my requirement without admin consent?
Question 1
Admin consent can be given in 2 contexts:
On behalf of a specific user
On behalf of your organization (all users)
In the admin consent dialog box, which context applies is controlled by the checkbox Consent on behalf of your organization.
If you do not give consent on behalf of the entire organization, the admin consent dialog will appear for each user, until consent has been granted either for that user, or the entire organization.
Question 2
There are 2 types of permissions:
Delegated (aka Scope)
Application (aka Role)
All Application permissions require admin consent, and SOME delegated permissions require admin consent.
This document details which MS Graph permissions require admin consent, from the column Admin Consent Required
Microsoft Graph permissions reference
You can see that the User.Read.All delegated permission is one that does require admin consent
User.Read.All permission reference
There's no way around this without granting admin consent. This provides a way to control access to applications on a more granular level.
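The Admin Consent Required column in the permissions reference is also available from the directory itself: every delegated scope published by the Microsoft Graph service principal carries a Type of "User" (a user may self-consent when the tenant allows it) or "Admin" (an administrator must consent). The script below is an added example, not code from the question or the answer; it assumes the Microsoft.Graph PowerShell SDK v2, an existing session consented for Application.Read.All (itself an admin-consent scope, so an admin or Global Reader typically runs this), and a sample list of scopes that is not from the original post.

```powershell
# Added example: before running Connect-MgGraph with a set of scopes, find out
# which of them will raise the admin consent dialog, by reading the Type of each
# delegated scope published by the Microsoft Graph service principal.
$graphAppId = "00000003-0000-0000-c000-000000000000"   # well-known appId of Microsoft Graph
$wanted = @("User.Read", "User.Read.All", "Directory.Read.All", "Mail.Read")   # sample request (constructed)

$graphSp = Get-MgServicePrincipal -Filter "appId eq '$graphAppId'"

# Index the published delegated scopes by their value (e.g. "User.Read.All").
$byValue = @{}
foreach ($s in $graphSp.Oauth2PermissionScopes) { $byValue[$s.Value] = $s }

foreach ($scope in $wanted) {
    $s = $byValue[$scope]
    if (-not $s) {
        Write-Host ("{0,-22} not a delegated Graph scope (application permission or typo)" -f $scope)
        continue
    }
    $who = if ($s.Type -eq "Admin") { "ADMIN consent required" } else { "user may consent" }
    Write-Host ("{0,-22} {1}" -f $scope, $who)
}

# Scopes already consented for the current session can be compared against $wanted.
Write-Host "Session scopes: $((Get-MgContext).Scopes -join ', ')"
```

Running this with the sample list shows User.Read and Mail.Read as user-consentable and User.Read.All and Directory.Read.All as admin-only, matching the permissions reference linked in the answer.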

Verify user has the "Global Reader" role in Azure AD

I created an app that displays SignInActivity pulled from a Microsoft Graph api query.
When running as a normal user it gives the error: User is not in the allowed roles.
To fix this error you need to give the user the "Global Reader" role within o365.
Questions:
Is there an App security scope that will allow a user to view SignInActivity even if they don't have the "Global Reader" role?
The app already has the scope AuditLog.Read.All. This was needed to run the query.
Is there a way to use Microsoft Graph api to verify a user has the "Global Reader" role?
You can check the scopes through the Microsoft Graph API by decoding the access token. You can try to log in to https://developer.microsoft.com/en-us/graph/graph-explorer with a work or school account (Azure AD), then look inside the access token to see a list of permissions by decoding the access token at https://jwt.io/
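Decoding the token shows what it carries: delegated scopes in scp, application permissions in roles, and the directory role template ids of the signed-in user in wids. That answers "does this token reflect Global Reader" locally; to verify role membership against the directory rather than trust a pasted token, query the role assignment. The script below is an added example, not code from the question or the answer; it assumes the Microsoft.Graph PowerShell SDK v2, a session consented for RoleManagement.Read.Directory, and an access token in $accessToken obtained elsewhere (placeholder).

```powershell
# Added example: inspect an access token's permission claims offline, then check
# Global Reader membership in the directory.
# Base64url-decode the JWT payload. This reads claims only; it does NOT verify
# the signature, so use it for inspection, never as an authorization decision.
function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw "Not a compact JWS token" }
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
    }
    $json = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

$accessToken = "<paste the app's access token here>"   # placeholder (assumption)
$claims = ConvertFrom-JwtPayload -Token $accessToken

Write-Host "scp   (delegated scopes):        $($claims.scp)"
Write-Host "roles (application permissions): $($claims.roles -join ', ')"
Write-Host "wids  (directory role templates): $($claims.wids -join ', ')"

# Resolve 'Global Reader' to its definition (Id equals the template id for
# built-in roles) and compare with both the token and the directory.
$globalReader = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Global Reader'"
$inToken = [bool]($claims.wids -contains $globalReader.TemplateId)

$userId = $claims.oid   # object id of the signed-in user in a delegated token
$assignment = Get-MgRoleManagementDirectoryRoleAssignment `
    -Filter "principalId eq '$userId' and roleDefinitionId eq '$($globalReader.Id)'"
$inDirectory = [bool]$assignment

Write-Host "Global Reader in token: $inToken ; in directory: $inDirectory"
```

The two answers can legitimately differ: wids reflects the roles at the time the token was issued, so a role added or removed afterwards shows up in the directory check first.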

Graph API to change another users password

1- We created a webpart to change a user's password using app services / graph api (/users/username {passwordProfile:{"password":"xxxx"}})
2- Because Directory.AccessAsUser.All is a delegated permission we need to add the user to the right role in order to get the access to change the password.
3- We tried adding the user to different roles and none of them worked but global admin. We always got "insufficient privileges to complete the operation".
Is there a way to do this with less privilege than Global Admin?
Password changing is one of those privileged roles that cannot be just given in application api permissions.
2. That is correct. The Directory.AccessAsUser.All permission is delegated only, which means only users with the correct role can perform the functionality. See below for roles that can change passwords.
You should be able to change the passwords using the application only, without delegated permissions for Graph. You can if you assign the service principal of the app (app registration) to the Password Administrator role in Azure AD. If you manage any other properties, you may be better off giving it the Helpdesk Administrator role. The same applies for the delegated user: if you put them in one of those 2 roles they should have access to change the passwords.
If you want to give a role other than Global Admin role you can try with the Privileged authentication administrator which can also help you modify the password for other users.
Make sure you have the Directory.AccessAsUser.All permission as well with the role to modify passwordProfile property.
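The least-privilege route from the answers, written out: assign the Password Administrator role to the app's service principal once, then let the app reset the password with its own application identity. The script below is an added example, not code from the question or the answers; it assumes the Microsoft.Graph PowerShell SDK v2, that step 1 is run by an administrator whose session is consented for RoleManagement.ReadWrite.Directory, that step 2 runs in a session signed in as the app (certificate or client secret), and placeholder ids and UPNs marked in the comments.

```powershell
# Added example: reset another user's password with Password Administrator
# instead of Global Administrator.
$clientAppId = "00000000-0000-0000-0000-000000000000"   # placeholder: the web part's app registration
$targetUpn   = "carol@contoso.example"                  # placeholder: user whose password is reset

# --- Step 1 (admin, run once): assign the role at tenant scope "/" to the app's service principal.
$sp   = Get-MgServicePrincipal -Filter "appId eq '$clientAppId'"
$role = Get-MgRoleManagementDirectoryRoleDefinition -Filter "displayName eq 'Password Administrator'"
New-MgRoleManagementDirectoryRoleAssignment -PrincipalId $sp.Id -RoleDefinitionId $role.Id -DirectoryScopeId "/"

# --- Step 2 (the app): generate a random temporary password and PATCH passwordProfile,
# the same request shape the question used.
$bytes = [byte[]]::new(18)
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$tempPassword = [Convert]::ToBase64String($bytes)   # 24 chars of upper/lower/digits (+ and / possible)

$body = @{
    passwordProfile = @{
        password                      = $tempPassword
        forceChangePasswordNextSignIn = $true   # the user picks their own password at next sign-in
    }
}
Invoke-MgGraphRequest -Method PATCH -Uri "https://graph.microsoft.com/v1.0/users/$targetUpn" -Body $body

# The temporary password is handed to the user out of band; never log it.
Write-Host "Password reset issued for $targetUpn; user must change it at next sign-in."
```

Password Administrator can reset passwords of non-administrators only. If the target user holds an admin role, the directory rejects the call and the higher role named in the last answer (Privileged Authentication Administrator) is the one that applies.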

Microsoft Graph api query for granted application permission by administrator

I am integrating my SPA web app with Microsoft 365. I have got a question regarding permissions which were granted while integrating with M365.
After successful integration and approval of the permissions by an admin in the pop-up login window, I would like to query the Graph API for the permissions that were granted by the administrator, in order to enumerate them on the front end and show our user which permissions were requested and which are granted.
I know there are resources to check granted permissions, but those are for example for drives or SharePoint user groups. I was unsuccessful in finding any kind of resource that I could call in the Graph API to give me all permissions granted for the application itself. It is important for me to get this information because a user can log in to M365 Azure Active Directory and remove one of the granted permissions. In such a case my app will not be notified in any way about that change, and reaching out for, let's say, a user's Message resource without a signed-in user will not be possible.
Thanks in advance for any help
You can use:
1. List oauth2PermissionGrants: all delegated (user) permissions granted.
2. List appRoleAssignments granted to a service principal: application permissions granted to other applications through their service principals.
3. List oauth2PermissionGrants: delegated (user) permissions granted for a specific application through its service principal.
2 and 3 use the beta endpoint, which is subject to change and not supported in production applications.
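The three listings from the answer, pulled for one application and made readable: delegated grants show the scope string and who the consent covers, while application permissions come back as appRole GUIDs that have to be resolved against the resource's published appRoles. The script below is an added example, not code from the question or the answer; it uses the v1.0 cmdlets of the Microsoft.Graph PowerShell SDK v2, assumes a session consented for Application.Read.All and DelegatedPermissionGrant.Read.All, and a placeholder client id.

```powershell
# Added example: enumerate everything currently granted to one application,
# delegated and application permissions alike, with human-readable names.
$clientAppId = "00000000-0000-0000-0000-000000000000"   # placeholder: your app registration's client id

$clientSp = Get-MgServicePrincipal -Filter "appId eq '$clientAppId'"
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"   # Microsoft Graph

# 1) Delegated grants for this client: one grant per resource and consent context.
Write-Host "== Delegated permissions =="
foreach ($g in Get-MgServicePrincipalOauth2PermissionGrant -ServicePrincipalId $clientSp.Id) {
    $resource = (Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId).DisplayName
    $covers = if ($g.ConsentType -eq 'AllPrincipals') { 'all users' } else { "user $($g.PrincipalId) only" }
    foreach ($scope in ($g.Scope.Trim() -split '\s+')) {
        Write-Host ("{0,-30} on {1,-20} ({2})" -f $scope, $resource, $covers)
    }
}

# 2) Application permissions: appRoleAssignments whose AppRoleId is an appRole
#    on the resource. Build a GUID -> name map from the resource's AppRoles.
Write-Host "== Application permissions =="
$roleNames = @{}
foreach ($r in $graphSp.AppRoles) { $roleNames[$r.Id] = $r.Value }
foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $clientSp.Id) {
    $name = if ($roleNames.ContainsKey($a.AppRoleId)) { $roleNames[$a.AppRoleId] } else { $a.AppRoleId }
    Write-Host ("{0,-30} on {1}" -f $name, $a.ResourceDisplayName)
}
```

Only the Graph service principal's appRoles are indexed here; for assignments against other resources (SharePoint, Exchange) the same map can be built from that resource's AppRoles. Because the directory does not push a notification when a grant is removed, running this at sign-in and comparing the result with the list the app needs is how the front end can show "requested vs granted".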

Microsoft graph api- Planner permissions

I am building an app where anybody in my organization can create planner task under a specified plan.
I am using Azure AD v2 endpoints for getting access token:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize
https://login.microsoftonline.com/common/oauth2/v2.0/token
And using that access token to make POST request to following endpoint:
https://graph.microsoft.com/v1.0/planner/tasks
I have registered my App on: https://apps.dev.microsoft.com
And given necessary delegated and application permissions EDIT: i.e. Group.ReadWrite.All
(along with many others)
I (having admin rights) am able to create planner tasks using the API calls but no one else in the organization can. The user gets this error message:
Need admin approval
Planner Task App
Planner Task App needs permission to access resources in your organization that
only an admin can grant. Please ask an admin to grant permission to this
app before you can use it.
I know that this user account has required permissions (because when using graph explorer api calls with same account, it works) so the problem lies in App permissions.
Any help is highly appreciated.
EDIT:
Bearer token for Admin (where app successfully creates a planner task):
eyJ0eXAiOiJKV1QiLCJub25jZSI6IkFRQUJBQUFBQUFCSGg0a21TX2FLVDVYcmp6eFJBdEh6MmtUREpfbzduN3lETXJvVzhkUjR1YWZVZ050OEctbmhuNm5HalpvN1p5SDNqNEl0a3E5N3lFX091cEI2eEdITVVpcWpfeFVkdkFWdmx2SVgtV3FlSmlBQSIsImFsZyI6IlJTMjU2IiwieDV0IjoiRlNpbXVGckZOb0Mwc0pYR212MTNuTlpjZURjIiwia2lkIjoiRlNpbXVGckZOb0Mwc0pYR212MTNuTlpjZURjIn0.….T50Ae8vFtdobi4GFHL4o-rqU9sbNYqhhV0KRcA7HYzUI-4M4Latma8kJ7ssqx4djdQigPnjJTCVOg9oFBXE_iSWRPbZbRGbfuvwj9iPePCtzCERZwWn0bHOltk0o0LFWW1UoplUsMJJgxoZyeMlruWBxOIQXOQxRnHlnmMLzU-Nwr2Ex87hAMnFPBN7uD9x7WIJtc3vO-sIecKLmwKgchfbI8vIXMOgs1DsVByWBljHSN-DJ9FwxklS_r-Hco9x6g5SPJ_gXfANL8KXXK51D1Xnc7TKd3IebnjermycCKw5t-ViNPlX0r-og4iKsT2oo_k1UTi5-TO2mMIKPXMjirQ
Even after Admin has given consent to the app using (https://login.microsoftonline.com/common/adminconsent?client_id=my-app-id&state=12345&redirect_uri=https://localhost/myapp), non-admin user gets this:
As you mentioned, you are adding a planner task, not just reading data, so you have to grant the permission Group.ReadWrite.All accordingly. Please check the permission and confirm this.
ref: https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/planner_post_tasks
In order to use Group.ReadWrite.All you need the consent of a tenant Admin. To obtain this you need to have an Admin on the tenant execute the Admin Consent process.
I have a walkthrough that might help you here:
v2 Endpoint & Consent (explains the various consent workflows involved)
v2 Endpoint & Admin Consent (explains how to obtain Admin Consent)
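A "Need admin approval" prompt that appears for everyone except the admin usually means the consent that exists is a per-user grant (consentType Principal, principalId of the admin who clicked through) rather than the tenant-wide grant (AllPrincipals) that the adminconsent endpoint creates. The script below is an added example, not code from the question or the answers; it assumes the Microsoft.Graph PowerShell SDK v2, a session consented for Application.Read.All and DelegatedPermissionGrant.Read.All, a placeholder client id and UPN, and a sample scope list that is not from the original post.

```powershell
# Added example: diagnose which of the app's required scopes are consented
# tenant-wide, which only for one user, and which not at all; print the admin
# consent URL (same shape as in the question, tenant id instead of /common)
# when something is missing.
$clientAppId = "00000000-0000-0000-0000-000000000000"   # placeholder: the Planner app's client id
$required    = @("Group.ReadWrite.All", "User.Read")    # sample: scopes the app requests (constructed)
$userUpn     = "bob@contoso.example"                    # placeholder: a non-admin who sees the prompt

$clientSp = Get-MgServicePrincipal -Filter "appId eq '$clientAppId'"
$graphSp  = Get-MgServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
$userId   = (Get-MgUser -UserId $userUpn).Id

$tenantWide  = @()
$forThisUser = @()
foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($clientSp.Id)'") {
    if ($g.ResourceId -ne $graphSp.Id) { continue }         # only grants against Microsoft Graph
    $scopes = $g.Scope.Trim() -split '\s+'
    if ($g.ConsentType -eq 'AllPrincipals') { $tenantWide  += $scopes }
    elseif ($g.PrincipalId -eq $userId)     { $forThisUser += $scopes }
}

$missing = @()
foreach ($s in $required) {
    $state = if ($tenantWide -contains $s)     { 'tenant-wide' }
             elseif ($forThisUser -contains $s) { 'this user only' }
             else                               { $missing += $s; 'MISSING' }
    Write-Host ("{0,-24} {1}" -f $s, $state)
}

if ($missing.Count -gt 0) {
    $tenantId = (Get-MgContext).TenantId
    $url = "https://login.microsoftonline.com/$tenantId/adminconsent?client_id=$clientAppId" +
           "&state=12345&redirect_uri=https://localhost/myapp"
    Write-Host "Missing tenant-wide consent for: $($missing -join ', ')"
    Write-Host "An administrator needs to complete: $url"
}
```

If Group.ReadWrite.All reports "this user only" for the admin's own account and "MISSING" for $userUpn, the admin consented for themselves in the normal sign-in dialog instead of completing the adminconsent flow; once the AllPrincipals grant exists, the prompt stops for every user.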
