I want to create custom directory role with specific permissions like:
microsoft.directory/users/create
microsoft.directory/users/delete
microsoft.directory/groups/create
microsoft.directory/groups/delete
microsoft.directory/applications/create
microsoft.directory/applications/delete
microsoft.directory/serviceprincipals/create
microsoft.directory/serviceprincipals/delete
I found how to automate this from MS graph:
POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions
Body
{
"description": "Can manage basic aspects of application registrations.",
"displayName": "Application Support Administrator",
"isEnabled": true,
"templateId": "<GUID>",
"rolePermissions": [
{
"allowedResourceActions": [
microsoft.directory/users/create
microsoft.directory/users/delete microsoft.directory/groups/create
microsoft.directory/groups/delete
microsoft.directory/applications/create
microsoft.directory/applications/delete
microsoft.directory/serviceprincipals/create
microsoft.directory/serviceprincipals/delete
]
}
]
}
What is template Id and how to get the value of this?
TIA
Note that, "templateId": "<GUID>" is an optional parameter and you can include it while creating multiple custom directory roles with common parameters.
To get the value of "templateId", you can create one GUID using this PowerShell command: (New-Guid).Guid
I tried to reproduce the same in my environment via Graph Explorer and got below results:
I ran the same query as you and created custom directory role from MS Graph like below:
POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleDefinitions
{
"description": "Can manage basic aspects of application registrations.",
"displayName": "Application Support Administrator",
"isEnabled": true,
"templateId": "38837bf2-39d8-4c14-89f3-3e9c5e6c9b23", //GUID created from PowerShell
"rolePermissions": [
{
"allowedResourceActions": [
"microsoft.directory/users/create",
"microsoft.directory/users/delete",
"microsoft.directory/groups/create",
"microsoft.directory/groups/delete",
"microsoft.directory/applications/create",
"microsoft.directory/applications/delete",
"microsoft.directory/serviceprincipals/create",
"microsoft.directory/serviceprincipals/delete"
]
}
]
}
Response:
When I checked the same in Portal, I am able to find the new custom directory role like below:
To assign this role to user via Graph API, you can make use of below query:
POST https://graph.microsoft.com/v1.0/roleManagement/directory/roleAssignments
{
"principalId":"<GUID OF USER>",
"roleDefinitionId":"<GUID OF ROLE DEFINITION>",
"directoryScopeId":"/<GUID OF APPLICATION REGISTRATION(ObjectID)>"
}
Response:
When I checked the same in Portal, role assigned to user successfully like below:
Related
I'd like to find a way using PowerShell to assign a group to a Intune endpoint security policy like disk encryption or a security baseline for Windows 10 (not iOS or Android). I managed to create policies using PS but can't find how to assign a group.
I used the Graph API to create the policy using https://graph.microsoft.com/beta/deviceManagement/templates/$TemplateId/createInstance.
Any help would be appreciated.
Cheers
The endpoint for a security baseline assignment would look like this:
POST https://graph.microsoft.com/beta/deviceManagement/intents/$IDOFYOURNEWSECURITYBASELINE/assign
Example body for one include and one exclude group:
{
"assignments": [
{
"target": {
"#odata.type": "#microsoft.graph.groupAssignmentTarget",
"groupId": "$IDOFYOURAADGROUPTOASSIGN1"
}
},
{
"target": {
"#odata.type": "#microsoft.graph.exclusionGroupAssignmentTarget",
"groupId": "$IDOFYOURAADGROUPTOASSIGN2"
}
}
]
}
Using the MSFT Graph API, is there a way to differentiate Drives (which are documentLibraries) that are used for Team-Channels versus those that are "simply" documentLibraries created WRT a more generic, SharePoint Online Site?
Retrieving a user's /v1.0/sites?search=* returns a union of SPO Sites the user is a member of and Teams the user is a member of. (Yes, Teams are SPO sites or libraries within a site natively.)
I need to differentiate either the Sites by whether or not they're a Team-Site (because I can then filter Drives returned), or specifically all the Drives returned to differentiate whether the Drive is a Channel-Drive or simply a plain-old documentLibrary that is part of a Site.
Retrieving Sites from Graph shows no apparent properties that indicate what "type" of Site it is, and neither do the Drives queried from each Site (/v1.0/sites/SITE-ID/drives).
Thanks.
One of the way can be check the owner of the drive associated with the site
GET https://graph.microsoft.com/v1.0/sites/{siteId}?$expand=drive
That endpoint will return site info including drive info
{
"description": "...",
"id": "xxx",
...
"drive": {
"description": "",
"id": "xxx",
"driveType": "documentLibrary",
...
"owner": {
"group": {
"email": "xxx",
"id": "42857780-3ab6-412d-a9b8-5e6adc73aabb",
"displayName": "xxx"
}
},
"quota": {}
}
If the owner has property group then you can use group id in the following endpoint
GET https://graph.microsoft.com/v1.0/groups/{groupId}?$select=id,resourceProvisioningOptions
Response:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups(id,resourceProvisioningOptions)/$entity",
"id": "xxx",
"resourceProvisioningOptions": [
"Team"
]
}
select resourceProvisioningOptions which specifies the group resources that are provisioned as part of Microsoft 365 group creation, that are not normally part of default group creation. If one of the value is Team then the drive is used for teams.
Resources:
group
I am trying to get call records from MS Teams and store it in another database and I'm calling callRecord to do that. I am running a python script on a console app and used these steps: (https://learn.microsoft.com/en-us/azure/active-directory/develop/console-app-quickstart?pivots=devlang-python).
I have created a subscription in the function app in the portal, and I'm able to grab the ID from there through an HTTP trigger. The app information is stored in a JSON file, as seen below and that's what I'm running through the script.
{
"authority": "https://login.microsoftonline.com/xxx",
"client_id": "xx",
"scope": [ "https://graph.microsoft.com/.default" ],
"secret": "xx",
"endpoint": "https://graph.microsoft.com/v1.0/communications/callRecords/ID(from subscription)
}
When I run the script, I get this:
Error
Any help would be appreciated!
I'm trying to Share Files on a SharePoint Document Library that I have as a part of an Office 365 Developer Program instance.
My AD has a variety of users, some "native" users created in the AD manually and the rest are "guests" from different domains that my team and I work for.
I'm executing the following API request on the graph via code using NestJs (as per snippet). I've all the required Delegated Permissions in the Application Registration to do everything too.
REST View:
POST /drives/{drive-id}/items/{item-id}/invite
{
"requireSignIn": true,
"sendInvitation": false,
"roles": [
"sp.full control"
],
"recipients": [
{
"email": "xxx.xxx#xxx.com"
}
]
}
Code View:
//build list of all to add: PL, PLB, Main, Current User and whatever is added in DTO
const participantsToAdd = [project.projectLead]
.concat(project.projectLeadBackup)
.concat(project.participants.filter(p => newRoles.includes(p.participantRole.name)).map(p => p.user))
.map(u => ({
oid: u.microsoftId,
mail: u.mail,
}));
const permission = {
recipients: participantsToAdd.map(p => ({ email: p.mail })),
requireSignIn: true,
sendInvitation: false,
roles: ['sp.full control'],
};
// add the right permissions to the file
const result = await client.api(`/drives/${this.libraryId}/items/${fileId}/invite`).post(permission);
The above code is building up a list of "User" objects which contain an "oid" which I use later, and a "mail" object. I give these users "sp.full control" role on a file. Some are granted direct access and others are given links (grantedToIndentities) with write permissions.
This only seems to be happening when Guests on the active directory make the request; though it's only occurring for some guests. Two guest users in particular that I grant access to are fine, they get "Direct Access". Others go into the "link sharing" category. I don't see any differences in the users in AD anywhere.
I've tried looking through all admin sites (SharePoint, M365) and tweaked External Sharing permissions but the problem still persists.
When I invoke the action from a "native" user on AD to the Graph using the same request, it all works fine. All users (native and guests) are added with "direct access".
Can anyone share any thoughts? Hope I've given enough info.
Snippet from Graph response:
Image
I'm trying to use the Sample Graph API app to change a user's password but I'm getting:
Error Calling the Graph API Response:
{
"odata.error": {
"code": "Authorization_RequestDenied",
"message": {
"lang": "en",
"value": "Insufficient privileges to complete the operation."
}
}
}
Graph API Request:
PATCH /mytenant.onmicrosoft.com/users/some-guid?api-version=1.6 HTTP/1.1
client-request-id: ffd564d3-d716-480f-a66c-07b02b0e32ab
date-time-utc: 2017.08.10 03:04 PM
JSON File
{
"passwordProfile": {
"password": "Somepassword1$",
"forceChangePasswordNextLogin": false
}
}
I've tested updating the user's displayName and that works fine.
{
"displayName": "Joe Consumer"
}
AD Application Permissions
I've configured my app permissions as described here.
Check out this article. Seems like it has the same symptoms.
Solution 1:
If you are receiving this error when you call the API that includes only read permissions, you have to set permissions in Azure Management Portal.
Go to Azure Management Portal and click Active Directory.
Select your custom AD directory.
Click Applications and select your Application.
Click CONFIGURE and scroll down to the section 'Permissions to other applications'.
Provide required Application Permissions and Delegated Permissions for Windows Azure Active Directory.
Finally save the changes.
Solution 2:
If you are receiving this error when you call the API that includes delete or reset password operations, that is because those operations require the Admin role of Company Administrator. As of now, you can only add this role via the Azure AD Powershell module.
Find the service principal using Get-MsolServicePrincipal –AppPrincipalId
Get-MsolServicePrincipal | ft DisplayName, AppPrincipalId -AutoSize
Use Add-MsolRoleMember to add it to Company Administrator role
$clientIdApp = 'your-app-id'
$webApp = Get-MsolServicePrincipal –AppPrincipalId $clientIdApp
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId
To connect to your B2C tenant via PowerShell you will need a local admin account. This blog post should help with that, see "The Solution" section.
Try below settings, works for me.
Used the below JSON
{
"accountEnabled": true,
"signInNames": [
{
"type": "emailAddress",
"value": "kart.kala1#test.com"
}
],
"creationType": "LocalAccount",
"displayName": "Joe Consumer",
"mailNickname": "joec",
"passwordProfile": {
"password": "P#$$word!",
"forceChangePasswordNextLogin": false
},
"passwordPolicies": "DisablePasswordExpiration",
"givenName": "Joe",
}
Also make sure you assign the application the user account, administrator role which will allow it to delete users link here