I'm using SecureApp Model to connect to partner tenants with an App Registration.
MgGraph doesn't seem to pass through application permissions.
Using Get-MgUser -Property MailboxSettings errors out with access denied.
I have set the application and delegate permissions in the app for MailboxSettings.Read
Related
I have added a custom User Attribute named Company Name via:
Azure AD B2C > User attributes
so that this information can be returned in the identity token after successful sign in.
I want to update these values for each user in the Azure AD B2C tenant.
As I understand it:
I cannot update these values via Azure Portal
The only way to update these values is via Microsoft Graph, specifically these methods:
Get user
Update user
I don't want to have to create an application just to be able to perform this basic administrative task.
So I am looking at:
Microsoft Graph PowerShell SDK
I installed the Microsoft Graph PowerShell SDK in PowerShell 7.
I was prompted to sign in via the browser after running this command:
Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All"
At this point I was confused which credentials to login with.
I logged in using my 'home tenant' Azure AD credentials.
(i.e the admin credentials of the Azure AD tenant from which I created the Azure AD B2C tenant - which then automatically created a guest account in the B2C tenant with the user principal name of info_my-home-tenant.onmicrosoft.com#EXT##my-dev-tenant.onmicrosoft.com).
I made the decision because I don't think I have any Azure AD B2C credentials.
(to access Azure AD B2C when I am logged into Azure Portal with my Azure AD credentials, I just click on 'switch directory').
I then ran:
Get-MgUser
And it, predictably, returned the users from my home Azure AD tenant, not the Azure AD B2C tenant.
So my question is:
In PowerShell 7, with the Microsoft Graph PowerShell SDK installed, how do I sign in so that I can interact with the Azure AD B2C tenant users, rather than my 'home' directory tenant users.
EDIT:
I started trying to follow the process described here:
Use app-only authentication with the Microsoft Graph PowerShell SDK
The first step is:
You'll need an X.509 certificate installed in your user's trusted store on the machine where you'll run the script
I created an Application Registration, however in the Certificates & secrets section it says:
Please note certificates cannot be used to authenticate against Azure AD B2C.
I agree this is tricky. Below are the steps you can use to successfully sign in to Azure AD B2C using Microsoft Graph SDK, and update a user's custom attribute value.
This post is divided into two sections:
Variables (which lists the variable values required and where to find them)
Commands (which lists the commands required)
This post assumes we have a custom attribute named Company Name defined in Azure AD B2C:
PowerShell Microsoft Graph SDK Reference
To orientate yourself, here is the link to the Microsoft.Graph.Users section:
Microsoft.Graph.Users
Variables
Below are the variables that will be referenced in this post and where to find them.
You might want to grab them at the start of the process so you can easily reference them later.
azure_ad_b2c_tenant_id
Azure AD B2C directory > Azure AD > Tenant ID
extensions_app_id
Azure AD B2C > App registrations > [ select 'All applications' ]
Click on the item named:
b2c-extensions-app. Do not modify. Used by AADB2C for storing user data.
Copy the Application (client) ID value
Remove the dashes from this value when using it in PowerShell
custom_attribute_property
This is a string of concatenated values with this syntax:
extension_<your-extensions-app-application-id>_<your-custom-attribute>
For example: extension_lalala1234etc_CompanyName
user_id
Azure AD B2C > Users > [ click on desired user ] > Object ID
Commands
01. Connect to your Azure AD B2C tenant
Connect-MgGraph -TenantId "<azure_ad_b2c_tenant_id>" -Scopes "User.ReadWrite.All"
This will prompt you to login with your Azure AD home tenant credentials.
02. Sanity check - list all users to confirm you are in the right tenant
Get-MgUser
// you can make the results prettier by using Format-List and defining the columns you want displayed
Get-MgUser | Format-List ID, DisplayName, UserPrincipalName
03. Sanity check - see what the value of the custom attribute currently is for all users and a single user
// all users - these do not work:
Get-MgUser | Format-List ID, extension_<your-extensions-app-application-id>_CompanyName
Get-MgUser -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
// single user - these do not work:
Get-MgUser -UserId "<user-id>" | Format-List ID, DisplayName, UserPrincipalName, extension_<your-extensions-app-application-id>_CompanyName
Get-MgUser -UserId "<user-id>" -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
// single user - this works:
$existingUser = Get-MgUser -UserId "<user-id>" -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
$existingUser.AdditionalProperties | Format-List
04. Update a single user's custom attribute
$params = #{extension_<your-extensions-app-application-id>_CompanyName='Test Company'}
Update-MgUser -UserId "<user-id>" -BodyParameter $params
05. Verify the update was made
$existingUser = Get-MgUser -UserId "<user-id>" -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
$existingUser.AdditionalProperties | Format-List
The decoded idToken that is returned after sign in will look like this:
Or, if signing in via an identity provider (in this case the home AD tenant), the decoded idToken will look like this:
I am not able fetch mailFolders details for some user present in my tenant and I m able to fetch the user info.Using graph explorer to fetch details.
On top of that I have tried fetching mailFolders details for my admin account in the tenant (logged in with admin account) and it was successful.
I have already given the required permission to my application. Mail.read and Mail.ReadBasic.All. Both are the application permission.
Users are added into my Azure Active Directory as well as app.
The API GET URL is this one -
https://graph.microsoft.com/v1.0/users/*****#******.onmicrosoft.com/mailFolders
I am trying to fetch other user mailFolders while logged in with an admin account of that tenant, but getting the error Access Denied.
Error Access Denied
How do I fix this?
I tried adding users to graph app in Azure enterprise applications but this also didn't help.
I also modified mailbox permission on the Admin console for some of the users but this also didn't help.
Please help
Regards,
Apoorv.
There is still one permission is missing I think in the permissions tab "Mail.ReadWrite"
Also please check the token if the required scopes are present in there in https://jwt.ms/
If in Azure portal, I set Enterprise applications > Properties > User assignment required? to No, then authentication works as expected. However, if I turned it on, users get error Application needs permission to access resources in your organization that only an admin can grant. I understand that I need to add an API permission to my app, but what is it?
Interestingly, if a user has signed in into the app before, then they are not affected when turning the option on. Only users who have never use it are affected
Edit: To clarify, I already have App roles created. Users without app roles can't sign in, as expected. Users WITH app roles who sign in for the first time after the the option turned to Yes get the above error
Finally, I reproduce your issue with the request URL below, the scope also could be another one, e.g. https://storage.azure.com/.default, which has been added in the API permissions of the AD App.
https://login.microsoftonline.com/<tenant0id>/oauth2/v2.0/authorize?
client_id=xxxxxxx
&response_type=code
&redirect_uri=http://localhost
&response_mode=query
&scope=https://management.azure.com/.default
&state=12345
If the User assignment required is set to Yes, I notice it will not promote the user to consent the permissions. (e.g. user_impersonation in the Azure Service Management API.)
To fix the issue, we need the admin consent to the App, just navigate to the API permissions, click the Grant the admin consent for xxx button, then it will work fine.
Scenario: Native app with user (user role) present including a user profile page allowing the user to update his profile.
Azure AD v2.0 endpoint used & app registration done accordingly. App is used by many tenants, therefore we have admin consent flow included in the apps sign-up flow.
Account Types: Work & School Account
Admin consented scopes (delegated permission per tenant on registered app):
User.ReadWrite
Directory.AccessAsUser.All (Admin Only)
Directory.ReadWrite.All (Admin Only)
User.ReadWrite.All (Admin Only)
From the documentation:
User permission
User.ReadWrite and User.Readwrite.All delegated permissions allow the app to update the following profile properties for work or school accounts:
aboutMe
birthday
hireDate
interests
mobilePhone
mySite
pastProjects
photo
preferredName
responsibilities
schools
skills
Question 1: Did we understood the terms and documentation correctly?
Question 2: What about other user fields not in this list? Is there no Graph Scenario at all to change them? The documentation is a bit unclear in terms of if possible with user delegated rights or just application delegated right or not possible at all.
Concrete:
Job Title? Can a user with delegated permission ever updated this field or do we need application permission to do so?
User Profile Photo? Can a user with delegated permission update his/her own profile picture or do we need application permission to do so?
The next sentence after that list you referenced from the documentation explains this:
With the User.ReadWrite.All application permission, the app can update all of the declared properties of work or school accounts except for password.
So yes, you can only update the full set of user properties using Application permissions (aka the Client_Credentials flow).
I want my application to access my users OneDrive for Business files (both read and write access). It should work as an alternative browsing client, so the user just has to login and then browse his files.
With personal OneDrive using the v2 Endpoint, it works flawlessly.
When I try to login my OneDrive for Business account I get an error stating that my application requires some privileges that only Admins can grant.
But.. From the app panel ( https://apps.dev.microsoft.com ) my application requires only permission that non-admin users can request (under delegate authorization). The Application authorization list empty.
I also tried to remove ALL the permission required, save, wait some minutes and retry.. and even without any permission required i still get the same error.
I tried making new application, checking all the permission, refreshing the app's key.. but i always get the same error. If i try to login the same account from other commercial application it works.
I also don't have access to any admin account to see a list of authorization required by my app.
I'm really out of ideas, what i can try?