az ad app permission add needs Azure Active Directory Graph - Application.ReadWrite.All:
az ad app permission add - Insufficient privileges to complete the operation
However, Azure AD Graph API is being deprecated. Will az ad at some point be updated to use Microsoft Graph API instead?
az ad manages Azure Active Directory Graph entities needed for Role Based Access Control. It is still using the AD Graph API and not the new Microsoft Graph API. You could give feedback on UserVoice.
You could call Microsoft Graph API with az rest in Azure CLI, see here.
Since Microsoft Graph Service Principal API is GA, we recommend using az rest instead of az ad for the time being until we fully migrate az ad to Microsoft Graph.
According to this comment from a member of the Azure CLI team, they plan to migrate az ad to MS Graph: https://github.com/Azure/azure-cli/issues/12946#issuecomment-737196942
Azure CLI team is currently working on the ADAL -> MSAL migration. We will start the planning and implementation of Active Directory Graph -> Microsoft Graph migration once the previous task is done. + #achandmsft
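The Microsoft Graph route the answer recommends, as an added example (mine, not from the answer or the Azure CLI project): what `az ad app permission add` does, done with `az rest` by PATCHing the application object's `requiredResourceAccess`. Assumptions not in the original: the application object id and permission ids used are placeholders, `DRY_RUN=1` is a switch I added so the commands are printed instead of executed, and Microsoft Graph's resource appId `00000003-0000-0000-c000-000000000000` is its well-known value.

```shell
#!/bin/sh
# Added example, not from the original answer or the Azure CLI project: the Microsoft
# Graph equivalent of `az ad app permission add`, done with `az rest`. It PATCHes the
# application object's requiredResourceAccess. Assumptions: the object id and permission
# ids passed in are placeholders; DRY_RUN=1 is my own switch that prints the commands
# instead of executing them. Microsoft Graph's own appId is the well-known value below.
set -eu

GRAPH="https://graph.microsoft.com/v1.0"
MSGRAPH_APP_ID="00000003-0000-0000-c000-000000000000"

# Only GUIDs may reach the URL or the JSON body.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Run "$@", or with DRY_RUN=1 print it in copy-pasteable form (args contain no quotes here).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    for arg in "$@"; do printf "'%s' " "$arg"; done; echo
  else
    "$@"
  fi
}

# Permission ids live on the target API's service principal: delegated permissions in
# oauth2PermissionScopes, application permissions in appRoles. $1 = the API's appId.
show_api_permission_ids() {
  is_guid "$1" || { echo "bad resource appId: $1" >&2; return 1; }
  run az rest --method get \
    --url "$GRAPH/servicePrincipals?\$filter=appId eq '$1'&\$select=appRoles,oauth2PermissionScopes"
}

# What the app currently requires. PATCH replaces the whole requiredResourceAccess list,
# so existing entries have to be merged into the new body rather than dropped.
show_required_resource_access() {
  is_guid "$1" || { echo "bad application object id: $1" >&2; return 1; }
  run az rest --method get --url "$GRAPH/applications/$1" --query requiredResourceAccess
}

# JSON body for one resource and one permission.
# $1 = resource appId, $2 = permission id, $3 = Scope (delegated) or Role (application).
build_required_resource_access() {
  is_guid "$1" || { echo "bad resource appId: $1" >&2; return 1; }
  is_guid "$2" || { echo "bad permission id: $2" >&2; return 1; }
  case "$3" in Scope|Role) ;; *) echo "type must be Scope or Role" >&2; return 1;; esac
  printf '{"requiredResourceAccess":[{"resourceAppId":"%s","resourceAccess":[{"id":"%s","type":"%s"}]}]}' \
    "$1" "$2" "$3"
}

# $1 = application object id (not its appId), $2 = resource appId, $3 = permission id,
# $4 = Scope or Role. az rest picks the graph.microsoft.com token itself.
add_graph_permission() {
  is_guid "$1" || { echo "bad application object id: $1" >&2; return 1; }
  body="$(build_required_resource_access "$2" "$3" "$4")" || return 1
  run az rest --method patch --url "$GRAPH/applications/$1" \
    --headers "Content-Type=application/json" --body "$body"
}
```

The PATCH only records that the app requires the permission; granting it (admin consent, which application permissions always need) is a separate step. Because `az rest` calls Microsoft Graph with the signed-in account's own token, it needs that account to be allowed to update the application object (for example as its owner), not the Azure AD Graph `Application.ReadWrite.All` the question's error refers to.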
You can achieve it by adding the required role to the service principal.
You don't require AAD graph permissions. You need to add the service principal to the Global Administrator Role using Azure portal->Azure AD->Roles and Administrators->Application Administrator
I'm trying to help someone to ingest Office 365 Alerts with the Graph Security API. This requires SecurityEvents.ReadAll as minimum permission. The docs mention that the permission setting is done in the Microsoft Graph API Explorer (see e.g. this blog). However, the account admin insists on setting the permissions using Azure AD. The question is how that is actually done. Azure AD / Enterprise Applications / Graph Explorer apparently doesn’t list any permissions. Would anyone know how to achieve this?
Many thanks!
If you want to test Graph Security API in Microsoft Graph Explorer, you just need to set SecurityEvents.Read.All in Microsoft Graph Explorer.
If you want to call Graph Security API in your app, you should set SecurityEvents.Read.All in the app registered on Azure portal.
You could refer to Authentication and authorization basics for Microsoft Graph to learn more about how to handle the permissions and authorization to call Microsoft Graph API.
I'm currently working on an application built on ASP.NET MVC which uses Microsoft account (MSA) authentication. To implement a new requirement, during a flow (say on step 2) the application has to validate the user against Azure Active Directory (AAD) authentication for an organization account (while the MSA login should persist) to grant special privileges and move to step 3.
So during step 2 to 3 navigation, MSA authentication should not be logged out and user can be validated against AAD.
Is it possible to allow concurrent logins via two different identity providers (MSA and AAD)?
It is not possible if you are using the Azure AD v1.0 endpoint. However, you can use the Azure AD v2.0 endpoint to implement it. This document helps in Comparing the Azure AD v2.0 endpoint with v1.0 endpoint.
To build an app that accepts both personal Microsoft account (MSA), and work or school account (Azure AD) sign-in, you'll need to register an app with the Azure Active Directory (Azure AD) v2.0 endpoint. At this time, you won't be able to use any existing apps you may have with Azure AD or MSA - you'll need to create a brand new one. Refer to this document to help on it - Quickstart: Register an app with the Azure Active Directory v2.0 endpoint.
You can also use Azure AD B2C and use custom policy to add MSA as Identity Provider. Refer to this document for details - Azure Active Directory B2C: Add Microsoft Account (MSA) as an identity provider using custom policies.
Does Microsoft Graph already have functionalities for Azure AD B2C User CRUD?
I found these related SO questions:
Which Graph API should be used with Azure AD B2C
Correct Graph API to manage Azure AD B2C
But both have answers that are dated 2017, so I am wondering if there are already updates from Microsoft that I am not aware of. I still have not found any in my searches.
Below are the links I have found so far that seem to conflict with each other (some of the links were also mentioned in the other questions).
In (D), it seems to offer options for User CRUD but I am not sure if it is just for Azure AD and not for Azure AD B2C.
Any help is appreciated. Thanks!
A. Azure AD B2C: Use the Azure AD Graph API (Date: 08/07/2017)
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
It says: You must use the Azure AD Graph API to manage users in an Azure AD B2C directory. This is different from the Microsoft Graph API. Learn more here.
B. Operations on users | Graph API reference (Last Updated: 2/12/2018)
https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/users-operations
It says: We strongly recommend that you use Microsoft Graph instead of Azure AD Graph API to access Azure Active Directory resources. Our development efforts are now concentrated on Microsoft Graph and no further enhancements are planned for Azure AD Graph API. There are a very limited number of scenarios for which Azure AD Graph API might still be appropriate; for more information, see the Microsoft Graph or the Azure AD Graph blog post in the Office Dev Center.
C. Microsoft Graph or Azure AD Graph (Date: July 8, 2016)
https://blogs.msdn.microsoft.com/aadgraphteam/2016/07/08/microsoft-graph-or-azure-ad-graph/
It says: In general, we recommend the use of Microsoft Graph over Azure AD Graph, as Microsoft Graph is where we are investing for Microsoft cloud services.
But then, it says at the bottom:
AAD Graph Capability | Status in Microsoft Graph (March 23, 2018)
12. Manage users in a B2C tenant (set local accounts, sign in names) | Coming soon (preview)
D. Microsoft Graph: User resource type
https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/resources/user
It lists options to Create, Update and Delete user.
It is a bit ambiguous but I believe it is clear from the Azure AD B2C documentation that "you must use the Azure AD Graph API to manage users in an Azure AD B2C directory".
For example, according to the Microsoft Graph API documentation, you can't create a local account in an Azure AD B2C directory with a sign-in name.
I have also experienced issues with getting and setting a few properties, including any extension properties, for users in an Azure AD B2C directory using the Microsoft Graph API.
Does anybody know if there is a REST API for the Office 365 Security and Compliance Center that can give me back any alerts raised by the Alert Policy?
It seems that there are some PowerShell cmdlets that allow the creation of new Alert Policies, but I would like to pull down the alerts generated by these policies (preferably without using PowerShell).
Maybe this is on the road-map for a future Microsoft Graph API?
Office365 security alerts are not yet supported, but this should be possible for Microsoft security products using the Public Preview of Graph Security API - aka.ms/graphsecurityapi.
Microsoft Graph Security API only has access to the following (now GA).
Microsoft Graph Security API to easily access alerts from the following security solutions:
Azure Active Directory Identity Protection,
Azure Information Protection,
Azure Security Center,
Microsoft Cloud App Security,
Microsoft Intune,
Windows Defender ATP, and
Office 365 ATP and Azure ATP (coming soon)
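Pulling alerts from the GA endpoint the answer refers to, without PowerShell as the question asked, as an added example (mine, not part of the original answers): it queries `/v1.0/security/alerts` with `az rest`, filtered by `vendorInformation/provider` and `severity`. It assumes the signed-in identity has been granted `SecurityEvents.Read.All` on Microsoft Graph; the provider string passed in is an assumed placeholder, since the value to filter on is whatever `vendorInformation/provider` reports for the product, and `DRY_RUN=1` is a switch I added so the command is printed instead of executed.

```shell
#!/bin/sh
# Added example, not from the original answers: list alerts from the Microsoft Graph
# Security API (GA endpoint, /v1.0/security/alerts) with `az rest`, filtered to one
# provider and one severity. The caller needs SecurityEvents.Read.All on Microsoft
# Graph. DRY_RUN=1 is my own switch that prints the command instead of running it;
# the provider string used in the usage at the bottom is a placeholder.
set -eu

GRAPH="https://graph.microsoft.com/v1.0"

# Percent-encode the only characters an OData $filter of this shape contains.
url_encode() {
  printf '%s' "$1" | sed -e 's/ /%20/g' -e "s/'/%27/g"
}

# Build the alerts URL. $1 = provider as reported in vendorInformation/provider,
# $2 = severity (the alertSeverity values of the v1.0 alert resource), $3 = page size.
build_alerts_url() {
  provider="$1"; severity="$2"; top="${3:-50}"
  # OData string literals are single-quoted; refuse input that could break out of the
  # literal rather than trying to escape it.
  case "$provider" in *"'"*) echo "provider must not contain a quote" >&2; return 1;; esac
  case "$severity" in unknown|informational|low|medium|high) ;;
    *) echo "severity must be one of unknown|informational|low|medium|high" >&2; return 1;; esac
  case "$top" in ''|*[!0-9]*) echo "page size must be a number" >&2; return 1;; esac
  filter="vendorInformation/provider eq '$provider' and severity eq '$severity'"
  printf '%s/security/alerts?$filter=%s&$top=%s&$select=id,title,severity,createdDateTime,vendorInformation' \
    "$GRAPH" "$(url_encode "$filter")" "$top"
}

# One line per alert (id, severity, title) as TSV. az rest resolves the
# graph.microsoft.com token itself. Further pages are reachable through the
# @odata.nextLink the raw JSON response carries.
list_alerts() {
  url="$(build_alerts_url "$1" "$2" "${3:-50}")" || return 1
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf "az rest --method get --url '%s' --query 'value[].[id, severity, title]' -o tsv\n" "$url"
  else
    az rest --method get --url "$url" --query 'value[].[id, severity, title]' -o tsv
  fi
}

# Usage (placeholder provider name, constructed for this example):
# DRY_RUN=1 list_alerts "Example Provider" high 25
```

The `$filter` is built from validated pieces rather than string-concatenated from user input, which matters when the provider or severity comes from a script argument: a stray quote would otherwise change the query rather than just fail it.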
I have a test office 365 install to run some sample queries against Microsoft Graph.
Part of the authentication flow outlined here describes getting the tenant ID from Azure AD. To get your tenant ID you have to go through manage.windowsazure.com according to the guidance provided.
So, is it that to build these MS graph apps, you have to provision an Azure Subscription?
No. You don't have to provision an Azure Subscription. The tenant ID from Azure AD is referenced because I guess 'behind the scenes' Office 365 is on Azure, its authentication is based on Azure AD, etc.
You can create an application in https://portal.azure.com, even if you don't have an Azure AD subscription.