I assigned an AAD Service Principal as an Owner of an AAD Group in order to allow this Service Principal to manage certain groups without having to provide it with the ability to manage all groups.
I would expect that this SP is now able to manage the membership, but I receive the following error message when using MS Graph.
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
The old AAD Graph API causes a similar error.
How can I provide a Service Principal with the means to only manage selected AAD Groups?
I have an AD registered application which has an integration with Azure AD for SSO. It uses the Oauth2 strategy, by using the omniauth-azure-activedirectory-v2 gem.
I want to map a users security groups to my applications authorization model and for this I need the names of the security groups.
I want to reliably get a user's security groups and the group names on login, and I'm not able to. I get them sometimes correctly, sometimes in a UUID format and sometimes not at all.
I have an optional group claim set up for my application in Token Configuration and configured to return sam_account_name for all attached groups.
This seems to work fine for some clients, the groups are returned as for example "Admin_APP", but for others I seem to have the following issues:
A user's groups are returned, but only as an ID (c5bb3738-59f1-4718-b34c-2dfac761e023), even though I requested the name.
A user has "readable groups", but not all of those assigned in AD; some are missing.
Is this a configuration on my application side, or should the organization adding my application to their AD configure their groups or my application? Or should I not rely on the token claim at all and fetch the groups using the GraphQL API Azure offers?
I noticed that when adding the application myself I need to give permissions for my user.profile, but it doesn't show allowable permissions for groups. Also, in the Enterprise application tab for the organization, under permissions, I can't seem to find the group claim I added, only openid, profile and email.
I tried to reproduce the same in my environment and got the results like below:
I configured the Optional claims in Azure AD Application:
I generated the access token via Postman by using below parameters:
https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
client_id:ClientID
client_secret:ClientSecret
scope:user.read openid
grant_type:authorization_code
redirect_uri:redirectUri
code:code
When I decoded the token, I got the group IDs instead of the group names, like below:
Note that if you configure sAMAccountName as the claim value in the token, it only returns groups that are synced from on-premises AD. By default, the group ObjectID is returned in the group claim value.
By default, the number of groups emitted in a token is limited to 150 for SAML assertions and 200 for JWT.
I agree with juunas: you can make use of the Graph API to get the user's groups like below:
https://graph.microsoft.com/v1.0/users/UserID/memberOf
To get only the security groups the user belongs to, you can make use of the query below (the $filter on memberOf is an advanced query, so it needs $count=true and the ConsistencyLevel: eventual request header):
https://graph.microsoft.com/v1.0/users/UserID/memberOf/microsoft.graph.group?$count=true&$filter=securityEnabled eq true and mailEnabled eq false
References:
List a user's direct memberships - Microsoft Graph v1.0 | Microsoft Learn
How to get groups to appear as claims in the access_token by AmanpreetSingh-MSFT
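Putting the two halves of this answer together, as an added example that is not code from the original post: a small Python inspector that classifies the groups claim of a decoded token (object IDs present, overage marker, or nothing), builds the memberOf query that returns only security groups, and resolves group IDs to display names from the Graph response. The unsigned token and the memberOf page below are constructed sample data (the group ID is the one from the question); the decoder does not verify signatures and is for inspection only.

```python
import base64
import json
from typing import Dict, Tuple
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"


def _b64url(data: bytes) -> str:
    """Base64url without padding, the way JWT segments are encoded."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def decode_jwt_payload(token: str) -> dict:
    """Decode the JWT payload WITHOUT verifying the signature (what jwt.io does).
    Inspection only: validate the signature against the tenant's keys before
    trusting any claim for an authorization decision."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore the stripped padding
    return json.loads(base64.urlsafe_b64decode(payload))


def groups_from_claims(claims: dict) -> Tuple[str, list]:
    """Classify the groups claim of a decoded token.
    'claim'   -> values present; by default these are group object IDs, and
                 sAMAccountName only appears for groups synced from on-prem AD
    'overage' -> more groups than a token may carry (150 SAML / 200 JWT): only
                 _claim_names/_claim_sources are emitted, so ask Graph instead
    'none'    -> no group claim configured, or the user has no groups"""
    if "groups" in claims:
        return "claim", list(claims["groups"])
    if "groups" in claims.get("_claim_names", {}):
        return "overage", []
    return "none", []


def security_groups_request(user_id: str) -> Tuple[str, Dict[str, str]]:
    """URL and headers listing only the security groups a user is a direct
    member of. memberOf also returns directory roles and administrative units,
    hence the cast to microsoft.graph.group; $filter on this relationship is an
    advanced query and needs $count=true plus ConsistencyLevel: eventual."""
    flt = quote("securityEnabled eq true and mailEnabled eq false")
    url = f"{GRAPH}/users/{user_id}/memberOf/microsoft.graph.group?$count=true&$filter={flt}"
    return url, {"ConsistencyLevel": "eventual"}


def security_group_names(memberof_page: dict) -> Dict[str, str]:
    """id -> displayName for the security groups in a memberOf response page,
    skipping non-group objects and mail-enabled / Microsoft 365 groups."""
    names: Dict[str, str] = {}
    for obj in memberof_page.get("value", []):
        if obj.get("@odata.type") != "#microsoft.graph.group":
            continue
        if obj.get("securityEnabled") and not obj.get("mailEnabled"):
            names[obj["id"]] = obj["displayName"]
    return names


def resolve_group_names(token: str, memberof_page: dict) -> Dict[str, str]:
    """Security group names for the token's user. Names always come from Graph
    because the claim normally holds object IDs; a present groups claim picks
    the groups, while overage (or no claim) uses the Graph result as-is."""
    source, ids = groups_from_claims(decode_jwt_payload(token))
    graph_names = security_group_names(memberof_page)
    if source == "claim":
        return {gid: graph_names[gid] for gid in ids if gid in graph_names}
    return graph_names


# Constructed sample data (no real tenant): unsigned tokens and a memberOf page.
SAMPLE_GROUP_ID = "c5bb3738-59f1-4718-b34c-2dfac761e023"  # the ID from the question
MAIL_GROUP_ID = "00000000-0000-0000-0000-000000000002"     # made up
HEADER = _b64url(json.dumps({"alg": "none"}).encode())
SAMPLE_TOKEN = ".".join([HEADER, _b64url(json.dumps(
    {"groups": [SAMPLE_GROUP_ID, MAIL_GROUP_ID]}).encode()), ""])
OVERAGE_TOKEN = ".".join([HEADER, _b64url(json.dumps(
    {"_claim_names": {"groups": "src1"}}).encode()), ""])
SAMPLE_MEMBEROF = {"value": [
    {"@odata.type": "#microsoft.graph.group", "id": SAMPLE_GROUP_ID,
     "displayName": "Admin_APP", "securityEnabled": True, "mailEnabled": False},
    {"@odata.type": "#microsoft.graph.group", "id": MAIL_GROUP_ID,
     "displayName": "All Staff", "securityEnabled": False, "mailEnabled": True},
    {"@odata.type": "#microsoft.graph.directoryRole",
     "id": "00000000-0000-0000-0000-000000000003", "displayName": "Global Reader"},
]}

if __name__ == "__main__":
    print(security_groups_request("UserID"))
    print(resolve_group_names(SAMPLE_TOKEN, SAMPLE_MEMBEROF))
    print(resolve_group_names(OVERAGE_TOKEN, SAMPLE_MEMBEROF))
```

In a real login handler the memberOf page comes from the request `security_groups_request` describes, made with the user's access token, and the application maps the returned display names onto its own authorization model rather than trusting names embedded by the identity provider.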
I'm trying to programmatically determine which Graph permissions a user inherits when they are assigned a specific AAD directory role. When you look at a built-in Azure Active Directory role, its permissions are listed in the form of a path. For example, for the Global Reader role, the first one is
microsoft.directory/accessReviews/allProperties/read, as displayed on the Azure portal
or using the Microsoft.Graph Powershell module:
PS> $roleDef = Get-MgRoleManagementDirectoryRoleDefinition -Filter "DisplayName eq 'Global Reader'"
PS> $roleDef.RolePermissions.AllowedResourceActions
microsoft.directory/accessReviews/allProperties/read
microsoft.directory/accessReviews/definitions/allProperties/read
However, Graph permissions are usually expressed in this format: User.Read, Directory.ReadWrite.All. For example, for a user, you can check its delegated and application permissions with:
Get-MgUserOauth2PermissionGrant -UserId $userId
Get-MgUserAppRoleAssignment -UserId $userId
I have 2 questions:
Why is there a difference between AAD role permissions and Graph permissions?
How can I map AAD directory role permissions to Graph permissions?
I just got confirmation from a Microsoft engineer that it's not possible to map built-in AAD role permissions to Graph permissions.
Azure AD built-in roles will grant access to data that's also possible through Graph permissions, but Graph permissions allow for more granular management of access to data.
With this said, certain endpoints will require you to have both Azure AD built-In roles and Graph permissions.
For example, the "delete user" endpoint requires the logged-in user to have at least the User Administrator role to proceed.
I created an app that displays SignInActivity pulled from a Microsoft Graph api query.
When running as a normal user it gives the error: User is not in the allowed roles.
To fix this error you need to give the user the "Global Reader" role within o365.
Questions:
Is there an App security scope that will allow a user to view SignInActivity even if they don't have the "Global Reader" role?
The app already has the scope AuditLog.Read.All. This was needed to run the query.
Is there a way to use Microsoft Graph api to verify a user has the "Global Reader" role?
You can check the scopes by decoding the access token. Sign in to https://developer.microsoft.com/en-us/graph/graph-explorer with a work or school account (Azure AD), then paste the access token into https://jwt.io/ and look inside it for the list of permissions.
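As an added example, not from the answer above: the same inspection done in code instead of on jwt.io. It reads the delegated scopes (scp), application permissions (roles) and directory roles (wids) from decoded claims and decides whether an AuditLog.Read.All call is worth attempting, modelling the question's case where the Graph scope alone is not enough and the signed-in user must also hold a directory role. The claims dicts are constructed, and the role template ID is a hypothetical placeholder; in a real check take it from the TemplateId of the Global Reader definition (the Get-MgRoleManagementDirectoryRoleDefinition output shown earlier on this page exposes it) rather than hard-coding it.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class TokenPermissions:
    app_only: bool
    scopes: List[str]           # delegated Graph permissions, from scp
    app_roles: List[str]        # application permissions, from roles
    directory_roles: List[str]  # Azure AD role template IDs, from wids


def token_permissions(claims: dict) -> TokenPermissions:
    """Read the permission-bearing claims of a decoded Graph access token.

    scp is one space-separated string and only appears on tokens issued for a
    signed-in user; roles is a list and carries application permissions on
    client-credentials tokens. A token with no scp is treated as app-only
    (the optional idtyp claim, when present, says so explicitly). wids lists
    the template IDs of the directory roles the signed-in user holds.
    """
    return TokenPermissions(
        app_only="scp" not in claims or claims.get("idtyp") == "app",
        scopes=claims.get("scp", "").split(),
        app_roles=list(claims.get("roles", [])),
        directory_roles=list(claims.get("wids", [])),
    )


def has_directory_role(perms: TokenPermissions, role_template_id: str) -> bool:
    """True when the signed-in user holds the directory role with this
    template ID. App-only tokens have no signed-in user and carry no wids."""
    return not perms.app_only and role_template_id in perms.directory_roles


def can_call(perms: TokenPermissions, permission: str,
             role_template_id: Optional[str] = None) -> bool:
    """Is a call worth making with this token? The Graph permission must be
    present (scp for delegated, roles for app-only) and, when the endpoint
    also demands a directory role of the signed-in user, the user must hold
    it. The role check models the question's delegated case only."""
    granted = perms.app_roles if perms.app_only else perms.scopes
    if permission not in granted:
        return False
    if role_template_id is None or perms.app_only:
        return True
    return has_directory_role(perms, role_template_id)


# Constructed sample claims (not real tokens). The template ID below is a
# hypothetical placeholder for the Global Reader definition's TemplateId.
GLOBAL_READER_TEMPLATE_ID = "11111111-2222-3333-4444-555555555555"
DELEGATED_WITH_ROLE = {"aud": "https://graph.microsoft.com", "oid": "user-1",
                       "scp": "AuditLog.Read.All User.Read",
                       "wids": [GLOBAL_READER_TEMPLATE_ID]}
DELEGATED_NO_ROLE = {"aud": "https://graph.microsoft.com", "oid": "user-2",
                     "scp": "AuditLog.Read.All User.Read"}
APP_ONLY = {"aud": "https://graph.microsoft.com", "oid": "sp-1",
            "idtyp": "app", "roles": ["AuditLog.Read.All"]}

if __name__ == "__main__":
    for label, claims in [("user with role", DELEGATED_WITH_ROLE),
                          ("user without role", DELEGATED_NO_ROLE),
                          ("app-only", APP_ONLY)]:
        perms = token_permissions(claims)
        print(label, perms.app_only,
              can_call(perms, "AuditLog.Read.All", GLOBAL_READER_TEMPLATE_ID))
```

The wids check answers the second question from the token itself: a user who was given Global Reader after the token was issued will not show it until a new token is obtained, so treat this as a pre-flight check, not as the authorization decision Graph makes on the server.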
I have created a microsoft chat bot, and have set up the /adminconsent workflow, where another application has given admin consent to my bot to act on behalf of them.
#shawn-tabrizi wrote a great article about how to remove my own bot's access to their application from the UI, but I can't find a way to remove access using Microsoft Graph.
Any help would be appreciated!
I believe you're looking for Delete an appRoleAssignment granted to a service principal:
App roles which are assigned to service principals are also known as application permissions. Deleting an app role assignment for a service principal is equivalent to revoking the app-only permission grant.
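The revoke side of that answer as an added example (not code from the answer or from the bot): list the bot service principal's appRoleAssignments in the consenting tenant and DELETE them, optionally only those granted on one resource such as the Microsoft Graph service principal. The HTTP transport is injected so the block runs offline against a constructed stand-in for Graph; every object ID and assignment ID below is made up. Whoever runs it needs to be allowed to manage app role assignments in that tenant (AppRoleAssignment.ReadWrite.All or an equivalent admin role), so in practice this is the consenting tenant's admin, not the bot itself.

```python
from typing import Callable, Dict, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
# Transport signature: (method, url, headers) -> (http_status, json_body)
Send = Callable[[str, str, Dict[str, str]], Tuple[int, dict]]


def _auth(token: str) -> Dict[str, str]:
    return {"Authorization": f"Bearer {token}"}


def list_app_role_assignments(send: Send, token: str, sp_object_id: str) -> List[dict]:
    """GET /servicePrincipals/{id}/appRoleAssignments: one appRoleAssignment per
    application permission the service principal holds on each resource."""
    url = f"{GRAPH}/servicePrincipals/{sp_object_id}/appRoleAssignments"
    status, body = send("GET", url, _auth(token))
    if status != 200:
        raise RuntimeError(f"listing appRoleAssignments failed: HTTP {status}")
    return body.get("value", [])


def revoke_app_permissions(send: Send, token: str, sp_object_id: str,
                           resource_id: Optional[str] = None) -> List[str]:
    """Delete the service principal's appRoleAssignments, which is how an
    admin-consented application permission is revoked. resource_id limits the
    revocation to grants on one resource (e.g. the Graph service principal's
    object ID). Returns the IDs that were removed; 404 counts as already gone."""
    deleted = []
    for assignment in list_app_role_assignments(send, token, sp_object_id):
        if resource_id is not None and assignment.get("resourceId") != resource_id:
            continue
        url = f"{GRAPH}/servicePrincipals/{sp_object_id}/appRoleAssignments/{assignment['id']}"
        status, _ = send("DELETE", url, _auth(token))
        if status not in (204, 404):
            raise RuntimeError(f"DELETE {url} failed: HTTP {status}")
        deleted.append(assignment["id"])
    return deleted


class FakeGraph:
    """Constructed stand-in for Graph so the block runs offline: holds the
    assignments of one service principal and answers only the two calls used."""

    def __init__(self, sp_object_id: str, assignments: List[dict]):
        self.sp = sp_object_id
        self.assignments = {a["id"]: a for a in assignments}

    def __call__(self, method: str, url: str, headers: Dict[str, str]) -> Tuple[int, dict]:
        if not headers.get("Authorization", "").startswith("Bearer "):
            return 401, {"error": {"code": "InvalidAuthenticationToken"}}
        base = f"{GRAPH}/servicePrincipals/{self.sp}/appRoleAssignments"
        if method == "GET" and url == base:
            return 200, {"value": list(self.assignments.values())}
        if method == "DELETE" and url.startswith(base + "/"):
            removed = self.assignments.pop(url.rsplit("/", 1)[1], None)
            return (204, {}) if removed else (404, {})
        return 400, {"error": {"code": "BadRequest"}}


# Constructed IDs (not real objects).
BOT_SP = "bot-sp-object-id"
GRAPH_SP = "graph-sp-object-id"
EXCHANGE_SP = "exchange-sp-object-id"
SAMPLE_ASSIGNMENTS = [
    {"id": "assign-1", "resourceId": GRAPH_SP, "principalId": BOT_SP, "appRoleId": "role-a"},
    {"id": "assign-2", "resourceId": GRAPH_SP, "principalId": BOT_SP, "appRoleId": "role-b"},
    {"id": "assign-3", "resourceId": EXCHANGE_SP, "principalId": BOT_SP, "appRoleId": "role-c"},
]


def demo() -> Tuple[List[str], int]:
    """Revoke only the Graph grants; return (deleted IDs, assignments left)."""
    graph = FakeGraph(BOT_SP, SAMPLE_ASSIGNMENTS)
    deleted = revoke_app_permissions(graph, "admin-token", BOT_SP, resource_id=GRAPH_SP)
    return deleted, len(graph.assignments)


if __name__ == "__main__":
    print(demo())
```

Delegated (user-consented) permissions are a different object, oauth2PermissionGrant, and are not touched by deleting appRoleAssignments; remove those separately if the bot also holds delegated grants in that tenant.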
I want to access Microsoft Graph periodically from a console application in order to copy messages from an Outlook mailbox to a database.
In order to authenticate programmatically, I had to use the Microsoft Graph's "Client Credentials Flow".
These are the steps I had to take:
Register an App in the Azure portal and create a Client Secret for it.
Add all the permissions I need and grant them access:
Have an Admin confirm those permissions by accessing it for the first time. This is done using the following URL:
https://login.microsoftonline.com/{tenant}/v2.0/adminconsent
?client_id={app id}
&state=1234
&redirect_uri=https://login.microsoftonline.com/common/oauth2/nativeclient
&scope=https://graph.microsoft.com/.default
I received the following response:
admin_consent: True
tenant: ca566779-1e7b-48e8-b52b-68**********
state: 12345
scope: https://graph.microsoft.com/User.Read https://graph.microsoft.com/.default
(The scope might explain the problem described later here: why do I only get User.Read when I've configured 13 different permissions?)
Get an access token (with success!):
Try to read users (with success):
Try to read my own emails (without success):
Try to read somebody else's emails (the user was invited to access the app as a guest, but still, no success):
I don't understand why I can't read Messages but I can read Users. It seems the permissions were completely ignored (I confirmed that I don't need any permission to read the users).
UPDATE
This is my tenant name:
These are the users added to the tenant:
Important: I don't own an office 365 subscription in my Azure AD. All these emails belong to a different AD.
The previous question "The tenant for tenant guid does not exist" even though user is listed on users endpoint? is similar to mine but I believe this is not a duplicate as my problem is slightly different and the proposed solution uses OAuth1 (I am using OAuth2).
Microsoft Graph can only access data within the tenant you have authenticated to. This means that you cannot access a mailbox from another tenant, even if that User is a guest in the tenant you authenticated to. Allowing this would violate the fundamental principle of data isolation in AAD/O365 tenants.
It is also important to note that AAD/O365 and Outlook.com are distinct platforms. Microsoft Graph's core value proposition is a common API layer across AAD and MSA, but under the covers they are calling into distinct backends.
Beyond data isolation and these being distinct platforms, Outlook.com simply does not support Application Permissions (Client Credentials). You can only access Outlook.com using delegated permissions, and even only a limited set of scopes are supported:
Not all permissions are valid for both Microsoft accounts and work or school accounts. You can check the Microsoft Account Supported column for each permission group to determine whether a specific permission is valid for Microsoft accounts, work or school accounts, or both.
With regards to which scopes are included, I suspect the issue here is that you don't have a license for O365 in this tenant. If it allowed you to consent without a subscription, this could (in theory) lead to apps unexpectedly receiving consent when/if a subscription got added later. That said, it is hard to tell without seeing an example of an actual token you're getting back (feel free to post one if you'd like me to look into this more).
Finally, juunas is also correct with regards to /me. The /me segment is an alias for "the currently authenticated user". Since you are not authenticating a user when you use Client Credentials, /me is effectively null.
/me won't work with a client credentials token.
What would /me refer to? There is no user involved so it cannot mean anything.
For the second problem, does this user have an Exchange Online mailbox in your tenant?
The accepted answer is the one that helped me out. However, I ended up testing what I needed to test by joining the
Office 365 Developer Program (free)
This program will allow you to create an Azure Active Directory with up to 25 email accounts. It also allows you to create 16 fictitious email accounts with emails inside (by clicking one single button). You can use this infrastructure for 90 days for free.
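Collecting the steps of this question and the two answers into one added example (not the asker's or the answerers' code): build the adminconsent URL and the client-credentials token request exactly as the question shows them, then choose the mailbox path for a given token, refusing /me for an app-only token and refusing a guest user, whose mailbox lives in their home tenant. The claims and user objects are constructed; the check for a Mail.Read* application permission uses the names Graph gives its mail permissions (Mail.Read, Mail.ReadBasic, Mail.ReadWrite), which the question does not spell out.

```python
from typing import Optional, Tuple
from urllib.parse import urlencode

LOGIN = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com"


def admin_consent_url(tenant: str, client_id: str, redirect_uri: str, state: str) -> str:
    """v2 admin consent URL. scope=<resource>/.default asks the admin to
    consent to every permission currently configured on the app registration;
    permissions added to the registration later need another consent round."""
    query = {"client_id": client_id, "state": state,
             "redirect_uri": redirect_uri, "scope": f"{GRAPH}/.default"}
    return f"{LOGIN}/{tenant}/v2.0/adminconsent?{urlencode(query)}"


def client_credentials_request(tenant: str, client_id: str, client_secret: str) -> Tuple[str, dict]:
    """URL and form body for the client credentials grant. No user takes part,
    so the resulting token carries a roles claim and no scp claim."""
    url = f"{LOGIN}/{tenant}/oauth2/v2.0/token"
    body = {"client_id": client_id, "client_secret": client_secret,
            "scope": f"{GRAPH}/.default", "grant_type": "client_credentials"}
    return url, body


def messages_path(claims: dict, target_user: Optional[dict]) -> str:
    """Graph path for reading a mailbox with the given decoded token.
    target_user is the object /users returned, or None for 'the signed-in user'."""
    app_only = "scp" not in claims  # delegated tokens always carry scp
    if target_user is None:
        if app_only:
            raise ValueError("/me is undefined for a client-credentials token; "
                             "address the mailbox as /users/{id or UPN}")
        return "/v1.0/me/messages"
    if target_user.get("userType") == "Guest":
        raise ValueError("a guest's mailbox lives in their home tenant; Graph only "
                         "reaches data in the tenant that issued the token")
    if app_only and not any(r.startswith("Mail.Read") for r in claims.get("roles", [])):
        # Mail.Read / Mail.ReadBasic / Mail.ReadWrite are the application
        # permissions for reading mail; User.Read is not one of them.
        raise PermissionError("token has no Mail.Read* application permission")
    return f"/v1.0/users/{target_user['id']}/messages"


def probe(claims: dict, target_user: Optional[dict]) -> Tuple[bool, str]:
    """(True, path) or (False, reason), for trying several combinations."""
    try:
        return True, messages_path(claims, target_user)
    except (ValueError, PermissionError) as exc:
        return False, str(exc)


# Constructed sample data (no real tenant, tokens or users).
APP_ONLY_MAIL = {"aud": GRAPH, "idtyp": "app", "roles": ["User.Read.All", "Mail.Read"]}
APP_ONLY_NO_MAIL = {"aud": GRAPH, "idtyp": "app", "roles": ["User.Read.All"]}
DELEGATED = {"aud": GRAPH, "oid": "user-1", "scp": "Mail.Read User.Read"}
MEMBER = {"id": "user-1", "userType": "Member", "userPrincipalName": "alice@contoso.example"}
GUEST = {"id": "user-2", "userType": "Guest", "mail": "bob@fabrikam.example"}

if __name__ == "__main__":
    print(admin_consent_url("tenant-id", "app-id", f"{LOGIN}/common/oauth2/nativeclient", "1234"))
    print(client_credentials_request("tenant-id", "app-id", "client-secret"))
    for label, claims, user in [("app-only, member", APP_ONLY_MAIL, MEMBER),
                                ("app-only, /me", APP_ONLY_MAIL, None),
                                ("app-only, guest", APP_ONLY_MAIL, GUEST),
                                ("app-only, no mail permission", APP_ONLY_NO_MAIL, MEMBER),
                                ("delegated, /me", DELEGATED, None)]:
        print(label, probe(claims, user))
```

The guest check is the same boundary the accepted answer describes: a guest object in your directory is a pointer to an identity homed elsewhere, and the client-credentials token your tenant issued says nothing to the other tenant's Exchange Online.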