I am working on managing user access to workspaces via the API. [Cleaning inactive users], and am running into issues where I can authenticate the user, but don't have a way to check if the user is a workspace admin.
This becomes an issue because I am authenticating the user, and then managing users in a later step. I would like to show an error when the user authenticates if they are able to manage users on the chosen workspace.
Any ideas?
There currently is not an endpoint to determine if a user is an admin. I do think this would be helpful, and I will surface it with our API team.
There are endpoints that can only be accessed by admins, such as user management. Unfortunately, I don't think this solves your requirements.
Related
We have an app registered on Azure AD (we got app ID, secret, redirect URL). This app is a daemon/background application which is performing actions on behalf of a user, there is no signed-in user that can grant permissions. In particular, the app will periodically retrieve all emails from a particular outlook mailbox called my.test#org.com
We are following the permission scoping documentation and the permission documentation when there is no signed in user.
In my understanding we need
to give application-permissions on the API permissions page in Azure AD
create a security group which is somehow assigned to the mailbox we want to read from via
New-ApplicationAccessPolicy
-AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b
-PolicyScopeGroupId EvenUsers#contoso.com <-- would I put here my.test#org.com or the ID of the security group?
-AccessRight RestrictAccess
-Description "Restrict this app to members of distribution group EvenUsers."
Is my understanding correct that both of the above steps are needed. It seems strange that in the first step we can only give tenant wide permissions to the application when we really only need to limit it to one particular mailbox.
Thanks for the help
The above steps looks good to me and i would do the same as well. Just provide necessary Graph permissions while you grant permissions to access your/others mailboxes - as described in the documentation/steps.
I have an ASP.NET MVC application that is used by different customers. Currently the app is set up to use individual user accounts. I have built some authorization logic around that and would like to keep the logic unchanged.
I got a request that some of the customers would like to perform authentication for their users with their Azure Active Directory. I have uncommented the app.UseMicrosoftAccountAuthentication part from Startup.Auth.cs. I registered the app as multi-tenant in my AAD. I managed to get the whole thing running and users now have the possibility to link their accounts with AAD and use it for authentication.
However, I encountered a few problems I am struggling with:
In order for the user to link his account with AAD he needs to set up an individual login/pass account in the first place. How can I avoid that? I want to have the users either authenticating with login/pass or with AAD, not both at the same time.
I have no control over which account the user uses to authenticate. Let's assume I expect the user to use an account in domainx.com, but if they link domainy.com account it will still work. I need to have some kind of way to compare the expected domain with the actual one that comes back from AAD. How can I do that?
One of the ideas to tackle the problem was to have a customer admin create the user accounts for them. The issue is that in AspNetUserLogins I need to store the user's AAD ID, not the email. How can I query AAD to check the UserID based on the email?
In my application I want to be able to programmatically create and delete user accounts in Azure Active Directory. This program needs to run unattended.
I am able to create Azure AD users but keep getting failures when deleting a user account. Specifically, I am getting the following error message:
Microsoft.Graph.ServiceException:
Code: Authorization_RequestDenied
Message: Insufficient privileges to complete the operation.
I think this is by design because the documentation states that only delegated permissions are supported. Can someone from MS Graph team confirm that it is not possible to delete AD users in unattended fashion (e.g. without prompting for admin user account and password)? Is this functionality going to be supported in the future?
Are there different ways to solve this problem? Would the Azure AD Graph API work for this (even though it is not recommended to use now)?
That is correct, DELETE /users/{id} requires Directory.AccessAsUser.All which is only available for delegated scenarios.
This is unlikely to change given the security exposure this would introduce. A rogue application creating users would certainly be extremely annoying, but a rogue application deleting users would be outright catastrophic.
My suggestion would be to have your application maintain a "deletion queue". Whenever you need to delete a user, simply add that id to the queue. Then provide an interactive experience for Admins that allows them to login and delete the queued users after reviewing the list.
When using the Graph API normally you first ask the user to sign in. I want to have a user master that has access to read/write the calendars of all other users in the tenant (this is already done).
I want the credentials (userName and password) of master to be stored in my app (webconfig) so that I can make calls to an endpoint that edits users calendars using the master user, without any manual sign-in.
Since MS Graph is an oauth based application, what you are looking for is called App-only access. This is described in detail here. https://graph.microsoft.io/en-us/docs/authorization/app-only.
The advantages of this is that as new users get added or their password change you don't need to update your configuration. In addition, it much secure since you don't have to deal with passwords at all.
I have an app that currently allows users to enter in a company name and we use the LinkedIn API to pull all the public posts that this company has made on LinkedIn.
The new API rollout has occurred and while I have a difficult time finding the information I need in the LinkedIn API docs it seems that no one can access company info for a company they are not an administrator of.
I am not trying to access company info or to change their page or anything like that, I just want a list of their public posts. I don't require my users to sign in and even if I did I doubt most of them are administrators of these company pages. Is this totally no-longer possible with the LinkedIn API?
The new API rules for Company profiles stipulates:
"New requirement for Companies API
All calls to Companies API endpoints will require the authenticated user to be flagged as an administrator of the LinkedIn Company Page that is the target of the API call. You become the administrator of a page when you create it. If the page already exists, you will have to contact the existing administrator to grant admin access to other LinkedIn members.
Your API call will return a 403 Forbidden error if you do not have the appropriate admin permission to interact with the target company."
Link here.
LinkedIn is making things really tough for everyone. You'll need to apply to be a partner, but even in your case, the admin would have to sign in. Effectively, unless you're akin to a Hootsuite that gets the page admin's rights for the sake of publishing, you're not going to be able to do what you were. Bummer.