I am playing around with the Microsoft Graph Group.ReadWrite.All delegated permission scope. The Azure AD app is configured with this permission.
Since it is a delegated permission, the privileges granted to the app will be the least privileged combination (the intersection) of the privileges granted by the scope and those possessed by the signed-in user.
After admin consent to the app, I have used normal user credential and retrieved the token. With this token, I can update the members of a private Office 365 Group, even though the user is not an admin in that private group.
This behavior seems incorrect. Please clarify.
So when you use delegated permissions, the app has the same permissions as the signed-in user, further limited by the permissions granted to the app. In this case, you are correct about the intersection of permissions - the app is allowed to update the private group's membership, BUT only if the signed-in user has the ability to also update the private group's membership. In this case, if the user is not an admin of the group, then the app should not be able to update the group membership through the API (in the context of this signed in user).
UPDATE:
I was able to repro this. Currently (through the API) members of a private group can add other members to the group. I suspect your user in your test is a member of the group. (Non-members could not add members to the private group.) We are presently working on a fix for this issue.
Hope this helps,
We have an app registered on Azure AD (we got app ID, secret, redirect URL). This app is a daemon/background application which is performing actions on behalf of a user; there is no signed-in user that can grant permissions. In particular, the app will periodically retrieve all emails from a particular Outlook mailbox called my.test@org.com
We are following the permission scoping documentation and the permission documentation when there is no signed in user.
In my understanding we need
to give application-permissions on the API permissions page in Azure AD
create a security group which is somehow assigned to the mailbox we want to read from via
New-ApplicationAccessPolicy
-AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b
-PolicyScopeGroupId EvenUsers@contoso.com <-- would I put here my.test@org.com or the ID of the security group?
-AccessRight RestrictAccess
-Description "Restrict this app to members of distribution group EvenUsers."
Is my understanding correct that both of the above steps are needed? It seems strange that in the first step we can only give tenant-wide permissions to the application when we really only need to limit it to one particular mailbox.
Thanks for the help
The above steps look good to me and I would do the same as well. Just provide the necessary Graph permissions while you grant permissions to access your/others' mailboxes, as described in the documentation/steps.
I have created an app in Azure AD, in my company tenant.
In application permissions, I have added Calendars.Read and Calendars.ReadWrite (Read and write calendars in all mailboxes) with the application permission type, and I have granted admin consent.
In users, I have added a user with a personal Microsoft account (outlook.com) as a guest user.
When I call Graph for member users, I am able to receive calendar events (and create new ones),
but when I call Graph for a guest user I get the exception MailboxNotEnabledForRESTAPI.
Message: REST API is not yet supported for this mailbox.
Is there some limitation that I can create events only for a member user, or have I misconfigured something?
You can only read mail/calendar events of users in your tenant. So, it's better to filter users using userType eq 'member'.
https://graph.microsoft.com/v1.0/users?$filter=userType eq 'member'
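The filter above is the practical fix: enumerate member accounts only, and treat MailboxNotEnabledForRESTAPI as a per-user skip rather than a fatal error. The following Python is an added example, not code from the question or answer: it builds the filtered /users URL with proper percent-encoding, partitions a /users page by userType, and walks calendar events for members while recording why each user was skipped. The users, the event payloads and the `fake_send` transport are constructed stand-ins for an authenticated Graph client; the error body is modelled on the message quoted in the question.

```python
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"


def members_only_url(select=("id", "userPrincipalName", "userType")) -> str:
    """URL for /users restricted to member accounts, so guests are excluded up front.
    quote() percent-encodes the spaces and apostrophes inside the OData $filter."""
    flt = quote("userType eq 'member'", safe="")
    return f"{GRAPH}/users?$filter={flt}&$select={','.join(select)}"


def split_by_user_type(users_response: dict):
    """Partition one /users page into (members, guests) by the userType property."""
    members, guests = [], []
    for user in users_response.get("value", []):
        (members if user.get("userType", "").lower() == "member" else guests).append(user)
    return members, guests


def is_mailbox_unavailable(error_body: dict) -> bool:
    """True for the error the question hit: the mailbox has no REST-capable
    Exchange Online backend (e.g. a guest whose mail lives at outlook.com)."""
    return error_body.get("error", {}).get("code") == "MailboxNotEnabledForRESTAPI"


def collect_events(users_response: dict, send) -> dict:
    """Fetch calendar events for members only and record why anyone was skipped.
    `send(url)` is an injected transport returning (status, json_body)."""
    members, guests = split_by_user_type(users_response)
    events, skipped = {}, {}
    for g in guests:
        skipped[g["id"]] = "guest account"
    for m in members:
        status, body = send(f"{GRAPH}/users/{m['id']}/calendar/events")
        if status == 200:
            events[m["id"]] = body.get("value", [])
        elif is_mailbox_unavailable(body):
            skipped[m["id"]] = body["error"]["code"]   # mailbox not in Exchange Online
        else:
            skipped[m["id"]] = f"HTTP {status}"
    return {"events": events, "skipped": skipped}


# Constructed sample data: one member, one outlook.com guest (UPN in the usual
# #EXT# shape), and one member whose mailbox is not served by Exchange Online.
SAMPLE_USERS = {"value": [
    {"id": "u-alice", "userPrincipalName": "alice@contoso.example", "userType": "Member"},
    {"id": "u-guest", "userPrincipalName": "bob_outlook.com#EXT#@contoso.example", "userType": "Guest"},
    {"id": "u-onprem", "userPrincipalName": "carol@contoso.example", "userType": "Member"},
]}


def fake_send(url: str):
    """Offline stand-in for an authenticated GET against Graph (constructed)."""
    if "/users/u-alice/" in url:
        return 200, {"value": [{"id": "evt-1", "subject": "Standup"}]}
    return 404, {"error": {"code": "MailboxNotEnabledForRESTAPI",
                           "message": "REST API is not yet supported for this mailbox."}}


if __name__ == "__main__":
    print(members_only_url())
    print(collect_events(SAMPLE_USERS, fake_send))
```

In a real client, replace `fake_send` with a function that adds the `Authorization: Bearer` header and returns `(response.status_code, response.json())`; the rest of the logic is unchanged.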
I'm trying to create a Planner plan using the Microsoft Graph API. As documented, it requires a groupId. I also created a group, but when I create a Planner plan using Graph Explorer it returns a 403 with the message
"You do not have the required permissions to access this item, or the item may not exist."
I'm aware that in order to create a plan, it requires the Group.ReadWrite.All permission on Delegated (work or school account). I granted this in the Azure Portal but still get the same error.
One thing is I don't know how to determine if my account is a "work or school account". My account was created by the admin of my tenant and it uses the of my organization so I guess it is a work account.
What do I have wrong here? Do I need another API to assign the plan to the group before creating it?
EDIT1:
Here is the request body when I create the Planner group. I also tried toggling "securityEnabled" to true but it still fails when creating a plan.
And here is the request body when I create the Planner plan.
EDIT2:
I also tried to update the Planner plan via this API and it still failed. It seems the Group.ReadWrite.All permission does not apply to my account.
Your request is failing because you are not a member of the group in which you are trying to create a plan. Changing group content requires the calling user to be a member. Owners of the group currently cannot edit the Planner content in the group, unless they are also members.
Although you have requested Group.ReadWrite.All, you cannot authorize this permission until you have received "Consent" from an Administrator.
If you're using the Azure Portal to register your app (aka the v1 endpoint) then your admin can either use the Admin Consent workflow or directly grant the permission within the portal. You can read more about the Consent Framework in Integrating applications with Azure Active Directory.
So, basically I have a multi-tenant App that makes numerous calls to Graph API. The problem is with the call to assign license to a user - POST /users/{id | userPrincipalName}/assignLicense.
In the Azure App registration portal, in the permissions section, I have given all the delegated permissions under Azure AD and Graph API.
Permissions Assigned screenshot.
Then, I made a global admin consent to this app for all the users in the organization using the admin consent flow through a link such as the one below:
https://login.microsoftonline.com/common/oauth2/authorize?client_id=ffa835f3-417f-415c-b8f5-6f8833f93901&response_type=code&redirect_uri=http%3a%2f%2flocalhost%3a8910%2f&nonce=1234&resource=https://graph.microsoft.com&prompt=admin_consent
The admin consent was successful which means that all users from this directory have been authorized.
Now, when I log to my multi-tenant application through a global admin, the call to assignLicense endpoint is a success which means my code is working well.
However, when a non-Global Admin logs in to the application, he is able to log in too (due to the consent given above), but when a call is made to the Graph API to AssignLicense, I get a 403 Forbidden error.
I am not able to understand what I should do to get rid of this error.
This looks like an effective permissions issue. From https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
For Delegated permissions, the effective permissions of your app will be the least privileged intersection of the Delegated permissions the app has been granted (via consent) and the privileges of the currently signed-in user. Your app can never have more privileges than the signed-in user. Within organizations, the privileges of the signed-in user may be determined by policy or by membership in one or more administrator roles. For more information about administrator roles, see Assigning administrator roles in Azure Active Directory.
For example, assume your app has been granted the User.ReadWrite.All Delegated permission. This permission nominally grants your app permission to read and update the profile of every user in an organization. If the signed-in user is a global administrator, your app will be able to update the profile of every user in the organization. However, if the signed-in user is not in an administrator role, your app will be able to update only the profile of the signed-in user. It will not be able to update the profiles of other users in the organization because the user that it has permission to act on behalf of does not have those privileges.
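The effective-permission rule quoted above (and stated in the first answer on this page for Group.ReadWrite.All) is what usually explains a 403 on assignLicense when the access token already carries the scope: the scope is in the token, but the signed-in user has no role that allows the operation. The Python below is an added example, not code from the question, the answer or the Graph documentation. It reads the scp claim out of an access token the app already holds, and sorts a 403 into "missing scope" (consent is the problem) versus "effective permission" (the user is the problem). The token is a constructed, unsigned JWT-shaped string so the example runs offline; the 403 body is modelled on Graph's Authorization_RequestDenied response; and the assumption that assignLicense accepts User.ReadWrite.All or Directory.ReadWrite.All as delegated scopes is passed in as a parameter rather than hard-coded.

```python
import base64
import json


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample token: JWT-shaped and unsigned so the example runs offline.
# Only the payload's "scp" claim matters here; header and signature are placeholders.
SAMPLE_PAYLOAD = {
    "aud": "https://graph.microsoft.com",
    "scp": "Directory.ReadWrite.All User.ReadWrite.All User.Read",
    "upn": "alice@contoso.example",  # constructed user, not a real tenant
}
SAMPLE_TOKEN = ".".join([_b64url(b'{"alg":"none"}'),
                         _b64url(json.dumps(SAMPLE_PAYLOAD).encode()),
                         ""])


def token_scopes(token: str) -> set:
    """Return the delegated scopes ('scp' claim) carried by an access token.

    No signature validation is done: this inspects a token the app already
    received from the token endpoint, to see which scopes consent produced."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)   # restore base64 padding
    payload = json.loads(base64.urlsafe_b64decode(payload_b64))
    return set(payload.get("scp", "").split())


# Constructed 403 body, modelled on Graph's Authorization_RequestDenied response.
SAMPLE_403 = {
    "status": 403,
    "body": {"error": {"code": "Authorization_RequestDenied",
                       "message": "Insufficient privileges to complete the operation."}},
}


def classify_forbidden(response: dict, token: str, required_scopes: set) -> str:
    """Explain a 403 on a delegated call.

    "ok":                   the call was not forbidden.
    "missing_scope":        the token has none of the scopes the endpoint accepts,
                            so consent (admin consent for admin-only scopes) is
                            what needs fixing.
    "effective_permission": an accepted scope IS in the token and Graph still
                            refused. Delegated rights are the intersection of the
                            app's scopes and the signed-in user's privileges, so
                            the user lacks the directory role, not the app."""
    if response["status"] != 403:
        return "ok"
    if not (token_scopes(token) & required_scopes):
        return "missing_scope"
    return "effective_permission"


if __name__ == "__main__":
    # Assumption: assignLicense accepts User.ReadWrite.All or Directory.ReadWrite.All.
    needed = {"User.ReadWrite.All", "Directory.ReadWrite.All"}
    print(sorted(token_scopes(SAMPLE_TOKEN)))
    print(classify_forbidden(SAMPLE_403, SAMPLE_TOKEN, needed))  # effective_permission
```

The useful diagnostic is the split: if `classify_forbidden` returns "effective_permission", adding more scopes to the app registration will not help; the signed-in account needs the role (for license assignment, an administrator role such as the one the global admin in the question already holds).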
What is the minimum set of permissions required in an AAD app to access the Graph API checkMemberGroups?
Here is the list of permissions I tried with. Can this set be reduced any further? And am I missing any mandatory permissions?
Delegated Permissions -
Microsoft Graph API
Read all users' full profiles
Read all groups
Access directory as the signed in user
Sign in and read user profile
Windows Azure Active Directory
Read all users' full profiles
Read all groups
Access directory as the signed in user
Sign in and read user profile
If you were developing checkMemberGroups with Microsoft Graph, there is no need to configure the corresponding permission for Windows Azure Active Directory.
And to call this API, if you have granted User.Read.All, there is no need to grant the other three permissions. As the document mentions, one of the scopes is required.
It depends on the type of data you want to get from Graph. If you just want to sign in the end user and get their basic profile info, you can simply set Sign in and read user profile.
Each scope relates to some data or endpoint you want to access. Figure out that list of data your scenario requires, then compare that with the scopes.
After some experimentation, it seems that the minimum permissions are the following:
/me/checkMemberGroups
User.Read
GroupMember.Read.All
/users/{userId}/checkMemberGroups
User.ReadBasic.All
GroupMember.Read.All
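checkMemberGroups is also the natural pre-flight for the Planner question earlier on this page, where plan creation failed because the caller was not a member of the group. The Python below is an added example, not code from any of the answers: it builds the checkMemberGroups request for either the /me or the /users/{id} form, tags it with the minimum delegated scopes listed in the answer above, and only issues the POST /planner/plans call once the group id comes back in the membership result. The `send` transport, the `MEMBERSHIP` table and the group ids are constructed so the flow runs offline; the `{"owner": groupId, "title": ...}` plan body is an assumption about the request shape, since the question's own request bodies are not reproduced on the page.

```python
GRAPH = "https://graph.microsoft.com/v1.0"

# Minimum delegated scopes reported in the answer above, keyed by endpoint form.
MIN_SCOPES = {
    "me":   {"User.Read", "GroupMember.Read.All"},
    "user": {"User.ReadBasic.All", "GroupMember.Read.All"},
}


def check_member_groups_request(group_ids, user_id=None) -> dict:
    """Build the POST for checkMemberGroups, for the signed-in user (/me) or for
    another user (/users/{id}). The body lists the group ids to test; Graph
    answers with the subset the user is a member of."""
    form = "me" if user_id is None else "user"
    path = "/me" if user_id is None else f"/users/{user_id}"
    return {
        "method": "POST",
        "url": f"{GRAPH}{path}/checkMemberGroups",
        "body": {"groupIds": list(group_ids)},
        "scopes": MIN_SCOPES[form],
    }


def create_plan_if_member(group_id: str, title: str, send) -> dict:
    """Create a Planner plan only when the caller is a member of the owning group.
    `send(method, url, body)` is an injected transport returning (status, json)."""
    req = check_member_groups_request([group_id])
    status, result = send(req["method"], req["url"], req["body"])
    if status != 200:
        return {"created": False, "reason": f"checkMemberGroups returned HTTP {status}"}
    if group_id not in result.get("value", []):
        # Owner-but-not-member is exactly the case the earlier answer describes.
        return {"created": False, "reason": "caller is not a member of the group"}
    status, plan = send("POST", f"{GRAPH}/planner/plans",
                        {"owner": group_id, "title": title})   # assumed body shape
    if status == 201:
        return {"created": True, "plan": plan}
    return {"created": False, "reason": f"plan creation returned HTTP {status}"}


# Constructed tenant state: the caller is a member of one group and only an
# owner of the other. Group ids are placeholders, not real object ids.
MEMBERSHIP = {"grp-member": True, "grp-owner-only": False}


def fake_send(method: str, url: str, body: dict):
    """Offline stand-in for an authenticated Graph call (constructed)."""
    if method == "POST" and url.endswith("/checkMemberGroups"):
        return 200, {"value": [g for g in body["groupIds"] if MEMBERSHIP.get(g)]}
    if method == "POST" and url.endswith("/planner/plans"):
        return 201, {"id": "plan-1", "owner": body["owner"], "title": body["title"]}
    return 404, {"error": {"code": "ResourceNotFound"}}


if __name__ == "__main__":
    print(check_member_groups_request(["grp-member"])["scopes"])
    print(create_plan_if_member("grp-member", "Roadmap", fake_send))
    print(create_plan_if_member("grp-owner-only", "Roadmap", fake_send))
```

Because the membership check runs in the same delegated context as the plan creation, a "not a member" result tells the user what to fix (get added to the group) instead of surfacing the generic 403 text from the Planner endpoint.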