How to include directory extension into access token in azure AD? - azure

I have created directory extension and assigned data for it but when I add it in Token configuration but it still not include in access token so how to include directory extension in Azure AD ?

I tried to reproduce the same in my environment to add custom extension attribute in azure AD.
Create a new app registration like below
Azure AD Portal>Azure Active Directory>App registrations
Create custom extension attribute using Graph Explorer and login graph explorer with global admin account.
You can get the application object ID like below
Azure Portal>Azure Active Directory>App Registration>Select your App
Execute the code in graph explorer like below
GET https://graph.microsoft.com/v1.0/applications/<AppregistrationObjectID>
Modify the code to create the custom extension
POST https://graph.microsoft.com/v1.0/applications/<AppregistrationObjectID>/extensionProperties
{
"name": "CustomAttribute",
"dataType": "string",
"targetObjects": [
"User",
"Group"
]
}
Add the custom attribute to user object like below
PATCH https://graph.microsoft.com/v1.0/users/<UserObjectID>
{
"extension_47c8caba8d924ac9a0f159b0dcc8d4c7_CustomAttribute": "Demo"
}
You can get the user object ID like below
Azure Portal>Azure Active Directory>Users>Select your Global Admin user
Added custom attribute in access token
Finally added custom extension attribute like below

Related

Accessing 'preview feature' properties of enterprise application in Microsoft Azure

My subscription has preview feature enabled.
I created application in Microsoft Azure.
To access claims preview feature of application edited the URL by adding '?feature.claimseditorpreview=true'
Also added some custom claims to 'Claims (preview)'.
Now I would like to access the preview feature of application's claim using REST api.
I tried to reproduce the same in my environment and got the below results:
You can retrieve the list of claims mapping policy that is applied to a Service Principal/Azure AD Enterprise Application.
To create claims mapping policy, please try the below query in Microsoft Graph Explorer:
POST https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies
{
"definition": [
"{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Value\":\"900\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}"
],
"displayName": "Test Claims Policy",
"isOrganizationDefault": false
}
Claims mapping policy will be created like below:
To assign the created policy to a Service principal, execute the below query:
POST https://graph.microsoft.com/v1.0/servicePrincipals/servicePrincipalObjectID/claimsMappingPolicies/$ref
{
"#odata.id": "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/PolicyID"
}
A response of 204 will be returned if successful:
To retrieve the claims mapping policy, switch to beta:
GET https://graph.microsoft.com/beta/servicePrincipals/servicePrincipalObjectID/claimsMappingPolicies
Unfortunately, listing Attributes & Claims for an Azure Service Principal is not possible.
Please refer this MsDoc which describes the possible methods on Azure Service Principal.

Azure Graph API can't create localaccount without domain in userPrincipalAccount

I am creating users using the Azure Graph API (using Microsoft.Graph;), and I am seeing issues when I try to add local account users. I want to be able to create an account where the user can log in with a username, such as "jimmy" and not have to specify a domain. I am able to do this with the Azure Portal, but not with Graph API.
When I add users through Graph API, the issue is with the userPrincipalName. I must include a userPrincipalName, and userPrincipalName must include a domain. Conversely, when I create a user account with Azure Portal, I do not specify a userPrincipalName, and the userPrincipalName is created automatically with the format being objectid#mydomain.onmicrosoft.com.
In summary, I want to be able to use the graph API to create a user who can log in as "Jimmy" as I can with the Azure Portal, but I am only able to create a user who can log in as jimmy#mydomain.onmicrosoft.com.
You could generate a GUID and set the UPN to "guid#domain.onmicrosoft.com"? If that's what the portal does, shouldn't it be fine for your app too? If you specify an identity for the user with the username type, they should be able to log in with that.
So you can set the user's identities to something like:
{
"identities": [{
"signInType": "userName",
"issuer": "mydomain.onmicrosoft.com",
"issuerAssignedId": "jimmy"
}]
}
And the UPN can be the generated one with the GUID.
Reference: https://learn.microsoft.com/en-us/graph/api/resources/objectidentity?view=graph-rest-1.0

Removing application access to user from User interface by using Microsoft graph API or Azure AD graph api

I created admin console in the User interface where admin can perform all the operations such create, delete the user, assign applications to user and remove application access to users from the user interface
I tired to remove application access to the users from the User Interface by using Microsoft graph API and Azure AD graph api
i used following azure AD graph api
https://graph.windows.net/tenantid/users/{userId}/appRoleAssignments/{appId}?api-version=1.6
but it is showing the error when i tested in the postman "Invalid resource identifier for EntitlementGrant."
Idont know what to do can anyone help me about these error and how to resolve these problem.
You may be getting this error because you are trying to delete the application access using AppId of the application. Please make sure to use "AssignmentID" from Azure Portal which is unique ID of the specific role assignment and links the user/group and the service principal object.
Go to Azure Active Directory > Users > Select specific User > Applications > Select any application to navigate to "Assignment Details" blade.
See screenshot below -
This unique id is also available as "ObjectID" if querying application role assignments through Graph API -
https://graph.windows.net/{TenantID}/users/{UserID}/appRoleAssignments
Here is the sample output of the above API call.
"odata.metadata": "https://graph.windows.net/sasharms.onmicrosoft.com/$metadata#directoryObjects/Microsoft.DirectoryServices.AppRoleAssignment",
"value": [
{
"odata.type": "Microsoft.DirectoryServices.AppRoleAssignment",
"objectType": "AppRoleAssignment",
"objectId": "r7rDMrnDo0uCuwnosRwwzuziiF5B8s9FnsotYya5DMU",
"deletionTimestamp": null,
"creationTimestamp": "2018-05-10T14:10:49.8197813Z",
"id": "00000000-0000-0000-0000-000000000000",
"principalDisplayName": "SaurabhSharma",
"principalId": "32c3baaf-c3b9-4ba3-82bb-09e8b11c30ce",
"principalType": "User",
"resourceDisplayName": "WebAppOpenIdGraphApi",
"resourceId": "90658e39-2559-48fb-a27a-5e50cca94288"
}
This Id is ideally used for performing various operations against the application using any programmatic interfaces like PowerShell and Graph APIs.

Add Custom Attribute Not Used in Sign-Up nor Edit Policy

How do I add a Custom Attribute, when using custom policies, that is not used in a sign-up nor edit policy?
Background
I need to define custom attributes that will be set via the AD Graph API, not the user.
I found this note:
There is a known limitation of custom attributes. It is only created the first time it is used in any policy, and not when you add it to the list of User attributes.
So I'm thinking what I'm trying to do is not achievable directly. I guess a workaround would be:
Create an edit (or sign-up) policy
Perform a user edit prompting for the new custom attribute(s)
Delete the edit policy
Update
I started implementing my workaround via a sign-up policy and after uploading my custom policies, the new attribute, NewCustomAttribute, is there without creating a user.
What magic added this new attribute?
.\b2c Get-Extension-Attribute [my-ad-app-guid]
{
"odata.metadata": "https://graph.windows.net/ebenefitsdev.onmicrosoft.com/$metadata#directoryObjects/Microsoft.DirectoryServices.ExtensionProperty",
"value": [
{
"odata.type": "Microsoft.DirectoryServices.ExtensionProperty",
"objectType": "ExtensionProperty",
"objectId": "[some-guid]",
"deletionTimestamp": null,
"appDisplayName": "",
"name": "extension_[my-ad-app-guid]_NewCustomAttribute",
"dataType": "String",
"isSyncedFromOnPremises": false,
"targetObjects": [
"User"
]
}
}
The extensions app, which is added to the Azure AD B2C directory when it is created, registers the extension property when a custom attribute is created via the Azure AD B2C blade.
The extensions app ID should match the middle part of the extension property name.
After the extension property is registered by the extensions app and before it is referenced by any built-in or custom policy, it can be read from and written to via the Azure AD Graph API.

Azure Active Directory B2C User Management

I was following this article and created a sample which works perfectly well. I can sign up, sign out and edit my profile with it but can't find out how to add a user in AAD B2C and assign it some role, so that I can differentiate them on the basis of roles, i.e. when I get to the Claims Page and get a user object, I can check the user by writing something like this:
User.IsInRole("client")
I added a custom attribute in "User Attributes" with the name of "Role" but that didn't solve my problem. I can only see that when I write:
foreach (Claim claim in ClaimsPrincipal.Current.Claims)
...claim.Type .... claim.Value
But I want it as I explained above
Thanks in advance.
Ok by now, I have found out the roles by clicking on the directory name -- users, but the available roles are User, Global Admin, Billing Admin, Service Admin, User Admin and Password Admin, but User.IsInRole("User") didn't work for me. So,
1. can I add any customized roles
2. how can I check if my user belongs to a particular role programmatically?
Thanks.
You can add custom roles by modifying application manifest file (application configured in Azure Active Directory). You just have to download manifest json file, add your custom roles and upload file again. You can do it here:
Then open the file and add custom role like that:
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"description": "some text",
"displayName": "Super role",
"id": "c530a40b-a47c-42b7-ba9a-f34d8ca7e443",
"isEnabled": true,
"origin": "Application",
"value": "Super role"
}
],
User attributes in Azure B2C are prefixed with "Extension_", so a user attribute "Role" will be called "extension_role" in your claims.
This is the reason the UserIsInRole doesn't work
Something that works for Azure AD, maybe for B2C also(not tried by me):
Try to use Groups (create a new group), add the user to the group.
Group membership isn't added to your claims by default:
http://justazure.com/azure-active-directory-part-4-group-claims/

Resources