My subscription has preview feature enabled.
I created application in Microsoft Azure.
To access claims preview feature of application edited the URL by adding '?feature.claimseditorpreview=true'
Also added some custom claims to 'Claims (preview)'.
Now I would like to access the preview feature of application's claim using REST api.
I tried to reproduce the same in my environment and got the below results:
You can retrieve the list of claims mapping policy that is applied to a Service Principal/Azure AD Enterprise Application.
To create claims mapping policy, please try the below query in Microsoft Graph Explorer:
POST https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies
{
"definition": [
"{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Value\":\"900\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}"
],
"displayName": "Test Claims Policy",
"isOrganizationDefault": false
}
Claims mapping policy will be created like below:
To assign the created policy to a Service principal, execute the below query:
POST https://graph.microsoft.com/v1.0/servicePrincipals/servicePrincipalObjectID/claimsMappingPolicies/$ref
{
"#odata.id": "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/PolicyID"
}
A response of 204 will be returned if successful:
To retrieve the claims mapping policy, switch to beta:
GET https://graph.microsoft.com/beta/servicePrincipals/servicePrincipalObjectID/claimsMappingPolicies
Unfortunately, listing Attributes & Claims for an Azure Service Principal is not possible.
Please refer this MsDoc which describes the possible methods on Azure Service Principal.
Related
I have a scenario, I need to write functional tests for my API(s). API uses Azure AD authentication. There are multiple roles in system and role of a user is decided on the basis of membership of different AD groups.
so for functional test I need different users with in different groups.
I created a service principals with contributor rights in subscription and added them in groups and granted following Microsoft graph Application type API permissions.
- Application.Read.All
- Directory.Read.All
Now I used these apis to complete my use case.
1- https://login.microsoftonline.com/{tenant-Id}/oauth2/token
to get the access token against service principal.
2- GET https://graph.microsoft.com/v1.0/me/memberOf
to get the list of user's groups. but i got following response with authentication token of service principal.
{
"error": {
"code": "Request_ResourceNotFound",
"message": "Resource 'xxxx471-bxxxa-45a2-b61b-18xxxxx42af88' does not exist or one of its queried reference-property objects are not present.",
"innerError": {
"request-id": "fxxxxc41-319e-xxxx-xxxx-360xxxx58077",
"date": "2020-04-13T11:41:01"
}
}
}
I also have tried this
3- https://graph.microsoft.com/v1.0/users/{princialId}/memberOf
and get the following response
"error": {
"code": "Request_ResourceNotFound",
"message": "Resource 'xxxxx-xxxx-xxxx-b61b-18421142af88' does not exist or one of its queried reference-property objects are not present.",
"innerError": {
"request-id": "fxxxxc41-319e-xxxx-xxxx-360xxxx58077",
"date": "2020-04-14T05:59:03"
}
}
}
I have used object id of app registered in azure AD. when i searched service principal using power shell using following command I found different Object_Id than which is written on AD app on azure portal
command : get-AzureADServicePrincipal
with this Object_Id I was able to get service principal's groups using beta services.
https://graph.microsoft.com/beta/servicePrincipals/{object ID}/memberOf
anybody can explain why i was not able to get the groups of service principal using v1.0 service.
Thanks
anybody can explain why i was not able to get the groups of service principal using v1.0 service.
Because the v1.0 version does not support this API GET /servicePrincipals/{id}/memberOf , it just could be availale in the Beta version currently.
You could check this doc - List servicePrincipal memberOf, select the Version with 1.0, then it will give a prompt message like below.
I have used object id of app registered in azure AD. when i searched service principal using power shell using following command I found different Object_Id than which is written on AD app on azure portal
The Object Id of the service principal is not the same with that of the App Registration, the one you got from the powershell is correct, also, you can find it in the portal in the Enterprise applications like below.
I agree that beta service was not part of V1.0 but according to V1 documentation
https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/memberOf
should work.
please visit
https://learn.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0&tabs=http
Please find documetation image here
I've got an app registration in Azure with the required permission - Directory.AccessAsUser.All (delegated) and that registration has Security Reader over all of my subscriptions.
When I GET https://graph.microsoft.com/beta/privilegedRoles/{id}/assignments with my access token (bearer auth), I get the following response:
{
error: {
code: 'UnknownError',
message: '',
innerError: {
'request-id': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
date: '2020-03-13T11:53:41'
}
}
}
The {id} in this case is the ID of the permission I want check the assignments of.
I'm using this as a reference: https://learn.microsoft.com/en-us/graph/api/privilegedrole-list-assignments?view=graph-rest-beta&tabs=http
This is a beta version API, the current endpoints of AAD roles have been disabled for your tenant for migration purpose, see this link.
When customers have the updated version rolled out to their Azure AD organization, the existing graph API will stop working. You must transition to use the Graph API for Azure resource roles. To manage Azure AD roles using that API, swap /azureResources with /aadroles in the signature and use the Directory ID for the resourceId.
So you need to use this API currently, swap /azureResources with /aadroles, test it in the Graph Explorer.
GET https://graph.microsoft.com/beta/privilegedAccess/aadRoles/resources/<tenant-id>/roleAssignments?$filter=RoleDefinitionId+eq+'RoleDefinitionId'
In Azure AD I setup SCIM which is working great. However for some reason roles as well as appRoleAssignments are never sent in the body of a SCIM POST or PATCH request.
As an example, here's the SCIM body for a POST request:
{
"schemas": [
"urn:ietf:params:scim:schemas:core:2.0:User",
"urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"
],
"userName":"testBlaBla#example.com",
"active":true,
"displayName":"Test Bla bla",
"meta": {
"resourceType":"User"
},
"roles":[]
}
This test user has been assigned with Directory Roles and Application Roles. An attribute (with default value "n/a") for the appRoleAssignments was added and mapped. And API permissions for read/write Application Role Assignments was added.
Screenshot of SCIM Attribute mappings with target application
Screenshot of custom added appRoleAssignments attribute
How can I get SCIM in Azure AD to also sent Roles and Application Roles information to the target application?
Ensure that you are using a mapping of type expression rather than direct and user the appRoleassignment function.
https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes#provisioning-a-role-to-a-scim-app
Select the target attribute that comes out of the box or if you extend the schema follow the format described here, e.g.:
urn:ietf:params:scim:schemas:extension:2.0:CustomExtensionName:appRoles
or
urn:ietf:params:scim:schemas:extension:CustomExtensionName:2.0:User.appRoles:value
https://learn.microsoft.com/en-us/azure/active-directory/app-provisioning/customize-application-attributes#provisioning-a-custom-extension-attribute-to-a-scim-compliant-application
I want to learn Azure directory services, so I created a free Microsoft Azure account to play around with Azure, and then I created a new App registration at portal.azure.com. So I have this registered application in Azure with a Client ID, Tenant ID, and even a Client Secret, because I want to learn API permissions with this app.
Now in the Microsoft Graph Explorer, I want to try using API methods like Get Application and List Applications.
However, if I log in and run the API to list my applications (GET https://graph.microsoft.com/beta/applications), the response has an empty array of applications.
Also if I try to GET the specific app that I registered in AD, I get a 404: Resource Not Found found error.
What am I doing wrong? How can I use the Graph Explorer with my test Azure account so my registered application can be retrieved and edited with Microsoft Graph APIs?
More Details Below
When I run GET https://graph.microsoft.com/beta/applications in Microsoft Graph Explorer, I expect a list of my applications, including the one app I registered in Azure. Instead, here is the response:
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#applications",
"value": []
}
When I run GET https://graph.microsoft.com/beta/applications/{client-id}, with my registered app's client-id, I expect all the details of my registered app, but instead, the response is error 404:
{
"error": {
"code": "ResourceNotFound",
"message": "Resource not found.",
"innerError": {
"request-id": "*****",<--I commented this out
"date": "2019-05-28T20:17:11"
}
}
}
If this were a permissions issue, I would expect unauthorized errors instead of "resource not found". I've tried adding Microsoft Graph permissions to my registered App (Directory.Read.All, Directory.ReadWrite.All), but this hasn't helped.
This is nothing to do with Azure free account. If you login in Graph Explorer using outlook account, it will identify this account as a personal account(with tenant outlook.com). That's why you can not find the applications you created in your tenant.
It is recommended to create a new user in your tenant to do the tests.
Here are the steps.
1.Click Azure Active Directory->Users->New User. The username should be something like username#{your tenant name}(XXX.onmicrosoft.com)
2.After the creation, add the roles for this user.
How can I update the SignInName of an existing user in Azure AD using Microsoft Graph or Azure AD Graph Client.
Thanks!
Looks like it won't be possible to update SignInName through either Microsoft Graph API or Azure Graph API. It may be worth a try using PowerShell if that fits your use case (again this may or may not work). Details about each one below..
Update User SignInName using Microsoft Graph API
This isn't possible because SignInNames collection isn't even
available as part of the user entity in Microsoft Graph yet.
Here is a GitHub issue thread on this topic, look towards the end.
Add signInNames property to User. #91
Update User SignInName using Azure AD Graph API
You would be able to set the User SignInNames collection only at the time of creation of user. See the documentation mentions only POST and GET (no PATCH)
https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/entity-and-complex-type-reference#user-entity
Update User SignInName using PowerShell
This may work out, but I'm not sure about it. Then again, you asked specifically for Microsoft Graph or Azure AD Graph API so your scenario may not be suited for PowerShell.
Set-AzureADUser
You can PATCH the signInNames using the Azure AD Graph API (graph.windows.net) as an update.
PATCH https://graph.windows.net/{tenantId}/users/{userId}?api-version=1.6
Content-Type: application/json
BODY:
{
"givenName": "James Wood",
"signInNames": [
{
"type": "userName",
"value": "jamesWoodUserName"
}
]
}
Or just use GraphBeta sdk.
https://github.com/microsoftgraph/msgraph-beta-sdk-dotnet
> Install-Package Microsoft.Graph.Beta
var users = await graphClient.Users.Request().GetAsync().ConfigureAwait(false);
The email is then under "Identities"
debug-watch