Currently I can assign roles to users using the azure portal. How can I do by just hitting an api so that I don't have to go the portal for every user ?
This can be achieved using the Activate directoryRole API:
POST https://graph.microsoft.com/v1.0/directoryRoles
Content-type: application/json
{
"roleTemplateId": "fe930be7-5e62-47db-91af-98c3a49a38b1"
}
For checking the Directory role object id please refer:https://learn.microsoft.com/en-us/graph/api/directoryrole-list?view=graph-rest-1.0&tabs=http.
Hope this helps.
Related
I am trying to get the access token for the Azure function app. I have enabled managed identity for the function app(system assigned). but while fetching the token using the nuget Azure.Identity.
var tokenCredential = new DefaultAzureCredential();
var accessToken = await tokenCredential.GetTokenAsync(
new TokenRequestContext(scopes: new string[] { "https://xxx.azure-api.net/" + "/.default" }) { }
);
I am getting the error.
The resource principal named 'xxx.azure-api.net' was not found in
the tenant 123
but when run az cli to check the subscription details, the subscription indeed part of the tenant 123 only.
Here is what I have finally done.
I have registered an App in AD. and Exposed the API of that App.
I have assigned System Assigned Managed Identity to the Function.
In the local I am not able to request token because Azure CLI is not given consent.
After deploying the application in Function my Function app can request a token using its identity.
You need to register the application in azure ad and enable the access token. Once that is done the you need to provide RBAC access to your xxx.azurewebsites.net
Follow this article for the step by step documentation Microsoft Document Reference
Unfortunately, the error message is not really helpful. But adding a scope to the app registration solved the problem for me:
In Azure Portal navigate to App Registrations
Find your app, in the left side menu select Manage => Expose an API
Add a scope. I named mine api_access as this was where this error occurred.
In my case I then got an API URI (like api://client-id/scope_name) which I used in my Angular app. Error message was gone.
Also, make sure that in the Enterprise Application you have created, under Manage => Properties, "Assignment required" and "Visible to users" is turned on.
does anyone of you know how I can set the 'Signing Option' of an azure enterprise app single sign-on to 'Sign SAML response and assertion' using the Graph API?
If you want to use Microsoft Graph API to set the 'Signing Option' of an azure enterprise app single sign-on, please refer to the following steps
Get the azure enterprise app token Issuance Policy
Get https://graph.microsoft.com/v1.0/servicePrincipals/<the enterprise app object id>/tokenIssuancePolicies
Update token Issuance Policy
Patch https://graph.microsoft.com/v1.0/policies/tokenIssuancePolicies/{id}
Content-type: application/json
{
"definition":["{\r\n \"TokenIssuancePolicy\": {\r\n \"Version\": 1,\r\n \"SigningAlgorithm\": \"http://www.w3.org/2001/04/xmldsig-more#rsa-sha256\",\r\n \"TokenResponseSigningPolicy\": \"ResponseAndToken\",\r\n \"SamlTokenVersion\": \"2.0\"\r\n }\r\n}"]
}
The origin setting
The new setting
For more details, please refer to here and here
How do you get the authentication contact info from azure ad b2c with the microsoft graph, I am looking to retrieve the email address.
I checked the documentation on Microsoft Graph API and could find no mention of how to get the Authentication Contact Info besides using PowerShell (learn.microsoft.com/en-za/azure/active-directory/authentication/…)
Based on this article, there are still some gaps between the Microsoft Graph API and the older Azure AD Graph API, but seems neither will fully retrieve what's required.
As of now, the following with get the Alternate Email field only from the "Authentication contact info" section using the Azure AD Graph API;
Register the Application in Azure AD
In the Azure Active Directory instance;
Register a new application (client_id)
Grant "Read all users' full profiles" permissions to Windows Azure Active Directory
Create a private key (client_secret) for the application
Authentication Flow
Reference: Service to Service Calls Using Client Credentials
Retrieve an access token
Request
POST https://login.microsoftonline.com/<tenant id>/oauth2/token
Payload
{
"client_id": "<client_id>",
"client_secret": "<client_secret>",
"resource": "https://graph.windows.net",
"grant_type": "client_credentials"
}
User Authentication Contact Info
Reference: Basic operations on users
Get user
Request
GET https://graph.windows.net/<tenant_id>/users/<user_id>?api-version=1.6
Headers
{
"Authorization": "Bearer <access_token>"
}
Response
{
...
"otherMails": ["<Alternate Email>"],
...
}
As you mentioned it seems that there is no microsoft Graph API could get the authentication Contact Info Email.
But we could get that information with following API, I capture it with browser. It seems a litte hack.
Get https://main.iam.ad.ext.azure.com/api/UserDetails/{userId}
About how to get the access token, please refer to this blog.
Note: I don't find this API in the Azure official document. Please don't use it for product, you could use it for test.
I am getting below error while connecting to Azure Active Directory
"AADSTS90009: Application 'xxxxxxxxxxxxxxxxx' is requesting a token for itself. This scenario is supported only if resource is specified using the GUID based App Identifier.
If you want to use web application to call web API, please refer to the sample. The detailed steps.
Register your Web API application in Azure Portal. For more details, please refer to the document.
Register your Web app application in Azure Portal
Grant permission.(add you web API application in you web app application)
a. select you web application
b. set permissions.
Get access token
Method : POST
URL : https://login.microsoftonline.com/ [Directory ID]/oauth2/token
Headers
Cache-Control : no-cache
Content-Type : application/x-www-form-urlencoded
Body
grant_type : password
resource : Your App ID URI
client_id : [application id]
client_secret : [key value]
username : [account name]
password : [Password]
This error is saying that the field you provided in the resource parameter is requesting tokens for itself.
Alternatively, you can provide an app ID URI of a web API you've registered or another resource with scopes to get tokens for that resource (Microsoft Graph, Office API, etc).
The error information indicates that you are using Azure AD application url as resource.
As qwe mentioned that you need to use the WebApp API(Not Azure AD application) you wanted to access as resource. For more information please refer to this link.
POST https://login.microsoftonline.com/{tenantId}/oauth2/token
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&client_id={clientId}&client_secret={secret key}=&resource={resourceaddress}
Note: If we want to use the OAuth 2 grant type: password, we need to registry Azure AD native application. For more information please refer to another SO thread.
How can I update the SignInName of an existing user in Azure AD using Microsoft Graph or Azure AD Graph Client.
Thanks!
Looks like it won't be possible to update SignInName through either Microsoft Graph API or Azure Graph API. It may be worth a try using PowerShell if that fits your use case (again this may or may not work). Details about each one below..
Update User SignInName using Microsoft Graph API
This isn't possible because SignInNames collection isn't even
available as part of the user entity in Microsoft Graph yet.
Here is a GitHub issue thread on this topic, look towards the end.
Add signInNames property to User. #91
Update User SignInName using Azure AD Graph API
You would be able to set the User SignInNames collection only at the time of creation of user. See the documentation mentions only POST and GET (no PATCH)
https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/entity-and-complex-type-reference#user-entity
Update User SignInName using PowerShell
This may work out, but I'm not sure about it. Then again, you asked specifically for Microsoft Graph or Azure AD Graph API so your scenario may not be suited for PowerShell.
Set-AzureADUser
You can PATCH the signInNames using the Azure AD Graph API (graph.windows.net) as an update.
PATCH https://graph.windows.net/{tenantId}/users/{userId}?api-version=1.6
Content-Type: application/json
BODY:
{
"givenName": "James Wood",
"signInNames": [
{
"type": "userName",
"value": "jamesWoodUserName"
}
]
}
Or just use GraphBeta sdk.
https://github.com/microsoftgraph/msgraph-beta-sdk-dotnet
> Install-Package Microsoft.Graph.Beta
var users = await graphClient.Users.Request().GetAsync().ConfigureAwait(false);
The email is then under "Identities"
debug-watch