Are nested groups supported in Azure B2C?
This page suggests there is some support, because it links to https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-limitations#restriction-on-nested-groups
If there are restrictions on them then I assume they are at least partially supported. Unfortunately that page no longer exists.
I couldn't find any information in MSFT docs about the status of this feature.
I've tried their User Voice, but the only thing I found is an entry about plain "Azure AD" (I thought that is supported already, but it appears it's not if there is an open request about it)
FWIW I cannot add a nested group in the way that's suggested by MSFT documentation. I don't see that option in the UI, though it lists "0 groups" as members.
Trying to add a group to another group via Graph API results in
{"error":{"code":"Request_BadRequest","message":"An invalid operation was included in the following modified references: 'members'.","innerError":{"date":"2022-04-20T15:32:34","request-id":"7d183819-019a-4f23-b31f-1765dcd7d44a","client-request-id":"7d183819-019a-4f23-b31f-1765dcd7d44a"}}}
Azure AD has some support for nested groups.
B2C has no groups support. Typically, you assign the groups in Azure AD and then access them from B2C via Graph via REST API.
After wrangling with MSFT support I got an answer that nested groups are not supported in B2C enabled tenants.
This can be done in Azure AD and not on the B2C AD. Adding a group as a member of another group in Azure AD B2C is not supported.
Related
I have an Azure AD tenant and I am looking for a way to include extra attributes while creating members within my organization. I have poked around the interface and can't find a way to achieve this on the Azure portal. From my findings, I can see tons of documentation and blog posts on how to achieve this using the B2C feature and graph API for external customers. However, this does not meet my requirements.
I believe this is a basic requirement that should be possible on Azure AD. Can someone please point me to the right documentation to achieve this?
Azure portal doesn't provide such a feature but we can achieve this using Microsoft Graph API: Create extensionProperty.
You need to specify the targetObjects as "User".
An example (you can use any of your app registrations for {object id of the app registration}):
POST https://graph.microsoft.com/v1.0/applications/{object id of the app registration}/extensionProperties
{"name":"customAttribute","dataType":"string","targetObjects":["User"]}
It will generate an extension property named extension_{client id of the app registration without "-"}_customAttribute.
Then you can update the extension property for a user:
PATCH https://graph.microsoft.com/v1.0/users/{user id}
{"extension_{client id of the Azure AD application without "-"}_customAttribute":"value"}
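An added example (not part of the answer above) that builds the two Graph requests the answer describes, derives the generated extension_{client id without "-"}_{name} property name, and reads such attributes back out of a user object. All GUIDs and the sample user object are constructed placeholders; the code only builds request URLs and bodies and does not call Graph.

```python
import json
import re

GRAPH = "https://graph.microsoft.com/v1.0"
GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")


def extension_property_name(app_client_id: str, attribute: str) -> str:
    """Name Graph assigns to a directory extension: extension_<client id, dashes removed>_<attribute>."""
    if not GUID_RE.match(app_client_id):
        raise ValueError("app client id must be a GUID")
    return f"extension_{app_client_id.replace('-', '')}_{attribute}"


def create_request(app_object_id: str, attribute: str, data_type: str = "string") -> tuple:
    """POST that registers the attribute on the app registration's Application object.
    targetObjects is fixed to ["User"], which is what makes the attribute usable on users."""
    if not GUID_RE.match(app_object_id):
        raise ValueError("app object id must be a GUID")
    body = {"name": attribute, "dataType": data_type, "targetObjects": ["User"]}
    return "POST", f"{GRAPH}/applications/{app_object_id}/extensionProperties", body


def update_request(user_id: str, app_client_id: str, attribute: str, value) -> tuple:
    """PATCH that sets the attribute value on one user (note: keyed by the app's client id,
    not the object id used when creating the extension property)."""
    body = {extension_property_name(app_client_id, attribute): value}
    return "PATCH", f"{GRAPH}/users/{user_id}", body


def user_extension_values(user: dict, app_client_id: str) -> dict:
    """Extract this app's extension attributes from a user object returned by Graph,
    keyed by the short attribute name (other apps' extensions are ignored)."""
    prefix = f"extension_{app_client_id.replace('-', '')}_"
    return {k[len(prefix):]: v for k, v in user.items() if k.startswith(prefix)}


# Constructed placeholders, not real tenant values
APP_OBJECT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
APP_CLIENT_ID = "11111111-2222-3333-4444-555555555555"
SAMPLE_USER = {  # shape of a Graph user response, constructed for the demo
    "id": "99999999-9999-9999-9999-999999999999",
    "userPrincipalName": "alice@contoso.example",
    "extension_11111111222233334444555555555555_customAttribute": "value",
    "extension_deadbeefdeadbeefdeadbeefdeadbeef_other": "belongs to another app",
}

if __name__ == "__main__":
    for req in (create_request(APP_OBJECT_ID, "customAttribute"),
                update_request(SAMPLE_USER["id"], APP_CLIENT_ID, "customAttribute", "value")):
        print(req[0], req[1], json.dumps(req[2]))
    print(user_extension_values(SAMPLE_USER, APP_CLIENT_ID))
```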
While the Azure Starter Pack for B2C is helpful for getting started with creating custom policies, is there an actual list of built-in claims that one can reference? There are several claims that are referred in several of the files, though I have no clue of their purpose or why they're needed (for example upnUserName, nca, resource_id, etc.).
I did find some pages, such as Graph API reference or Customize Claims, though I'm not sure if these are the goto page for getting all built-in claims.
You can find a list of all such claims in two places:
User profile attributes documentation - https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-profile-attributes#azure-ad-user-resource-type
User attributes blade in Azure Portal. The built-in user attributes are almost the same for user flows and custom policies.
Have been using Azure for Single Sign On.
For group claims, during the assertion we see only the security group object ID during the response.
e4feedb1-df0e-46ff-8a02-e63474015610
Is it possible to get Group name here in response instead of groups Object ID
If (and only if) the groups in question are groups which have been synced from on-premises AD, you can configure the groups claim to include the on-premises sAMAccountName or the on-premises SID.
Note: Including the display name is not supported. (Display names are not unique, and in most organizations, any user is able to create and manage their own groups, making any sort of authorization decision based on group display names a very risky proposition.)
Issuing group claims can be done both for gallery or non-gallery (i.e. custom) SAML apps (i.e. under Enterprise apps), through the app registration in the Azure portal (App registrations > Token configuration), or directly on the app registration's Application object by updating the optionalClaims property (e.g. via the manifest editor or through Microsoft Graph).
https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-fed-group-claims
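An added example, not from the answer above, of the relying-party side of the point made in that answer: take the groups claim out of an Azure AD SAML assertion and authorize on group object IDs only, ignoring any value that is not a GUID (such as a display name). The claim type URI is the one Azure AD uses for groups; the assertion fragment and GUIDs are constructed, and signature, audience and validity checks are assumed to have happened before this runs.

```python
import re
import xml.etree.ElementTree as ET

# Claim type Azure AD emits for group membership in SAML 2.0 assertions
GROUPS_CLAIM = "http://schemas.microsoft.com/ws/2008/06/identity/claims/groups"
NS = {"saml": "urn:oasis:names:tc:SAML:2.0:assertion"}
GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")

# Constructed assertion fragment (not a real tenant's token). It carries one group object ID
# and one display-name-style value, which must never be matched by the authorization check.
SAMPLE_ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">
  <saml:AttributeStatement>
    <saml:Attribute Name="http://schemas.microsoft.com/ws/2008/06/identity/claims/groups">
      <saml:AttributeValue>a1b2c3d4-0000-4000-8000-000000000001</saml:AttributeValue>
      <saml:AttributeValue>Finance Admins</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>"""


def group_claim_values(assertion_xml: str) -> list:
    """Return every value of the groups claim, in document order."""
    root = ET.fromstring(assertion_xml)
    values = []
    for attr in root.findall(".//saml:AttributeStatement/saml:Attribute", NS):
        if attr.get("Name") == GROUPS_CLAIM:
            values.extend((v.text or "").strip() for v in attr.findall("saml:AttributeValue", NS))
    return values


def authorized(assertion_xml: str, allowed_group_ids: set) -> bool:
    """Grant access only if some groups value is an object ID on the allow-list.
    Assumes the assertion's signature, audience and validity window were already verified.
    Comparison is case-insensitive; non-GUID values (display names) are ignored, not matched."""
    allowed = {g.lower() for g in allowed_group_ids}
    for value in group_claim_values(assertion_xml):
        v = value.lower()
        if GUID_RE.match(v) and v in allowed:
            return True
    return False


if __name__ == "__main__":
    print(group_claim_values(SAMPLE_ASSERTION))
    print(authorized(SAMPLE_ASSERTION, {"a1b2c3d4-0000-4000-8000-000000000001"}))
```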
I'm afraid that it's only supported to get the object ids currently.
You need to call Microsoft Graph to get the Group name.
If you do need this feature, upvote this post on UserVoice and it may be implemented in the future.
A similar question which is answered by Microsoft Engineer here.
I can add normal SharePoint Group to SharePoint using below HTTP request
https://imfdevdm.sharepoint.com/sites/SiteName/_api/web/lists/getByTitle('Sample Library')/items(1)/roleassignments/addroleassignment(principalid=12, roledefid=1073741827)
Similarly is there a method to add an Azure AD Group??
There is no initial principal Id for an AAD Group initially. If an AAD group is already added manually to SharePoint, then for that Group, a principal ID is generated. Else, we can't find a principal Id for the AAD Group.
If a principal Id was present, the same above HTTP request was enough to add role assignments.
Any help is appreciated. Thanks.
Updated:
I think this is not possible. The usual procedure is to add AAD Group to a SharePoint Group and then add it to SharePoint Sites/Lists
You can do this either through the Azure Portal or the O365 portal. I don't think it's possible to do this via HTTP requests and you're right that the recommended procedure is to create the Group in Azure AD and then assign it to SharePoint. You can also do this through PowerShell but unless you're creating a ton at once the portal is the easiest way.
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial
I created some AD users in Azure Management Portal, too, and would like to assign some roles to these users. My user has the role "Global Administrator". There are only roles available that do not fit my business requirements. So I would like to know whether there is already a solution for how to add new roles, because Graph API or Azure AD PowerShell seem not to support this feature.
Thx for the support
Azure AD doesn't yet allow creating custom "app roles". You can however create security groups and add users to those groups. The application that needs to check for these roles for authorization can check for the signed in user's group membership (transitively using this graph API: http://msdn.microsoft.com/en-us/library/azure/dn424889.aspx) for the group that represents the role(s).
App roles is on our radar - however you shouldn't block on it.
Hope this helps.
Now this is supported and in your app you can
[Authorize(Roles = "Admin, Observer, Writer, Approver")]
In this example of Microsoft you can see how to do it https://github.com/AzureADSamples/WebApp-RoleClaims-DotNet
You can read more about this feature in http://blogs.msdn.com/b/aadgraphteam/archive/2014/12/12/announcing-the-new-version-of-graph-api-api-version-1-5.aspx