Insufficient privileges to complete the operation (Azure AD Issue) - azure

I am trying to get all users from Azure AD on behalf of a user. I have my custom role; my question is: what permission do I need to add to the custom role to get all users from Azure AD?

In a custom directory role, there is no permission specifically to list users. There are permissions for Groups, Applications and ServicePrincipals, but not for Users. You can instead assign a built-in directory role such as the User Admin role or the Directory Reader role.
You may use the PowerShell commands below to assign the Directory Reader role if there are many users who need this permission.
$role1 = Get-AzureADDirectoryRole -ObjectId ID
Add-AzureADDirectoryRoleMember -ObjectId $role1.ObjectId -RefObjectId object_id_of_user
Get-AzureADDirectoryRoleMember -ObjectId $role1.ObjectId | Get-AzureADUser
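Added example (not part of the answer above): the same role assignment written so it can be run repeatedly. It picks the least-privileged built-in role that can read all users, activates that role from its template if the tenant has never used it (Get-AzureADDirectoryRole only lists activated roles), skips principals that are already members, and returns the membership so the result can be checked. It assumes the AzureAD module is installed and Connect-AzureAD has already been run with an account allowed to manage role assignments; the function name and the placeholder object id are mine.

```powershell
function Grant-DirectoryRoleToPrincipal {
    param(
        # Object id of the user or service principal that needs to list users.
        [Parameter(Mandatory)] [string] $PrincipalObjectId,
        # Built-in role with read access to directory objects; narrower than User Administrator.
        [string] $RoleDisplayName = "Directory Readers"
    )

    # A built-in role only appears in Get-AzureADDirectoryRole once it has been
    # activated in the tenant; activate it from its template if it is missing.
    $role = Get-AzureADDirectoryRole | Where-Object { $_.DisplayName -eq $RoleDisplayName }
    if (-not $role) {
        $template = Get-AzureADDirectoryRoleTemplate | Where-Object { $_.DisplayName -eq $RoleDisplayName }
        if (-not $template) { throw "No directory role template named '$RoleDisplayName'" }
        $role = Enable-AzureADDirectoryRole -RoleTemplateId $template.ObjectId
    }

    # Idempotency: Add-AzureADDirectoryRoleMember errors if the member already exists.
    $existing = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        Where-Object { $_.ObjectId -eq $PrincipalObjectId }
    if ($existing) {
        Write-Host "$PrincipalObjectId is already a member of '$RoleDisplayName'"
    } else {
        Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $PrincipalObjectId
        Write-Host "Added $PrincipalObjectId to '$RoleDisplayName'"
    }

    # Return the current membership so the caller can verify the assignment.
    Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId |
        Select-Object ObjectType, DisplayName, ObjectId
}

# Usage (placeholder id): works for a user object id or a service principal object id.
# Grant-DirectoryRoleToPrincipal -PrincipalObjectId "<principal-object-id>"
```

Passing a service principal's object id as -PrincipalObjectId covers the later questions on this page about granting an application a directory role; the cmdlets are the same, only the RefObjectId differs.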

Related

How do I specify Permissions in a custom app consent policy?

I have successfully made a Custom App Consent Policy using New-AzureADMSPermissionGrantConditionSet and following the MS docs. I specified ClientApplicationIds and it works great.
Now I also want to specify the permissions that must match. On Permissions, the docs say:
I need help understanding (and accessing) the permission IDs in the "OAuth2Permissions property of the API's ServicePrincipal object".
What ServicePrincipal is the doc referring to? The one in the application’s home tenant, or one in the tenant that is using the application? If the app has not been consented to yet, then there is no ServicePrincipal in the tenant using the app, so I have a chicken-and-egg problem.
And what are the Permissions I'm expecting to get? I'm wondering why MS didn't just let us pass the scopes as strings e.g. email, mail.read etc. I don't understand exactly what the Permissions are in this particular context.
I need help understanding (and accessing) the permission IDs in the "OAuth2Permissions property of the API's ServicePrincipal object".
The permission ID means the id of the delegated permission of the API (i.e. the oauth2Permissions defined in the API) that you added in the client app registration.
For example, you created a multi-tenant client app in tenant A and added the Mail.Read delegated permission of Microsoft Graph; by default a User.Read delegated permission is also added automatically, so there are two permissions in total in the API permissions of your client app.
Now, you want to use the custom app consent policy in tenant B and you want the user to consent to those two permissions, so -Permissions should be the ids of the two permissions as defined in Microsoft Graph. To find them easily, just navigate to the client app in tenant A -> Manifest, and you can get the ids like below.
The complete command should be:
New-AzureADMSPermissionGrantConditionSet `
-PolicyId "joy-custom-policy" `
-ConditionSetType "includes" `
-PermissionType "delegated" `
-ResourceApplication "00000003-0000-0000-c000-000000000000" `
-Permissions @("e1fe6dd8-ba31-4d61-89e7-88639da4683d","570282fd-fa5c-430d-a7fd-fc8dc98a9dca")
In another scenario, you use the custom API(created in tenant A) in the client app instead of a Microsoft API.
If so, you need to grant admin consent for the API app in tenant B first; otherwise you will get the error The app needs access to a service ("api://tenantA/myapi") that your organization (tenant B) has not subscribed to or enabled. Alternatively, you can use the admin account to run New-AzureADServicePrincipal -AppId <appid of the API app> in tenant B, which will also work. After consent, the normal user will be able to consent to the permission you defined in the policy.
Note: Sometimes you may get the error This app may be risky, like below.
This means Microsoft has detected a risky end-user consent request, and the request will require a step-up to admin consent instead. If you still want the user to consent to the permission, you need to disable risk-based step-up consent first; then the user will be able to consent to the permission.
Here's an example of how you would get the permission IDs for three delegated permissions for Microsoft Graph, using Azure AD PowerShell:
# The appId for the client application
$clientAppId = "{client-app-id}"
# The claim values for the Microsoft Graph delegated permissions to include
$claimValues = @("User.Read", "Mail.Send", "User.ReadBasic.All")
# Get the service principal for Microsoft Graph
$resource = Get-AzureADServicePrincipal -Filter "servicePrincipalNames/any(n:n eq 'https://graph.microsoft.com')"
# Get the delegated permission IDs for the given claim values
$permissionIds = $resource.OAuth2Permissions `
| ? { $claimValues.Contains($_.Value) } | select -ExpandProperty Id
# Use these permission IDs in a condition set for a custom permission grant policy
New-AzureADMSPermissionGrantConditionSet `
-PolicyId "my-custom-policy" `
-ConditionSetType "includes" `
-ClientApplicationIds @($clientAppId) `
-PermissionType "delegated" `
-ResourceApplication $resource.AppId `
-Permissions $permissionIds
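Added example covering both answers above (my code, not the answerers'): it resolves claim values to permission ids against the Microsoft Graph service principal in the tenant where the policy is created, fails if any claim value is unknown instead of silently producing a shorter id list, creates the policy container, adds an "includes" condition set limited to one client app, reads the stored set back, and finally makes the policy the one applied to ordinary users. Assumptions: the AzureAD module version that ships the *-AzureADMS* cmdlets, Connect-AzureAD already run as a Global Administrator, and placeholder values for the client app id and policy id; the last step assumes the Set-AzureADMSAuthorizationPolicy cmdlet and its -PermissionGrantPolicyIdsAssignedToDefaultUserRole parameter.

```powershell
# Placeholders: replace with the client app's appId and a policy id of your choosing.
$clientAppId = "<client-app-id>"
$policyId    = "example-graph-low-priv"
# Delegated permissions users may consent to; anything else needs admin consent.
$claimValues = @("User.Read", "Mail.Read")

# Microsoft Graph's service principal carries the catalogue of delegated permissions.
$graphSp = Get-AzureADServicePrincipal -Filter "appId eq '00000003-0000-0000-c000-000000000000'"
if (-not $graphSp) { throw "Microsoft Graph service principal not found in this tenant" }

# Map each claim value to its permission id; comparisons on Value are case-sensitive.
$byValue = @{}
foreach ($p in $graphSp.OAuth2Permissions) { $byValue[$p.Value] = $p.Id }
$missing = $claimValues | Where-Object { -not $byValue.ContainsKey($_) }
if ($missing) { throw "Unknown delegated permission(s): $($missing -join ', ')" }
$permissionIds = @($claimValues | ForEach-Object { $byValue[$_] })

# Create the policy container, then an "includes" condition set scoped to the client app.
New-AzureADMSPermissionGrantPolicy -Id $policyId -DisplayName "Low-privilege Graph consent" `
    -Description "Users may consent only to $($claimValues -join ', ') for one client app"
New-AzureADMSPermissionGrantConditionSet -PolicyId $policyId -ConditionSetType "includes" `
    -PermissionType "delegated" -ClientApplicationIds @($clientAppId) `
    -ResourceApplication $graphSp.AppId -Permissions $permissionIds

# Read back what was stored before wiring the policy to the default user role.
Get-AzureADMSPermissionGrantConditionSet -PolicyId $policyId -ConditionSetType "includes" |
    Select-Object PermissionType, ResourceApplication, Permissions, ClientApplicationIds

# Apply the policy to ordinary users. This replaces the tenant's current entry, so
# review Get-AzureADMSAuthorizationPolicy first if another custom policy is in use.
Set-AzureADMSAuthorizationPolicy -Id "authorizationPolicy" `
    -PermissionGrantPolicyIdsAssignedToDefaultUserRole @("ManagePermissionGrantsForSelf.$policyId")
```

Resolving ids by Value rather than copying GUIDs from a manifest keeps the script readable and makes a typo in a claim value a hard failure; a condition set with a missing id would otherwise quietly leave that permission outside the policy.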

Unable to get Application using ServicePrincipal Credentials in Azure

I have a service principal created which has Contributor access. I have a user which also has Contributor access.
When I log in to PowerShell using the service principal credentials and run this command, I get an insufficient privileges error.
Get-AzADApplication|Select-Object DisplayName, ObjectId
When I log in to PowerShell using user credentials and run the same command, I get the results.
DisplayName ObjectId
----------- --------
App1 XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
App2 XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX
In Azure there are two kinds of roles:
Cloud resource roles (Contributor, Owner, Reader, etc.)
Azure AD roles ( https://learn.microsoft.com/en-us/azure/active-directory/users-groups-roles/ )
I guess that to run your command you need the second category, and your principal is currently, as you said, only a Contributor.
So you should assign an AD role to your principal based on what you need to do and retry.
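Added example (not from the answer above): a quick way to confirm which of the two role kinds a service principal actually holds. Azure RBAC roles such as Contributor are not visible through the AzureAD cmdlets, so a service principal that shows nothing here has no directory role, whatever its subscription access. It assumes the AzureAD module and an already-established Connect-AzureAD session with permission to read role members; the function name and placeholder app id are mine.

```powershell
function Get-DirectoryRolesForServicePrincipal {
    param(
        # Application (client) id of the service principal you sign in with.
        [Parameter(Mandatory)] [string] $AppId
    )

    $sp = Get-AzureADServicePrincipal -Filter "appId eq '$AppId'"
    if (-not $sp) { throw "No service principal with appId $AppId in this tenant" }

    # Only activated directory roles are returned; check each one's member list.
    $held = foreach ($role in Get-AzureADDirectoryRole) {
        $members = Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
        if ($members | Where-Object { $_.ObjectId -eq $sp.ObjectId }) {
            [pscustomobject]@{ Role = $role.DisplayName; RoleObjectId = $role.ObjectId }
        }
    }

    if (-not $held) {
        # Subscription RBAC roles (Contributor, Owner, Reader) do not grant directory reads.
        Write-Host "$($sp.DisplayName) holds no Azure AD directory role."
    }
    $held
}

# Usage (placeholder id):
# Get-DirectoryRolesForServicePrincipal -AppId "<app-id>"
```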

How to assign 'User administrator' role to service principal in Azure B2C Tenant

We need to assign the 'User Administrator' role to an already existing service principal to allow updating the password on the users of the b2c tenant.
Using the MSOnline module as described in
B2C Graph API - insufficient permissions even when Directory.ReadWrite.All is enabled
seems to be outdated and doesn't work for us (in PowerShell Core / Cloud PowerShell we only get errors about missing files or assemblies).
Is there some new way to do that?
What we tried to do is to connect to azure using the right subscription and the b2c tenant set (it complains that the b2c tenant does not have a subscription but one can override that with a cmdline switch: az login --tenant B2C-TENANT-ID --allow-no-subscriptions).
We can see the service principal that is in the b2c tenant and we can get a list of roles (az role definition list --subscription SUBSCRIPTION-ID). But the 'User Administrator' role you can see in the 'Roles and administrators' panel of the Active Directory blade is not a part of these roles. The roles that are printed out are only the roles that are defined in the subscription itself.
Trying to assign the 'User Administrator' role (az role assignment create) yields an error that the role doesn't exist.
OK, so we found a solution - using PowerShell the following steps were required:
Install-Module AzureAD
Connect-AzureAD -TenantId TENANT-ID
Get-AzureADServicePrincipal -> look for Service principal ObjectId
Get-AzureADDirectoryRole -> look for Helpdesk Administrator
Add-AzureADDirectoryRoleMember -ObjectId ROLE-ID -RefObjectId SERVICE-PRINCIPAL-OID

Azure function, App registration, certificate - New-PnPTenantSite : The remote server returned an error: (401) Unauthorized

I'm trying to create an Azure function to provision different kinds of sites.
I've created an app in Azure AD and granted the app SharePoint and Graph permissions.
When connecting to the site I use a certificate, but I'm unable to create new sites.
New-PnPTenantSite -Url $url -Title $LinkTitle -Description $description -Template "STS#0" -Owner $username -TimeZone 4 -Lcid 1044 -Force
error:
New-PnPTenantSite : The remote server returned an error: (401) Unauthorized
It returns the site and lists if I use Get-PnPList and Get-PnPSite.
I connect using this command:
Connect-PnPOnline -CertificatePath .\certkeyname.pfx -Tenant 'xxx.onmicrosoft.com' -ClientId 'xxxx-xxx-xx-xx-xxxxxxx' -Url 'https://xxx.sharepoint.com'
The answer is in this post:
Azure AD application with Global Administrator rights
You can elevate the level of access an Application has in your tenant by adding the service principal of that application to the Company Administrator Directory Role. This will give the Application the same level of permissions as the Company Administrator, who can do anything. You can follow these same instructions for any type of Directory Role depending on the level of access you want to give to this application.
Note that this will only affect the access your app has in your tenant.
Also you must already be a Company Administrator of the tenant to follow these instructions.
In order to make the change, you will need to install the Azure Active Directory PowerShell Module.
Once you have the module installed, authenticate to your tenant with your Administrator Account:
Connect-MSOLService
Then we need to get the Object ID of both the Service Principal we want to elevate, and the Company Administrator Role for your tenant.
Search for Service Principal by App ID GUID:
$sp = Get-MsolServicePrincipal -AppPrincipalId APP-ID-GUID
Search for Directory Role by Name
$role = Get-MsolRole -RoleName "Company Administrator"
Now we can use the Add-MsolRoleMember command to add this role to the service principal.
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
To check everything is working, let's get back all the members of the Company Administrator role:
Get-MsolRoleMember -RoleObjectId $role.ObjectId
You should see your application in that list, where RoleMemberType is ServicePrincipal and DisplayName is the name of your application.
Now your application should be able to perform any Graph API calls that the Company Administrator could do, all without a user signed in, using the Client Credential Flow.

Cannot delete user in Azure B2C using Graph API

We are attempting to delete a user within Azure B2C by using the Graph API, but have had no luck up to this point. Documentation here suggests that it is possible:
https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/users-operations#DeleteUser
We currently have no issues when it comes to creating/updating users, but when attempting a delete operation we get the following error:
Authorization_RequestDenied - Insufficient privileges to complete the operation.
I'm aware there are limitations to using the Graph API with B2C, but the documentation out there suggests this should not be one of them.
If you want to have enough privileges to delete users, you need to assign the Company Administrator role to your service principal. You can refer to this document to do that.
Use AAD PowerShell to connect to AAD:
Connect-AzureAD
Get the Role of Company Administrator:
$role = Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq 'Company Administrator'}
Assign the role to your SP:
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $yoursp.ObjectId
Try to get a new token and use it in the header to delete the user again. Here is my result:
