I'm trying to add an Azure AD security group (without mail/upn) to a Devops Permission with the rest api.
Is this possible?
In this page https://learn.microsoft.com/en-us/rest/api/azure/devops/graph/users/create?view=azure-devops-rest-6.0#add-an-aad-user-by-oid I see the following
The body of the request must be a derived type of GraphUserCreationContext:
GraphUserMailAddressCreationContext - Create a new user using the mail address as a reference to an existing user from an external AD or AAD backed provider.
GraphUserOriginIdCreationContext - Create a new user using the OriginID as a reference to an existing user from an externalAD or AAD backed provider.
GraphUserPrincipalNameCreationContext - Create a new user using the principal name as a reference to an existing user from an external AD or AAD backed provider.
The groups are created as universal security groups on our onprem AD, and synced to Azure AD.
I don't have a mailadress nor a UPN; but I can't find more info on what exactly OriginID is.
Edit; OriginID seems to work for a user, but not for a group.
To add an Azure AD group to Azure DevOps, you need to use the REST API Groups - Create.
POST https://vssps.dev.azure.com/{organization}/_apis/graph/groups?api-version=6.0-preview.1
Click this link for an example. The originId in the request body is the Object id of your Azure AD group.
The REST API link your provide in the question is to create a user, not a group.
I ended up connecting with the Azure commandlets to get my ObjectID, as #jane-ma-msft suggested.
Related
Our system contains two applications, A and B. Application A makes a series of REST API calls to application B which creates a user account and creates another entity data for the user account on application B. The user only can access application B.
Now, we are asked to create the user account on CIAM, centralized user management, instead. To my understanding, the user account data won't get into our system until the user signs in to our system the first time. That would break the workflow as We shall not wait for a user to sign in to our system, application B, to create another entity for the user account.
To my understanding, user data on CIAM would be connected to Azure AD and the sign-in process will go through Azure AD for all users.
Any work around for this situation?
• Since the user that first signs into application B is creating his account in Azure AD B2C through the GUI of this application in the backend, as such I am considering. Because, in Azure AD B2C, the user creates his own account after he signs up by entering his details as asked using either his social account email id or creating a new one. But as per what you have asked, it is quite imperative that the user whose data you want in your system or Azure AD will either need to be entered already or synced while the user is signing up for the application B. Thus, you will need a script to export the user data from the Azure B2C tenant and import it into Azure AD/system.
• Thus, to export the customer data from Azure AD B2C and to import it in Azure AD/system, please refer to the below documentation link which describes the steps on exporting the user data from Azure B2C.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/manage-user-data#export-customer-data
The following link explains in detail about how to export the user data along with the extension attributes and other attributes using powershell script and similarly import the same in Azure AD.
https://blog.redbaronofazure.com/?p=7804
• One more suggestion is that you can add the Azure AD tenant where you want to sync this user data from Azure B2C as an external identity in the same Azure AD B2C tenant. And create user IDs of specific users whom you want can login to Azure AD B2C account through their Azure AD user ID credentials. This would help you to manage the Azure AD B2C users’ data via the selected user IDs created in Azure AD. Also, these selected privileged users can also be bestowed upon the responsibility of exporting and importing other users in original Azure AD tenant. To do the above, please refer to the link below for more details: -
https://medium.com/the-new-control-plane/connecting-azure-ad-b2c-to-azure-ad-via-the-b2c-custom-identity-provider-42fbc2832e32
I'd like to use Microsoft Graph Explorer to work with my Azure AD B2C Tenant.
Initially, all I want to do is retrieve a Custom Attribute that I've assigned to an application registration. The custom attribute will store the UserAppPermission value, a 'role' replacement for B2C since it doesn't natively support them.
Can I get a second set of eyes on my process? I'd like to make sure I'm reading this properly.
First goal: Get a list of applications registered to my B2C Tenant. Reasoning is... if the app registration doesn't appear then future queries are unlikely to be successful.
Resource#1 "Manage Azure AD B2C with Microsoft Graph" (Note B2C in the title)
(1) I registered an application in my B2C tenant with permissions in excess of the minimum, checked this process twice: Register a Microsoft Graph application (Note B2C in the opening paragraph, and throughout the document).
(1a) Uncertain if the Azure portal was being buggy, I also registered this application with the 'Global Administrator Role' ... absolute overkill & insecure ..
(1b) I am certain that I assigned the appropriate Microsoft Graph API permissions in the app registration tab
(1c) As described in the doc, I also granted the application the user administrator role, although that is contained within the global administrator role.
(1d) Per the doc, "Now that you've registered your management application and have granted it the required permissions, your applications and services (for example, Azure Pipelines) can use its credentials and permissions to interact with the Microsoft Graph API."
When I run "https://graph.microsoft.com/beta/applications" to get a list of registered applications, all I see is the single App Registration our 'root' Azure account has for our Azure Functions App. Since this was an article on managing azure ad B2C with Microsoft Graph, I was expecting to see the applications registered to my B2C Tenant.
? Does anyone read (1d) to mean that I should not be able to use https://developer.microsoft.com/en-us/graph/graph-explorer, logged in as the B2C global administrator, and granting all permissions the endpoint requires, to make Microsoft Graph API queries?
Next goal: Get a list of users registered to my B2C Tenant
Resource#2 "List Users" - the link to this resource was provided by Resource #1, link provided above.
(1) There only mention of B2C in this article is: "The $count and $search parameters are currently not available in Azure AD B2C tenants."
(2) The request to get all users is GET "https://graph.microsoft.com/v1.0/users"
(2a) The request returns a list of users for the MyOrg's root AD tenant, not the application's B2C tenant. Not surprising since there's nothing in the request to specify the B2C tenant.
(3) Another resource provides this request format: https://graph.microsoft.com/beta/.onmicrosoft.com/users, which specifies the b2c tenant.
(3a) This executes without error in Graph-Explorer but does not return any of the users that registered for the application using the sign-up/sign-in policy (Consumer B2C Users). It still returns a list of users for the 'root' Azure account.
Update re:specifying tenant in graph-explorer:
While logged in to Graph Explorer us my work MS email which is registered as a global admin for our Azure account and owner of the B2C tenant I specified:
This returns a list of applications for the root Azure account, not app registrations for the B2C Tenant I specified. Perhaps I misunderstood the intent of this Graph API call.
I optimistically ran 'https://graph.microsoft.com/beta/identity/b2cUserFlows' with the tenant specified in the URL (as in screenshot). Result:
"error": {
"code": "AADB2C",
"message": "'4fba2ea8-XXXX-XXXX-964e-99f48b79d925' is not an Azure AD B2C directory...
I'm still not certain what the UUID returned in the message represents. The UUID has no correlation, that I can find, with the tenant I specified in the URL.
The reason is that you are using an Azure account which is from your root AAD tenant.
You have two options to resolve it.
Specify the tenant in the Graph Explorer URL:
https://developer.microsoft.com/en-us/graph/graph-explorer?tenant={Your b2c tenant}.onmicrosoft.com. Still use that Azure account from root
AAD tenant to sign in and you can get a list of applications and
users of your B2C Tenant now.
Another method is creating a new user in your B2C tenant and assign
Global admin role to it. And then sign into
https://developer.microsoft.com/en-us/graph/graph-explorer with
this new user. Now you can list applications and users of your B2C
Tenant as well.
Update:
Don't use a Consumer account (local account) for the second suggestion. You should create an AAD user (work account, format: mytenantname.onmicrosoft.com ) in Azure portal in B2C tenant and assign it global admin role.
Overview of user accounts in Azure Active Directory B2C for your reference.
#AllenWu's second solution was, in effect, correct but not explicit enough for me.
The New user interface in the B2C Tenant offers three options for creating users: Create user, Invite user and Create Azure AD B2C user. Most of my work has revolved around B2C users so I did that and gave the user Global Admin rights and my Graph Explorer results were unchanged.
Another user provided this suggestion and made it clear that I needed to create a user w/an email address of #my-tenant-name.onmicrosoft.com. I created such a user, assigned it Global Admin rights, and I was able to use Graph Explorer as I expected.
Note that users with an email of "SomeTestUser_gmail.com**#EXT#**#my-tenant-name.onmicrosoft.com do not behave in the same way.
Thanks for the suggestions & feedback & I hope this helps if you ended up here with the same question.
Lets say I set up and create a new Azure Account and Subscription. Azure automatically creates me an Azure AD called "somedomain.onmicrosoft.com".
Later I deploy REST API and Angular SPA app to Azure. Since I'm using Azure AD for authentication and authorization on both of the applications I register them on my Azure AD, under the domain "somedomain.onmicrosoft.com".
Everything works fine, however after some time I realize that I want to allow access to my services/apps to other organizations. After doing some research I realize that what I want to achieve is multi-tenancy.
In order to register a new tenant I do the following:
Go to Azure portal.
On the left blade menu click on "Create a resource" and search for "Azure Active Directory".
Create a new directory called "tenant-1.onmicrosoft.com".
Next, I update my registered apps (on "somedomain.onmicrosoft.com") according to this documentation - enabling multi tenancy and common endpoint.
After all of this, both users from AD "somedomain.onmicrosoft.com" and "tenant-1.onmicrosoft.com" should be able to authenticate and access my services.
Question
Is this the correct way of achieving and implementing multi tenancy?
You don't need to create a new Azure AD tenant (xyz.onmicrosoft.com). Just register the application in the existing tenant or mark the existing application as multi-tenant. Then, existing other AAD tenants will be able to signup to use your app without doing further registrations. You will need to modify your app code to accept tokens from other tenants, e.g. enter link description here This link points to a regular .NET web app, not SPA. You will need to translate it to your SPA environment.
I'm not sure of your high level use case but one thing to note about the AAD multi-tenant approach. You are assuming that person signing in has an Azure AD tenant, for example through Office365.
If they don't have an Azure AD then they won't be able to sign in.
You 'could' create an AAD for each new tenant and create a user account in there.
They would have the bob#mydomain.onmicrosoft.com address and could add their own domain later.
That way they can then take advantage of all the enterprise features of AzureAD.
It might be a use case, but I think you would need an AAD per tenant and I'm not sure of the limits or if this is best practice.
You can also look at B2C if you want social logins/other OpenIDConnect.
I am referring following example : https://azure.microsoft.com/en-in/resources/samples/active-directory-dotnet-webapp-roleclaims/
I have created main (physical) Azure B2C Tenant, in that I am managing virtual tenant.
e.g. Azure B2C Tenant (Main)
- Virtual tenant in Storage table
- Tenant 1
- Tenant 2 etc.
But I have single AD and I want to separate the user based on Tenant.
How can I achieve this with Role base user management for tenant ?
Role based user management is yet not supported in Azure AD B2C. I would recommend you request this in the Azure AD B2C feedback forum.
I can think of two options for you:
Use a custom attribute to assign users their "tenant". You would then need to make sure you set this custom attribute via the Azure AD Graph. You can then include this claim in your token and use it in your application to drive behavior.
Define Azure AD groups that map to "tenants". However, given that in Azure AD B2C, groups are not included in the claims, you won't be able to do what's recommended for Azure AD, instead, you will need to query the Azure AD Graph to retrieve the user's group membership and drive behavoir from that.
Is it possible to assign an application (as an Application or Service Principal) to a group programatically, via the graph client or API? (Including the app user credentials needed to allow access of the members of the group to the app)
I searched everywhere and couldn't find documentation for it.
Thanks
No, 'Applications' in Azure AD are used to segment authorization and settings within Azure AD. It creates a trust between Azure AD and your application. The Application is not a User.
Users are Azure AD entities that have identity and can be authorized to access resources (like an Application). Users can be added to groups. See the below link for the Azure AD graph API documentation:
https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/groups-operations#AddGroupMembers
And the documentation on what a user entity looks like:
https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#UserEntity
Thanks for the answer emseetea, but we do have a little more than that.
Back to the original question - can you programmatically "assign a group to an application". The answer is yes, using appRoleAssignments on the service principal. The service principal represents an application instance, that typically gets provisioned as part of a consent grant. On this tenant specific app instance (service principal) you can attach tenant specific permissions and policy. Permissions get created as part of consent, but you can also programmatically assign an application role (defined by the application) to a user or group. If no application role is assigned, then you can make a "default" assignment. You can find a little more on this topic here http://blogs.msdn.com/b/aadgraphteam/archive/2014/12/12/announcing-the-new-version-of-graph-api-api-version-1-5.aspx which describes a little about this with some sample REST API calls.
This same operation is also possible through the client library. You can take a look at https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console. Look at the section titled "#region Assign Direct Permission". This shows how to assign an app role to a user. You can do the same thing on a group too. If your app doesn't specify any app roles, set the appRoleAssignment.Id to a zero GUID.
Hope this helps,