my purpose is to get permissions for a given user. In particular, I'd like to get whether he can create/delete users and groups in the Azure AD.
Is there a way to get this information using some Graph APIs or C# classes?
You can call List memberOf api to get the information of the Azure AD user role, and then determine whether the user has the permission to create/delete users and groups based on the role.
GET https://graph.microsoft.com/v1.0/users/{id}/memberOf
You can try to use Graph Explorer to test:
Related
I am trying to add users to the AD Group via MS Graph API using application permission, and can't give GroupMamber.ReadwriteAll permission as this will allow app registration to add people to any group which is a security concern. My app registration is the owner of the AAD group.
Any help is much appreciated.
Thanks.
Please note that, to add users to the Azure AD Group via MS Graph API, you must have one of the below permissions as mentioned in this MsDoc.
Without having at least one of the above permissions, you cannot add users to the Azure AD group.
I assigned the app as owner of the group like below:
I tried to add users to the Azure AD group without granting any of the above permissions and got the error like below:
After granting the required permission, I was able to add the user to Azure AD group successfully like below:
We are trying to get list of users from a particular group in Azure Active Directory.
Steps tried:
Created new app registration
Created client secrets
Gave permissions for Graph API (application permissions) with admin consent.
Then we are getting all the users from all the groups.
Is there any way to restrict the app to only be able to return a specific group's users?
For application permissions, the effective permissions of your app are the full level of privileges implied by the permission. For example, an app that has the User.ReadWrite.All application permission can update the profile of every user in the organization, see here.
You could get the users in particular group with List members API, but the application still has the permissions for all groups.
GET https://graph.microsoft.com/v1.0/groups/{group-id}/members
So far, it's only supported to control mailbox access of an app with ApplicationAccessPolicy.
Is it possible using Graph API or similar to automatically add users to a security group in Azure B2C?
The background is that during an Azure B2C user journey for signup/sign the user will access an application after successful authentication. But I would like to role assign based on the security group the user is a member of.
Therefore if a new user signs up, they could be defaulted to lets say "DefaultUsersGroup" and this will be present in their token thus giving them default access to the app. Otherwise if an existing user signs in, this will perform some logic to determine the group the user should be a member of and then grant them access dependant on their membership.
Thank you.
You can do this by introducing your own REST API/s during your user journey. Your API should then call MS Graph API to do the Group+Role assignment, and on sign in, the Role resolution based on group membership.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/custom-policy-rest-api-claims-exchange
This sample may also help
https://github.com/azure-ad-b2c/samples/tree/master/policies/relying-party-rbac
I created an application registered in Application registration portal and granted the admin consent there. As a user from our Azure AD, I can use my web app to read e.g. groups I have been assigned to in AD.
But when I invite a MS user to our AD (he becomes a Guest user there) the user can sign in into the application but he cannot read the groups (used the same method like the internal user). I always get an error: "Authorization_RequestDenied Insufficient privileges to complete the operation."
Is there a way to get it work? I have tried to browse through the Azure portal to check permissions or whatever but nothing helped so far.
Actually, for both AAD Graph API and Microsoft graph api , you cannot use a MS account guest user to read the groups data like a member in that tenant.
Even you can set guest user permissions with no limitation, but you still cannot get the data of a group in that tenant. This is because that MS Account is not a member of that tanant. So, it cannot specify a tenant to query.
I suggest you can use/create a member in your tenant to achieve this.
I have 1 SPA-Application which uses another WebApi. (ASP.NET Core) Both are running in Azure and I am able to authenticate the user against Azure AD B2C with OAuth 2.0 Implicit Flow
Now I am asking myself how I can control the permissions of a single user. (Delete, Read, etc.) Do I have to work with claims? Do I have to leverage the graph API on the server side to check if a user has a certain permission? Can I use scopes? Where can I set the User <--> Scope relationship?
I have found several questions on SO, but I don't get the idea of how it should be done the right way? My current understanding is that I ask the authentication provider for certain scopes and I will get a token with this scopes which then can be checked by the API. But how do I manage which user can ask for which scopes?
I really have a problem to wrap my head around OAuth2 and permissions. Hope one can help me here.
Unfortunately, for one specific user, you cannot assign permissions/scopes to the user.
Because Azure AD B2C doesn't support Application Role. Generally, Azure AD B2C is for all users to access your App wit their account. Even Azure AD B2C can let you store and manage users, but it cannot assign different scopes/permissions to different users. Multiple scopes are the permissions granted to the resource. Multiple granted permissions will be separated by space.It's not for users access assignment.
If this important to you, you can upvote this idea in this Uservoice Page. Azure Team will review it.
Hope this helps!
You can implement this by creating a custom attribute of type String that stores a comma- or space-separated list of roles for a user.
You can then issue this custom attribute in the ID and access tokens or read it using the Azure AD Graph API.