How to get AD user for Azure subscription Classic Administrators? - azure

My goal is to get the Azure AD users who have been assigned the Classic Administrator role in an azure subscription.
I use the REST api's Classic Administrators - List to retrieve all classic admins but it returns an Email which is not unique enough and an ID called netId/puid which is not present on the user returned from the Graph API.
I followed the Azure Portal's network to see how it gets the users for AAD but it queries the Graph API with an internal API version '1.61-internal' that I can't use.
Does anyone know on a way to retrieve this information?
Thanks

There is not an exposed API to match netId/puid with users.
But you can get the puid from the access token.
Or you could use Microsoft 365 Powershell cmdlet Get-MsolUser -UserPrincipalName "{upn}" | fl to get the user and find the LiveId property.
Record the puid or LiveId above and the corresponding user information to your local configuration file and match them with the name property in response of Classic Administrators - List.
Then you can get the corresponding users who are classic Administrators.
It's just a workaround and there are many workloads. I don't think it is a good method but there is no other way.

Related

Azure group claim returns Object ID - Need group name

Have been using Azure for Single Sign On.
For group claims, during the assertion we see only the security group object ID during the response.
e4feedb1-df0e-46ff-8a02-e63474015610
Is it possible to get Group name here in response instead of groups Object ID
If (and only if) the groups in question are groups which have been synced from on-premises AD, you can configure the groups claim to include the on-premises sAMAccountName or the on-premises SID.
Note: Including the display name is not supported. (Display names are not unique, and in most organization, any user is able to create and manage their own groups, making any sort of authorization decision based on group display names a very risky proposition.)
To issue group can be done both for gallery or non-gallery (i.e. custom) SAML apps (i.e. under Enteprise apps), through the app registration in the Azure portal (App registrations > Token configuration), or directly on the app registration's Application object by updating the optionalClaims property (e.g. via the manifest editor or through Microsoft Graph).
https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-fed-group-claims
I'm afraid that it's only supported to get the object ids currently.
You need to call Microsoft Graph to get the Group name.
If you do need this feature, upvote this post on UserVoice and it may be implemented in the future.
A similar question which is answered by Microsoft Engineer here.

Query for specific Azure AD permission

Is there a way in Microsoft Graph how to check whether signed-in user (device code auth is used) has a specific AAD permission? In my case that would be Microsoft.Directory/groups/members/update - I'd like to notify a user that he/she is not permitted to add service principal to an AD group.
My initial idea was to find DirectoryRoles a user is member of. Then view related DirectoryRoleTemplates and somehow check permissions attached to the template. It looks like this is not possible.
I'm a program manager at Microsoft working on Azure AD access control. Thanks for your question and feedback. As Allen says, we don't have an API for this today. The best we have is what's called the 'wids' claim in the user's access token. Search this article for 'wids' for more information.
The wids claim contains the list of directory role template object ids the user is a member of. Role template object ids are immutable and consistent across the system, so you can hardcode your check against them. There is a role to template id mapping table here.
We're looking at exposing an API that returns the list of underlying permissions of the signed-in user following the syntax Allen mentions from the documentation. However, I don't have a date yet on when that would be available.
Let me know if you have any questions.
Thanks again,
Vince Smith
Currently Microsoft has not exposed an API for obtaining Role permissions corresponding to DirectoryRole.
Based on the official document, microsoft.directory/groups/members/update permission only exists in the following roles:
Directory Writers
Groups Administrator
User Account Administrator
Intune Service Administrator
Partner Tier1 Support
Partner Tier2 Support
A workaround is to customize a config file in your project to set the fixed values. Read them to see if the user's directory role matches one of them.

Add Azure AD Group like normal SharePoint Group to SharePoint Sites/Lists using HTTP request

I can add normal SharePoint Group to SharePoint using below HTTP request
https://imfdevdm.sharepoint.com/sites/SiteName/_api/web/lists/getByTitle('Sample Library')/items(1)/roleassignments/addroleassignment(principalid=12, roledefid=1073741827)
Similarly is there a method to add an Azure AD Group??
There is no initial principal Id for a AAD Group initially. If an AAD group is already added manually to SharePoint, then for that Group, a principal ID is generated. Else, we can't find a principal Id for the AAD Group.
If a principal Id was present, the same above HTTP request was enough to add role assignments.
Any help is appreciated. Thanks.
Updated:
I think this is not possible. The usual procedure is to add AAD Group to a SharePoint Group and then add it to SharePoint Sites/Lists
You can do this either through the Azure Portal or the O365 portal. I don't think it's possible to do this via HTTP requests and you're right that the recommended procedure is to create the Group in Azure AD and then assign it to SharePoint. You can also do this through Powershell but unless your creating a ton at once the portal is the easiest way.
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial

How do I get a list of Azure users from Microsoft Graph?

Basically, I just want to use Microsoft Graph to get a list of active directory users and their email addresses.
Ideally, I could get all the admin users for a certain subscription.
How do I do that? I couldn't find any good examples online.
Assuming you have the correct access to a tenant, and an authenticated token granting you access to the Microsoft Graph, you can use the following REST API calls to get the data you are looking for:
List Users - Documentation
GET https://graph.microsoft.com/v1.0/users
List Admins (via directory roles) - Documentation
This is a multi-step process. First you must find the directory role for the Company Administrator, which will always have the roleTemplateId of 62e90394-69f5-4237-9190-012177145e10. This should not be confused by the actual directory role id, which will be different per directory.
GET https://graph.microsoft.com/v1.0/directoryRoles
Then you want to list the users who are a part of that directory role:
GET https://graph.microsoft.com/v1.0/directoryRoles/<id>/members
If you really need to get started from scratch, I recommend you look at this PowerShell sample I made which simplifies authentication, and allows you to make queries to resource endpoints like the Microsoft Graph.
https://github.com/shawntabrizi/Microsoft-Authentication-with-PowerShell-and-MSAL

How to configure email address for a user in Microsoft Azure AD?

I have created a trial account for Microsoft Azure. In Azure Active Directory, I'm trying to create a new user, but I'm not seeing email address field. I see only username, firstname, lastname and display name fields. Will Azure treat username (like testuser#mydomain.onmicrosoft.com) as an email? or I'm I missing something? I didn't find much information in its documentation.
No, Azure AD will not assume that the username (known as "UserPrincipalName", in the Azure AD Graph API and Azure AD PowerShell module) is actually an email address that can receive emails.
If you would simply want a place to store a given user's email address (one that actually has a mailbox behind it), you can use the "Alternate Email Address" field in the Azure Portal (under "Profile" section for a given user in your directory):
(Note: This field is known as otherMails in Azure AD Graph API, AlternateEmailAddresses in Azure AD PowerShell v1 (MSOnline), and OtherMails in Azure AD PowerShell v2 (AzureAD). In all cases, it's an array of strings, not a single value.)
You can create more user-friendly usernames by adding and verifying a custom domain name to you Azure AD directory: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-add-domain. Once you've done this, you can create users that have usernames such as user#contoso.com (assuming contoso.com is the domain you added).
At this point, it may be that user#contoso.com is also the email address of that user, but again—there is no assumption in Azure AD that this is the case.
For anyone running into issues using with this with an Office 365 developer account, make sure you go through the entire registration process. I thought I had completely setup my office 365 dev account, but I had missed a part related to setting up email.
Also if you are using your personal Microsoft account, for testing etc., be aware that it may appear like some things work the same as the full version or Office 365 dev, but they don't.

Resources