I have developed a domain-based modeling tool and code-generator that provides the ability to capture domain models per DDD and automatically generates ASP.Net Web API microservices.
I also created an Azure B2C CLI tool that uses MS Graph API to programmatically generate an Azure B2C AD Application for each Web ASP.NET Web API of which includes all possible scopes that are applied to protect some of the generated Web API operations.
As some of these generated API services often interact with other generated services via REST and/or gRPC, the Azure B2C CLI tool also adds the list of dependent API permissions that would be required by each Web API in order to integrate with the other Web API.
My Azure B2C CLI tool works great and is creating/updating the underlying Azure B2C Web/API application per each domain service within the Home Tenant along with the necessary Service Principal.
Currently I still need to log into the Azure Portal in order to grant the API permissions per each B2C Application.
My Question is : Is it possible to automate the granting of the API Permissions using the B2C Application that I am using to create these same B2C Web/API applications ?
It seems like this should be possible as the Azure B2C CLI tool's B2C Application is the owner of these created Apps.
To help illustrate and support my question I have included some screen shots below.
To begin, the following image shows the permission set that my Azure B2C CLI tool runs under in order to create the other B2C applications for each Web API via MS Graph API.
On each pass, the Azure B2C CLI tool processes a particular domain model to understand the definition for each domain service within that model and will automatically create a series of B2C applications within Azure B2C per each service in a particular domain model.
The following domain model has 4 domain services which results with 4 B2C Apps being generated by my Azure B2C CLI tool as illustrated below ..
The Azure B2C CLI tool creates as many permission scope items per API operation and adds that to the underlying API OAuthPermissionScopes. Here is a few examples of generated permission scopes services for "WorkSpace" and "SharedServices" Web API's...
The Azure B2C CLI also adds any API permissions to each generated B2C API Application. The following example shows that "CoreServices" API requires permissions from both the "SharedServices" App API and the "WorkSpace" App API
Once that is completed I can log into the Azure Portal and Grant these permissions, manually, per each API.
Instead of granting these manually I would like to programmatically grant these permissions via MS Graph within the Azure B2C CLI tool I've created.
The code-generator domain modeling tool will be producing 100's upon 100's of services so I want to automate securing the generated domain services as much as possible, including granting of API permissions.
What is the MS Graph API to allow me to fully automate this process within my Azure B2C CLI tool?
Microsoft Graph doesn't support the "grant admin consent" feature currently.
AAD Graph has an endpoint https://graph.windows.net/myorganization/consentToApp?api-version=2.0 which is used to grant admin consent but it is only available within Microsoft. Calling this endpoint from outside will get this error.
You could consider using Azure CLI cmd az ad app permission grant or az ad app permission admin-consent --id $appid. See reference here.
There is a difference between the 2 cmds. You can find more details from my previous answer.
Related
I have two separate web applications, one built with .NET Framework and the other built with .NET Core. Both web applications make up one solution which we ship to our customers. The solution itself is a SaaS subscription-based solution, where users would be able to sign-up with using either a Microsoft/Office 365, GSuite, or organizational account (basic username/password). We would like to restrict sign-up to organizational/business accounts only.
As I understood, Azure B2B is mainly useful when you have something internal and you would like to give external users some limited access to it. Given that I have a multi-tenant SaaS solution, I believe that Azure B2C makes more sense.
Furthermore, in our solution, we would also want the ability for external users to access Tabular Models in Azure Analysis Services and SSRS.
Is access to only organizational accounts, something that can be configured through Azure AD B2C?
Can access be granted to external users to Azure Analysis Services or other Azure tools when using Azure B2C?
You have two options
Option 1, Using Azure AD External identities solution - recommended
You can use newly released self service sign up solution in Azure AD external identities . You can very well restrict sign up to other Azure AD accounts only. However for sign up using other federation systems - you need to try on. I think as of today only Google and Facebook are supported apart from Azure AD.
Option 2, use Azure AD B2C and use app only authentication.
Azure AD B2C consumer accounts are by default not supported by Azure services or Office. But you can use app based authentication to provide these services. Your client app will call your backend api using Azure AD B2C token. Your backend app can perform all auth validations and then call the backend Azure or any other service using app only authentication mode.
From what I read, AppRoleAssignment.ReadWrite.All should allow application to use Microsoft Graph SDK to do app role management programmatically. But how do I grant permission such that the application principal can only allow to manage it's own role but not other enterprise application?
The goal is to build a role management page in the web application to allow designated users to add/remove user to an app role for the same application without granting them access to the Azure portal.
Unfortunately, it's impossible currently.
Although we can add the user as the admin of the application principal on Azure portal and then we can do anything to the application principal on Azure portal, calling Microsoft Graph is different. It has to rely on the permission of Azure AD app.
But the Microsoft Graph permission AppRoleAssignment.ReadWrite.All is for all the application principals.
If you click on "F12" to open the developer tool of Chrome, you will find that the Azure Portal is using another API to finish the operation.
I tried to add my user as the admin of only one application principal through Powershell, but it still doesn't work for Microsoft Graph.
You can go to Microsoft Graph user voice to make a request to get the attention of the product group.
I'm developing a tool, similar to Visual Studio's Cloud Explorer, that performs a limited set of management and deployment tasks inside a user's Azure subscription.
I'm thrown-off by a few things relating to authenticating against Azure and how the application represents itself to Azure.
Most of the documentation about authentication with Azure is concerned with web-applications that let users authenticate themselves against an Azure Active Directory. This is not my scenario. While me application necessarily authenticates users against Azure AD (as all Azure users are), my users are administrators, not "users".
I understand previously software that performed administration tasks would be assigned a Management Certificate which is separately-registered in the web-based Azure Management Portal. I understand this fine.
...however I also understand that Management Certificates are almost deprecated and are replaced with Service Principals, which itself makes more sense from a security perspective (as it enables more granular role-based security) - however the downside is that there are a lot of manual steps and hoops to jump through in order to enable the use of Service Principals with administration software - in particular you need to pre-register your application in Azure Portal.
I don't like this because it greatly increases user-friction with the software I'm writing. I want my software to behave like the Visual Studio Cloud Explorer or Azure PowerShell in that you don't need to pre-register anything: 1. just run the program on your desktop; 2. you'll get a prompt to sign-in with your Azure administrator account credentials. 3. my softwware lists the contents of your subscriptions and lets you perform your management tasks.
So far I have actually got something that does this - I perform the following steps:
Use Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext to authenticate against https://login.microsoftonline.com/common (using AcquireTokenAsync which presents the webview to login). I use clientId: "1950a258-227b-4e31-a9cf-717495945fc2" which is the Azure PowerShell clientId.
Use the token from step 1 to enumerate Tenants and Subscriptions in the user's account.
The user is prompted to select a tenant and then a subscription from the list downloaded in step 2.
Send a new authentication request to https://login.microsoft.com/{tenantId} (where {tenantId} is retrieved from step 3), again using the same clientId.
However I don't like impersonating Azure PowerShell - Microsoft could revoke that clientId.
...but how do I register a clientId that can be used to login in step 1 (when there's no tenantId or subscription context, thus no Azure AD which contains Service Principals)?
I don't like this because it greatly increases user-friction with the software I'm writing. I want my software to behave like the Visual Studio Cloud Explorer or Azure PowerShell in that you don't need to pre-register anything: 1. just run the program on your desktop; 2. you'll get a prompt to sign-in with your Azure administrator account credentials. 3. my softwware lists the contents of your subscriptions and lets you perform your management tasks.
Actually, the Visual Studio Cloud Explorer also register the app on the Azure AD and use the Service Management REST to manage the Azure subscription. And you can caputer the request using the Fiddler when you add account to the Cloud Explorer.
...but how do I register a clientId that can be used to login in step 1 (when there's no tenantId or subscription context, thus no Azure AD which contains Service Principals)?
We need to develope a multi-tenant application which enables the users from different tenant to use the application. After that we can use the Common endpoint instead of the specific tenant id you register the app. Then users login-in with their account which associate with Azure subscription and get the access token for the Service Management REST. At last the applicaiton can manage the Azure resource with the access token. For example, we can use the REST below to list the Azure Sbuscriptions:
Get:https://management.core.windows.net/subscriptions
Authorization: Bearer {token}
x-ms-version: 2013-08-01
And more detail about the authenticating Service Management requests, you can refer here.
We are trying to register applications with AAD B2C in a programmatic fashion (either Powershell or C#/.NET) in order to create and deploy app service web apps from azure automation during automatic tenant creation.
Given the context of AAD B2C Graph API seems like the way to go.
Is adding an application to AAD B2C possible?
If yes, via what technology (vanilla REST? we could not find documentation specific to AAD B2C applications)?
So far we tried using the Graph API from the Azure AD 2.0 preview as well as the Graph Client.
After figuring out that the step of creating an app requires a service principal with global administrator rights (we would love to further restrict the permissions) we face the issue that applications do not show up in B2C but are present in the AAD section of the Azure portal.
One of our attempts to add via powershell (we tried to set all parameters to closely match an application manually created in the portal B2C tenant management blade):
New-AzureADApplication -DisplayName $tenantCname -IdentifierUris "https://$tenantCname.$aadTenant.onmicrosoft.com" -ReplyUrls $tenantUrl -AvailableToOtherTenants $true -Oauth2AllowImplicitFlow $true -PublicClient $false
The command succeeds but the application does not show up in the portal under AZURE AD B2C SETTINGS > Settings > Applications but only in Azure Active Directory/App registrations. Given that both blades relate to the same directory we are not sure what differentiates our app creation from an interactive one.
Are there any additional steps we are missing? Specific properties/extensions?
I also created the application and service principal using PowerShell and then compare them with the B2C application created by manually using Azure AD Graph. However not able to find there is any property would effect the application.
Are there any additional steps we are missing? Specific properties/extensions?
Also there is no such properties/extensions about this feature was public based on the entity reference for the application and service principal here. So I don't think it is possible to create a B2C application programatcially at present.
If you require this feature, you may submit the feedback from here.
I am creating a rest API which I am securing using OAuth2 client-credentials flow in Azure Active Directory. This requires me to set up the clients who should get access to my API as applications in Azure AD.
I would really like to take the AD thing a step further and have SQL Database access using AD Security Groups.
The question is; can I add an AD application to a security group and get Azure Active Directory login to work?