Is there a way to retrieve a full list of Active Directory groups using the OneLogin API? the /roles and /groups API calls do not return a full list.
When retrieving User details, there is an array for "member_of" that contains the full list of Active Directory groups a specific User is a part of, however, I do not see a way to bring back the full list of Active Directory groups that are available overall.
Thx!
Because AD can contain literally thousands of groups, OneLogin doesn't compile an internal list of these groups for surfacing via the APIs.
Instead, you can use the user mappings to assign users in selected AD groups to roles in OneLogin and then access that information via the API.
What's your use case?
Related
I've an Azure Active Directory for B2B client.
AAD provides all the necessary fields like name, email, custom email, etc.
I need to store some more information in it.
I'm using a VOIP provider and it has a unique data for each User, I need to store some of that data in AAD itself.
I've seen B2C allows us to create the custom fields.
My question is can we create the custom fields in AAD-B2B, if yes then how to create it?
I did not found any well documented steps for that
As you can see my question above, I was wondering if it is possible to retrieve the assigned groups of an Azure Active Directory (AAD) based user via Microsoft GraphAPI.
My situation is, that I have an ASP.NET MVC project with Microsoft Azure enabled. My goal is, that an Azure user can login on my website with it's Azure account.
The idea is, that an azure user is an admin or an user (depending on the azure groups) and depending of this role group, the user can view more or less of my webpage.
For example:
When Peter logs in with his azure account on my webpage, he should only be able to see:
Add new Document
Edit Document
Remove Document
because he is only assigned as "User" in Azure Active Directory.
But when Sabrina logs in with her azure account on my webpage, then she should be able to do the same as Peter, but she also can see:
Manage Products
Add new customer
etc.
because she is been assigned as an admin in Azure Active Directory.
My problem is, that I did not find out how I retrieve the assigned group of an user with Microsoft GraphAPI. The part, which user can see or not after I got the roles is not a big deal.
I already tried this API call:
https://graph.microsoft.com/v1.0/me/
But it seems, that the response of this call does not include the actual assigned group of that user.
Do you think it is possible to retrieve the assigned group of an azure user? Is this even possible? Or do I have to do something else to retrieve these information?
I hope you understand my point and I am also looking forward for any response. Thanks in advance!
Add /memberOf to the URL to receive the groups a user is member of.
https://graph.microsoft.com/v1.0/me/memberOf
Here's a link to the specific graph api - https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups
Take a look at this sample application on Github. It does something very similar with a task tracker application, where different users are able to perform different actions based on the group they belong to -
https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims/blob/master/README.md
Also, in cases where a user is a member of too many groups, you get back an overage indicator and have to make a separate call to get all groups. Read about “hasgroups” and “groups:src1” claims here - https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-id-and-access-tokens
According to your system architecture, if some user has too many joined groups, the API https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups will return too many groups.
But if the groups with permissions in your system are not too much, you can use this API: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_checkmembergroups to check if the current user is the member of specified groups.
It is not good idea to use this API: https://graph.microsoft.com/v1.0/me/memberOf. Because it returns only the groups that the user is a direct member of, but security group can be member of security group.
Basically, I just want to use Microsoft Graph to get a list of active directory users and their email addresses.
Ideally, I could get all the admin users for a certain subscription.
How do I do that? I couldn't find any good examples online.
Assuming you have the correct access to a tenant, and an authenticated token granting you access to the Microsoft Graph, you can use the following REST API calls to get the data you are looking for:
List Users - Documentation
GET https://graph.microsoft.com/v1.0/users
List Admins (via directory roles) - Documentation
This is a multi-step process. First you must find the directory role for the Company Administrator, which will always have the roleTemplateId of 62e90394-69f5-4237-9190-012177145e10. This should not be confused by the actual directory role id, which will be different per directory.
GET https://graph.microsoft.com/v1.0/directoryRoles
Then you want to list the users who are a part of that directory role:
GET https://graph.microsoft.com/v1.0/directoryRoles/<id>/members
If you really need to get started from scratch, I recommend you look at this PowerShell sample I made which simplifies authentication, and allows you to make queries to resource endpoints like the Microsoft Graph.
https://github.com/shawntabrizi/Microsoft-Authentication-with-PowerShell-and-MSAL
I can Authenticate user in Active directory but I need to know can we authenticate a specific user in group if we have multiple groups.
Basically I am redirecting to http://[mydirectory].onmicrosoft.com and validating the user but I need to know do we have mechanism to validate a user from specific group so that I can give access according to that.
Assuming this is Azure AD (and not on-premises Windows Server AD), then you have three options to restrict access to an application via groups.
Option 1: Require user/group assignment to application
This is the only option that does not require adding authorization logic in your application.
When configuring your application in the classic Azure portal, you can set the application to require user assignment:
Then, under "Users and Groups" for that application, you can choose which individual users or groups should have access to the application.
The most important thing to consider here is that this will only apply to direct members of the group, not to nested members.
Option 2: Request group claims
This option will allow you to request that the token returned to the application after a user has signed in contain the list of groups that the user is a member of. This includes groups that they are transitive members of (i.e. nested groups).
From your application's configuration page in the classic Azure portal, you can download and upload the app's manifest JSON file. In the manifest, locate the "groupMembershipClaims" attribute, and set it to "All" or "SecurityGroup" (the latter will exclude distribution lists).
Once this is set, after the user signs in, the resulting token will have a groups claim that contains a list of group object IDs that the user is a member of. Your application can then use these claims to decide whether or not the user should have access.
Dushyant Gill goes into group claims in detail in his blog post: http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/ (archive.org link)
The important consideration here is that there is a limit to the number of groups that can be returned. If the user is a member of more groups that this limit, then an "overage" claim is issued, and your application will need to make an Azure AD Graph API call to get the full list. (This is also described in Dushyant's blog post.)
Option 3: Use the the Microsoft Graph API or the Azure AD Graph API directly
The final option is to simply call the Microsoft Graph API (or the Azure AD Graph API, they both act almost identically for this) to establish if the signed in user is a member of a given group. Your application can then make the authorization decision.
There are several approaches you can take (these are all transitive checks, so nested groups are supported):
isMemberOf to check whether a the user is a member of a specified (single) group. This is the simplest if a single group should grant access to your app.
checkMemberGroups to check if the user is a member of any groups in a list of groups. This is useful if different groups grant different roles or permissions in your application.
getMemberGroups to return the full list of groups the user is a member of. This is generally not particularly useful for doing authorization checks.
I have an Azure Active Directory Application (and associated Service Principal). That Service Principal needs to be able to add and remove members from an Azure Active Directory Group...so I have added Read and write directory data under Application Permissions:
And I have code that uses the Client ID and Client Secret to get an Authentication Token an perform these operations using the Azure Graph API.
However, this permission is far too broad. I need the Application/Service Principal to only have the ability to add and remove members from specific groups (not all)...and not the ability to perform other types of operations.
Is there a way to do this?
Thank you.
There is a preview feature that partly fits your requirement: "Group.ReadWrite.All". It lets your principal create and update groups and their navigation properties (incl. members). It does not however reduce the permissions to modify only certain groups.
AAD permission scopes are described here: https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes
Preview features may be subject to change and you'll have to agree to reduced service terms etc.: https://azure.microsoft.com/en-us/services/preview/