Azure Graph API - ClaimsMappingPolicy with ClaimsTransformation - azure

Im trying to automate the configuration of an enterpise application via the Azure Graph API.
Specifically, its the Azure Palo Alto Admin UI - https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/paloaltoadmin-tutorial#configure-azure-ad-sso
Ive managed to get this working via the frontend, but im having trouble configuring the custom claims via the Graph Api.
For now, i just want to use a string claim in the custom claim as the customadmin value with a hardcoded value for the admin role
When creating via the portal, you can easily enter a string value as the source type of the claim.
However, via the Graph API the source type must be user, resource, audience, company or transformation.
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping#claim-schema-entry-elements
It seems that you can create a string type of transformation and then link the transformation into the main ClaimsSchema.
There is a similar example documented here https://learn.microsoft.com/en-us/graph/api/resources/claimsmappingpolicy?view=graph-rest-1.0#example-definition-that-uses-a-claims-transformation
But I cannot get the example to work. Even with a bit of massaging, the example fails. This is what ive been trying:
cat <<- EOF > claims.json
{
"definition": [
"{\"ClaimsMappingPolicy\":{
\"Version\":1,
\"IncludeBasicClaimSet\":\"true\",
\"ClaimsSchema\":[
{\"Source\":\"user\",\"ID\":\"extensionattribute1\"},{\"Source\":\"transformation\",\"ID\":\"DataJoin\",\"TransformationId\":\"JoinTheData\",\"JwtClaimType\":\"JoinedData\"}
],
\"ClaimsTransformation\":[
{\"ID\":\"JoinTheData\",\"TransformationMethod\":\"Join\",\"InputClaims\":[{\"ClaimTypeReferenceId\":\"extensionattribute1\",\"TransformationClaimType\":\"string1\"}], \"InputParameters\": [{\"ID\":\"string2\",\"Value\":\"sandbox\"},{\"ID\":\"separator\",\"Value\":\".\"}],\"OutputClaims\":[{\"ClaimTypeReferenceId\":\"DataJoin\",\"TransformationClaimType\":\"outputClaim\"}]}
]
}}"
],
"displayName": "Azure Reference Claim",
"isOrganizationDefault": false
}
EOF
az rest --method post --headers Content-type="application/json" --url "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies" --body #claims.json
Ive tried both the v1.0 and beta APIs but they both have the same behaviour
Which returns with the following error:
Bad Request({
"error": {
"code": "Request_BadRequest",
"message": "Property has an invalid value.",
"innerError": {
"date": "2020-09-01T13:03:10",
"request-id": "bc7cf58e-fe6d-47d1-b1e5-cae43326864f"
}
}
})
I was able to get the rest of the Palo Alto claim working (excluding the custom string) with the following:
{
"definition": [
"{\"ClaimsMappingPolicy\":{
\"Version\":1,
\"IncludeBasicClaimSet\":\"true\",
\"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\"},{\"Source\":\"user\",\"ID\":\"givenname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\"},{\"Source\":\"user\",\"ID\":\"displayname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\"},{\"Source\":\"user\",\"ID\":\"surname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\"},{\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\":\"username\"}]
}}"
],
"displayName": "Palo Alto Claims Policy",
"isOrganizationDefault": false
}
And i was able to create a CustomString transformation which isnt linked to anything with the following:
{
"definition": [
"{\"ClaimsMappingPolicy\":{
\"Version\":1,
\"IncludeBasicClaimSet\":\"true\",
\"ClaimsTransformation\":[{\"ID\":\"CreateTermsOfService\",\"TransformationMethod\":\"CreateStringClaim\",\"InputParameters\": [{\"ID\":\"value\",\"DataType\":\"string\", \"Value\":\"sandbox\"}],\"OutputClaims\":[{\"ClaimTypeReferenceId\":\"TOS\",\"TransformationClaimType\":\"createdClaim\"}]}]
}}",
],
"displayName": "sdfa",
"isOrganizationDefault": false
}
However, when i try them together in the format of the example I get an error.
{
"definition": [
"{\"ClaimsMappingPolicy\":{
\"Version\":1,
\"IncludeBasicClaimSet\":\"true\",
\"ClaimsSchema\": [
{\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\"},{\"Source\":\"user\",\"ID\":\"givenname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\"},{\"Source\":\"user\",\"ID\":\"displayname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\"},{\"Source\":\"user\",\"ID\":\"surname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\"},{\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\":\"username\"},{\"Source\":\"transformation\",\"TransformationID\":\"xxxxxxxxx\",\"ID\":\"DataJoin\",\"SamlClaimType\":\"test\"}
],
\"ClaimsTransformation\":[
{\"ID\":\"xxxxxxxxx\",\"TransformationMethod\":\"CreateStringClaim\",\"InputParameters\": [{\"ID\":\"value\",\"DataType\":\"string\", \"Value\":\"sandbox\"}],\"OutputClaims\":[{\"ClaimTypeReferenceId\":\"DataJoin\",\"TransformationClaimType\":\"createdClaim\"}]}
]
}}"
],
"displayName": "Palo Alto Claims Policy",
"isOrganizationDefault": false
}
Which returns the same unhelpful error:
Bad Request({
"error": {
"code": "Request_BadRequest",
"message": "Property has an invalid value.",
"innerError": {
"date": "2020-09-01T13:03:10",
"request-id": "bc7cf58e-fe6d-47d1-b1e5-cae43326864f"
}
}
})
Any ideas what i am doing wrong? Im trying to base off of the example, which i cant get working.
I do not want to use powershell, i want to be able to automate via my desktop terminal.
I imagine i can avoid this situation and get the PA to integrate with AAD without a hardcoded value, but i feel that i should be able to get this working this way.
The mandatory encoding of the ClaimMappingPolicy object makes it quite fiddely to develop, so its possible there is a problem there somewhere.
Ive also tried just creating the ClaimsSchema without the ClaimsTransformation and then running a PATCH to amend the object with the transformed object, but it just overwrites the whole ClaimsMappingPolicy object rather than adding just the extra field.
When I remove the transformation source from the ClaimsSchema the request succeeds.
cat <<- EOF > claims.json
{
"definition": [
"{\"ClaimsMappingPolicy\":{
\"Version\":1,
\"IncludeBasicClaimSet\":\"true\",
\"ClaimsSchema\": [
{\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\"},{\"Source\":\"user\",\"ID\":\"givenname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\"},{\"Source\":\"user\",\"ID\":\"displayname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\"},{\"Source\":\"user\",\"ID\":\"surname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\"},{\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\":\"username\"}
],
\"ClaimsTransformation\":[
{\"ID\":\"xxxxxxxxx\",\"TransformationMethod\":\"CreateStringClaim\",\"InputParameters\": [{\"ID\":\"value\",\"DataType\":\"string\", \"Value\":\"sandbox\"}],\"OutputClaims\":[{\"ClaimTypeReferenceId\":\"DataJoin\",\"TransformationClaimType\":\"createdClaim\"}]}
]
}}"
],
"displayName": "Palo Alto Claims Policy",
"isOrganizationDefault": false
}
EOF
But there isnt an association between the ClaimsSchema and the ClaimsTransformation. This hints at a problem with the ClaimsSchema object
{\"Source\":\"transformation\",\"TransformationID\":\"xxxxxxxxx\",\"ID\":\"DataJoin\",\"SamlClaimType\":\"test\"}
But this looks suitable when looking at the documentation and the (possibly broken) reference example.

Providing information in answer as its too long to comment it.Please try this below query in Graph explorer
Post https://graph.microsoft.com/beta/policies/claimsMappingPolicies
{"definition":["{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\":[{\"Source\":\"user\",\"ID\":\"extensionattribute1\"},{\"Source\":\"transformation\",\"ID\":\"DataJoin\",\"TransformationId\":\"JoinTheData\",\"JwtClaimType\":\"JoinedData\"}],\"ClaimsTransformations\":[{\"ID\":\"JoinTheData\",\"TransformationMethod\":\"Join\",\"InputClaims\":[{\"ClaimTypeReferenceId\":\"extensionattribute1\",\"TransformationClaimType\":\"string1\"}], \"InputParameters\": [{\"ID\":\"string2\",\"Value\":\"sandbox\"},{\"ID\":\"separator\",\"Value\":\".\"}],\"OutputClaims\":[{\"ClaimTypeReferenceId\":\"DataJoin\",\"TransformationClaimType\":\"outputClaim\"}]}]}}"],"displayName":"TestclaimsPolicy","isOrganizationDefault":false}
Post https://graph.microsoft.com/beta/policies/claimsMappingPolicies
{"definition":["{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\",\"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier\"},{\"Source\":\"user\",\"ID\":\"givenname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname\"},{\"Source\":\"user\",\"ID\":\"displayname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name\"},{\"Source\":\"user\",\"ID\":\"surname\",\"SamlClaimType\":\"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname\"},{\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\":\"username\"}],\"ClaimsTransformation\":[{\"ID\":\"CreateTermsOfService\",\"TransformationMethod\":\"CreateStringClaim\",\"InputParameters\": [{\"ID\":\"value\",\"DataType\":\"string\", \"Value\":\"sandbox\"}],\"OutputClaims\":[{\"ClaimTypeReferenceId\":\"TOS\",\"TransformationClaimType\":\"createdClaim\"}]}]}}"],"displayName":"Test1234","isOrganizationDefault":false}
for more information on CreateTermsOfService please refer to this document

Related

Can't create schema extension in microsoft graph

I am trying to create a schema extension but I get the following error message every time I make a request:
code: 400, error_message: ErrorMessage { error: Some(ErrorStatus { code: Some("Request_BadRequest"), message: Some("Object of class ComplexExtensionDefinition is not valid for Megatenant with ContextId: 11753285-9b24-41e2-bef1-********. Update to segmentation metadata failed.")
According to the error message seems like I cant extend azure AD with schema extension. Any help ?
Thanks
Here's the code for reference:
use graph_rs_sdk::oauth::OAuth;
use reqwest::StatusCode;
use graph_rs_sdk::prelude::*;
use graph_rs_sdk::error::GraphFailure;
pub async fn account_ext(client: OAuth) -> Result<StatusCode, GraphFailure> {
let graph_client = Graph::new_async(client.get_access_token().unwrap().bearer_token());
let properties = serde_json::json!({
"id": "tenantaccountExt",
"description": "Tenant account extension properties",
"targetTypes": [
"Group"
],
"owner": "90fd44ac-18d2-4920-909b-********",
"properties": [
{
"name": "region",
"type": "String"
},
{
"name": "contact",
"type": "String"
},
]
});
match graph_client.v1()
.schema_extensions()
.create_schema_extension(&properties)
.send()
.await {
Ok(response) => Ok(response.status()),
Err(GraphFailure::GraphError(err)) => {
println!("{:?}", err);
Ok(err.code)
},
Err(err) => Err(err)
}
}
I faced similar sort of error towards application :
"code": "Authorization_RequestDenied",
"message": "Attempt to update complex extension definition on application: xxxxxx belonging to different context",
with below query
POST https://graph.microsoft.com/v1.0/schemaExtensions
{
"id": "tenantcountext",
"description": "Graph Learn training courses extensions",
"targetTypes": [
"group"
],
"owner": "dexxxxxxxxxxx64",
"properties": [
{
"name": "region",
"type": "String"
},
{
"name": "contact",
"type": "String"
}
]
}
The id property must be unique string of the schema extension
definition. {domainName}_{schemaName} or echemaName only.
When I tried to check for available extension schema definitions for
id : tenantaccountExt :Add custom data to groups using schema
extensions - Microsoft Graph | Microsoft Docs.
I could not find any available status for that id which may mean that tenant has one or more applications that doesn’t have the owner permissions to add or update extensions or any changes or even the tenant doen not have proper permissions .( For me when I checked the appId in the error in azureAd apps , it is the Microsoft graph explorer)
which means the tenant or apps do not have proper permissions to access graph explorer or do any creation or updates .
So please check if that app or tenant in your case has proper
permissions to add any changes or extensions like
Applications.ReadWrite.All, User.Read.All, User.ReadWrite.All,Group.ReadWrite.All microsoft graph permissions.Please try to get permissions given by admin and
check to try again.
Also check to have ,Any of the following permissions: for
Delegated (work or school account) check Directory.Read.All, Directory.ReadWrite.All, Directory.AccessAsUser.All
Application: Directory.Read.All, Directory.ReadWrite.All
Importantly please make sure , the owner property must be having the value of the application Id where you are the owner i.e; you must be the owner of the app for which extension is done and request for creation must also be coming from that application.
If everything is correct, then then the schema extension is executed and we can get its available status like InDevelopment or available.
Reference: exercise-schema-extensions | microsoftDocs

Share azure devops variables across projects

I am trying to share linked variables across projects.
I read that is was not possible but I found this API endpoint that may do the trick.
https://learn.microsoft.com/en-us/rest/api/azure/devops/distributedtask/variablegroups/share-variable-group?view=azure-devops-rest-6.0
When I call this API:
PATCH https://dev.azure.com/{organization}/_apis/distributedtask/variablegroups?variableGroupId={variableGroupId}&api-version=6.0-preview.2
with this Body:
{
"variableGroupProjectReferences":[
{
"description":"test1",
"name":"test1",
"projectReference":{
"id":"50f7c113-de21-4e19-b910-b37ebffa984f",
"name":"Customer Services"
}
}]
}
I get this response:
{
"$id": "1",
"innerException": null,
"message": "Value cannot be null.\r\nParameter name: variableGroupProjectReferences",
"typeName": "System.ArgumentNullException, mscorlib",
"typeKey": "ArgumentNullException",
"errorCode": 0,
"eventId": 0
}
Value cannot be null.\r\nParameter name: variableGroupProjectReferences
The request body seems to have issue.
You can refer to the following sample:
[
{
"variableGroupProjectReferences":
{
"projectReference": {
"id": "ProjectID",
"name": "ProjectName"
},
"name": "variablegroupname",
"description": ""
}
}
]
But it will show the error: Sharing of variable group is not allowed.
The cause of this issue is that the variable group property: "isShared": false
You can get the variable group property with the Rest API: Variablegroups - Get
But currently it seems that we cannot change this property. So we couldn't share the variable group.
Refer to this feedback ticket: VariableGroup cannot be shared via REST API.
I suggest that you can report the issue to Developer Community.

How to use same value for AppRoles and oauth2Permissions with different Description and Display name?

My Azure AD application expose scope Roles.ReadWrite.All(Delegated permission). Now I want to use machine to machine communication, So I need to expose Application Permission. From the official documentation How to: Add app roles in your application and receive them in the token, I have created a AppRoles. Now I can give another application Application permission to the application.
But the issue is, I want to use the same value for Application Permission and Delegated Permission, As Microsoft is already doing this with their Microsoft Graph application's AccessReview.Read.All permission. But when I want to create appRoles, it shows an error -
Failed to update Backend API application. Error detail: It contains duplicate value. Please Provide unique value. []
I can only create same permission value if I keep the id, description and display name same for both appRoles and oauth2Permissions. But Microsoft Graph is using two different ID but the same value!
...
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "ebfcd32b-babb-40f4-a14b-42706e83bd28", // AccessReview.Read.All
"type": "Scope"
},
{
"id": "d07a8cc0-3d51-4b77-b3b0-32704d1f69fa", // AccessReview.Read.All
"type": "Role"
}
]
},
{
"resourceAppId": "96954c3d-fbb4-4899-be79-582b810acb7b",
"resourceAccess": [
{
"id": "fbeb72c6-dfcb-45b6-b83a-db2929314e70",
"type": "Scope"
},
{
"id": "42b90870-bbe2-46c6-a221-4f8981c559ae", // Roles.ReadWrite.All
"type": "Scope"
},
{
"id": "42b90870-bbe2-46c6-a221-4f8981c559ae", // Roles.ReadWrite.All
"type": "Role"
}
]
}
],
...
As it is shown in the above Manifest snippet, Graph API's AccessReview.Read.All has two different id for Delegated and Application permission, Where my Roles.ReadWrite.All has same ID as a result same Display Name and Description
I'm afraid that what you need is not supported currently.
As you have tested, if we use the same value for "AppRoles" and "OAuth2Permission", it will show this error: It contains duplicate value. Please Provide unique value.
When we set the same ID for "AppRoles" and "OAuth2Permission", we will be required to set the same value for (description, adminConsentDescription),(displayName, adminConsentDisplayName),(isEnabled, isEnabled),(origin, origin),(value, value).
In this case, we can say that we get the same object for "AppRoles" and "OAuth2Permission". But it will not affect your use. The access token can return the correct Delegated permission or Application permission.

Add or Delete an app's API permissions (requiredResourceAccess) via Microsoft Graph

In an application in my trial Azure AD tenant, I want to modify my API permissions via the Graph API. I am able to GET the application's requiredResourceAccess in the Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer#) via https://graph.microsoft.com/beta/applications/{app object ID}/requiredResourceAccess, but I am not able to modify or delete these values, or even GET specific resources. Here's my GET result:
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#applications('{app object id}')/requiredResourceAccess(resourceAccess)",
"value": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "{id}",
"type": "Scope"
},
{
"id": "{id}",
"type": "Scope"
}
]
}
]
}
When trying to specify the resourceAppId above, I get an error about how segment 'requiredResourceAccess' refers to a segment, so this must be the last part of the request URI besides filters.
And when I try to delete, I get the error 'Specified HTTP method is not allowed for the request target.'
I can modify the API permissions via the Microsoft Azure Portal of course, but can you please let me know if there is a way to add or remove API permissions via the Microsoft Graph API?
You could use this API Update application, refer to my request sample as below.
Sample:
Request URL:
PATCH https://graph.microsoft.com/beta/applications/{App Object ID}
Request body:
{
"requiredResourceAccess": [
{
"resourceAppId": "00000002-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "863451e7-0667-486c-a5d6-d135439485f0",
"type": "Scope"
}
]
}
]
}
If you want to delete the API permissions, just specify the requiredResourceAccess as below.
{
"requiredResourceAccess": []
}
Note: This API is a Beta version, I don't recommend you to use it in the production environment. Also, when we update the API permissions via this API, it just adds the permissions to this application, it will not consent the permissions for the application.

Adding User to Group using Graph API B2C

I am using Azure AD B2C to create users.
After a user is created I would like to add them to a Group
Using Postman I have made the following request (with access token in the header). Note: I have managed to successfully create a group using the Api.
POST
https://graph.windows.net/{azure-tenant}/groups/{group-objectId/members/$ref?api-version=1.6
With Body:
{
"#odata.id": "https://graph.windows.net/{azure-tenant}/directoryObjects/{user-objectId}"
}
Which is what the documentation specifies. No matter the body that is sent I get the following error
{
"odata.error": {
"code": "Request_BadRequest",
"message": {
"lang": "en",
"value": "The request URI is not valid. Since the segment 'members' refers to a collection, this must be the last segment in the request URI. All intermediate segments must refer to a single resource."
},
"requestId": "48cf65f3-20ba-411e-8121-f7ea54252f3a",
"date": "2019-05-27T06:09:25"
}
}
I tried removing the /$ref
POST
https://graph.windows.net/{azure-tenant}/groups/{group-objectId/members?api-version=1.6
Body:
{
"#odata.id": "https://graph.windows.net/{azure-tenant}/directoryObjects/{user-objectId}"
}
as well as
{
"#odata.id": "https://graph.windows.net/{azure-tenant}/users/{user-objectId}"
}
Now the error that gets returned now is:
{
"odata.error": {
"code": "Request_BadRequest",
"message": {
"lang": "en",
"value": "Unsupported resource type 'DirectoryObject' for operation 'Create'."
},
"requestId": "2c36cc6d-383c-44f8-8609-2ac3e3efc862",
"date": "2019-05-27T06:15:26"
}
}
The documentation that I have been using https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=javascript
You are using graph.windows.net endpoint, so you should refer to azure ad graph api.
POST https://graph.windows.net/myorganization/groups/b4bda672-1fba-4711-8fb1-5383c40b2c14/$links/members?api-version=1.6
{
"url": "https://graph.windows.net/myorganization/directoryObjects/3eb6055a-baeb-44d4-a1ea-2fee86d8891b"
}
The document you referred to is microsoft graph api. The endpoint should be https://graph.microsoft.com.
You can use Microsoft Graph explorer to call these apis.

Resources