I'm using New-AzureADApplication -DisplayName MyApp -PasswordCredentials $PasswordCreds (Password creds are defined elsewhere), which successfully creates the app registration (not enterprise app) alongside passkey without issue.
Where I'm failing is that I also have 5 graph application based permissions I want to add to this app including User.Read.All
I've tried to follow several answers on StackOverflow and read countless blogs, but, I'm simply failing at this. Some guides/answers seem to be out of date or when I run some examples, I'm getting about 6-8 different GUIDs for User.Read.All, and other answers just include the permission that the question answer was asking without explaining why/how.
I don't want an answer for User.Read.All, I really want to learn and understand how I can ultimately provide '-RequiredResourceAccess` the correct parameters when all I know is the permission name as above.
Here's the best example of doing this: https://github.com/mjisaak/azure-active-directory/blob/master/README.md#well-known-appids
because the graph app has a unique object id in your tenant, you need to get that ID first.
Get-AzureADServicePrincipal | Where-Object AppId -Match '\w{8}-\w{4}-\w{4}-c000'
this just matches a few to show you a bunch of system apps. You'll note that Microsoft Graph has a well known app id of 00000003-blabla. but you'll also see the Object ID, you take that object id. and you then query it for either all the oauth2permissions (Delegated) or the AppRoles (Application Permissions)
Delegated Permissions :
Get-AzureAdServicePrincipal -ObjectId ObjectIDyouFoundAbove |
Select-Object -expand Oauth2Permissions |
Select-Object Id, Value, AdminConsentDisplayName |
Sort-Object Id
Application Permissions :
Get-AzureAdServicePrincipal -ObjectId AgainObjectIDYouFoundAbove |
Select-Object -expand AppRoles |
Select-Object Id, Value, DisplayName |
Sort-Object Id
This will List the guids for the permissions. Value is basically the read.user text. where as displayname is the description. ID is your Guid.
From looking through the web, you should be able to do the whole thing via Powershell, but it felt fairy convoluted and it did not work for me immediately. It might not be worth it unless you need to resolve these guids dynamically.
This did NOT work for me, but if you want to investigate, look at $sp = Get-AzureADServicePrincipal -SearchString "Microsoft Graph" and $sp.Oauth2Permissions (https://gcits.com/knowledge-base/automate-creation-azure-ad-applications-access-microsoft-graph-customer-tenants/).
This is what does work for me:
I usually just set up one app manually in the portal, and then have a look at the application manifest.
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "5b567255-7703-4780-807c-7be8301ae99b",
"type": "Role"
}
]
},
{
"resourceAppId": "00000002-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
"type": "Scope"
},
{
"id": "6234d376-f627-4f0f-90e0-dff25c5211a3",
"type": "Scope"
}
]
}
],
For actually setting the permissions, you probably already have the code. I will just include it for completeness' sake.
How to configure a new Azure AD application through Powershell?
$req = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$acc1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d","Scope"
$acc2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "798ee544-9d2d-430c-a058-570e29e34338","Role"
$req.ResourceAccess = $acc1,$acc2
$req.ResourceAppId = "00000003-0000-0000-c000-000000000000"
Set-AzureADApplication -ObjectId 1048db5f-f5ff-419b-8103-1ce26f15db31 -RequiredResourceAccess $req
Related
I need to add the custom claim "samAccountName" to be shown in a token (using jwt)
First, I created the powershellscript
New-AzureADPolicy -Definition #('{
"ClaimsMappingPolicy": {
"Version": 1,
"IncludeBasicClaimSet": "true",
"ClaimsSchema":[{
"Source": "user",
"ID": "onpremisessamaccountname",
"SamlClaimType": "samaccountname",
"JwtClaimType": "samAccountName"
},
]
}
}') -DisplayName "att_ext_samaccountname_even2_prod" -Type "ClaimsMappingPolicy"
I assined the new policy to my objectid and its seems to be ok
In azure manifest I put "acceptMappedClaims": true and it looks like this
but in "Token confguration -> Optional claims" it looks like this (warning sign)
And I cannot find the claim to be added when select "add optional claim"
any thoughts of what I'm doing wrong of what is missing?
thanks in advance
I tried to reproduce the same in my environment and got the below results:
I modified acceptedMappedClaims to true and added the extension in app manifest like below:
And got the same error as below:
Alternatively, I used below PowerShell commands to add samaccountname extension in token like below:
$MyApp = (New-AzureADApplication -DisplayName "AppName").ObjectId
New-AzureADServicePrincipal -AppId (Get-AzureADApplication -SearchString "AppName").AppId
New-AzureADApplicationExtensionProperty -ObjectId $MyApp -Name "samaccountname" -DataType "String" -TargetObjects "User"
Set-AzureADUserExtension -ObjectId ServicePrincipalObjectId -ExtensionName "extension_XXXX_samaccountname" -ExtensionValue "Value"
After executing the above commands, I got the response like below:
I was able to add the samaccountname as an optional claim in the Azure Portal like below:
After decoding the token (generated using auth code) flow got samaccountname successfully like below:
For more in detail, please refer below links:
Azure AD cmdlets to work with extension attributes | Microsoft Docs
Inlcude onpemise samaccount in azure ad claims by soumi-MSFT
I'm trying to upload some api permission to my app registration in Azure, but I don't get why for some the process work and for others no.
$svcGraph = Get-AzureADServicePrincipal -All $true | ? { $_.DisplayName -eq "Microsoft Graph" }
$Graph = New-Object -TypeName "Microsoft.Open.AzureAD.Model.RequiredResourceAccess"
$Graph.ResourceAppId = $svcGraph.AppId
$delPermission1 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "df021288-bdef-4463-88db-98f22de89214","Scope"
$delPermission2 = New-Object -TypeName "Microsoft.Open.AzureAD.Model.ResourceAccess" -ArgumentList "e1fe6dd8-ba31-4d61-89e7-88639da4683d","Scope"
$Graph.ResourceAccess = $delPermission1, $delPermission2
Set-AzureADApplication -ObjectId $MyAppObjectId -RequiredResourceAccess $Graph
User.read (delPermission2) work, but User.Read.All (delPermission1) don't, and I don't understand why.
I tried multiple permission, but just User.read worked, here are the id and value:
741f803b-c850-494e-b5df-cde7c675a1ca User.ReadWrite.All
83cded22-8297-4ff6-a7fa-e97e9545a259 Presence.ReadWrite.All
810c84a8-4a9e-49e6-bf7d-12d183f40d01 Mail.Read
As far as I know, the ID's you are using for User.Read.All, User.ReadWrite.All, Presence.ReadWrite.All and Mail.Read permissions are incorrect.
To find the correct ID's of those delegated permissions, make use of below cmdlet:
$svcGraph.Oauth2Permissions | FT ID, Value, UserConsentDisplayName
From that, note down the correct ID's of all those permissions:
User.Read.All - a154be20-db9c-4678-8ab7-66f6cc099a59
User.ReadWrite.All - 204e0828-b5ca-4ad8-b9f3-f32a958e7cc4
Presence.Read.All - 9c7a330d-35b3-4aa1-963d-cb2b9f927841
Presence.ReadWrite - 8d3c54a7-cf58-4773-bf81-c0cd6ad522bb
Mail.Read - 570282fd-fa5c-430d-a7fd-fc8dc98a9dca
The ID that you are using for User.Read is correct. That's why it worked.
User.Read - e1fe6dd8-ba31-4d61-89e7-88639da4683d
Make sure you have the role of Administrator and use the correct ID's by modifying the values.
For more reference, please find below reference if it is helpful.
How to assign Permissions to Azure AD App by using PowerShell? – Beyond the Horizon… (rajanieshkaushikk.com)
I'm working on a B2B service that required an Azure AD connection to setup user accounts for all members of the Azure AD domain. I need first name, last name and email for this.
At first I just used the Users.Read.All permission to read all user objects, but some of our clients use AD to store different information aswel.
I'm looking for a solution where I can only access user and groups assigned to the enterprise application by the client.
I've found the servicePrincipal api, but this service doesn't return the user's email.
When calling this api through: https://graph.microsoft.com/v1.0/servicePrincipals/{applicationId}/appRoleAssignedTo
The response looks something like this:
{
"id": "41W1zT6z1U-kJxf62svfp1HFE8pMZhxDun-ThPczmJE",
"deletedDateTime": null,
"appRoleId": "00000000-0000-0000-0000-000000000000",
"createdDateTime": "2021-02-02T04:22:45.9480566Z",
"principalDisplayName": "Alex Wilber",
"principalId": "cdb555e3-b33e-4fd5-a427-17fadacbdfa7",
"principalType": "User",
"resourceDisplayName": "dxprovisioning-graphapi-client",
"resourceId": "8e881353-1735-45af-af21-ee1344582a4d"
}
I've read here that I can use the principalId to request the user object with like so:
https://graph.microsoft.com/v1.0/users/{prinicipalId} . But this results in an error explaining I don't have permission.
After countless hours of googling I cannot find a solution to this problem. Is this just not possible?
To get all the user account (User display name, principle display name and email address) for an Azure enterprise app through PowerShell
$app_name = "[app display name]"
$sp = Get-AzureADServicePrincipal -Filter "displayName eq '$app_name'"
$assignments = Get-AzureADServiceAppRoleAssignment -ObjectId $sp.ObjectId -All $true
$assignments # this will show all the users associated to the principal
Reference So Thread: Azure: Get users assigned to enterprise application in Node JS/Power shell script?
Unable to add Teams App for Bulk of users for Office group or to a Security group (groups created via Azure AD Connect)
I have used the below API in order to add Teams app (side loading teams app) to set of a user in an Office group/Security group.
Working fine with the specific user. Also please let me whether this api will work with AD group ?
Used graph explorer.
POST https://graph.microsoft.com/beta/users/{id}/teamwork/installedApps
Content-type: application/json
{
"teamsApp#odata.bind":"https://graph.microsoft.com/beta/appCatalogs/teamsApps/12345678-9abc-def0-123456789a"
}
Error:
"error": {
"code": "NotFound",
"message": "Unable to fetch license for user 'some GUID'.",
"innerError": {
"request-id": "some GUID",
"date": "2020-04-28T15:00:00"
Assigning a custom app setup policy to users in a group
1.Install-Module -Name AzureAD
/*Skype for Business Online, Windows PowerShell Module can be downloaded and installed */
Import-Module SkypeOnlineConnector
$userCredential = Get-Credential
$sfbSession = New-CsOnlineSession -Credential $userCredential
Import-PSSession $sfbSession
connect-AzureAD -Credential $userCredential
$group = Get-AzureADGroup -SearchString "TeamsApp"
$members = Get-AzureADGroupMember -ObjectId $group.ObjectId -All $true | Where-Object {$_.ObjectType -eq "User"}
$members | ForEach-Object { Grant-CsTeamsAppSetupPolicy -PolicyName "Teams App Policy Test" -Identity $_.UserPrincipalName}
Installation file for Skype for Business Online, Windows PowerShell Module
https://www.microsoft.com/en-us/download/details.aspx?id=39366
Reference
https://learn.microsoft.com/en-us/microsoftteams/teams-app-setup-policies
https://learn.microsoft.com/en-us/microsoftteams/teams-powershell-overview
https://learn.microsoft.com/en-us/office365/enterprise/powershell/connect-to-all-office-365-services-in-a-single-windows-powershell-window
https://learn.microsoft.com/en-us/skypeforbusiness/set-up-your-computer-for-windows-powershell/set-up-your-computer-for-windows-powershell
https://learn.microsoft.com/en-us/office365/enterprise/powershell/manage-skype-for-business-online-with-office-365-powershell
For reporting and monitoring purpose do I like to retrieve the information shown in the Azure portal for an application (App Registration) for "API permissions".
I have tried the following code
$app = Get-AzureADApplication -ObjectId 'aa7e174d-2639-4ac7-9b11-6799466c3c9b'
$app.Oauth2Permissions
But this yields only the following information:
AdminConsentDescription : Allow the application to access foobar_HVV on behalf of the signed-in user.
AdminConsentDisplayName : Access foobar_HVV
Id : h1285f9d5-b00d-4bdb-979d-c4d6487fa000
IsEnabled : True
Type : User
UserConsentDescription : Allow the application to access foobar_HVV on your behalf.
UserConsentDisplayName : Access foobar_HVV
Value : user_impersonation
But "API Permissions" for the application "foobar_HVV" shows totally different permissions. Especially the "Typ" (Delegate, Application) and the "Status" per permission are needed for my report.
If you want to get the API permissions, you need to use the command below.
$app = Get-AzureADApplication -ObjectId '<object-id of the App Registration>'
$app.requiredResourceAccess | ConvertTo-Json -Depth 3
The ResourceAppId is the Application ID of the service principal of the API e.g. Microsoft Graph, the ResourceAccess includes the permissions you added to the app, the Scope means the Delegated permission, Role means the Application permission.
My API permissions:
To check the details of the API permissions , you need to use the command below. For example, we want to know the details of the permission whose Id is 5b567255-7703-4780-807c-7be8301ae99b in the screenshot, its Type is Role, so we need to use $sp.AppRoles.
$sp = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq '00000003-0000-0000-c000-000000000000'}
$sp.AppRoles | Where-Object {$_.Id -eq '5b567255-7703-4780-807c-7be8301ae99b'}
If you want to get the Delegated permission(Type is Scope), we need to use:
$sp = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq '00000003-0000-0000-c000-000000000000'}
$sp.Oauth2Permissions | Where-Object {$_.Id -eq 'e1fe6dd8-ba31-4d61-89e7-88639da4683d'}
To check Status, there is no direct way, you need to check the permissions granted by the admin of the service principal corresponds to the AD App in your AAD tenant.
First, get the service principal $appsp:
$app = Get-AzureADApplication -ObjectId '<object-id of the App Registration>'
$appsp = Get-AzureADServicePrincipal -All $true | Where-Object {$_.AppId -eq $app.AppId}
Get the Delegated permissions which has been granted(Status is Granted):
Get-AzureADServicePrincipalOAuth2PermissionGrant -ObjectId $appsp.ObjectId -All $true | ConvertTo-Json
The ResourceId is the Object Id of the service principal of the API:
Get the Application permissions which has been granted(Status is Granted):
Get-AzureADServiceAppRoleAssignedTo -ObjectId $appsp.ObjectId | ConvertTo-Json
The Id is the Id in the ResourceAccess in the first screenshot.
If the permission has not been granted(Status is Not Granted), you will not get the permission with the command above.
For example, I add a new Application permission in the portal, then run the command again, we can still get the permission which has been granted.
Looking after a new Solution using the 7.1 PowerShell and Az Client I've wrote follwing Script to solve this Issue:
# loop in all Applications then every Application Loop this one to
$sp = $sp = az ad app list --display-name "yourapplication"
$spIdList = ($sp |ConvertFrom-Json -AsHashtable).requiredResourceAccess.resourceAccess
# retreive the ID from Bucket
$RoleAppID = ($sp| ConvertFrom-Json ).requiredResourceAccess.resourceAppId
## receive all Roles and lookup inside
$appRolesArray = (az ad sp show --id $RoleAppID | ConvertFrom-Json -AsHashtable ).appRoles
$listRoles = #()
foreach ($itemSpId in $spIdList) {
$itemSpId.id
foreach($item in $appRolesArray ) {
if ( $item.id -eq $itemSpId.id ){
$listRoles += $item
$item
}
}
}
$listRoles.count
now you can do whatever you want with the List of those objects.
The Goal was to use the "az client"