get all AAD groups in which service principal is added as member - azure

I have a scenario where I need to write functional tests for my API(s). The API uses Azure AD authentication. There are multiple roles in the system, and the role of a user is decided on the basis of membership of different AD groups.
So for the functional tests I need different users within different groups.
I created service principals with contributor rights in the subscription, added them to groups and granted the following Microsoft Graph Application-type API permissions.
- Application.Read.All
- Directory.Read.All
Now I used these APIs to complete my use case.
1. https://login.microsoftonline.com/{tenant-Id}/oauth2/token
to get the access token for the service principal.
2. GET https://graph.microsoft.com/v1.0/me/memberOf
to get the list of the user's groups. But I got the following response with the authentication token of the service principal.
{
    "error": {
        "code": "Request_ResourceNotFound",
        "message": "Resource 'xxxx471-bxxxa-45a2-b61b-18xxxxx42af88' does not exist or one of its queried reference-property objects are not present.",
        "innerError": {
            "request-id": "fxxxxc41-319e-xxxx-xxxx-360xxxx58077",
            "date": "2020-04-13T11:41:01"
        }
    }
}
I also tried this
3. https://graph.microsoft.com/v1.0/users/{principalId}/memberOf
and got the following response
{
    "error": {
        "code": "Request_ResourceNotFound",
        "message": "Resource 'xxxxx-xxxx-xxxx-b61b-18421142af88' does not exist or one of its queried reference-property objects are not present.",
        "innerError": {
            "request-id": "fxxxxc41-319e-xxxx-xxxx-360xxxx58077",
            "date": "2020-04-14T05:59:03"
        }
    }
}
I used the object id of the app registered in Azure AD. When I searched for the service principal using PowerShell with the following command, I found a different Object_Id than the one written on the AD app in the Azure portal:
command: Get-AzureADServicePrincipal
With this Object_Id I was able to get the service principal's groups using the beta service.
https://graph.microsoft.com/beta/servicePrincipals/{object ID}/memberOf
Can anybody explain why I was not able to get the groups of the service principal using the v1.0 service?
Thanks

Can anybody explain why I was not able to get the groups of the service principal using the v1.0 service?
Because the v1.0 version does not support the API GET /servicePrincipals/{id}/memberOf; it is currently only available in the beta version.
You could check this doc - List servicePrincipal memberOf, select Version 1.0, then it will give a prompt message like below.
I used the object id of the app registered in Azure AD. When I searched for the service principal using PowerShell with the following command, I found a different Object_Id than the one written on the AD app in the Azure portal.
The Object Id of the service principal is not the same as that of the App Registration; the one you got from PowerShell is correct. You can also find it in the portal under Enterprise applications, like below.
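To make the two points of this answer concrete for a functional-test harness, here is an added example (not code from the question or the answer): it resolves the Enterprise-application object id from the application (client) id, then reads group membership through the beta memberOf call the answer points to, following paging. The `fetch_json` callable is a hypothetical injectable GET so the lookup runs offline against constructed responses; all ids below are made up.

```python
from typing import Callable, Dict, List
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com"

def sp_object_id_from_app_id(fetch_json: Callable, token: str, app_id: str) -> str:
    """Resolve the SP (Enterprise application) object id from the application id.
    The App Registration object id is a different object; using it yields Request_ResourceNotFound."""
    url = f"{GRAPH}/v1.0/servicePrincipals?$filter=" + quote(f"appId eq '{app_id}'")
    body = fetch_json(url, token)
    if "error" in body:
        raise RuntimeError(body["error"].get("code", "unknown"))
    hits = body.get("value", [])
    if len(hits) != 1:
        raise LookupError(f"expected one SP for appId {app_id}, got {len(hits)}")
    return hits[0]["id"]

def sp_group_ids(fetch_json: Callable, token: str, sp_object_id: str) -> List[str]:
    """Direct group memberships of the SP via the beta memberOf call, following paging."""
    url = f"{GRAPH}/beta/servicePrincipals/{sp_object_id}/memberOf"
    groups: List[str] = []
    while url:
        body = fetch_json(url, token)
        if "error" in body:
            raise RuntimeError(body["error"].get("code", "unknown"))
        # memberOf also lists directoryRoles; keep only groups, since the API under
        # test derives a caller's role from group membership.
        groups += [o["id"] for o in body.get("value", [])
                   if o.get("@odata.type") == "#microsoft.graph.group"]
        url = body.get("@odata.nextLink")
    return groups

# Constructed stand-in responses (all ids made up) so the lookup runs offline.
APP_ID = "11111111-1111-1111-1111-111111111111"
SP_ID = "22222222-2222-2222-2222-222222222222"
_FILTER_URL = f"{GRAPH}/v1.0/servicePrincipals?$filter=" + quote(f"appId eq '{APP_ID}'")
_MEMBEROF_URL = f"{GRAPH}/beta/servicePrincipals/{SP_ID}/memberOf"
FAKE_RESPONSES: Dict[str, dict] = {
    _FILTER_URL: {"value": [{"id": SP_ID, "appId": APP_ID}]},
    _MEMBEROF_URL: {"value": [{"@odata.type": "#microsoft.graph.group", "id": "g-readers"},
                              {"@odata.type": "#microsoft.graph.directoryRole", "id": "r-1"}],
                    "@odata.nextLink": _MEMBEROF_URL + "?$skiptoken=p2"},
    _MEMBEROF_URL + "?$skiptoken=p2": {"value": [{"@odata.type": "#microsoft.graph.group",
                                                  "id": "g-admins"}]},
}

def fake_fetch(url: str, token: str) -> dict:
    """Offline GET: unknown URLs return Graph's error shape, as in the question."""
    return FAKE_RESPONSES.get(url, {"error": {"code": "Request_ResourceNotFound"}})
```

Swapping `fake_fetch` for a real authenticated GET (token from the client-credentials endpoint in the question) is the only change needed to run this against a tenant.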

I agree that the beta service is not part of v1.0, but according to the v1.0 documentation
https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/memberOf
should work.
Please visit
https://learn.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0&tabs=http
Please find the documentation image here.

Related

GET List of Privileged Role Assignments fails with "UnknownError"

I've got an app registration in Azure with the required permission - Directory.AccessAsUser.All (delegated) and that registration has Security Reader over all of my subscriptions.
When I GET https://graph.microsoft.com/beta/privilegedRoles/{id}/assignments with my access token (bearer auth), I get the following response:
{
    error: {
        code: 'UnknownError',
        message: '',
        innerError: {
            'request-id': 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx',
            date: '2020-03-13T11:53:41'
        }
    }
}
The {id} in this case is the ID of the permission I want to check the assignments of.
I'm using this as a reference: https://learn.microsoft.com/en-us/graph/api/privilegedrole-list-assignments?view=graph-rest-beta&tabs=http
This is a beta version API; the current endpoints of AAD roles have been disabled for your tenant for migration purposes, see this link.
When customers have the updated version rolled out to their Azure AD organization, the existing graph API will stop working. You must transition to use the Graph API for Azure resource roles. To manage Azure AD roles using that API, swap /azureResources with /aadroles in the signature and use the Directory ID for the resourceId.
So you need to use this API currently, swap /azureResources with /aadroles, test it in the Graph Explorer.
GET https://graph.microsoft.com/beta/privilegedAccess/aadRoles/resources/<tenant-id>/roleAssignments?$filter=RoleDefinitionId+eq+'RoleDefinitionId'

Adding a Group as a member of a Group using Azure Graph API

I'm using the Azure Graph API with Azure AD B2C and I'm trying to add a Group as a member of a Group.
I have successfully performed a range of other calls against the Azure Graph API, including adding a User as a Member of a Group.
This is the call I'm making
URL:
POST https://graph.windows.net/{tenant}/groups/{groupId}/$links/members?api-version=1.6
Body:
{
    "url": "https://graph.windows.net/{tenant}/directoryObjects/{groupToAdd}"
}
I get the following error:
{
    "odata.error": {
        "code": "Request_BadRequest",
        "message": {
            "lang": "en",
            "value": "An invalid operation was included in the following modified references: 'members'."
        },
        "requestId": "2545d9bf-68c9-44bf-a9ba-1a2976e0c055",
        "date": "2019-09-11T03:11:37"
    }
}
The exact same call worked when using a User's ObjectId, but using a Group's throws the error.
Maybe related, the "Group Memberships" is missing in Azure when viewing a Group
Update:
When I first posted this question I was missing an important piece of information: these are Graph API calls against Azure Active Directory B2C.
You cannot have nested Groups within Azure Active Directory B2C Instances
See: AAD B2C Limitations and restrictions
Nested group memberships aren't supported in Azure AD B2C tenants. There are no plans to add this capability.
the "Group Memberships" is missing in Azure when viewing a Group
On my side, Group Memberships is still there in the Azure AD Group tab. I use the following call and it adds a Group as a member of a Group successfully.
https://graph.windows.net/tenantId/groups/securityGroupObjectId/$links/members
{
    "url": "https://graph.windows.net/tenantId/groups/securityGroupObjectIdToAdd"
}
Note: Make sure securityGroupObjectIdToAdd is the correct objectId. It should be the objectId returned by az ad group list, which is different from the object ID shown in the portal! Refer to this issue.

Create a new role assignment for an enterprise application using Graph beta version

I am trying to create role assignments for an enterprise application using the Graph API beta version.
I am following Microsoft document to do the same
https://learn.microsoft.com/en-us/graph/api/serviceprincipal-post-approleassignments?view=graph-rest-beta&tabs=http
Error:
This is the error I am getting while checking :
Write requests are only supported on contained entities
I also tried the same using the Azure AD Graph (graph.windows.net) and I am able to achieve the following.
{
    "error": {
        "code": "BadRequest",
        "message": "Write requests are only supported on contained entities",
        "innerError": {
            "request-id": "f8b80735-c516-4a65-9f42-2b3088f2951a",
            "date": "2019-07-30T09:23:13"
        }
    }
}
I can reproduce your issue via the Microsoft Graph API; I am not sure what causes it. Also, it is a beta version, so I don't recommend using it in your production environment.
The Azure AD Graph API works for me, you could refer to the request sample as below.
Note: The id is the role id which was declared by the target resource application resourceId in its appRoles property. My sample application does not declare any permissions, so I specify a default id (zero GUID 00000000-0000-0000-0000-000000000000).
POST https://graph.windows.net/myorganization/servicePrincipals/<object id of the service principal>/appRoleAssignments?api-version=1.6
{
    "id": "00000000-0000-0000-0000-000000000000",
    "principalId": "<object id of the user/group/service principal being granted the access>",
    "resourceId": "<object id of the service principal for which the assignment was made>"
}

How do list all applications in Graph Explorer with my Azure free account?

I want to learn Azure directory services, so I created a free Microsoft Azure account to play around with Azure, and then I created a new App registration at portal.azure.com. So I have this registered application in Azure with a Client ID, Tenant ID, and even a Client Secret, because I want to learn API permissions with this app.
Now in the Microsoft Graph Explorer, I want to try using API methods like Get Application and List Applications.
However, if I log in and run the API to list my applications (GET https://graph.microsoft.com/beta/applications), the response has an empty array of applications.
Also, if I try to GET the specific app that I registered in AD, I get a 404: Resource Not Found error.
What am I doing wrong? How can I use the Graph Explorer with my test Azure account so my registered application can be retrieved and edited with Microsoft Graph APIs?
More Details Below
When I run GET https://graph.microsoft.com/beta/applications in Microsoft Graph Explorer, I expect a list of my applications, including the one app I registered in Azure. Instead, here is the response:
{
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#applications",
    "value": []
}
When I run GET https://graph.microsoft.com/beta/applications/{client-id}, with my registered app's client-id, I expect all the details of my registered app, but instead, the response is error 404:
{
    "error": {
        "code": "ResourceNotFound",
        "message": "Resource not found.",
        "innerError": {
            "request-id": "*****",  <-- I commented this out
            "date": "2019-05-28T20:17:11"
        }
    }
}
If this were a permissions issue, I would expect unauthorized errors instead of "resource not found". I've tried adding Microsoft Graph permissions to my registered App (Directory.Read.All, Directory.ReadWrite.All), but this hasn't helped.
This has nothing to do with the Azure free account. If you log in to Graph Explorer using an outlook account, it will identify this account as a personal account (with tenant outlook.com). That's why you cannot find the applications you created in your tenant.
It is recommended to create a new user in your tenant to do the tests.
Here are the steps.
1. Click Azure Active Directory -> Users -> New User. The username should be something like username#{your tenant name} (XXX.onmicrosoft.com).
2. After the creation, add the roles for this user.

Tenant not found when trying to login?

I'm trying to login to an Azure AD B2C app using the example here: https://github.com/nordvall/TokenClient/wiki/OAuth-2-Resource-Owner-Password-Credentials-grant-in-AzureAd
Configured like so:
url: https://login.microsoftonline.com/[myapp].onmicrosoft.com/oauth2/token?api-version=1.6
I am passing the Azure AD B2C application's application id for client_id, but I'm actually not sure what to pass in for the resource. I'm trying to get an access token for some Azure Functions, but the Azure Functions app doesn't seem to have any specific 'resource id' I can define anywhere.
When I make the POST request I get the following:
{
    "error": "invalid_request",
    "error_description": "AADSTS90002: Tenant not found. This may happen if there are no active subscriptions for the tenant. Check with your subscription administrator.\r\nTrace ID: x\r\nCorrelation ID: x\r\nTimestamp: 2018-02-19 10:54:20Z",
    "error_codes": [
        90002
    ],
    "timestamp": "2018-02-19 10:54:20Z",
    "trace_id": "x",
    "correlation_id": "x"
}
The guide you referenced is for Azure AD, not B2C, unfortunately.
Azure AD B2C doesn't currently support Resource Owner Grant Flow, see this SO post. UserVoice request for this.
This documentation might help: Azure Active Directory B2C: Types of applications. More specifically: Daemons/server-side apps.
These apps can get tokens only after an interactive user flow has occurred.