I have added an app registration with custom user roles through the manifest
I have successfully protected an API endpoint by way of the [authorize] atribute and roles.
I have now changed the names of the roles in AD but when I try to access the API endpoint I can see in the access token that the roles have not changed.
How long does it take for roles to change for a user? Do I need to do something else other than just change the names of the roles? Force a cache refresh somewhere? What am I missing?
I am using a private browser window to eliminate any stale cookie noise
I can see in the access token that the roles have not changed.
Shouldn't the user role be reflected in Id token?
The decoded Id token.
How long does it take for roles to change for a user? Do I need to do
something else other than just change the names of the roles?
We should change the value of the role, not the displayName. And it will take effect immediately.
"allowedMemberTypes": [
"User"
],
"description": "Creators can create Surveys",
"displayName": "SurveyCreator2",
"id": "1b4f816e-5eaf-48b9-8613-7923830595ad",
"isEnabled": true,
"lang": null,
"origin": "Application",
"value": "SurveyCreatorValue3"
}
I changed the role value from SurveyCreatorValue3 to SurveyCreatorValue4. We can see the update in the Id token.
Related
I have an Azure Function with Azure Active Directory authentication enabled (including "Action to take when request is not authenticated" = "Log in with Azure Active Directory"). Additionally the option "User assignment required?" of the Azure Function related service principal (sp_func) is set to "Yes" to avoid everybody in the tenant being able to in the end run the function.
The goal is to have a single security group (that can include users as well as service principals) that is added to "Users and groups" of sp_func so that the assignment to the group decides if the function can be accessed or not. With users this works fine but not with service principals (sp_nonfunc). For them (sp_nonfunc) to work I have to set the permissions for them (sp_nonfunc) what in the end allows them to interact with the Azure Function no matter if they (sp_nonfunc) are assigned to the group or not.
Is it possible that I can just add a service principal (sp_nonfunc) to a group with the group being added to sp_func and then be able to execute the Function by using sp_nonfunc (without giving explicit permissions to sp_nonfunc)?
EDIT: it also does not seem to be possible to add sp_nonfunc to sp_func directly even if I defined an own appRole in the Manifest. The only way currently seems to be to add permissions on sp_nonfunc for sp_func - but that is what I want to avoid.
EDIT2: here how I have defined the role in the sp_func manifest
"appRoles": [
{
"allowedMemberTypes": [
"Application"
],
"displayName": "AzureFunctionAccess",
"id": "xxx-xxx-xxx-xxx-xxx",
"isEnabled": true,
"description": "Access Azure Function.",
"value": "AzureFunctionAccess"
}
]
EDIT3: when I don't assign a role directly to sp_nonfunc but just add sp_nonfunc to the security group I get, when making a request to https://login.microsoftonline.com/<tenant id>/oauth2/token with resource = Application ID URI of the registered app of sp_func:
{
"error": "invalid_grant",
"error_description": "AADSTS501051: Application 'xxx-xxx-xx-xx-xx'(xxx) is not assigned to a role for the application 'https://xxx'(xxx).\r\nTrace ID: xxx-xxx-xx-xx-xx\r\nCorrelation ID: xxx-xxx-xx-xx-xx\r\nTimestamp: xx-xx-xx xx:xx:xxZ",
"error_codes": [
501051
],
"timestamp": "xx-xx-xx xx:xx:xxZ",
"trace_id": "5xxx-xxx-xx-xx-xx",
"correlation_id": "xxx-xxx-xx-xx-xx",
"error_uri": "https://login.microsoftonline.com/error?code=501051"
}
This way will not work, to use a service principal(in your case, the sp_nonfunc) get the token for the function app(sp_func), you need to give the API permission for the sp_nonfunc.
Navigate to the App Registration related to the sp_nonfunc in the portal -> API permissions -> add the AzureFunctionAccess you defined, at last click the Grant admin consent for xxx button.
Then get the token with the client credential flow, it will work fine. (I use the v2.0 endpoint, if you use the v1.0, it will also work.)
For more details about the steps, I wrote in this post before, you could refer to it.
We have ADB2C tenant with a Identity Provider setup to an Okta setup in another Organization via Open ID Connect.
We have a Admin UI to add users. I see that GraphAPI has a createUser which takes a json with Password and changePwdOnFirstUse setting. This is fine to add a direct member to ADB2C.
The problem I have is that, how can I add the User from the other Okta
Organization so that when this user logs in to my App (and is authenticated by Okta), can login to my App.
At present, after authentication from Okta, we see User not found Error.
I suppose, I cannot add this user via Graph API using same createUser method as this user password is not something we are supposed to manage.
How do I add this other Organization user to ADB2C, so that I do not see this "User not found" issue?
Thanks.
Using Azure AD Graph API, you can create an external account user, with the userIdentities property of the user object being set to the sub (subject) claim of Okta's ID token:
{
"accountEnabled": false,
"displayName": "John Smith",
"mailNickname": "john.smith",
"otherMails": [
"john.smith#company.com"
],
"userIdentities": [
{
"issuer": "{okta-id-token-iss-claim-value}",
"issuerUserId": "{okta-id-token-sub-claim-value}"
}
],
"userPrincipalName": "{guid}#{your-tenant-name}.onmicrosoft.com"
}
where issuerUserId must be set to the base64 encoding for the sub claim of Okta's ID token.
I have a few users added to my Azure AD account, I would like to get the roles and user information on these users by calling an Azure API from Postman in the form of claims. I tried calling the following URL with the parameters as :
https://login.microsoftonline.com/myTenantId/oauth2/token
Body:
grant_type : password,
client_id : client id,
client secret : client secret
I receive the access_token in the encoded format in the response, When I decode it on https://jwt.io/ I see the decoded data, but there's no user roles in the access_token.
I would like to get the user information and the roles in the form of claims in same response.
What approach would I need to take on this ?
If the role you mentioned refers to directory role, the answer is no, it won't be returned in the token. Just like juunas said, you can call graph api to get directory role information.
If the role you mentioned refers to application role, the answer is yes, you can get the role information in id_token. The prerequisite is that you have assigned some roles to the user.
Here are the detailed steps. You can also refer to this article.
edit the manifest to add some custom roles.
Something like this.
{
"allowedMemberTypes": [
"User"
],
"displayName": "Test",
"id": "c200e304-fff3-49f1-a4df-e406741ea680",
"isEnabled": true,
"description": "Bla bla",
"value": "test"
}
2.assign users to roles.
Click Enterprise applications->All applications->
Click your application->click Users and groups->click Add user
role assign.
Here is the request to get id_token.
You will find the roles in id_token.
I have a single page application (SPA) and an API. Both are secured using Azure Active Directory using role based access control (RBAC). I can login and viewview my SPA using ADAL. I can also login, call my API and see the role claims I have given myeself.
I want to call the API from the SPA. I have added the API delegated permissions to the SPA. I have also hit the 'Grant Permissions' button so I don't see a consent screen.
The problem is when the SPA calls the API, no role claims appear, so the API always returns a 403 Forbidden response. How can I solve this?
Update
This is the manifest for my API:
{
"appId": "[API Client ID]",
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"displayName": "Read Device",
"id": "b2e6f6c2-c3d5-4721-ad49-0eea255ccf45",
"isEnabled": true,
"description": "Can read a device.",
"value": "Device.Read.All"
}
],
...
}
In my SPA, I'm using ADAL and adal-angular like so:
var azureActiveDirectory = {
'instance': 'https://login.microsoftonline.com/',
'tenant': '[My Tenant ID]',
'clientId': '[SPA Client ID]',
'redirectUri': 'http://localhost:8080/',
'endpoints': {
'http://localhost:5000': '[API Client ID]'
}
adalAuthenticationServiceProvider.init(azureActiveDirectory, $httpProvider);
Apparently, roles in nested groups are not transitive i.e. If I am a member of Group 2, I do not have the Role granted to Group 1, even though Group 2 is a member of Group 2:
Group 1
Has a Role from Application 1
Has a Member called Group 2
This is absolutely unbelievable that such a feature has not been implemented. I've raised a suggestion on UserVoice. Please upvote the suggestion.
you should create the appRole in your API app, when your spa call API, it will get access token with the role in api app that the login user belongs to. so to make sure you create role and verify role in api app, not spa app.
I was following this article and created a sample which works perfectly well. I can sign up, sign out and edit my profile with it but can't find out how to add a user in AAD B2C and assign it some role, so that I can differentiate them on the basis of roles, i.e. when I get to the Claims Page and get a user object, I can check the user by writing something like this:
User.IsInRole("client")
I added a custom attribute in "User Attributes" with the name of "Role" but that didn't solve my problem. I can only see that when I write:
foreach (Claim claim in ClaimsPrincipal.Current.Claims)
...claim.Type .... claim.Value
But I want it as I explained above
Thanks in advance.
Ok by now, I have found out the roles by clicking on the directory name -- users, but the available roles are User, Global Admin, Billing Admin, Service Admin, User Admin and Password Admin, but User.IsInRole("User") didn't work for me. So,
1. can I add any customized roles
2. how can I check if my user belongs to a particular role programmatically?
Thanks.
You can add custom roles by modifying application manifest file (application configured in Azure Active Directory). You just have to download manifest json file, add your custom roles and upload file again. You can do it here:
Then open the file and add custom role like that:
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"description": "some text",
"displayName": "Super role",
"id": "c530a40b-a47c-42b7-ba9a-f34d8ca7e443",
"isEnabled": true,
"origin": "Application",
"value": "Super role"
}
],
User attributes in Azure B2C are prefixed with "Extension_", so a user attribute "Role" will be called "extension_role" in your claims.
This is the reason the UserIsInRole doesn't work
Something that works for Azure AD, maybe for B2C also(not tried by me):
Try to use Groups (create a new group), add the user to the group.
Group membership isn't added to your claims by default:
http://justazure.com/azure-active-directory-part-4-group-claims/