My Azure AD application expose scope Roles.ReadWrite.All(Delegated permission). Now I want to use machine to machine communication, So I need to expose Application Permission. From the official documentation How to: Add app roles in your application and receive them in the token, I have created a AppRoles. Now I can give another application Application permission to the application.
But the issue is, I want to use the same value for Application Permission and Delegated Permission, As Microsoft is already doing this with their Microsoft Graph application's AccessReview.Read.All permission. But when I want to create appRoles, it shows an error -
Failed to update Backend API application. Error detail: It contains duplicate value. Please Provide unique value. []
I can only create same permission value if I keep the id, description and display name same for both appRoles and oauth2Permissions. But Microsoft Graph is using two different ID but the same value!
...
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "ebfcd32b-babb-40f4-a14b-42706e83bd28", // AccessReview.Read.All
"type": "Scope"
},
{
"id": "d07a8cc0-3d51-4b77-b3b0-32704d1f69fa", // AccessReview.Read.All
"type": "Role"
}
]
},
{
"resourceAppId": "96954c3d-fbb4-4899-be79-582b810acb7b",
"resourceAccess": [
{
"id": "fbeb72c6-dfcb-45b6-b83a-db2929314e70",
"type": "Scope"
},
{
"id": "42b90870-bbe2-46c6-a221-4f8981c559ae", // Roles.ReadWrite.All
"type": "Scope"
},
{
"id": "42b90870-bbe2-46c6-a221-4f8981c559ae", // Roles.ReadWrite.All
"type": "Role"
}
]
}
],
...
As it is shown in the above Manifest snippet, Graph API's AccessReview.Read.All has two different id for Delegated and Application permission, Where my Roles.ReadWrite.All has same ID as a result same Display Name and Description
I'm afraid that what you need is not supported currently.
As you have tested, if we use the same value for "AppRoles" and "OAuth2Permission", it will show this error: It contains duplicate value. Please Provide unique value.
When we set the same ID for "AppRoles" and "OAuth2Permission", we will be required to set the same value for (description, adminConsentDescription),(displayName, adminConsentDisplayName),(isEnabled, isEnabled),(origin, origin),(value, value).
In this case, we can say that we get the same object for "AppRoles" and "OAuth2Permission". But it will not affect your use. The access token can return the correct Delegated permission or Application permission.
Related
I created conditional access policy using this from my previous question reply here. It's working as expected.
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Block access to Application Admins.",
"state": "enabled",
"conditions": {
"clientAppTypes": [
"all"
],
"applications": {
"includeApplications": [
"appID"
]
},
"users": {
"includeRoles": [
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"//ID of Application Admin role
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
]
}
}
I want to change few properties like roles to User administrator and grantControls to allow access with mfa in this existing policy from Graph.
In Portal, we have edit option but is this possible from Graph? How to achieve that?
TIA
I tried to reproduce the same in my environment via Graph Explorer and got below results:
I have one existing conditional access policy with below properties:
To update this policy via Graph API, make use of below query based on your requirement:
PATCH https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/<id>
Content-type: application/json
{
"displayName": "Require MFA to User Administrators.",
"state": "enabled",
"conditions": {
"users": {
"includeRoles": [
"fe930be7-5e62-47db-91af-98c3a49a38b1" //ID of User Administrator role
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
]
}
}
Response:
When I checked the same in Portal, properties updated successfully like below:
You can get the id of User Administrator role like below:
Go to Azure Portal -> Azure AD -> Roles and administrators -> All roles -> User Administrator
UPDATE:
You can get the id of policy using below query:
GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies?$filter=displayName eq 'policyName' &$select=id,displayName
Response:
I'm trying to check that users consent to apps accessing company data on their behalf is not allowed using Powershell. Originally, this is done using MSOL-CompanyInformation with UsersPermissionToUserConsentToAppEnabled. However, as deprecation gets closer for MSOL, I can not find any comparable (MgOrganization does not have the same functionality) or work around for the situation.
Any help would be appreciated. Thanks.
User consent settings are now more fine-grained than just on/off. Instead, a customer can choose whether user have the permission to consent for themselves, and if so, which permission grant policy (aka "app consent policy") describes when the user will be allowed to consent (e.g. for which apps, for which permissions, etc.)
Using Microsoft Graph v1.0, this setting is stored in the permissionGrantPoliciesAssigned collection under the defaultUserRolePermissions property of the authorizationPolicy singleton.
Using Microsoft Graph PowerShell, you can retrieve the authorization policy with Get-MgPolicyAuthorizationPolicy, and update it with Update-MgPolicyAuthorizationPolicy. Both cmdlets are included in the Microsoft.Graph.Identity.SignIns module.
If the collection includes at least one value that begins with "managePermissionGrantsForSelf.", then user consent for self is enabled, subject to the permission grant policy identified by whatever follows the ".".
Examples
In this first example, *permissionGrantPoliciesAssigned is empty, indicating user consent is disabled entirely:
GET https://graph.micrsooft.com/v1.0/policies/authorizationPolicy
{
/* ... */
"defaultUserRolePermissions": {
"allowedToCreateApps": true,
"allowedToCreateSecurityGroups": true,
"allowedToReadOtherUsers": true,
"permissionGrantPoliciesAssigned": [] // <- User consent disabled entirely
}
}
In this second example, user consent is enabled, subject to the permission grant policy with ID "microsoft-user-default-low" (also note that here we're querying defaultUserRolePermissions directly):
GET https://graph.microsoft.com/v1.0/policies/authorizationPolicy/defaultUserRolePermissions
{
/* ... */
"allowedToCreateApps": true,
"allowedToCreateSecurityGroups": true,
"allowedToReadOtherUsers": true,
"permissionGrantPoliciesAssigned": [
"ManagePermissionGrantsForSelf.microsoft-user-default-low" // <- User consent enabled
]
}
We can get more details about that built-in policy (we know it's built-in because it starts with "microsoft-") by retrieving it:
GET https://graph.microsoft.com/v1.0/policies/permissionGrantPolicies/microsoft-user-default-low
{
"id": "microsoft-user-default-low",
/* ... */
"includes": [
{
"id": "9c72ced4-50c7-4486-933e-6756d554b199",
"permissionClassification": "low",
"permissionType": "delegated",
"resourceApplication": "any",
"permissions": [ "all" ],
"clientApplicationIds": [ "all" ],
"clientApplicationTenantIds": [ "b6e5dea0-ef49-4100-9191-1bb9c16c40b0" ],
"clientApplicationPublisherIds": [ "all" ],
"clientApplicationsFromVerifiedPublisherOnly": false
},
{
"id": "8ce99f96-730c-4ebd-8397-07ee65942b97",
"permissionClassification": "low",
"permissionType": "delegated",
"resourceApplication": "any",
"permissions": [ "all" ],
"clientApplicationIds": [ "all" ],
"clientApplicationTenantIds": [ "all" ],
"clientApplicationPublisherIds": [ "all" ],
"clientApplicationsFromVerifiedPublisherOnly": true
}
],
"excludes": []
}
We can see this policy includes two condition sets:
All delegated permissions classified "low", for apps registered in the same tenant*
All delegated permissions classified "low", for apps with a verified publisher
*In this special built-in permission grant policy, clientApplicationTenantIds will always be the tenant ID of the tenant where the policy is being read from.
You can use permissionGrantPolicyIdsAssignedToDefaultUserRole property to update authorizationPolicy,
PATCH https://graph.microsoft.com/beta/policies/authorizationPolicy/authorizationPolicy
for more please check doc - https://learn.microsoft.com/en-us/graph/api/authorizationpolicy-update?view=graph-rest-beta&tabs=http
Note: Use of these APIs in production applications is not supported
Hope this helps
Thanks
I am trying to create a schema extension but I get the following error message every time I make a request:
code: 400, error_message: ErrorMessage { error: Some(ErrorStatus { code: Some("Request_BadRequest"), message: Some("Object of class ComplexExtensionDefinition is not valid for Megatenant with ContextId: 11753285-9b24-41e2-bef1-********. Update to segmentation metadata failed.")
According to the error message seems like I cant extend azure AD with schema extension. Any help ?
Thanks
Here's the code for reference:
use graph_rs_sdk::oauth::OAuth;
use reqwest::StatusCode;
use graph_rs_sdk::prelude::*;
use graph_rs_sdk::error::GraphFailure;
pub async fn account_ext(client: OAuth) -> Result<StatusCode, GraphFailure> {
let graph_client = Graph::new_async(client.get_access_token().unwrap().bearer_token());
let properties = serde_json::json!({
"id": "tenantaccountExt",
"description": "Tenant account extension properties",
"targetTypes": [
"Group"
],
"owner": "90fd44ac-18d2-4920-909b-********",
"properties": [
{
"name": "region",
"type": "String"
},
{
"name": "contact",
"type": "String"
},
]
});
match graph_client.v1()
.schema_extensions()
.create_schema_extension(&properties)
.send()
.await {
Ok(response) => Ok(response.status()),
Err(GraphFailure::GraphError(err)) => {
println!("{:?}", err);
Ok(err.code)
},
Err(err) => Err(err)
}
}
I faced similar sort of error towards application :
"code": "Authorization_RequestDenied",
"message": "Attempt to update complex extension definition on application: xxxxxx belonging to different context",
with below query
POST https://graph.microsoft.com/v1.0/schemaExtensions
{
"id": "tenantcountext",
"description": "Graph Learn training courses extensions",
"targetTypes": [
"group"
],
"owner": "dexxxxxxxxxxx64",
"properties": [
{
"name": "region",
"type": "String"
},
{
"name": "contact",
"type": "String"
}
]
}
The id property must be unique string of the schema extension
definition. {domainName}_{schemaName} or echemaName only.
When I tried to check for available extension schema definitions for
id : tenantaccountExt :Add custom data to groups using schema
extensions - Microsoft Graph | Microsoft Docs.
I could not find any available status for that id which may mean that tenant has one or more applications that doesn’t have the owner permissions to add or update extensions or any changes or even the tenant doen not have proper permissions .( For me when I checked the appId in the error in azureAd apps , it is the Microsoft graph explorer)
which means the tenant or apps do not have proper permissions to access graph explorer or do any creation or updates .
So please check if that app or tenant in your case has proper
permissions to add any changes or extensions like
Applications.ReadWrite.All, User.Read.All, User.ReadWrite.All,Group.ReadWrite.All microsoft graph permissions.Please try to get permissions given by admin and
check to try again.
Also check to have ,Any of the following permissions: for
Delegated (work or school account) check Directory.Read.All, Directory.ReadWrite.All, Directory.AccessAsUser.All
Application: Directory.Read.All, Directory.ReadWrite.All
Importantly please make sure , the owner property must be having the value of the application Id where you are the owner i.e; you must be the owner of the app for which extension is done and request for creation must also be coming from that application.
If everything is correct, then then the schema extension is executed and we can get its available status like InDevelopment or available.
Reference: exercise-schema-extensions | microsoftDocs
I want to build a SAAS Service for Azure marketplace using single-sign-on.
I have read this document Microsoft identity platform access tokens, but can not find anything relate to User's Organization.
Is there any way to get user's Organization name?
For now I only can parser from email.
You can call MS Graph API to get the user's organization details: https://learn.microsoft.com/en-us/graph/api/organization-get?view=graph-rest-1.0&tabs=http.
The endpoint is at https://graph.microsoft.com/v1.0/organization
Sample response:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#organization",
"value": [
{
"assignedPlans": [
{
"assignedDateTime": "datetime-value",
"capabilityStatus": "capabilityStatus-value",
"service": "service-value",
"servicePlanId": "servicePlanId-value"
}
],
"businessPhones": [
"businessPhones-value"
],
"city": "city-value",
"country": "country-value",
"countryLetterCode": "countryLetterCode-value",
"displayName": "displayName-value"
}
]
}
You can call this endpoint even with the basic User.Read permission.
In an application in my trial Azure AD tenant, I want to modify my API permissions via the Graph API. I am able to GET the application's requiredResourceAccess in the Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer#) via https://graph.microsoft.com/beta/applications/{app object ID}/requiredResourceAccess, but I am not able to modify or delete these values, or even GET specific resources. Here's my GET result:
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#applications('{app object id}')/requiredResourceAccess(resourceAccess)",
"value": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "{id}",
"type": "Scope"
},
{
"id": "{id}",
"type": "Scope"
}
]
}
]
}
When trying to specify the resourceAppId above, I get an error about how segment 'requiredResourceAccess' refers to a segment, so this must be the last part of the request URI besides filters.
And when I try to delete, I get the error 'Specified HTTP method is not allowed for the request target.'
I can modify the API permissions via the Microsoft Azure Portal of course, but can you please let me know if there is a way to add or remove API permissions via the Microsoft Graph API?
You could use this API Update application, refer to my request sample as below.
Sample:
Request URL:
PATCH https://graph.microsoft.com/beta/applications/{App Object ID}
Request body:
{
"requiredResourceAccess": [
{
"resourceAppId": "00000002-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "863451e7-0667-486c-a5d6-d135439485f0",
"type": "Scope"
}
]
}
]
}
If you want to delete the API permissions, just specify the requiredResourceAccess as below.
{
"requiredResourceAccess": []
}
Note: This API is a Beta version, I don't recommend you to use it in the production environment. Also, when we update the API permissions via this API, it just adds the permissions to this application, it will not consent the permissions for the application.