How to get Organization name from Azure openid? - azure

I want to build a SaaS service for the Azure marketplace using single sign-on.
I have read the document Microsoft identity platform access tokens, but cannot find anything related to the user's organization.
Is there any way to get the user's organization name?
For now I can only parse it from the email address.

You can call MS Graph API to get the user's organization details: https://learn.microsoft.com/en-us/graph/api/organization-get?view=graph-rest-1.0&tabs=http.
The endpoint is at https://graph.microsoft.com/v1.0/organization
Sample response:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#organization",
  "value": [
    {
      "assignedPlans": [
        {
          "assignedDateTime": "datetime-value",
          "capabilityStatus": "capabilityStatus-value",
          "service": "service-value",
          "servicePlanId": "servicePlanId-value"
        }
      ],
      "businessPhones": [
        "businessPhones-value"
      ],
      "city": "city-value",
      "country": "country-value",
      "countryLetterCode": "countryLetterCode-value",
      "displayName": "displayName-value"
    }
  ]
}
You can call this endpoint even with the basic User.Read permission.

Related

Edit existing conditional access policy from Graph

I created a conditional access policy using this from the reply to my previous question here. It's working as expected.
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
Content-type: application/json
{
  "displayName": "Block access to Application Admins.",
  "state": "enabled",
  "conditions": {
    "clientAppTypes": [
      "all"
    ],
    "applications": {
      "includeApplications": [
        "appID"
      ]
    },
    "users": {
      "includeRoles": [
        "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3" // ID of Application Admin role
      ]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": [
      "block"
    ]
  }
}
I want to change a few properties in this existing policy from Graph, like the roles to User Administrator and grantControls to allow access with MFA.
In Portal, we have edit option but is this possible from Graph? How to achieve that?
TIA
I tried to reproduce the same in my environment via Graph Explorer and got the results below:
I have one existing conditional access policy with the properties below:
To update this policy via Graph API, make use of the query below based on your requirement:
PATCH https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/<id>
Content-type: application/json
{
  "displayName": "Require MFA to User Administrators.",
  "state": "enabled",
  "conditions": {
    "users": {
      "includeRoles": [
        "fe930be7-5e62-47db-91af-98c3a49a38b1" // ID of User Administrator role
      ]
    }
  },
  "grantControls": {
    "operator": "OR",
    "builtInControls": [
      "mfa"
    ]
  }
}
Response:
When I checked the same in the Portal, the properties were updated successfully, as below:
You can get the id of User Administrator role like below:
Go to Azure Portal -> Azure AD -> Roles and administrators -> All roles -> User Administrator
UPDATE:
You can get the id of the policy using the query below:
GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies?$filter=displayName eq 'policyName'&$select=id,displayName
Response:
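The same procedure as the answer above (look the policy up by displayName, resolve the role template id, PATCH the policy) as a script. This is an added example, not the answerer's code. It assumes an access token that is allowed to read and write conditional access policies; the two lookup responses embedded below are constructed, using the two role template GUIDs from the posts. It also escapes the OData filter value and refuses to PATCH when the name matches zero or several policies, and defaults the policy to report-only state so the change can be reviewed in sign-in logs before it is enforced.

```python
"""Update a conditional access policy by name through Microsoft Graph.
Added example; the sample responses are constructed."""
import json
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
POLICIES = GRAPH + "/identity/conditionalAccess/policies"

# Constructed samples in the shape of the two lookup responses used below.
SAMPLE_POLICY_LIST = {
    "value": [
        {"id": "aaaaaaaa-1111-1111-1111-111111111111",
         "displayName": "Block access to Application Admins."},
        {"id": "bbbbbbbb-2222-2222-2222-222222222222",
         "displayName": "Require MFA to User Administrators."},
    ]
}
SAMPLE_ROLE_TEMPLATES = {
    "value": [
        {"id": "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3", "displayName": "Application Administrator"},
        {"id": "fe930be7-5e62-47db-91af-98c3a49a38b1", "displayName": "User Administrator"},
    ]
}


def odata_string(value: str) -> str:
    """Quote a value as an OData string literal: single quotes are doubled, so a
    policy name taken from user input cannot break out of the $filter expression."""
    return "'" + value.replace("'", "''") + "'"


def policy_lookup_url(display_name: str) -> str:
    """The answer's UPDATE query, with the filter value percent-encoded."""
    flt = urllib.parse.quote("displayName eq " + odata_string(display_name))
    return POLICIES + "?$filter=" + flt + "&$select=id,displayName"


def single_policy_id(list_response: dict, display_name: str) -> str:
    """displayName is not unique, so refuse to guess when 0 or several match."""
    ids = [p["id"] for p in list_response.get("value", []) if p.get("displayName") == display_name]
    if len(ids) != 1:
        raise LookupError(f"{len(ids)} policies named {display_name!r}")
    return ids[0]


def role_template_id(templates_response: dict, role_name: str) -> str:
    """Resolve a built-in role name via GET /directoryRoleTemplates instead of
    copying the GUID out of the portal."""
    for t in templates_response.get("value", []):
        if t.get("displayName") == role_name:
            return t["id"]
    raise LookupError(f"no role template named {role_name!r}")


def build_patch_body(role_ids: list, controls: list,
                     state: str = "enabledForReportingButNotEnforced") -> dict:
    """Body for PATCH .../policies/{id}, shaped like the answer's request.  The
    default state is report-only; pass "enabled" to enforce.  A policy that
    requires "mfa" for every User Administrator can lock out the account making
    the change if it holds that role and has no MFA method registered."""
    return {
        "state": state,
        "conditions": {"users": {"includeRoles": role_ids}},
        "grantControls": {"operator": "OR", "builtInControls": controls},
    }


def graph_request(token: str, method: str, url: str, body: dict = None) -> dict:
    """Minimal Graph call (network; not exercised offline).  PATCH returns 204
    with an empty body, which is returned as {}."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def update_policy_by_name(token: str, policy_name: str, role_name: str,
                          controls: list, state: str) -> str:
    """The answer's procedure end to end; returns the id of the PATCHed policy."""
    policy_id = single_policy_id(graph_request(token, "GET", policy_lookup_url(policy_name)), policy_name)
    role_id = role_template_id(graph_request(token, "GET", GRAPH + "/directoryRoleTemplates"), role_name)
    graph_request(token, "PATCH", f"{POLICIES}/{policy_id}", build_patch_body([role_id], controls, state))
    return policy_id
```

A call such as update_policy_by_name(token, "Block access to Application Admins.", "User Administrator", ["mfa"], "enabledForReportingButNotEnforced") performs the two lookups and the PATCH; switch the state to "enabled" only after the report-only results look right.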

API Integration across multiple accounts within same organization

I have had my API Integration promoted to my Production environment for a few weeks now and all is well but I ran into a new issue that I need help understanding. The process is setting up impersonation. The hierarchy of the organization is relatively simple:
My Integration was built under Company A and so far 100% of Company A accounts are able to be impersonated as expected. The issue came up when Company B was added to the Organization and one of the existing accounts was included in the list to be impersonated. The following message is what I am getting back from my API call.
I have Organization Admin permissions as well as Admin permissions on all of the Company Accounts too and this message appears even for me. My feeling is this is a simple administrative function to grant the User in Company A the permissions to access either a User in Company B or all of Company B. I am just not seeing where this gets setup. I hope anyone can point me in the right direction on this one.
=== 07/06/2022 - Adding additional details ===
/oauth/userinfo response...
{
  "sub": "xxxxx-xx-xx-xx-xxxxx",
  "name": "Greg Miller",
  "given_name": "Greg",
  "family_name": "Miller",
  "created": "2017-11-10T18:26:23.583",
  "email": "greg.miller@companyA.com",
  "accounts": [
    {
      "account_id": "xxxxx-xx-xx-xx-xxxxx",
      "is_default": true,
      "account_name": "CompanyA",
      "base_uri": "https://###.docusign.net",
      "organization": {
        "organization_id": "xxxxx-xx-xx-xx-xxxxx",
        "links": [
          {
            "rel": "self",
            "href": "https://account.docusign.com/organizations/xxxxx-xx-xx-xx-xxxxx"
          }
        ]
      }
    },
    {
      "account_id": "zzzzz-zz-zz-zz-zzzzz",
      "is_default": false,
      "account_name": "CompanyB",
      "base_uri": "https://###.docusign.net",
      "organization": {
        "organization_id": "zzzzz-zz-zz-zz-zzzzz",
        "links": [
          {
            "rel": "self",
            "href": "https://account.docusign.com/organizations/zzzzz-zz-zz-zz-zzzzz"
          }
        ]
      }
    }
  ]
}
Additional Info Added 07/07/22
The base_uri designation for both Company A and Company B is the same: "https://na2.docusign.net"
This is the /oauth/userinfo data returned using the JWT created for the Company B user account I am trying to impersonate.
{
  "sub": "xxxxx-xx-xx-xx-xxxxx",
  "name": "Company B",
  "given_name": "CompanyB",
  "family_name": "XYZ TEAM",
  "created": "2021-03-31T18:20:05.23",
  "email": "xyzteam@companyb.com",
  "accounts": [
    {
      "account_id": "xxxxx-xx-xx-xx-xxxxx",
      "is_default": true,
      "account_name": "Compan B",
      "base_uri": "https://na2.docusign.net",
      "organization": {
        "organization_id": "xxxxx-xx-xx-xx-xxxxx",
        "links": [
          {
            "rel": "self",
            "href": "https://account.docusign.com/organizations/xxxxx-xx-xx-xx-xxxxx"
          }
        ]
      }
    }
  ]
}
The steps I take are basically the same as you outline:
Generate JWT Access Token
I am manually storing the required userinfo data userID(sub) and base_uri in a local db table.
I am using CURL to make my API calls " $base_uri.'/restapi/v2.1/accounts/'.$AccountID.'/views/console'"
You have two choices for accessing data in Company B (Account B):
Add the user in Company A (Account A) to also be a user in Account B. (Users can have memberships in more than one account.)
To access the data in Account B (Company B), impersonate a (different) user who is in account B. This is done via the eSign Admin app or via the Org Admin app.
By design, a user who is not in Account B cannot access any data in Account B. (This is the error message you're receiving.)
Note: you do not need to make any changes to your app's integration key (client ID)--all client IDs in production can be used with any user, with any account the user has access to.
To see which accounts the current user has access to, use the /oauth/userinfo API method.
Added
When you get the message User does not have a valid membership in this account check:
What account is the request using? (What is the URL of the request?)
Was the request sent to the right base url for the account?
What result does the current access token provide when calling the /oauth/userinfo API method?
Your test API calls should be:
Get an access token
Call /oauth/userinfo
Call the eSign API (e.g. list envelopes) for each of the accounts listed in /oauth/userinfo
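The three-step check from the answer above (token, /oauth/userinfo, then the eSign call) as code. This is an added example, not the poster's PHP or DocuSign's own code. It assumes a JWT-grant access token already obtained for the user being impersonated; the userinfo document below is constructed in the shape of the second /oauth/userinfo response in the question, for a user who is a member of Company B only. The point it demonstrates is that account membership and base_uri both come from userinfo for that token's user, so a request for an account the user does not belong to is rejected locally before it reaches the API.

```python
"""Resolve the DocuSign account and base_uri for an access token from
/oauth/userinfo before calling the eSign API.  Added example; the sample
userinfo is constructed."""
import json
import urllib.request

OAUTH_HOST = "https://account.docusign.com"   # production; demo uses account-d.docusign.com

ACCOUNT_A = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"   # constructed ids
ACCOUNT_B = "bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb"

# Constructed: userinfo for a user who is a member of Company B only.
SAMPLE_USERINFO_B = {
    "sub": "cccccccc-cccc-cccc-cccc-cccccccccccc",
    "name": "Company B",
    "email": "xyzteam@companyb.example",
    "accounts": [
        {"account_id": ACCOUNT_B, "is_default": True, "account_name": "CompanyB",
         "base_uri": "https://na2.docusign.net"},
    ],
}


def fetch_userinfo(access_token: str, oauth_host: str = OAUTH_HOST) -> dict:
    """GET /oauth/userinfo with the token (network call; not run offline)."""
    req = urllib.request.Request(oauth_host + "/oauth/userinfo",
                                 headers={"Authorization": "Bearer " + access_token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def accessible_account_ids(userinfo: dict) -> set:
    """Every account the token's user is a member of."""
    return {a["account_id"] for a in userinfo.get("accounts", [])}


def has_membership(userinfo: dict, account_id: str) -> bool:
    return account_id in accessible_account_ids(userinfo)


def account_for(userinfo: dict, account_id: str) -> dict:
    """Return the account entry, or fail the way the API would: a token for a
    user outside the account cannot be used for that account."""
    for acct in userinfo.get("accounts", []):
        if acct["account_id"] == account_id:
            return acct
    raise LookupError(f"token user has no membership in account {account_id}")


def default_account(userinfo: dict) -> dict:
    return next(a for a in userinfo["accounts"] if a.get("is_default"))


def envelopes_url(userinfo: dict, account_id: str, from_date: str) -> str:
    """Build the list-envelopes URL from the base_uri userinfo reports for this
    account; base_uri is per account, so it must not be hard-coded per user."""
    acct = account_for(userinfo, account_id)
    return f"{acct['base_uri']}/restapi/v2.1/accounts/{account_id}/envelopes?from_date={from_date}"


def list_envelopes(access_token: str, account_id: str, from_date: str) -> dict:
    """Token -> userinfo -> eSign call, the answer's test sequence (network)."""
    info = fetch_userinfo(access_token)
    req = urllib.request.Request(
        envelopes_url(info, account_id, from_date),
        headers={"Authorization": "Bearer " + access_token, "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)
```

For the impersonation case in the question, the token is the one minted for the Company B user, so only Company B's account id passes has_membership; the Company A integration user's token still cannot reach Company B data unless that user is also added to account B.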

Add or Delete an app's API permissions (requiredResourceAccess) via Microsoft Graph

In an application in my trial Azure AD tenant, I want to modify my API permissions via the Graph API. I am able to GET the application's requiredResourceAccess in the Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer#) via https://graph.microsoft.com/beta/applications/{app object ID}/requiredResourceAccess, but I am not able to modify or delete these values, or even GET specific resources. Here's my GET result:
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#applications('{app object id}')/requiredResourceAccess(resourceAccess)",
  "value": [
    {
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "{id}",
          "type": "Scope"
        },
        {
          "id": "{id}",
          "type": "Scope"
        }
      ]
    }
  ]
}
When trying to specify the resourceAppId above, I get an error about how segment 'requiredResourceAccess' refers to a segment, so this must be the last part of the request URI besides filters.
And when I try to delete, I get the error 'Specified HTTP method is not allowed for the request target.'
I can modify the API permissions via the Microsoft Azure Portal of course, but can you please let me know if there is a way to add or remove API permissions via the Microsoft Graph API?
You could use the Update application API; refer to my request sample below.
Sample:
Request URL:
PATCH https://graph.microsoft.com/beta/applications/{App Object ID}
Request body:
{
  "requiredResourceAccess": [
    {
      "resourceAppId": "00000002-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
          "type": "Scope"
        }
      ]
    },
    {
      "resourceAppId": "00000003-0000-0000-c000-000000000000",
      "resourceAccess": [
        {
          "id": "863451e7-0667-486c-a5d6-d135439485f0",
          "type": "Scope"
        }
      ]
    }
  ]
}
If you want to delete the API permissions, just specify the requiredResourceAccess as below.
{
  "requiredResourceAccess": []
}
Note: this API is in beta; I don't recommend using it in a production environment. Also, when we update the API permissions via this API, it just adds the permissions to the application; it does not grant consent for them.
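As the answer's delete example shows, PATCHing requiredResourceAccess replaces the whole array, so sending only the new entry silently drops every permission the app already requested. The safe procedure is GET, merge in memory, PATCH. The following is an added example of that merge, not the answerer's code; it uses the v1.0 applications endpoint, which carries the same property, and assumes a token that may update the application. The resource and permission GUIDs are the ones from the posts above, treated as opaque ids.

```python
"""Add or remove one API permission on an app registration without clobbering
the rest of requiredResourceAccess.  Added example; the sample array is
constructed from the answer's request body."""
import copy
import json
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
MS_GRAPH_RESOURCE = "00000003-0000-0000-c000-000000000000"   # Microsoft Graph (from the question)
AAD_GRAPH_RESOURCE = "00000002-0000-0000-c000-000000000000"  # legacy Azure AD Graph (from the answer)

# Constructed: requiredResourceAccess as GET /applications/{id} would return it.
SAMPLE_REQUIRED = [
    {"resourceAppId": MS_GRAPH_RESOURCE,
     "resourceAccess": [{"id": "863451e7-0667-486c-a5d6-d135439485f0", "type": "Scope"}]},
]


def add_permission(required: list, resource_app_id: str, permission_id: str, kind: str = "Scope") -> list:
    """Return a new array with the permission added.  kind is "Scope" (delegated)
    or "Role" (application).  Idempotent: an entry already present is not duplicated."""
    if kind not in ("Scope", "Role"):
        raise ValueError("type must be Scope or Role")
    result = copy.deepcopy(required)
    for res in result:
        if res["resourceAppId"] == resource_app_id:
            if not any(p["id"] == permission_id and p["type"] == kind for p in res["resourceAccess"]):
                res["resourceAccess"].append({"id": permission_id, "type": kind})
            return result
    result.append({"resourceAppId": resource_app_id,
                   "resourceAccess": [{"id": permission_id, "type": kind}]})
    return result


def remove_permission(required: list, resource_app_id: str, permission_id: str) -> list:
    """Return a new array without the permission; a resource left with no
    permissions is dropped entirely."""
    result = []
    for res in copy.deepcopy(required):
        if res["resourceAppId"] == resource_app_id:
            res["resourceAccess"] = [p for p in res["resourceAccess"] if p["id"] != permission_id]
            if not res["resourceAccess"]:
                continue
        result.append(res)
    return result


def permission_ids(required: list, resource_app_id: str) -> set:
    for res in required:
        if res["resourceAppId"] == resource_app_id:
            return {p["id"] for p in res["resourceAccess"]}
    return set()


def graph_request(token: str, method: str, url: str, body: dict = None) -> dict:
    """Minimal Graph call (network; not exercised offline)."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(url, data=data, method=method, headers={
        "Authorization": "Bearer " + token,
        "Content-Type": "application/json",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
        return json.loads(raw) if raw else {}


def add_permission_to_app(token: str, app_object_id: str, resource_app_id: str,
                          permission_id: str, kind: str = "Scope") -> list:
    """GET, merge, PATCH.  This only changes what the app *requests*: nothing is
    consented, so an added "Role" entry grants no access until an admin consents."""
    app = graph_request(token, "GET", f"{GRAPH}/applications/{app_object_id}?$select=requiredResourceAccess")
    merged = add_permission(app.get("requiredResourceAccess", []), resource_app_id, permission_id, kind)
    graph_request(token, "PATCH", f"{GRAPH}/applications/{app_object_id}",
                  {"requiredResourceAccess": merged})
    return merged
```

Because the merge functions return new arrays and never mutate their input, the list fetched from Graph can be kept for comparison or rollback after the PATCH.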

Programmatically obtaining Azure Active Directory tenant name from ID

How can I get an AAD tenant name (not necessarily mine), from a GUID? This would be via the REST API ideally, but the Azure CLI/Powershell works too.
I found an answer here, but it requires going to the Azure Portal.
There are also plenty of links here and elsewhere on obtaining the tenant ID from the name, but I'm going in the opposite direction.
You can get the tenant name (and some other details) for the signed-in user by calling the /organization endpoint in MS Graph API: https://learn.microsoft.com/en-us/graph/api/organization-get?view=graph-rest-1.0.
Request: GET https://graph.microsoft.com/v1.0/organization
Response:
HTTP/1.1 200 OK
Content-type: application/json
Content-length: 411
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#organization",
  "value": [
    {
      "assignedPlans": [
        {
          "assignedDateTime": "datetime-value",
          "capabilityStatus": "capabilityStatus-value",
          "service": "service-value",
          "servicePlanId": "servicePlanId-value"
        }
      ],
      "businessPhones": [
        "businessPhones-value"
      ],
      "city": "city-value",
      "country": "country-value",
      "countryLetterCode": "countryLetterCode-value",
      "displayName": "displayName-value"
    }
  ]
}
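Both this answer and the first one on the page resolve the organization with GET /organization, so one added example serves both. It is not code from either answer; it assumes a delegated Graph access token with at least User.Read, and the organization below is constructed (the real response also carries "id", the tenant GUID, which is what the "tid" claim of the caller's token contains). The security point it adds is that a multi-tenant SaaS app must key its tenant records on that GUID and treat displayName as a label, since a tenant admin can rename it and it is not unique; it also shows why parsing the organization out of the email, as the first question does, is unreliable for guest users.

```python
"""Read the signed-in user's organization from Microsoft Graph and bind it to
the token's tenant.  Added example; the sample response is constructed."""
import json
import urllib.request

GRAPH_ORG_URL = "https://graph.microsoft.com/v1.0/organization"

# Constructed sample in the shape of GET /organization (only the fields used here).
SAMPLE_ORG_RESPONSE = {
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#organization",
    "value": [
        {
            "id": "11111111-2222-3333-4444-555555555555",
            "displayName": "Contoso Ltd",
            "verifiedDomains": [
                {"name": "contoso.onmicrosoft.com", "isDefault": False, "isInitial": True},
                {"name": "contoso.com", "isDefault": True, "isInitial": False},
            ],
        }
    ],
}


def fetch_organization(access_token: str) -> dict:
    """GET /organization with a bearer token (network call; not run offline)."""
    req = urllib.request.Request(
        GRAPH_ORG_URL,
        headers={"Authorization": "Bearer " + access_token, "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def organization_matches_token(org_response: dict, token_tid: str) -> bool:
    """True only if Graph returned exactly one organization and its id equals
    the tid claim of the token used for the call."""
    orgs = org_response.get("value") or []
    return len(orgs) == 1 and orgs[0].get("id") == token_tid


def organization_name(org_response: dict, token_tid: str) -> str:
    """displayName for the caller's tenant, after binding the response to tid.
    Store the tenant by GUID; use this string for display only."""
    if not organization_matches_token(org_response, token_tid):
        raise ValueError("organization response does not match the token's tid")
    return org_response["value"][0]["displayName"]


def email_domain_is_verified(org_response: dict, email: str) -> bool:
    """Whether the email's domain is one of the tenant's verified domains.
    Guest (B2B) users carry an address from another tenant, so the email alone
    does not identify the organization the user signed in to."""
    domain = email.rpartition("@")[2].lower()
    org = org_response["value"][0]
    return any(d["name"].lower() == domain for d in org.get("verifiedDomains", []))


if __name__ == "__main__":
    tid = "11111111-2222-3333-4444-555555555555"
    print(organization_name(SAMPLE_ORG_RESPONSE, tid))
    print(email_domain_is_verified(SAMPLE_ORG_RESPONSE, "guest@fabrikam.com"))
```

In a real sign-in flow, tid comes from the validated ID token and the organization from fetch_organization(access_token); if the two disagree, the token and the Graph call were not for the same tenant and the result must not be trusted.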

How to get permissions for SharePoint files on Office 365

In Office365, we are uploading a file “File1” to OneDrive using the user “UserA”. We then are getting the permissions of that file using the graph api (https://graph.microsoft.com/me/drives/[DriveId]/items/[itemId]/permissions) and get back permissions as we would expect:
"permissions": [
  {
    "grantedTo": {
      "user": {
        "email": "UserA@wherever.com",
        "id": "ef7bd4af-3f36-4e81-9f76-296f4956b807",
        "displayName": "User A"
      }
    },
    "id": "aTowIy5mfG1lbWJlcnNoaXB8ZGRyYXBlckBmaXJlbGF5ZXJzLm9ubWljcm9zb2Z0LmNvbQ",
    "roles": [
      "owner"
    ]
  }
]
However, we are then uploading the same file (using the same user) to a newly created SharePoint site named “Site1” and getting the permissions for that file (again using the graph api). Unlike with the OneDrive file permissions, the permissions returned for this SharePoint file do NOT contain “UserA” but include only 3 site-specific groups (which seem to be created automatically when creating a new SharePoint site)
"permissions": [
  {
    "grantedTo": {
      "user": {
        "displayName": "Site1 Owners"
      }
    },
    "id": "QXRoYXlUZXN0IE93bmVycw",
    "roles": [
      "owner"
    ]
  },
  {
    "grantedTo": {
      "user": {
        "displayName": " Site1 Visitors"
      }
    },
    "id": "QXRoYXlUZXN0IFZpc2l0b3Jz",
    "roles": [
      "read"
    ]
  },
  {
    "grantedTo": {
      "user": {
        "displayName": " Site1 Members"
      }
    },
    "id": "QXRoYXlUZXN0IE1lbWJlcnM",
    "roles": [
      "write"
    ]
  }
]
When listing all groups for the SharePoint site, none of these 3 groups are listed. A group named "Site1" is listed, however, but doesn't contain any users added to any of these 3 groups.
How do we get additional information for these groups (i.e. the users who are a part of a given group) using the graph API / is that even possible?
I am not sure that it is possible via the Graph API but SharePoint does have a RESTful API that focuses on users and groups and that should be helpful. It does include extensive examples here:
https://msdn.microsoft.com/en-us/library/office/dn531432.aspx
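The practical consequence of the answer above is that a Graph permissions listing alone under-reports who can read a SharePoint file: the three entries are site groups, and Graph returns only their display names. The following added example (not the question's or the answer's code) picks those entries out of the Graph response, builds the SharePoint REST call that expands a site group (/_api/web/sitegroups/getbyname('...')/users), and flattens the result into per-principal roles. It assumes a token issued for the SharePoint site itself, since a Graph token is not accepted by /_api; the permissions JSON is constructed from the question's sample, wrapped in the "value" array Graph returns, plus one direct user entry added for contrast.

```python
"""Expand SharePoint site groups found in a Graph drive-item permissions
listing.  Added example; the sample permissions are constructed."""
import json
import urllib.parse
import urllib.request

# Constructed: the question's three site groups plus one direct user grant.
SAMPLE_PERMISSIONS = {
    "value": [
        {"grantedTo": {"user": {"displayName": "Site1 Owners"}},
         "id": "QXRoYXlUZXN0IE93bmVycw", "roles": ["owner"]},
        {"grantedTo": {"user": {"displayName": " Site1 Visitors"}},
         "id": "QXRoYXlUZXN0IFZpc2l0b3Jz", "roles": ["read"]},
        {"grantedTo": {"user": {"displayName": " Site1 Members"}},
         "id": "QXRoYXlUZXN0IE1lbWJlcnM", "roles": ["write"]},
        {"grantedTo": {"user": {"email": "usera@wherever.example",
                                "id": "ef7bd4af-3f36-4e81-9f76-296f4956b807",
                                "displayName": "User A"}},
         "id": "direct-grant-constructed", "roles": ["owner"]},
    ]
}


def unresolved_principals(permissions_response: dict) -> list:
    """Entries whose grantedTo.user carries only a displayName (no id, no email)
    are SharePoint site groups that Graph does not expand.  Returns
    (group name, roles).  The question's data has a leading space, hence strip()."""
    out = []
    for perm in permissions_response.get("value", []):
        user = (perm.get("grantedTo") or {}).get("user") or {}
        if user.get("displayName") and not user.get("id") and not user.get("email"):
            out.append((user["displayName"].strip(), list(perm.get("roles", []))))
    return out


def site_group_members_url(site_url: str, group_name: str) -> str:
    """SharePoint REST endpoint listing a site group's members.  Single quotes in
    the name are doubled (OData literal) and the segment is percent-encoded."""
    escaped = urllib.parse.quote(group_name.replace("'", "''"))
    return f"{site_url.rstrip('/')}/_api/web/sitegroups/getbyname('{escaped}')/users"


def fetch_site_group_members(site_url: str, group_name: str, token: str) -> list:
    """Network call to the SharePoint REST API (not run offline).  Each returned
    entry carries the member's Title, Email and LoginName."""
    req = urllib.request.Request(
        site_group_members_url(site_url, group_name),
        headers={"Authorization": "Bearer " + token,
                 "Accept": "application/json;odata=nometadata"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp).get("value", [])


def expand_permissions(permissions_response: dict, resolve_group) -> dict:
    """Flatten the listing to {principal: set(roles)}.  resolve_group maps a site
    group name to member identifiers; in production pass a closure around
    fetch_site_group_members, here a dict lookup stands in for it."""
    grants = {}
    for perm in permissions_response.get("value", []):
        user = (perm.get("grantedTo") or {}).get("user") or {}
        roles = set(perm.get("roles", []))
        if user.get("email") or user.get("id"):
            grants.setdefault(user.get("email") or user["id"], set()).update(roles)
        elif user.get("displayName"):
            for member in resolve_group(user["displayName"].strip()):
                grants.setdefault(member, set()).update(roles)
    return grants
```

Note that a site group can itself contain a security group or "Everyone except external users"; those members come back from /users as principals too, and an access review has to expand them separately.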