I would like to assign the rights for mid-level admins to revoke 365 sessions for users in Office 365 (perhaps after accounts become compromised). What are the minimum rights necessary to allow an admin to revoke sessions.
One way is to grant the user User administrator role.
Can manage all aspects of users and groups, including resetting
passwords for limited admins.
You can run Revoke-AzureADUserAllRefreshToken command in powershell or call Azure AD graph api directly by using Azure AD Graph Explorer.
The other one is to create an application and grant it 'Directory.ReadWrite.All' permission.
This will allows the app to read and write data in your organization's
directory, such as users, and groups, without a signed-in user. Does
not allow user or group deletion.
Both of them include other permissions, not only 'Revoke-AzureADUserAllRefreshToken' permission. It depends on you which one include the least permissions for you.
Related
We are trying to get list of users from a particular group in Azure Active Directory.
Steps tried:
Created new app registration
Created client secrets
Gave permissions for Graph API (application permissions) with admin consent.
Then we are getting all the users from all the groups.
Is there any way to restrict the app to only be able to return a specific group's users?
For application permissions, the effective permissions of your app are the full level of privileges implied by the permission. For example, an app that has the User.ReadWrite.All application permission can update the profile of every user in the organization, see here.
You could get the users in particular group with List members API, but the application still has the permissions for all groups.
GET https://graph.microsoft.com/v1.0/groups/{group-id}/members
So far, it's only supported to control mailbox access of an app with ApplicationAccessPolicy.
Are Azure's RBAC tools and capabilities appropriate for delineating and enforcing app-specific user permissions?
What I've been seeing is that Azure's RBAC capabilities seem to involve managing Azure resources: BLOB services, storage accounts, app services, etc.
But what I don't see are examples of Azure RBAC being used to manage app- (or domain-) specific permissions, like "Allow the user to approve purchasing this widget" or "Allow user to categorize these items as Foo, Bar, or Baz", or "Allow the user to view financial data only from these company divisions".
Am I fundamentally misunderstanding how Azure RBAC works, or what it's used to manage? Can anyone point out examples of Azure role definitions that include permissions like the ones above, or point to documentation of how I might set those up?
I believe you are looking for application specific permissions which can be achieved, by configuring API permissions in apps, registered in AD. Please correct me if my understanding is wrong.
So the difference between API Permissions and Role Assignments is as below:
API Permissions: 2 types.
Delegated permissions are appropriate for client apps that access a web API as the signed-in user, and whose access should be restricted to the permissions you select in the next step.
Delegated permissions are used when authentication is done under user's context and are returned in scope claim of the token.
Application permissions are for service or daemon-type applications that need to access a web API as themselves, without user interaction for sign-in or consent. Unless you've defined application roles for your web API, this option is disabled.
App permissions are used when authentication is done under application (service principal) context and are returned in roles claim. For example, if you have a web application, you can configure it to allow access to the user, if the scope claim contains read, otherwise deny access. Or grant write access to application only when roles claim contains write.
You should configure API Permissions when you would like to return the permissions in the Access token. When application consumes the token, it makes authorization decision on the basis of permissions present in the token.
Role Assignments:
RBAC is the authorization system you use to manage access to Azure resources. When using RBAC, an administrator grants permissions to roles, and not to individual users or groups. The administrator can then assign roles to different users and groups to control who has access to what content and functionality.
Role assignments are used to assign permission to users/service principals on Azure Resources. In this case authorization is done by Azure and not by the end application which happens in case of API permissions.
Please ref the below articles for detailed explanation with examples.
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added
Previously, I was able to reset a user's password by using the following steps:
Get an access token with an administrator's credentials and setting the scope to Directory.AccessAsUser.All from https://login.microsoftonline.com/{{tenant_id}}/oauth2/v2.0/token
Pass the new password in a passwordProfile object and hit the https://graph.microsoft.com/v1.0/users/{{oid}} using the access token retrieved from the first step.
But now, I cannot find Directory.AccessAsUser.All under Delegated API Permissions.
How can I change a user's password without it?
If your application or script needs to update users' passwords, you need to assign the User administrator role to your application. The User administrator role has a fixed set of permissions you grant to your application.
See Documentation
To add the User administrator role, follow these steps:
Sign in to the Azure portal and use the Directory + Subscription filter to switch to your Azure AD B2C tenant.
Search for and select Azure AD B2C.
Under Manage, select Roles and administrators.
Select the User administrator role.
Select Add assignments.
In the Select text box, enter the name or the ID of the application you registered earlier, for example, managementapp1. When it appears in the search results, select your application.
Select Add. It might take a few minutes to for the permissions to fully propagate.
When you create the application registration, choose the first option - accounts in this organisational directory. You won’t use this app for B2C user flows, only for your admin AAD account, hence you choose the first option.
Just search "Directory.AccessAsUser.All" for it.
Our use case is this: our application needs to access the Azure AD of customer organizations to:
Authenticate users
Sync users' profile data to our app when it changes on AD
Read and subscribe to booking changes in meeting rooms
Our app therefore needs the User.Read.All permission to read profiles of users, but also Calendar.Read.All but the latter must be scoped to a specific group (so as the protect the privacy of actual users). According to this article, a tenant administrator can restrict access of an application to a specific group, but I don't see any way to do this for a single permission, so it would restrict all permissions of an enterprise app to this group. Am I missing something or is this simply impossible and I would need to use multiple service accounts for this purpose?
Currently we can not restric the specific application permission to access a specific group. But we can scope application permissions to specific Exchange Online mailboxes.
Administrators can use ApplicationAccessPolicy cmdlets to control mailbox access of an app that has been granted any of the following application permissions:
Mail.Read
Mail.ReadBasic
Mail.ReadBasic.All
Mail.ReadWrite
Mail.Send
MailboxSettings.Read
MailboxSettings.ReadWrite
Calendars.Read
Calendars.ReadWrite
Contacts.Read
Contacts.ReadWrite
So if you have both User.Read.All and Calendar.Read, the ApplicationAccessPolicy will only work for Calendar.Read permission. The ApplicationAccessPolicy are specific to Exchange Online resources and do not apply to other Microsoft Graph workloads.
I am trying to use our multi tenant AD application to access the user's Onedrive for Business. But I keep getting an error when consenting regarding some permissions when the user belongs from a different Tenant. I am not sure which permissions i need to set so that any 365 users can.
I am using the graph API permissions and AD that read the directory. This is what the permissions look like.
Application permissions
Read files in all site collection
Read and write files in all site collections
Read and write devices
Read and Write directory data
-Read directory data
Delegated permissions
Have full access to all files user can access
Read all files that user can access
Have full access to user files
Read user files Access directory as the signed in user
Read and write directory data
Read directory data Sign in and read user profile
Read and write files that the user selects (preview)
Read files that the user selects (preview)
An administrator in the other tenant must consent for the app for the first time.
This is because you are using some scopes that require administrative consent. If you restrict yourself to only scopes that do not require admin consent, then regular users should normally be able to consent directly to your app.
One thing to note, an administrator in the other tenant can always disable end-user consent in which case they would always require admin consent for every app.