What are proper scopes for API requests - azure

I need to give permission for one application to access some data from another account. I do OAuth2 authentication, but in v2.0 we need to pass not resources, but scopes. For example, I want to start/stop VirtualMachines, or just list them; what would be the proper scope for this?
I have found just this reference, but I guess it is not valid for the new flow: https://learn.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftaad

If you are signing in as yourself (i.e. with a signed-in user), then the scope value you want to request is https://management.azure.com/user_impersonation. After signing in (and granting consent, if needed), access to Azure resources will be dependent on the permissions of the signed-in user.
If instead this is a secure server doing unattended access, then you simply use the "place-holder" scope parameter value https://management.azure.com/.default (as a way of indicating that you want an access token to https://management.azure.com).

Related

What is the best way to obtain a Microsoft Graph API token through an Azure B2C logged in user so to act upon the users context

From the documentation it seems that, using an application that is in the B2C tenant and thus hosts user accounts, there is no way to directly access the Microsoft Graph API via a logged-in user in their own context.
I want to establish the use case properly so that the solution is that which makes the most sense.
The use case is that if a user wants to edit claims for example such as permissions they would be able to do so while logged in through Azure B2C.
The flow would be: logged-in user -> can change certain claims information such as address, surname, and other custom policy fields (SEO contact permissions).
Is the proper way to do this to build a proxy that will take the application's AD application permissions, which are allowed to call out to Microsoft Graph, and pass along user context so that the scope will be limited to that user only?
For example:
1. User logs into the app.
2. The app has AD permissions that are granted admin consent.
3. Create a client secret to prove application identity upon request of a token.
4. Now it can access the Microsoft Graph API.
Ref of Registering an app with Microsoft Graph api
What's not clear here exactly is the next part. My user is logged in with Azure B2C. Should I just pass along their id token which has their claims to the application? How do I put in scope/context of the logged in user of the app permissioned access to Microsoft Graph?
This part is not clear in any documentation.
I don't want a logged in user to have access to everything.
Is a proxy the only way to do this?
If a proxy is the only way to do this what identifier or id is what should be used to pass along to the query to assure only that user is in context?
Am I thinking of this incorrectly and or is there a better way to do this other than a proxy?
The documentation says this.
Apps that have a signed-in user but also call Microsoft Graph with their own identity. For example, to use functionality that requires more elevated privileges than the user has.
That doesn't fit exactly into my use case above or address it really but I think it is related. The functionality should be considered to be an elevated permission but to the scope of the user. This user can change this claim via their own logged in entity. What do you call that and what is the best way to solution this?
Lastly, is there anything that should be known in the MSAL library including Angular and React that would be useful in this process? It seems like I will have to converge the 2 to obtain the access token of the app and of the person and proxy those out to a backend service (the proxy) to then do a body of work.
Am I thinking of this correctly?
This Stack is the closest to relevance but doesn't ask or solution the entire use case as I have here. But is useful for illustrating the confusion.
"Logged in user -> can change certain claims information such as address, surname, and other custom policy fields (SEO contact permissions.)"
Why can't you use the Profile Edit user flow? You can configure what attributes the user can change.

Restricting user scopes by using an on-behalf-of flow with Azure AD

I have a SPA React application which uses MSAL for logging users in and acquiring tokens for querying MS Graph. Currently, when the user is created he/she can have one of two different roles, namely:
1. Administrator
2. Viewer
As is, every user is allowed to get the same scopes from AAD - Regardless of whether they are one or the other role.
This presents a problem - Because any of the users potentially have the same permissions when calling MS Graph, i.e. they could acquire the token themselves and request graph with full scopes.
The viewer role should only be able to have the [User.Read] scope, while the administrator should be able to alter every aspect of Azure AD.
Additionally, the administrator should be able to perform actions in MS Graph that aren't supported by delegated permissions, i.e. creating new users.
The following makes me think that I may need to rethink the way that users are requesting resources from MS Graph, which led me to thinking that the on-behalf-of flow would be an interesting option.
As I imagine it, the flow would work as follows (from when a user logs in and requests to create a new user in my SPA):
1. User logs in with MSAL in my SPA
2. User gets the least privileged scope, i.e. [user.Read]
3. User creates a new user
4. SPA sends a request to my Web API with the user's token as bearer
5. Web API validates the user token with AAD
6. Web API validates that the user has a role of "Administrator"
7. Web API gets a token with ["User.ReadWrite.All", "Directory.ReadWrite.All"] scopes
8. Web API calls Graph with the fetched application scopes on behalf of the user
9. Web API returns the data to my SPA
Since I'm fairly new to this world - I'm wondering if my way of thinking makes sense. In particular, I'm curious if it's really possible to request elevated permissions ["User.ReadWrite.All", "Directory.ReadWrite.All"] on behalf of a user with only the [user.Read] scope from my Web API.
Additionally, I'm of course open to any suggestions for alternative ways to solve the above issue.
Scopes (delegated permissions) apply to an application, not a user.
Fundamentally, no matter what scopes the user gets in their token, they cannot do anything they were not already able to do.
Microsoft Graph API checks the scopes to check the application's permissions, and then checks the user's permissions to see if they are also able to do the operation.
Thus a user can never elevate their permissions through scopes.
If you have any of your own APIs, you should also handle authorization in a similar way.
If scopes are used, also check the user's permissions.
In case of application permissions (app roles with member type application), there isn't a user so your API would only check these permissions.
This is why you need to be extra careful with authorization if your back-end uses application permissions instead of on-behalf-of flow; since they don't include the user, it could allow them to elevate their privileges through your application.
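The two checks the answer describes, written out as an added example (not code from the original thread): for a delegated token the Web API checks both the token's scope and the user's own role, while for an app-only token there is no user, so only the application permission (the `roles` claim) counts. The tokens, the role store, and the scope and app-role names are constructed for the example; signature, issuer, audience and expiry validation are assumed to have happened already in the authentication middleware.

```python
import base64
import json

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Build a constructed, unsigned compact JWT for offline testing only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def claims_of(jwt: str) -> dict:
    """Return the payload claims. Assumes signature/issuer/audience/expiry
    were already validated by the middleware that accepted the token."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

# Hypothetical app-side role store, keyed by the user's object id (oid claim).
ROLES = {"1111-admin": "Administrator", "2222-viewer": "Viewer"}
API_SCOPE = "access_as_user"    # hypothetical delegated scope exposed by this Web API
API_APP_ROLE = "Users.Manage"   # hypothetical application permission (app role)

def may_create_user(jwt: str) -> bool:
    """Authorization decision for the 'create user' operation."""
    c = claims_of(jwt)
    if "scp" in c:
        # Delegated token: the scope says what the client app may do,
        # the user's own role says whether this particular user may do it.
        scopes = set(c["scp"].split())
        return API_SCOPE in scopes and ROLES.get(c.get("oid")) == "Administrator"
    # App-only token: no user behind it, so only the app role can be checked.
    return API_APP_ROLE in set(c.get("roles", []))

# Constructed sample tokens covering the cases discussed in the thread.
ADMIN_TOKEN = make_token({"oid": "1111-admin", "scp": "access_as_user"})
VIEWER_TOKEN = make_token({"oid": "2222-viewer", "scp": "access_as_user"})
DAEMON_TOKEN = make_token({"roles": ["Users.Manage"]})
NO_ROLE_DAEMON = make_token({"roles": []})
```

The viewer's token carries exactly the same scope as the administrator's, yet is refused, which is the point of the answer: scopes alone never elevate a user.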

Why is an Azure permission missing from the scopes of my JWT token?

I have a problem regarding the permission granted to my app by the user showing up as a scope in my JWT.
I want to allow the user to see a list of his tenants (Office 365) on my page. For this I need a token with the https://management.azure.com/user_impersonation scope. I added the permission to the Azure API Permissions. When the user first logs in he sees this:
From this screen I assume my setup works, since the user gets asked to grant my app permission for what I need (Access Azure Service Management as you). But when I paste the JWT on the JWT Debugger I don't see the scope user_impersonation among the scopes.
I get this:
I already tried to remove the app from the test-user's applications (in their Azure Portal) to get it to ask again for consent but it's still the same. Other test users have also the same result.
What I'd need is simply to see user_impersonation among the scopes. That would allow me to call the API endpoint that returns a list of my user's tenants.
You need to acquire the access token for the https://management.azure.com resource.
Or if using v2, request it for the https://management.azure.com/user_impersonation scope.
That looks like an MS Graph API token.
An access token is always only valid for one API, so you need to ask for a token for the Azure Management API.
It works now!
So, I tried to get scopes for both https://management.azure.com/ and https://graph.microsoft.com/ in one single token. As Juunas explained, you have to get a separate token for each API. But you can ask for consent for both at the same time, though.
My flow is this now:
1. I log the user in while asking him to consent to some permissions (for both APIs and on first login only)
2. I request a token in the background for the Graph API scopes
3. I request a second token for the Azure Management API scopes
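The rule from this exchange, one token per API, as an added example rather than code from the thread: v2.0 scope strings are grouped by the API they name so each group becomes its own token request, and a received token is checked against the API it is about to be sent to before use. The tokens are constructed and unsigned; real tokens may carry the API's application id in `aud` instead of its URI, so production code should accept both forms.

```python
import base64
import json
from urllib.parse import urlsplit

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_token(claims: dict) -> str:
    """Constructed, unsigned token for offline illustration only."""
    header = _b64url(b'{"alg":"none"}')
    return f"{header}.{_b64url(json.dumps(claims).encode())}."

def claims_of(jwt: str) -> dict:
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def token_requests(scopes: list) -> dict:
    """Group v2.0 scope URIs by resource. Every key needs a separate
    acquireToken call, because a token is valid for exactly one audience."""
    groups = {}
    for s in scopes:
        u = urlsplit(s)
        resource = f"{u.scheme}://{u.netloc}"
        groups.setdefault(resource, []).append(u.path.lstrip("/"))
    return groups

def usable_for(jwt: str, resource: str, needed: str) -> bool:
    """True only if the token was issued for `resource` and carries `needed`.
    A Graph token with many scopes is still useless for ARM."""
    c = claims_of(jwt)
    if c.get("aud", "").rstrip("/") != resource.rstrip("/"):
        return False
    return needed in c.get("scp", "").split()

# Constructed tokens: what the question's debugger showed (Graph) vs. the fix.
GRAPH_TOKEN = make_token({"aud": "https://graph.microsoft.com",
                          "scp": "User.Read Mail.Read"})
ARM_TOKEN = make_token({"aud": "https://management.azure.com/",
                        "scp": "user_impersonation"})
```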

How to get microsoft graph token without popup user login page?

I need to write a backend app to read & write one company mailbox.
I have registered an Active Directory Application and granted Delegated permissions (read and write to user mailbox).
The question is how to get the token needed to authenticate the Graph API calls (for example ListMessages).
From the documentation I couldn't find any working example of a backend app acquiring a token and making API calls.
There are two endpoint versions:
Azure AD and Azure AD v2.0 endpoints;
And two authentication methods:
1. Get access on behalf of a user
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_user
2. Get access without a user
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service
What should I use? Really confused.
Thanks all.
According to your description, I assume you want to get an access token without user login page.
Based on my test, we can get an access token for an app that runs as a background service or daemon.
It requires an administrator to grant the access permission once; then the user will not see the login popup window anymore.
For more detail, we can refer to this official document.
Sounds like you are looking for Resource Owner Password Credentials grant flow.
However, its usage is not recommended.
It does not work in these scenarios:
1. User has MFA
2. User password has expired
3. User is federated (MS account/Google/on-prem AD)
The only scenario that I can think of where this flow is okay is integration tests of APIs where you need to test scenarios where you call your API on behalf of a user.
Here is a better way to do what you want:
1. Require an application permission to access user emails and have the admin grant it. Now you can use the client credentials grant flow to get a token anytime you need one.
2. Use delegated permissions, and have the user sign in once with the Authorization Code grant flow. Then exchange the code for an access token and a refresh token. Store at least the refresh token somewhere secure. Use the refresh token whenever you need a new token.
The first approach is more reliable but requires broader permissions.
The second has tighter security (only users who have authorized access can have their email read), but has slightly less reliability.
Refresh tokens can be invalidated, in which case you'll need the user to login again.
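The second approach's maintenance step, as an added example that is not code from the thread: exchanging the stored refresh token at the v2.0 token endpoint, persisting the rotated refresh token, and treating an `invalid_grant` response as the "user must sign in again" case the answer warns about. The HTTP call is injected as a function so the example runs offline; the two fake endpoints, the tenant, client id and secret are constructed placeholders.

```python
from urllib.parse import urlencode

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"

class ReauthRequired(Exception):
    """The refresh token was revoked or expired; the user must sign in again."""

def refresh_access_token(store: dict, tenant: str, client_id: str,
                         client_secret: str, scope: str, post):
    """Exchange store['refresh_token'] for a new access token.
    `post(url, form_body)` is an injected HTTP function returning
    (status_code, json_body), so no network is needed here."""
    form = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "client_secret": client_secret,   # confidential backend app
        "scope": scope,
        "refresh_token": store["refresh_token"],
    }
    status, body = post(TOKEN_URL.format(tenant=tenant), urlencode(form))
    if status == 200 and "access_token" in body:
        # Azure AD may rotate the refresh token; always keep the newest one.
        store["refresh_token"] = body.get("refresh_token", store["refresh_token"])
        return body["access_token"]
    if body.get("error") == "invalid_grant":
        # Revoked, expired, or password changed: stop retrying a dead token.
        store.pop("refresh_token", None)
        raise ReauthRequired(body.get("error_description", "refresh token rejected"))
    raise RuntimeError(f"token endpoint returned {status}: {body.get('error')}")

# Constructed stand-ins for login.microsoftonline.com responses.
def fake_post_ok(url, form_body):
    return 200, {"access_token": "constructed-access-token",
                 "refresh_token": "rt-2", "expires_in": 3600}

def fake_post_revoked(url, form_body):
    return 400, {"error": "invalid_grant",
                 "error_description": "constructed: refresh token revoked"}
```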

Revoke consent using Azure v2.0

I am using Azure v2.0 for user authentication. The access token that I receive is used to fetch OneNote content using the Microsoft Graph API. And I do store the refresh token at my end to access content on behalf of the user at any time. Now, when a user opts out of my system, I want to revoke the permissions given by the user to my app.
How can I revoke the access without depending on the user for that? The user may not manually go and revoke the permissions. Is there any API provided for the same purpose?
Is there any API provided by Azure v2.0 for the same?
Sorry for the delayed response here. Unfortunately we don't have a specific revocation API. And while this is theoretically possible through existing APIs, where the oauth2Permission resource type holds the consent grant (see https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/oauth2permissiongrant_delete), your app will need to be granted a privileged permission to perform this action. Contrary to the linked topic, I don't believe that the Directory.ReadWrite.All application permission actually allows this operation.
Please create a UserVoice request to ask for this API.
Hope this helps,