Azure Developer User consent to app accessing company data - azure

I am working with an organization that has disabled user consent for azure apps.
"Users can consent to apps accessing company data on their behalf" is set to No in the Azure Portal.
I would like developers to be able to give consent to their own apps in Azure without setting the above setting to Yes. (The apps need the "Sign in and read user profile" delegated permission in Azure AD.)
1: Is it correct that the only other way is to assign the developers to one of the Azure AD roles that has one of these permissions: Application Developer, Application Administrator or Cloud Application Administrator?
2: I would also like to automate this process during an Azure DevOps release pipeline. Currently the release pipeline creates all needed Azure resources via ARM templates.
But how do I automate the App Registration without going to the Portal?
And how do I ensure that the release pipeline has the correct Azure AD permission to give consent?
Can I force the pipeline to run as an "Azure AD Service User" that I give the above role?
Update 1
It seems that it's possible to do Azure AD registration with PowerShell. http://blog.octavie.nl/index.php/2017/09/13/creating-azure-ad-app-registration-with-powershell-part-1
Since the Azure AD is using MFA, the script will display an interactive credential dialog when running. Not sure if we can suppress that.
Update 2
And give app consent with PowerShell. https://www.mavention.nl/blogs-cat/create-azure-ad-app-registration-with-powershell-part-2/?cn-reloaded=1
Update 3
So to automate the whole process, I was thinking if we could use an Azure DevOps Service Connection to execute these PowerShell scripts during the release pipeline?
Not sure what permission is needed for the Azure DevOps Service Connection?
It should also suppress the MFA credential dialog.

Is it correct that the only other way is to assign the developers to one of the Azure AD roles that has this permission: Application Developer, Application Administrator or Cloud Application Administrator?
It depends on the permissions the app is requesting, and who you would like the developers to be consenting for (themselves, or the entire organization):
Members of the Application Developer directory role can consent only to delegated permissions (not application permissions), and only on behalf of themselves (not on behalf of the entire tenant). Only other members of this role would be able to use the app (they would each consent on behalf of themselves), and only if the permissions requested are user-consentable delegated permissions. If your only requirement is for developers to be able to get delegated User.Read permission to Microsoft Graph, then this would work.
Members of the Application Administrator and Cloud Application Administrator directory roles can consent on behalf of all users for both delegated permissions and app-only permissions, except for app-only permissions to Azure AD or Microsoft Graph. These roles are both very privileged, and it is unlikely you would want the average developer to possess this, certainly not if the only permission needed is delegated User.Read.
But how do I automate the App Registration without going to the Portal?
With the Microsoft Graph API, you can register an app by creating an Application object. As of 2018-12-05, this is still in beta in Microsoft Graph.
If you require a production-ready endpoint, the Azure AD Graph API supports this, which is what's used by the various command-line and PowerShell options: New-AzureADApplication, az ad app create, and New-AzureRmADApplication.
To do this without a user involved, the client application (the one creating the app registration) requires the Application.ReadWrite.OwnedBy application permission, at minimum.
And how do I ensure that the release pipeline has the correct Azure AD permission to give consent?
This is where things get complicated. While it is possible to create the app registration (the Application object) as described above, there is currently no application permission that would allow an app to grant consent for another app. Though there is work underway to allow for "normal" application permissions to allow one app to grant other apps some permissions, currently only members of the directory roles authorized to consent to these permissions are able to perform this action.
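A pipeline-side check that follows from the answer above, as an added example that is not part of the original answer: it builds the Application object a pipeline would send to Microsoft Graph and audits its `requiredResourceAccess` so that only delegated permissions a developer can consent to for themselves get through. The v1.0 `applications` endpoint, the function names, the allowlist and the sample manifest are assumptions of this example; the Microsoft Graph appId and the User.Read scope id are the well-known values.

```python
# Added example. Well-known identifiers: Microsoft Graph's appId and the id of
# its delegated User.Read scope. Everything else below is constructed.
GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"
USER_READ_SCOPE = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
ALLOWED_DELEGATED = {(GRAPH_APP_ID, USER_READ_SCOPE)}


def new_application_body(display_name):
    """Application object for POST https://graph.microsoft.com/v1.0/applications
    (assumes the v1.0 endpoint), requesting only delegated User.Read."""
    return {
        "displayName": display_name,
        "signInAudience": "AzureADMyOrg",  # single tenant
        "requiredResourceAccess": [{
            "resourceAppId": GRAPH_APP_ID,
            "resourceAccess": [{"id": USER_READ_SCOPE, "type": "Scope"}],
        }],
    }


def audit_required_access(app_body, allowed=ALLOWED_DELEGATED):
    """Return one finding per requested permission a developer could not
    consent to for themselves. "Scope" = delegated, "Role" = application."""
    findings = []
    for resource in app_body.get("requiredResourceAccess", []):
        api = resource.get("resourceAppId", "").lower()
        for access in resource.get("resourceAccess", []):
            perm, kind = access.get("id", "").lower(), access.get("type")
            if kind == "Role":
                findings.append(f"{api}/{perm}: application permission, needs admin consent")
            elif kind != "Scope":
                findings.append(f"{api}/{perm}: unknown permission type {kind!r}")
            elif (api, perm) not in allowed:
                findings.append(f"{api}/{perm}: delegated permission not on the allowlist")
    return findings


# Constructed manifest that also requests an application permission (placeholder id).
OVERPRIVILEGED = new_application_body("constructed-sample-app")
OVERPRIVILEGED["requiredResourceAccess"][0]["resourceAccess"].append(
    {"id": "00000000-0000-0000-0000-0000000000aa", "type": "Role"})

if __name__ == "__main__":
    print(audit_required_access(new_application_body("constructed-sample-app")))
    print(audit_required_access(OVERPRIVILEGED))
```

Failing the release when the list of findings is not empty keeps a registration from asking for more than the consent model described above lets a developer approve.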

Related

Azure AD SSO login problem with admin account

I've registered a single application in Azure AD for the following reasons.
Azure AD SSO (From Any Azure AD directory)
Read users, groups, and their members
Provided following permissions and granted admin consent.
NOTE: We still depend on some of the Azure AD Graph API. So, we have added the legacy API permissions.
I am able to contact the Azure AD using REST API and get the user, groups and other information.
When I try to sign in to the application from any other directory, I'm getting the following consent screen. I am able to provide the consent and proceed to log in.
But, when I try to log in to the same directory, I'm not getting the consent screen even when I logged in with the Azure AD admin. Stuck in the following screen.
When I register separate applications for SSO and REST APIs, this issue doesn't occur.
I would like to know why I'm stuck in the above screen when combining both SSO and REST API permissions.
• Please check whether the correct Azure AD roles have been assigned to your account ID, i.e., Global Administrator, Cloud Application Administrator, Application Administrator, or owner of the app object through the as one of these is needed for you to access the application. Also, ensure that you have assigned your account ID the correct app role assignment for the admin consent to be allowed during the SSO signup process as below:
You can check the app role assignments for your account ID through the Enterprise application blade by searching for your application there, then opening it and selecting the users and groups blade. Check the app role assignment that your account ID has to that application while also giving ‘Azure Service Management’ API permissions for user_impersonation as below, thus ensuring that your account ID will have the correct API permissions.
Once the above settings are configured correctly, you should be able to access the application through your admin credentials.

Why is my Azure application asking for admin consent although I do not request admin scopes?

I am developing a web application that allows users from any Azure organization to give my application reading rights on their OneDrive using windows Graph-Api (scope: File.Read.All).
I registered a multi-tenant application in the Azure portal and I configured the application as explained in the documentation.
I need to allow a user from other Azure organizations to give consent for my application to read file content, but in my case I get a "Need admin approval" after sending the Authentication Code URL (tested with a user from another Azure organization).
AuthenticationCode: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=XXX&response_type=code&redirect_uri=YYY&scope=user.read files.read.all offline_access&state=ZZZ
What a user gets after authentication to his Office-365 account
I know that there are other applications that do not have this issue, for example the application app.diagrams.net needs only user consent and not admin consent even if it asks for read write scopes.
diagrams.net AuthenticationCode: https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=b5ff67d6-3155-4fca-965a-59a3655c4476&response_type=code&redirect_uri=https%3A%2F%2Fapp.diagrams.net%2Fmicrosoft&scope=user.read files.readwrite.all offline_access&state=cId%3Db5ff67d6-3155-4fca-965a-59a3655c4476
What a user gets with the diagrams application
This is not because of any particular scope. The answer to your question is discussed under "application provisioning" in Azure AD (AAD) terms. Put simply, an AAD application needs to be "provisioned" into an AAD tenant, and a tenant admin can choose whether users can initiate this by themselves or not. Here, it seems this is not allowed.
In more detail, when you create an AAD application, you create 2 objects: a representation of the application, and a "Service Principal" that handles access to that application. When you offer your AAD app to other tenants/organizations, they need their own service principal object to be able to access your application, and this happens through admin consent i.e. provisioning.
In general, there are 2 articles that you should take a look at:
How and why applications are added to Azure AD
How to: Sign in any Azure Active Directory user using the multi-tenant application pattern
And these code samples should clarify the process:
Developing a Multi-tenant (SaaS) application with the Microsoft Identity Platform
Protect a multi-tenant SaaS web application that calls Microsoft Graph using Azure AD & OpenID Connect
EDIT: Correction: tenant admins can choose or not whether users are allowed to initiate app provisioning. Credits: #jasonJohnston.

Azure AD App Registration via Powershell: How to ensure the proper permissions?

I need to register an application in Azure AD using PowerShell. I plan to use the New-AzADApplication cmdlet. The cmdlet documentation states the following:
Below are the permissions needed to create an application:
Azure Active Directory Graph: Application.ReadWrite.OwnedBy
Microsoft Graph: Directory.AccessAsUser.All, Directory.ReadWrite.All
I've learned that these permissions are scopes, which is a new concept to me and something I don't know how to deal with in Azure. I found this short demo, which shows these scopes can be managed as API permissions from the Azure App registration context. However, that demo shows the scopes being managed after the application has already been created. How can I establish the proper scopes before the application is created?
Or, more generally, how can I ensure that I have the appropriate permissions to execute the New-AzADApplication cmdlet?
The application that needs those permissions is Azure AD PowerShell in this case. If it didn't have a service principal in your AAD tenant yet, you would be asked for consent to those scopes on first login when using the Connect-AzureAD cmdlet.
In my experience, the service principal that it uses already exists in your tenant. So it already has the needed permissions. But what will also matter is your user permissions. Since it uses delegated permissions, it is acting on behalf of your user. In order for it to be able to create the app, it needs to have the necessary scope/delegated permission and your user must be able to create applications.
The cmdlets do also support acting as a service principal/app, in which case application permissions given to the app used to authenticate would apply, not delegated permissions. But that's another case that I don't think you are asking about.
Applications are able to note which permissions they require (both delegated and application) in the app registration portal. This allows use of the /.default scope and the Azure portal's "Grant admin consent" option.
You can follow this process:
1. Go to your application in the Azure portal – App registrations experience, or create an app if you haven't already.
2. Locate the API Permissions section, and within the API permissions click Add a permission.
3. Select Microsoft Graph from the list of available APIs and then add the permissions that your app requires.
4. Save the app registration.

Azure Resource Manager on behalf of Azure AD Multitenant App

General Overview of what I am trying to achieve
I am trying to build an Azure AD Multitenant Web application which allows me to manage resources in customer subscriptions/tenants using the Azure Resource Manager (ARM) APIs. I am pretty new to Azure AD Multitenancy.
The Ideal control flow
1. A customer browses the application (ideally an admin of the customer tenant)
2. Will be granted with Azure AD authorize flow
3. Accepts everything and grants admin consent for the AD App in their tenant
4. Unclear: The AD App will be granted Contributor access on a subscription or resource
5. My Web App will be able to use the AD App credentials to manage the customer resources using the ARM APIs
Problem
Steps 1-3, 5: Are clear and I know how to build that.
Step 4: I am not sure how to build that so that step happens automatically.
Solutions I have considered
The worst case would be the customer AD Admin must manually grant the AD App access to a subscription or resource using the Azure Portal.
One idea that came to my mind is that you require the user_impersonation permission on Azure Service Management API.
After the user logs in, you could list out the subscriptions available, allowing the user to select one.
Then list out the resource groups if needed.
Once the user confirms a selection, your app could add itself as a Contributor on the targeted resource through the Management API, on behalf of the currently signed-in user.
To do this, you will need the object id of the service principal for your app created in the target tenant.
You can get it by acquiring an app-only token for e.g. the Azure Management API from that tenant's token endpoint after the user has logged in.
The token will contain an oid claim, which is the object id for the service principal.
Of course the user who signs in would have to have the ability to modify access to the target resource.
I would say the downside of this approach is that the organization must trust your app to only do the thing it claims to do.
The approach where they grant the access manually allows them to be in control fully.
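The self-assignment step described in this answer, as an added example that is not part of the original answer: it reads the `oid` and `tid` claims from the app-only token, validates the user-selected subscription and resource group, and builds the ARM role assignment request that would be sent with the signed-in user's delegated token. The function names, the resource-group pattern (an approximation of Azure's naming rule), the API version and the sample token are assumptions of this example; the Contributor role GUID is the built-in one.

```python
import base64
import json
import re
import uuid

ARM = "https://management.azure.com"
CONTRIBUTOR_ROLE = "b24988ac-6180-42a0-ab88-20f7382dd24c"  # built-in Contributor
RG_NAME = re.compile(r"^[\w.()-]{1,90}$")  # approximation of the naming rule


def token_claims(jwt):
    """Read the payload of a compact JWT without verifying the signature.
    Acceptable only because the app obtained this token itself from the token
    endpoint over TLS and reads claims about itself, not about a caller."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def contributor_assignment(app_token, user_tenant_id, subscription_id, resource_group):
    """Return (method, url, body) that assigns Contributor on one resource group
    to this app's service principal in the customer's tenant."""
    claims = token_claims(app_token)
    if claims.get("tid", "").lower() != user_tenant_id.lower():
        raise ValueError("app-only token was issued by a different tenant")
    principal_id = str(uuid.UUID(claims["oid"]))        # service principal object id
    subscription_id = str(uuid.UUID(subscription_id))   # user-selected: must be a GUID
    if not RG_NAME.match(resource_group) or resource_group.endswith("."):
        raise ValueError("invalid resource group name")
    scope = f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
    url = (f"{ARM}{scope}/providers/Microsoft.Authorization/roleAssignments/"
           f"{uuid.uuid4()}?api-version=2022-04-01")
    body = {"properties": {
        "roleDefinitionId": f"/subscriptions/{subscription_id}/providers/"
                            f"Microsoft.Authorization/roleDefinitions/{CONTRIBUTOR_ROLE}",
        "principalId": principal_id,
        "principalType": "ServicePrincipal"}}
    return "PUT", url, body


def sample_token(claims):
    """Constructed, unsigned token so the example runs offline."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none'})}.{enc(claims)}.constructed"
```

Scoping the assignment to the selected resource group rather than the whole subscription limits what the customer has to trust the app with, which is the downside the answer points out.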

How Do I register an application from an external Azure AD tenant?

I have created a Web application in my local Azure AD which I can successfully use to authenticate members of my AD tenant with (using OAuth2 flow). Now I need to extend my supported scenarios to allow a global admin from an external Azure AD tenant to sign up their company to use this application as well.
Based on the Microsoft Docs this scenario, Multi-Tenant, is supported...
Authentication Scenarios for Azure AD
Multi-Tenant: If you are building an application that can be used by users outside your organization, it must be registered in your company’s directory, but also must be registered in each organization’s directory that will be using the application. To make your application available in their directory, you can include a sign-up process for your customers that enables them to consent to your application. When they sign up for your application, they will be presented with a dialog that shows the permissions the application requires, and then the option to consent. Depending on the required permissions, an administrator in the other organization may be required to give consent. When the user or administrator consents, the application is registered in their directory. For more information, see Integrating Applications with Azure Active Directory.
From my reading it appears that at some point a global admin for the foreign tenant should be presented with a URL which they can follow ( login.microsoftonline.com/common/??? ) which will somehow cause the external application to precipitate like a morning dew into their Azure AD. However, if this is the correct approach I would appreciate a tokenized example of how one correctly builds the login URL for a multi-tenant external Azure AD application which a group admin can follow to allow access in their AzureAD.
Ok, through trial and failure I have found the solution. The group admin for the remote tenant needs to be provided with the following URL which will allow them to register your Azure AD application as an Enterprise Application in their tenant.
https://login.microsoftonline.com/{remoteTenantUrl.com}/adminconsent?client_id={YourAppsClientID}&redirect_uri={YourAppsCallbackPage}
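The URL above, built and checked in code, as an added example that is not part of the original answer: it URL-encodes the parameters, adds a per-session `state` value, and validates the redirect the admin is sent back on before the sign-up is treated as complete. The function names, the tenant, client id and callback values are constructed; the `state`, `admin_consent`, `tenant` and `error` query parameters are those of the admin consent endpoint.

```python
import hmac
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlsplit

AUTHORITY = "https://login.microsoftonline.com"


def build_admin_consent_url(tenant, client_id, redirect_uri):
    """Return (url, state). Store state in the admin's session; the consent
    endpoint echoes it back on the redirect."""
    state = secrets.token_urlsafe(32)
    query = urlencode({"client_id": client_id,
                       "redirect_uri": redirect_uri,
                       "state": state})
    return f"{AUTHORITY}/{quote(tenant, safe='')}/adminconsent?{query}", state


def check_consent_callback(callback_url, expected_state, expected_tenant_id=None):
    """Validate the redirect back from the consent page and return the id of
    the tenant that consented. Raises if the callback cannot be trusted."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(callback_url).query).items()}
    got_state = params.get("state", "")
    if not hmac.compare_digest(got_state.encode(), expected_state.encode()):
        raise ValueError("state mismatch: callback does not belong to this session")
    if "error" in params:
        raise PermissionError(f"consent failed: {params['error']}")
    if params.get("admin_consent", "").lower() != "true":
        raise PermissionError("admin consent was not granted")
    tenant_id = params.get("tenant", "")
    if not tenant_id:
        raise ValueError("callback carries no tenant id")
    if expected_tenant_id and tenant_id.lower() != expected_tenant_id.lower():
        raise ValueError("consent came from a different tenant than expected")
    return tenant_id


if __name__ == "__main__":
    # Constructed values for illustration only.
    url, state = build_admin_consent_url(
        "contoso.onmicrosoft.com",
        "11111111-2222-3333-4444-555555555555",
        "https://app.example.com/consent/callback")
    print(url)
    callback = ("https://app.example.com/consent/callback?admin_consent=True"
                f"&tenant=aaaaaaaa-0000-0000-0000-000000000001&state={state}")
    print(check_consent_callback(callback, state))
```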
