I have azure AD with 3 groups
I execute api call for retrieve it
Login : https://login.microsoftonline.com/${tenantID}/oauth2/token
Get groups : https://graph.microsoft.com/v1.0/groups
Get users : https://graph.microsoft.com/v1.0/groups/${groupID}/members
Thats OK, i receive 3 groups and users inside
But for now i need only groups that assigned to applications
Like this
I cant find any methods in graph api for filter it .
If somebody know how to do it , help please
Resolve this problem in such way:
Get all groups as before
Get groups and users assigned to application graph.microsoft.com/beta/servicePrincipals/${applicationId}/appRoleAssignments
Response :
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#appRoleAssignments",
"value": [
{
"id": "tV-E7eUeFkmIemkoWcUgTkrT54btaddPtiLX96wVx0g",
"creationTimestamp": "2018-07-06T10:43:32.548348Z",
"principalDisplayName": "Pasha Kostohrys",
"principalId": "${userID}",
"principalType": "User",
"resourceDisplayName": "azure-group-sync",
"resourceId": "${applicationId}"
},
{
"id": "ZRCxfjNVlUqrjp9Y3wuLJz6beU58dtNOvr41VsKwADo",
"creationTimestamp": null,
"principalDisplayName": "ops",
"principalId": "${groupID}",
"principalType": "Group",
"resourceDisplayName": "azure-group-sync",
"resourceId": "${applicationId}"
}
] }
Just filter groups that are not in assignments list
Related
I created conditional access policy using this from my previous question reply here. It's working as expected.
POST https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies
Content-type: application/json
{
"displayName": "Block access to Application Admins.",
"state": "enabled",
"conditions": {
"clientAppTypes": [
"all"
],
"applications": {
"includeApplications": [
"appID"
]
},
"users": {
"includeRoles": [
"9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3"//ID of Application Admin role
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"block"
]
}
}
I want to change few properties like roles to User administrator and grantControls to allow access with mfa in this existing policy from Graph.
In Portal, we have edit option but is this possible from Graph? How to achieve that?
TIA
I tried to reproduce the same in my environment via Graph Explorer and got below results:
I have one existing conditional access policy with below properties:
To update this policy via Graph API, make use of below query based on your requirement:
PATCH https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies/<id>
Content-type: application/json
{
"displayName": "Require MFA to User Administrators.",
"state": "enabled",
"conditions": {
"users": {
"includeRoles": [
"fe930be7-5e62-47db-91af-98c3a49a38b1" //ID of User Administrator role
]
}
},
"grantControls": {
"operator": "OR",
"builtInControls": [
"mfa"
]
}
}
Response:
When I checked the same in Portal, properties updated successfully like below:
You can get the id of User Administrator role like below:
Go to Azure Portal -> Azure AD -> Roles and administrators -> All roles -> User Administrator
UPDATE:
You can get the id of policy using below query:
GET https://graph.microsoft.com/v1.0/identity/conditionalAccess/policies?$filter=displayName eq 'policyName' &$select=id,displayName
Response:
I'm a newbie with Azure DevOps API, and for a future migration case, I want to create new users on my Azure DevOps organization. The users is Azure Active Directory users.
So I tried to do it with that documentation : https://learn.microsoft.com/en-us/rest/api/azure/devops/graph/users/create?view=azure-devops-rest-6.0
The body of my API request look like this:
{
"principalName": "test_user#company.com"
}
It return a status 201 (created) with this informations (for security reason i've put '.' on some lines):
{
"subjectKind": "user",
"metaType": "member",
"directoryAlias": "test_user",
"domain": "....",
"principalName": "test_user#company.com",
"mailAddress": "test_user#company.com",
"origin": "aad",
"originId": "....",
"displayName": "test user",
"_links": {
"self": {
"href": "....."
},
"memberships": {
"href": "....."
},
"membershipState": {
"href": "...."
},
"storageKey": {
"href": "...."
},
"avatar": {
"href": "...."
}
},
"url": "....",
"descriptor": "....."
}
But when I look on the organization users, I don't see any users who was created.
Did I miss something ? When I list users thourgh API it don't appear either...
Thanks in advance for your help.
P.S: It work well in the graphic UI.
Ok, I've finaly solve my own problem...
The parameter groupDescriptors is mandatory in the HTTP request in order to activate the account.
The command should look like that:
https://vssps.dev.azure.com/{{COMPANY}}/_apis/graph/users?groupDescriptors=vssgp.{{GROUPDESCRIPTORS}}&api-version=6.0-preview.1
If you don't add the user to a group when you do the creation, he will not be able to connect.
Get the group descriptor:
https://vssps.dev.azure.com/{{COMPANY}}/_apis/graph/groups?api-version=5.1-preview.1
Hope this will help someone else in the internet.
When I use az login using service principal
e.g az login --service-principal -u “12121” -p “1212” --tenant “12121”
It will show the all the list of subscriptions which it has access like
[
{
"cloudName": "AzureCloud",
"homeTenantId": "123",
"id": "215645",
"isDefault": true,
"managedByTenants": [],
"name": "Sub1",
"state": "Enabled",
"tenantId": "123",
"user": {
"name": "123456",
"type": "servicePrincipal"
}
},
{
"cloudName": "AzureCloud",
"homeTenantId": "123",
"id": "rr",
"isDefault": false,
"managedByTenants": [
{
"tenantId": "123"
}
],
"name": "Sub2",
"state": "Enabled",
"tenantId": "123",
"user": {
"name": "123456",
"type": "servicePrincipal"
}
},
...
...
]
Among the list for some sub the SPN have direct reader access(RBAC) to the subscription. But for the other sub (lets say sub2) the access is not directly given to the subscription level, instead the access has been given to resource(s) level.
Question: How to get all the list of resources within sub2 that have access provided to the service principal ?in other words, I have to find(list) what kind of access the service principal assigned to any/all the resources within sub2.
I know azure cli doing this behind the scene to retrieve this information.That why it can show all the list of subscription after the successful login. But i don't know what that is
Is there any cli command or graph API to retrieve that information ?
P.S:I don't know the scope or resource where the SPN is assigned too
If you want to list the role assignments for a specific user, you can use the az role assignment list command.
az role assignment list --assignee {assignee}
Note: To view role assignments for the current subscription and below, add the --all parameter:
az role assignment list --assignee {assignee} --all
If you are already logged in with the service principal, you can omit the --assignee parameter
I want to build a SAAS Service for Azure marketplace using single-sign-on.
I have read this document Microsoft identity platform access tokens, but can not find anything relate to User's Organization.
Is there any way to get user's Organization name?
For now I only can parser from email.
You can call MS Graph API to get the user's organization details: https://learn.microsoft.com/en-us/graph/api/organization-get?view=graph-rest-1.0&tabs=http.
The endpoint is at https://graph.microsoft.com/v1.0/organization
Sample response:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#organization",
"value": [
{
"assignedPlans": [
{
"assignedDateTime": "datetime-value",
"capabilityStatus": "capabilityStatus-value",
"service": "service-value",
"servicePlanId": "servicePlanId-value"
}
],
"businessPhones": [
"businessPhones-value"
],
"city": "city-value",
"country": "country-value",
"countryLetterCode": "countryLetterCode-value",
"displayName": "displayName-value"
}
]
}
You can call this endpoint even with the basic User.Read permission.
In an application in my trial Azure AD tenant, I want to modify my API permissions via the Graph API. I am able to GET the application's requiredResourceAccess in the Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer#) via https://graph.microsoft.com/beta/applications/{app object ID}/requiredResourceAccess, but I am not able to modify or delete these values, or even GET specific resources. Here's my GET result:
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#applications('{app object id}')/requiredResourceAccess(resourceAccess)",
"value": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "{id}",
"type": "Scope"
},
{
"id": "{id}",
"type": "Scope"
}
]
}
]
}
When trying to specify the resourceAppId above, I get an error about how segment 'requiredResourceAccess' refers to a segment, so this must be the last part of the request URI besides filters.
And when I try to delete, I get the error 'Specified HTTP method is not allowed for the request target.'
I can modify the API permissions via the Microsoft Azure Portal of course, but can you please let me know if there is a way to add or remove API permissions via the Microsoft Graph API?
You could use this API Update application, refer to my request sample as below.
Sample:
Request URL:
PATCH https://graph.microsoft.com/beta/applications/{App Object ID}
Request body:
{
"requiredResourceAccess": [
{
"resourceAppId": "00000002-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "863451e7-0667-486c-a5d6-d135439485f0",
"type": "Scope"
}
]
}
]
}
If you want to delete the API permissions, just specify the requiredResourceAccess as below.
{
"requiredResourceAccess": []
}
Note: This API is a Beta version, I don't recommend you to use it in the production environment. Also, when we update the API permissions via this API, it just adds the permissions to this application, it will not consent the permissions for the application.