I am searching for feature like AAD User wise roles/policies for specific APIs in API Management Service.
AWS is offering rule based access control. For example, we can assign specific api (of API Gateway) access to specific IAM user using Role/Policies.
Does Azure is offering service like this ?
For example, i have added 20 api's (5 GET + 5 POST + 5 PUT + 5 DELETE) in Azure API management service.
Can i assign specific method (ex. GET) api access to specific user?
One option to achieve this (without code, just configuration) is to use Azure Active Directory (AAD) Application Roles.
First, you need to create an AAD application representing your Web API. Go to AAD > App Registrations and register there a Web App / Web API. Then edit its manifest to add a role, i.e.:
"appRoles": [
{
"allowedMemberTypes": [
"Application",
"User"
],
"displayName": "Allow HTTP GET",
"id": "9cc5ee71-3d7d-4060-8b7f-e734f3917e71",
"isEnabled": true,
"description": "Allow HTTP GET requests",
"value": "AllowGET"
}
],
You can add different roles for the different methods your API has.
Then go to AAD > Enterprise Applications, find the application you just created, and:
In Properties, select "User assignment required" > Yes
In Users and Groups, add the users you want to allow access to the role you created before ("Allow HTTP Get").
Now go to the API Management service > APIs > find your API / Method and edit Inbound processing. Under Code View, add a ValidateJWT policy to validate the AAD tokens (make sure to configure your AAD tenant name and to configure the audience GUID which is the application ID of your Web API (the one that you registered in AAD at the beginning):
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
<openid-config url="https://login.microsoftonline.com/TENANT.onmicrosoft.com/.well-known/openid-configuration" />
<audiences>
<audience>53a81160-e4c9-40ba-aeef-6bb99ad6b4b3</audience>
</audiences>
<required-claims>
<claim name="roles" match="all">
<value>AllowGET</value>
</claim>
</required-claims>
</validate-jwt>
Notice that under required-claims is the role claim (AllowGET) you configured before, in the application manifest.
Now you can test. If you want to test through the APIM Developer Console you should follow the instructions here Protect an API by using OAuth 2.0 with Azure Active Directory and API Management.
Or you can also test by just using a simple PowerShell script like the below. If you use this script, first you need to register another AAD application, this time representing the script (a "native client"). Go to AAD > App Registrations and register a Native Client. Under Settings > Permissions, add a delegated permission so this application can call the Web API:
PowerShell script: (review the code and make sure to replace the parameters and the URL of your API, and to add the path to the ADAL library "Microsoft.IdentityModel.Clients.ActiveDirectory.dll" which is used to simplify the token adquisition)
add-type -path "Microsoft.IdentityModel.Clients.ActiveDirectory.dll"
$clientId = "NATIVE APPLICATION AAD AAP ID"
$redirectUri = "http://NATIVE APPLICATION AAD REDIRECT URI"
$resourceAppIdURI = "WEB API APP ID"
$authority = "https://login.windows.net/TENANT.onmicrosoft.com"
$authContext = New-Object "Microsoft.IdentityModel.Clients.ActiveDirectory.AuthenticationContext" -ArgumentList $authority,$false
$promptBehavior=new-object Microsoft.IdentityModel.Clients.ActiveDirectory.PlatformParameters([Microsoft.IdentityModel.Clients.ActiveDirectory.PromptBehavior]::Always)
$userId = [Microsoft.IdentityModel.Clients.ActiveDirectory.UserIdentifier]::AnyUser
$authResult = $authContext.AcquireTokenAsync($resourceAppIdURI, $clientId, $redirectUri, $promptBehavior, $userId, $extraQueryParameters)
$authHeader = #{
'Accept'='application/json'
'Content-Type'='application/json'
'Authorization'=$authResult.result.CreateAuthorizationHeader()
'Ocp-Apim-Subscription-Key'='APIM SUBSCRIPTION KEY'
'Ocp-Apim-Trace'='true'
}
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-RestMethod -Uri "https://yourapimanager.azure-api.net/posts" -Headers $authHeader -Method Get -Verbose
Related
I have a App service deployed with MSI enabled (with system assigned identity). This App service will use MSI to retrieve access token to an AAD protected web API. The web API will retrieve the appid from the token and check the appid against a pre-configured white list, if the appid is not in white list, the access is denied.
So to allow the MSI enabled app service to access the Web API, I need to know the application id of MSI app service and add it to the white list.
I know I can run following powershell script in my app service debug console to retrieve the token and get the appid by decoding the token.
$apiVersion = "2017-09-01"
$resourceURI = "<resource uri of AAD protected Web API>"
$tokenAuthURI = $env:MSI_ENDPOINT + "?resource=$resourceURI&api-version=$apiVersion"
$tokenResponse = Invoke-RestMethod -Method Get -Headers #{"Secret"="$env:MSI_SECRET"} -Uri $tokenAuthURI
$accessToken = $tokenResponse.access_token
But I am wondering if there is easier way to get the appid of MSI app service without retrieving a token.
You could use (Get-AzADServicePrincipal -ObjectId xxxx).ApplicationId, the object ID is easy to find when you check it on the web app portal.
You also could search the application in the Enterprise applications by the application ID.
I'm trying to enable service to service auth using AAD tokens. My plan is to validate "groups" claim in the token to make sure the caller is a member of a security group that we created.
For example, we will create group1 for readers and group2 for writers. Then based on "groups" claim, I will figure out the right access level.
I use AAD app to issue the tokens (not a user), so I need that app to be a member of the security group. Azure AD powershell doesn't seem to accept application ids as group members. How to solve this? are there any other recommended patterns when the caller is another AAD app?
Command used:
https://learn.microsoft.com/en-us/powershell/module/azuread/Add-AzureADGroupMember?view=azureadps-2.0
Error:
Add-AzureADGroupMember : Error occurred while executing AddGroupMember
Code: Request_BadRequest
Message: An invalid operation was included in the following modified references: 'members'.
RequestId: 0441a156-3a34-484b-83d7-a7863d14654e
DateTimeStamp: Mon, 11 Dec 2017 21:50:41 GMT
HttpStatusCode: BadRequest
HttpStatusDescription: Bad Request
HttpResponseStatus: Completed
At line:1 char:1
+ Add-AzureADGroupMember -ObjectId "9c2cdf89-b8d6-4fb9-9116-7749adec85c ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Add-AzureADGroupMember], ApiException
+ FullyQualifiedErrorId : Microsoft.Open.AzureAD16.Client.ApiException,Microsoft.Open.AzureAD16.PowerShell.AddGroupMember
Unfortunately, you cannot add an application as a member of Azure AD group.
Though the official document for the Powershell cmdlet Add-AzureADGroupMember doesn't make clear you cannot use Application's ObjectId as the RefObjectId, absolutely you cannot use it.
You cannot add an application as a member of Azure AD group neither.
For example, we will create group1 for readers and group2 for writers.
Then based on "groups" claim, I will figure out the right access
level.
For your scenario, I'm afraid that you couldn't achieve this for now. I understand why you need this. According to your request, my thought is assigning your application from Enterprise Application to Groups or users and manger users with different access rights. However, you cannot choose more roles for the selected group. The only one role is default access If want to define more roles for the app, you can refer to this documentation.
I also tried to use Azure AD RBAC and create new conditional access for my test app,but all don't have read only this choice.
You can also put your idea in Azure Feedback Forum, azure team will see it. Also, I will upvote your idea.
Update:
Currently, you can add a service principal to an AAD Group:
Example:
$spn = Get-AzureADServicePrincipal -SearchString "yourSpName"
$group = Get-AzureADGroup -SearchString "yourGroupName"
Add-AzureADGroupMember -ObjectId $($group.ObjectId) -RefObjectId $($spn.ObjectId)
Updated 2:
Recently, I also see lots of users want to assign roles to a service principal to let the service principal have some permissions to access to the app with a role.
I want to make clear here. Role-based authorized should be used for users, NOT applications. And it's not designed for applications. If you want to give some different permissions you may consider to assign application permissions to your service principal instead.
You can expose your Web App/API with application permissions by editing the Manifest in app registrations.
You can go to Azure portal > Azure Active Directory > App registrations > Select your App > Manifest.
In appRoles, you can insert content like this:
{
"allowedMemberTypes": [
"Application"
],
"displayName": "Access to the settings data",
"id": "c20e145e-5459-4a6c-a074-b942bbd4cfe1",
"isEnabled": true,
"description": "Administrators can access to the settings data in their tenant",
"value": "Settingsdata.ReadWrite.All"
},
Then, you can go another app registration you want to give permission > Settings > require permissions > Add > Search the application name you want to access > Choose the application permission you created before.
Therefore, your sp can obtain a token with that application permissions in token claims.
Also, for authorization from the resource, you need to add code logic to give control policy for that token with Settingsdata.ReadWrite.All claim.
Update 3
Currently, you can add the service principal to one AAD Group directly in Azure portal:
Following Update 3 in the answer of #Wayne Yang, I've successfully implemented this using C# and the MS Graph SDK.
But I think the same should be possible using Powershell and simple REST API calls.
// create new application registration
var app = new Application
{
DisplayName = principal.DisplayName,
Description = principal.Description,
};
app = await _graphClient.Applications.Request().AddAsync(app);
// create new service Principal based on newly created application
var servicePrincipal = new ServicePrincipal
{
AppId = app.AppId
};
// add service principal
servicePrincipal = await _graphClient.ServicePrincipals.Request().AddAsync(servicePrincipal);
// add service principal to existing security group
await _graphClient.Groups[groupId].Members.References.Request().AddAsync(servicePrincipal);
It seems I'm on a journey to first programmatically create an Azure application and then use Azure Management APIs to do create some resource. There's a new snag I'd like to ask from the community, how to do basically the PowerShell command New-AzureRmRoleAssignment -RoleDefinitionName Owner -ServicePrincipalName $adApp.ApplicationId.Guid using HttpClient (or some smarter method with the exact needed permissions using Microsoft Graph API libraries).
Trying to be a better person this time (being more around, providing code), I prepared a repo in GH, but the issue basically boils down to what kind of a URI should be used (here). The code is
var roleAssignment = $"{{something here}}";
var roleAssignementContent = new StringContent(roleAssignment, Encoding.UTF8, "application/json");
var roleAssignmentResponse = await client.PostAsync($"https://graph.windows.net/{tenants.value[0].tenantId}/applications/{createdApplication.appId}?api-version=1.6", roleAssignementContent).ConfigureAwait(false);
var roleAssignement = await roleAssignmentResponse.Content.ReadAsStringAsync().ConfigureAwait(false);
I fiddled with Graph API Explorer too if things were easier using it (or the libraries) but with less luck. Indeed, the ultimate goal is to create application programmatically so that it becomes possible to use Azure Management Libraries to make a deployment. That is, all in code from the beginning to an end.
(Also, the code is of throwaway quality, to provide a more functioning example only.)
New-AzureRmRoleAssignment is used to assign the specified RBAC role to the specified service principal , you could achieve that by using the Resource Manager create role assignment API:
Get ObjectId of application service principal.
if you have got the objectId of application service principal before , you could skip this step .If not , you could use Azure ad graph api to request an application's service principal by application id :
GET https://graph.windows.net/<TenantID>/servicePrincipals?$filter=servicePrincipalNames/any(c:%20c%20eq%20'applicationID')&api-version=1.6
Authorization: Bearer eyJ0eXAiOiJK*****-kKorR-pg
Get Azure RBAC role identifier
To assign the appropriate RBAC role to your service principal, you must know the identifier of the Azure RBAC role(Owner in your scenario), you could call the Resource Manager role definition API to list all Azure RBAC roles and search then iterate over the result to find the desired role definition by name.:
GET https://management.azure.com/subscriptions/ed0caab7-c6d4-45e9-9289-c7e5997c9241/providers/Microsoft.Authorization/roleDefinitions?$filter=roleName%20eq%20'Owner'&api-version=2015-07-01
Authorization: Bearer
Assign the appropriate RBAC role to service principal:
PUT https://management.azure.com/subscriptions/ed0caab7-c6d4-45e9-9289-c7e5997c9241/providers/Microsoft.Authorization/roleAssignments/16fca587-013e-45f2-a03c-cfc9899a6ced?api-version=2015-07-01
Authorization: Bearer eyJ0eXAiOiJKV1QiL*****FlwO1mM7Cw6JWtfY2lGc5
Content-Type: application/json
{
"properties": {
"roleDefinitionId": "/subscriptions/XXXXXXXXXXXXXXX/providers/Microsoft.Authorization/roleDefinitions/XXXXXXXXXXXXXXXXX",
"principalId": "XXXXXXXXXXXXXXXXXXXXX"
}
}
roleDefinitionId is the id you get in step 2 ,principalId is the objectId you get in step 1 . ed0caab7-c6d4-45e9-9289-c7e5997c9241 is the subscription id ,16fca587-013e-45f2-a03c-cfc9899a6ced is a new guid created for the new role assignment .
Please refer to below document for more details :
Use Resource Manager authentication API to access subscriptions
I'm using the Azure AD Basic tier with an ASP.NET Core API, I've followed the RBAC sample. I've set up an application with roles in my manifest like so:
appRoles": [
{
"allowedMemberTypes": [ "User" ],
"displayName": "Read Device",
"id": "b2e6f6c2-c3d5-4721-ad49-0eea255ccf45",
"isEnabled": true,
"description": "Can read a device.",
"value": "read_device"
},
...
]
I've setup my API to use the UseJwtBearerAuthentication middleware like so:
application.UseJwtBearerAuthentication(
new JwtBearerOptions()
{
AuthenticationScheme = "Azure Active Directory",
Authority = options.Authority,
Audience = options.ClientId,
TokenValidationParameters = new TokenValidationParameters()
{
RoleClaimType = "roles",
ValidateIssuer = false
}
})
I've given my user the above 'Read Device' role:
I'm using Swagger UI to make the call to get the auth token. It calls the following URL:
https://login.microsoftonline.com/[Tenant].onmicrosoft.com/oauth2/authorize?
response_type=token
&redirect_uri=http%3A%2F%2Flocalhost%3A5100%2Fswagger%2Fo2c.html
&realm=-
&client_id=[Client ID]
&scope=http%3A%2F%2Fschemas.microsoft.com%2Fws%2F2008%2F06%2Fidentity%2Fclaims%2Frole
&state=oauth2
&resource=[Client ID]
I suspected that I am not passing the correct values to the scope parameter, so I have tried asking for every scope I can think of:
&scope=openid
%20email
%20profile
%20offline_access
%20user_impersonation
%20roles
%20http%3A%2F%2Fschemas.microsoft.com%2Fws%2F2008%2F06%2Fidentity%2Fclaims%2Frole
%20read_device
If I set "groupMembershipClaims": "All" in my manifest I can see group claims but I want roles instead. I'm able to login to call my API, however I never get any roles back in my JWT token, so I'm unable check the users role. What am I doing wrong?
It turns out I needed to request an id_token instead of a token. An id_token contains extra claims/scopes/resources about the user. I also needed to provide a nonce parameter containing a new random GUID on every request. Thus, I ended up with the following URL:
https://login.microsoftonline.com/[Tenant].onmicrosoft.com/oauth2/authorize?
response_type=id_token
&client_id=[Client ID]
&redirect_uri=http%3A%2F%2Flocalhost%3A5000%2F
&nonce=9ac5ad8d-df44-48e6-9bd6-e72743b3625c
If you are want to enable the role be assigned to users or groups(allowedMemberTypes=User) :
If you want to perform authorization using role claims , you could
follow the steps in this code sample , you could find the roles
claim is in the id_token .
If you want to make a client app to call your web api , when user
sign in ,app could check the access rules based on the role
claim,
you could use delegate flow(OAuth Authorization Code Grant,Implicit
Grant Flow..),roles claim is in the access_token ;
If you want to specify the role be assigned to client applications(allowedMemberTypes=Application), you could use OAuth Client Credential Flow ,appRoles of resource app/api that are assigned to the client app, and you will find the roles claim in the access_token ,check the detail steps from here.
Please click here for more details .
In my case I had mistakenly configured the App Registration to emit Security Groups as roles claims, thus overwriting the App Roles from the manifest. Removing the optional groups claim and logging back in correctly emitted the App Roles names in the roles claim of the id_token.
I'm trying to update appRoles for an Azure AD application using GraphApi but get an error stating Authorization_RequestDenied with Insufficient privileges to complete the operation error.
I'm using PostMan to call Rest endpoint https://graph.windows.net//applications/d66c96ea-56fd-41c8-884b-fc0664792f7d?api-version=1.6
This is Body for may PATCH request:
{
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"description": "Writer has the ability to create tasks",
"displayName": "Writer",
"id": "66ea9f02-31b0-40b2-94fb-67a408bc10e3",
"isEnabled": true,
"value": "Writer"
}
]
}
I have added all permissions to Microsoft Graph and Windows Azure Active Directory from my AAD application.
I have 2 applications in AAD. One is called "PostMan" for PostMan OAuth2.0 so that I can get a bearer token. Another on is called "TaskTrackerApp" on which I'm trying to set appRoles via GraphApi.
Thanks for your help!
You can try to upgrade the role of the AD application you use to a administrator permission. Run the following commands in PowerShell:
Connect-MsolService
$ClientIdWebApp = '{your_AD_application_client_id}'
$webApp = Get-MsolServicePrincipal –AppPrincipalId $ClientIdWebApp
#use Add-MsolRoleMember to add it to "Company Administrator" role).
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId
What RequiredResourceAccess list you have configured on application "PostMan" and also the one who is making changes is he/she the owner of this application "TaskTrackerApp" or a global admin in the directory?
I hit this too this week. In my case trying to update the reply URLs. I cut down my request to eventually just trying to update the name of the app. Same thing, Insufficient privileges.
Eventually tracked it down to the fact that an application cannot update another app IF it is not an owner of the app. e.g. Azure Portal->App Registrations->(Select App to Update)->Settings->Owners.
In my case, in the "real world" case, the app I was trying to use to update was supposed to be the owner (because it was the app that created the updating app)
So in the OPs case the "PostMan" app would need to be listed as an owner of the "TaskTrackerApp"