When I register an application of type Web App/API in Azure Active Directory (Azure AD), I can add Users and Groups and assign pre-defined application roles to the application in the tenant's Enterprise Applications. However, there is no provision to add Users and Groups for an application of type Native.
Is it possible to add Users and Groups to a native application, and set them with application specific roles via PowerShell or Azure CLI?
As you noticed Users and Groups is hidden in the Enterprise Applications blade in the case of native applications and I believe that the reason is that you don't usually configure role assignments in the native application but instead you do it in the WebApp/WebAPI (that the native application is consuming).
Anyway yes you can configure application roles for a native application. You can do it but editing the manifest and adding the appRole there (the value property will appear in the role claim). Example:
"appRoles": [
{
"allowedMemberTypes": [
"Application",
"User"
],
"displayName": "ReadOnly",
"id": "9cc5ee76-3d7d-4060-8b7f-e734f3917e71",
"isEnabled": true,
"description": "ReadOnly roles have limited query access",
"value": "ReadOnlyUser"
}
]
Then you can add an user to that role by using Powershell:
New-AzureADUserAppRoleAssignment -ObjectId <user's object ID> -PrincipalId <user's object ID> -ResourceId <native app service principal ID> -Id <role ID as it is in the manifest>
Then if you get a token for this application and for that user, you should see the role claim:
"roles": [
"ReadOnlyUser"
]
Related
I am using the following Az Cli command to create an Azure AD B2C application:
az ad app create --display-name 'mytestapplication'
What I'd then also like to do in the process is grant some permissions, as per the Azure AD Microsoft Graph API permissions list. Below are two such examples of the permissions I'd like to grant. I'm however struggling to find any Az Cli examples or references that can enable me achieve this. Any suggestions?
User.ReadWrite.All
Application.ReadWrite.All
In order to grant a specific permission for an app registration , you need to pass those permissions in manifest.json file with a particular scope.
You can use the below cmdlet to create a app registration & to assign the specific azure-ad-microsoft-graph-api-permissions for that app registration.
az login -tenant [myb2ctenant.onmicrosoft.com](http://myb2ctenant.onmicrosoft.com/) --allow-no-subscriptions (this cmd helped me to login to B2C without subscription)
az ad app create --display-name 'mytestapplication' --required-resource-accesses #manifest.json
manifest.json file:
{
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "204e0828-b5ca-4ad8-b9f3-f32a958e7cc4"(# for Application.ReadWrite.All),
"type": "Scope"
},
{
"id": "1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9(# for User.ReadWrite.All)",
"type": "Role"
}
]
}
]
}
Here is the output screenshot for reference:
For more information about app registration creation & Assigning permissions for a native app registration cmdlets you can refer this documentation.
I have created an App Registration that exposes an API and a scope.
I then create a frontend app/client with another App Registration and I can add my own API as delegated permission and ask Azure AD for a token to the API on behalf of me using normal OAuth flows.
Let's say a 3 client needs access to the API but not as a given user but as the application itself. In the UI of Azure AD, there are no "Application Permissions" for my own API when adding this 3rd API and try to give it access to an API. What is the equivalent of this and how do I set it up?
I have an older article that shows you how to do it through the manifest.
https://joonasw.net/view/defining-permissions-and-roles-in-aad
Currently there is no UI for defining app permissions, so you'll have to do it through the manifest or with PowerShell.
Essentially you need to define an appRole with an allowed member type of Application.
That is an app permission that can then be assigned to apps.
It will appear in the roles claim in the token.
{
"appRoles": [
{
"allowedMemberTypes": [
"Application"
],
"displayName": "Read all todo items",
"id": "f8d39977-e31e-460b-b92c-9bef51d14f98",
"isEnabled": true,
"description": "Allow the application to read all todo items as itself.",
"value": "Todo.Read.All"
}
]
}
I created admin console in the User interface where admin can perform all the operations such create, delete the user, assign applications to user and remove application access to users from the user interface
I tired to remove application access to the users from the User Interface by using Microsoft graph API and Azure AD graph api
i used following azure AD graph api
https://graph.windows.net/tenantid/users/{userId}/appRoleAssignments/{appId}?api-version=1.6
but it is showing the error when i tested in the postman "Invalid resource identifier for EntitlementGrant."
Idont know what to do can anyone help me about these error and how to resolve these problem.
You may be getting this error because you are trying to delete the application access using AppId of the application. Please make sure to use "AssignmentID" from Azure Portal which is unique ID of the specific role assignment and links the user/group and the service principal object.
Go to Azure Active Directory > Users > Select specific User > Applications > Select any application to navigate to "Assignment Details" blade.
See screenshot below -
This unique id is also available as "ObjectID" if querying application role assignments through Graph API -
https://graph.windows.net/{TenantID}/users/{UserID}/appRoleAssignments
Here is the sample output of the above API call.
"odata.metadata": "https://graph.windows.net/sasharms.onmicrosoft.com/$metadata#directoryObjects/Microsoft.DirectoryServices.AppRoleAssignment",
"value": [
{
"odata.type": "Microsoft.DirectoryServices.AppRoleAssignment",
"objectType": "AppRoleAssignment",
"objectId": "r7rDMrnDo0uCuwnosRwwzuziiF5B8s9FnsotYya5DMU",
"deletionTimestamp": null,
"creationTimestamp": "2018-05-10T14:10:49.8197813Z",
"id": "00000000-0000-0000-0000-000000000000",
"principalDisplayName": "SaurabhSharma",
"principalId": "32c3baaf-c3b9-4ba3-82bb-09e8b11c30ce",
"principalType": "User",
"resourceDisplayName": "WebAppOpenIdGraphApi",
"resourceId": "90658e39-2559-48fb-a27a-5e50cca94288"
}
This Id is ideally used for performing various operations against the application using any programmatic interfaces like PowerShell and Graph APIs.
I'm trying to update appRoles for an Azure AD application using GraphApi but get an error stating Authorization_RequestDenied with Insufficient privileges to complete the operation error.
I'm using PostMan to call Rest endpoint https://graph.windows.net//applications/d66c96ea-56fd-41c8-884b-fc0664792f7d?api-version=1.6
This is Body for may PATCH request:
{
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"description": "Writer has the ability to create tasks",
"displayName": "Writer",
"id": "66ea9f02-31b0-40b2-94fb-67a408bc10e3",
"isEnabled": true,
"value": "Writer"
}
]
}
I have added all permissions to Microsoft Graph and Windows Azure Active Directory from my AAD application.
I have 2 applications in AAD. One is called "PostMan" for PostMan OAuth2.0 so that I can get a bearer token. Another on is called "TaskTrackerApp" on which I'm trying to set appRoles via GraphApi.
Thanks for your help!
You can try to upgrade the role of the AD application you use to a administrator permission. Run the following commands in PowerShell:
Connect-MsolService
$ClientIdWebApp = '{your_AD_application_client_id}'
$webApp = Get-MsolServicePrincipal –AppPrincipalId $ClientIdWebApp
#use Add-MsolRoleMember to add it to "Company Administrator" role).
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId
What RequiredResourceAccess list you have configured on application "PostMan" and also the one who is making changes is he/she the owner of this application "TaskTrackerApp" or a global admin in the directory?
I hit this too this week. In my case trying to update the reply URLs. I cut down my request to eventually just trying to update the name of the app. Same thing, Insufficient privileges.
Eventually tracked it down to the fact that an application cannot update another app IF it is not an owner of the app. e.g. Azure Portal->App Registrations->(Select App to Update)->Settings->Owners.
In my case, in the "real world" case, the app I was trying to use to update was supposed to be the owner (because it was the app that created the updating app)
So in the OPs case the "PostMan" app would need to be listed as an owner of the "TaskTrackerApp"
When I add an appRoles section to my application manifest in Azure AD, I can assign users and groups to roles in the management portal.
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"description": "Can read data.",
"displayName": "Data Reader",
"id": "67fba7fa-e54e-4258-b95d-32b082eb771d",
"isEnabled": true,
"value": "reader"
},
{
"allowedMemberTypes": [
"User"
],
"description": "Can create and edit data.",
"displayName": "Data Writer",
"id": "e36736c5-e923-435e-8e44-6cae90792931",
"isEnabled": true,
"value": "writer"
}
],
However, the UI only allows me to assign a single role to a user or group.
I can't find how to assign multiple roles to a user or group. I can add the user to multiple groups and assign roles to members of that group, which will result in multiple role claims in the token for that user, but this seems awkward.
Am I missing something? Is there a way to assign multiple roles to a user or group?
You can assign multiple roles to the same user in the same app, but it is very limited. Basically add the same user again and select a different role:
The mechanism is very cumbersome and will not scale. If you have AAD Premium Lvl 2, you can associate application roles with groups and a when you assign a user to that group, they will gain the roles automatically. The automatic assignment only works for Premium Lvl 2 though.
This turns out to be a limitation of the Azure management portal. In this blog comment, the AAD PM explains it is possible to assign multiple roles to a user or group through the GraphAPI.
For more info, see section 'Assigning application roles' in this MSDN blog article.
Had the same problem and with the current version of the azure portal the workaround was
Create two groups (group_for_perm1, group_for_perm2)
Add the same user to both groups (myuser#domain.com)
Go into Azure AD->Enterprise applications
Change the "Application type" filter to "All applications"
Search for your app
Select "Users and Groups"
Hit "+ Add user/group" at the top, and assign group_for_perm1 permission1
Hit "+ Add user/group" at the top, Assign group_for_perm2 permission2
Note if the "+ Add user/group" button is greyed out, you either didn't add App Roles to the App registration, or aren't in the owner group for the "Enterprise application". It appears you can be the owner of the App Registration and not be the owner of the Enterprise Application.
The token should now have a roles section with your two permissions. Take the JWT to jwt.io and you should see something like
"rh": "I",
"roles": [
"permission1",
"permission2"
],