Since we have Azure AD's B2B feature in GA, I am curious how to make use of B2B in multi-tenant applications. More specifically, how to get a list of directories which the user is member of? For example, the Azure Portal does this by calling https://portal.azure.com/AzureHubs/api/tenants/List, Microsoft's My Apps calls https://account.activedirectory.windowsazure.com/responsive/multidirectoryinfo to get the information - is there a public endpoint for this?
The use case is to enable B2B cooperation across a multi-tenant application which is provisioned in each user's directory so they have their own instances, but there is no way to centrally pull the information about user's directories.
A simple workaround would be to query all tenants which have the application provisioned for the user's UPN and if found, display it in the list, but imagine if there were hundreds of tenants... I believe that this is quite crucial for app developers who want to leverage the B2B functions in multi-tenant applications.
Update: It seems like there is a way to do this by accessing the Azure Service Management API, however this API and method is undocumented and I suppose that if any issues would occur, Microsoft would say that it is not a supported scenario.
Update 2: I wrote an article about the whole setup, including a sample project of how to make use of this in a scenario, it can be found here https://hajekj.net/2017/07/24/creating-a-multi-tenant-application-which-supports-b2b-users/
There is a publicly documented Azure Management API that allows you to do this: https://learn.microsoft.com/en-us/rest/api/resources/tenants
GET https://management.azure.com/tenants?api-version=2016-06-01 HTTP/1.1
Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUz...
...
The response body looks something like this:
{
"value" : [{
"id" : "/tenants/d765d508-7139-4851-b9c5-74d6dbb1edf0",
"tenantId" : "d765d508-7139-4851-b9c5-74d6dbb1edf0"
}, {
"id" : "/tenants/845415f3-7a05-45c2-8376-ee67080661e2",
"tenantId" : "845415f3-7a05-45c2-8376-ee67080661e2"
}, {
"id" : "/tenants/97bcb93f-8dee-48ed-afa3-356ba40f3a61",
"tenantId" : "97bcb93f-8dee-48ed-afa3-356ba40f3a61"
}
]
}
The resource for which you need to acquire an access token is https://management.azure.com/ (with the trailing slash!).
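As an added illustration (not part of the original answer): a small client that first checks, client-side, that the token it holds was issued for the `https://management.azure.com/` resource, then walks every page of `GET /tenants` via `nextLink`. The HTTP call is injected so the logic runs offline; `unsigned_demo_token` builds a constructed, unsigned token for demonstration only, and the accepted-audience set is an assumption.

```python
import base64
import json
from typing import Callable, Dict, List, Optional

# Resource the token must be issued for (the answer stresses the trailing slash).
ARM_RESOURCE = "https://management.azure.com/"
TENANTS_URL = "https://management.azure.com/tenants?api-version=2016-06-01"
# Assumption: ARM accepts the audience with or without the trailing slash.
ACCEPTED_AUDIENCES = {ARM_RESOURCE, ARM_RESOURCE.rstrip("/")}


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature.

    This is only a client-side sanity check that the token we hold was
    issued for ARM; the service performs the real validation."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT (expected header.payload.signature)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def list_tenant_ids(access_token: str,
                    http_get: Callable[[str, Dict[str, str]], dict]) -> List[str]:
    """Return every tenantId the caller belongs to, following nextLink pages.

    http_get(url, headers) must return the parsed JSON body; it is injected
    so the logic runs offline (wrap requests.get(...).json() in production)."""
    aud = jwt_claims(access_token).get("aud")
    if aud not in ACCEPTED_AUDIENCES:
        raise ValueError(f"token audience {aud!r}; acquire it for {ARM_RESOURCE}")
    headers = {"Authorization": f"Bearer {access_token}"}
    tenant_ids: List[str] = []
    url: Optional[str] = TENANTS_URL
    while url:
        body = http_get(url, headers)
        tenant_ids.extend(entry["tenantId"] for entry in body.get("value", []))
        url = body.get("nextLink")  # absent on the last page
    return tenant_ids


def unsigned_demo_token(claims: dict) -> str:
    """Constructed, unsigned token for offline demonstration only."""
    def b64(raw: bytes) -> str:
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return b64(b'{"alg":"none"}') + "." + b64(json.dumps(claims).encode()) + ".sig"
```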
I have an Azure Static Web App and App Insights running using the standard set of telemetry code found here: https://github.com/Microsoft/ApplicationInsights-JS#snippet-setup-ignore-if-using-npm-setup
I am wondering how I can get the user details using my AAD-protected website? My website generates authentication information that an individual can access by tacking on /.auth/me to the end of the website URL, which looks like this, and I am wondering if this is possibly a way to do it.
{
"clientPrincipal": {
"identityProvider": "aad",
"userId": "xxxx",
"userDetails": "xxxx",
"userRoles": [
"authenticated",
"anonymous"
]
}
}
In related posts, this thread seems fairly related to my interests but I cannot make much of anything from the discussion: Azure - App Insights - how to track the logged-in Username in Auth Id?
I assume that you want user ID details using your AAD-protected website.
Here are the steps to know the user ID and details:
Go to Application Insights > View Application Insights data.
Go to users > Click on View more insights
Then scroll down and select as below
With Authentication user ID selected, click on User Timeline to check the details of the user.
For more information, please refer to this similar SO thread.
I need a starting point to solve the following problem:
Assume there is a model with different entities (e.g. school classes) and different roles that are connected to entities.
Now I want to check in my Azure Function if Bob has a role on this entity which entitles him to rate a student from the school class.
I think of a claim of the form:
TEACHER : [
"class 2b"
]
before.
Which Azure Resources do I need to map such a thing?
I already use Azure AD for the ID token and my API is implemented in an Azure Function.
I would like to call Azure AD to get an access token which contains those roles and resources of my domain.
I'm afraid that this form is not supported by Azure AD.
The supported form should be "{claim name}": "{claim value}".
If you accept this form, you can refer to my previous answer.
What you need to modify is:
When you create the extensionProperty, you should name the extensionProperty as "TEACHER".
Post https://graph.microsoft.com/v1.0/applications/{object id of the Azure AD application}/extensionProperties
{"name":"TEACHER","dataType":"string","targetObjects":["User"]}
And update the extension property for your account:
Patch https://graph.microsoft.com/v1.0/me
{"extension_6d8190fbf1fe4bc38a5a145520221989_TEACHER":"class 2b"}
Then you can get the custom claim as "TEACHER": "class 2b".
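An added example (not from the answer above) that works through the naming the answer relies on and the check the question asks for: it derives the `extension_<appId without hyphens>_<name>` claim name from the application (client) ID, builds the two Graph request bodies shown above, and implements the Azure Function's authorization decision on the validated token claims. Assumptions: the 32 hex characters in the answer's `extension_6d8190fb..._TEACHER` are the app's client ID with hyphens removed, and several classes are stored comma-separated in the single string value.

```python
import re
import uuid

# Assumption: the 32-hex-character block in the answer's
# "extension_6d8190fb..._TEACHER" is the application (client) ID with its
# hyphens removed, which is how Azure AD names directory extensions.


def extension_claim_name(app_client_id: str, prop_name: str) -> str:
    """Build 'extension_<appId without hyphens>_<name>' for a directory extension."""
    if not re.fullmatch(r"[A-Za-z0-9_]+", prop_name):
        raise ValueError("extension name must be alphanumeric/underscore")
    compact = uuid.UUID(app_client_id).hex  # validates the GUID and drops hyphens
    return f"extension_{compact}_{prop_name}"


def create_extension_body(prop_name: str) -> dict:
    """Body for POST /applications/{object id}/extensionProperties (from the answer)."""
    return {"name": prop_name, "dataType": "string", "targetObjects": ["User"]}


def set_user_extension_body(app_client_id: str, prop_name: str, value: str) -> dict:
    """Body for PATCH /me (or /users/{id}) that stores the value on the user."""
    return {extension_claim_name(app_client_id, prop_name): value}


def can_rate_class(claims: dict, school_class: str) -> bool:
    """Authorization check for the Azure Function: does the (already validated)
    token carry a TEACHER claim naming this class?

    A directory extension is a single string, so this assumes several classes
    are stored comma-separated ("class 2b,class 3a"); "class 2b" alone works too."""
    value = claims.get("TEACHER")
    if not isinstance(value, str):
        return False  # no claim, or not the expected shape: deny by default
    held = {c.strip() for c in value.split(",") if c.strip()}
    return school_class in held
```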
Could someone provide the REST API URL for finding the tfid for an Azure DevOps AD group?
I am trying to restrict branch permissions for certain AD groups,
"https://dev.azure.com/{organization}/{}/_api/_security/DisplayPermissions?__v=5&tfid={}&permissionSetId={}&permissionSetToken=repoV2%2F{}%2F{}%2Frefs%5Eheads%5E{}%2F".format(projectID, contributorTfid, nameToken, projectID, repoID, permbranchList[k])
only the contributor tfid here is unknown to me.
Using this REST API endpoint, I have to obtain the permissionToken;
later, using the permissionToken with the following JSON
branchPermissionbody = {
"token": "{}".format(permissionToken),
"merge": True,
"accessControlEntries": [
{
"descriptor": "Microsoft.TeamFoundation.Identity;{}".format(descriptorIdentifier),
"deny": 4,
"extendedinfo": {}
}
]
}
I am making a POST request to apply the restriction on the branches.
There are two ways to get the TeamFoundationId.
You can use the REST API below to get the groups in your organization.
https://vssps.dev.azure.com/{orgname}/_apis/graph/groups?api-version=5.1-preview.1
Then use Ctrl + F to search for the groups in the relevant project. The originId is the TeamFoundationId. For more details about this REST API, you can refer to https://learn.microsoft.com/zh-cn/rest/api/azure/devops/graph/groups?view=azure-devops-rest-5.1.
You can also use F12 to manually capture the TeamFoundationId. Go to Project settings -> Repositories, then press F12 to open the Network console. Clear the sessions, then change the group permission. You can get the TeamFoundationId in the Request body or Response body.
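Added example (not from the answer): doing the "Ctrl + F" step in code. It lists the organization's groups through the Graph endpoint named above, pages with the continuation token, and returns the `originId` of the group whose `principalName` is `[Project]\Group`. The HTTP call is injected so the search runs offline; the assumption is that additional pages are signalled by an `X-MS-ContinuationToken` response header that is passed back as the `continuationToken` query parameter, and that the caller's `http_get` adds the PAT or Bearer authorization.

```python
from typing import Callable, Dict, Optional, Tuple

GROUPS_URL = "https://vssps.dev.azure.com/{org}/_apis/graph/groups?api-version=5.1-preview.1"

# Assumption about paging: when more groups exist the Graph API returns an
# X-MS-ContinuationToken response header, which is sent back as the
# continuationToken query parameter on the next request.
CONTINUATION_HEADER = "x-ms-continuationtoken"

HttpGet = Callable[[str, Dict[str, str]], Tuple[dict, Dict[str, str]]]


def find_group_origin_id(org: str, project: str, group_name: str,
                         http_get: HttpGet) -> Optional[str]:
    """Return the originId (TeamFoundationId) of "[project]\\group_name", or None.

    http_get(url, headers) -> (json_body, response_headers); injected so the
    search runs offline. In production wrap requests.get(...) and add the
    Authorization header (PAT via Basic auth, or a Bearer token) there."""
    wanted = f"[{project}]\\{group_name}".lower()
    base = GROUPS_URL.format(org=org)
    url = base
    while True:
        body, resp_headers = http_get(url, {"Accept": "application/json"})
        for group in body.get("value", []):
            if group.get("principalName", "").lower() == wanted:
                return group["originId"]
        # Header names are case-insensitive; normalise before looking one up.
        lowered = {k.lower(): v for k, v in resp_headers.items()}
        token = lowered.get(CONTINUATION_HEADER)
        if not token:
            return None  # last page reached without a match
        url = f"{base}&continuationToken={token}"
```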
How can I update the SignInName of an existing user in Azure AD using Microsoft Graph or Azure AD Graph Client?
Thanks!
Looks like it won't be possible to update SignInName through either Microsoft Graph API or Azure Graph API. It may be worth a try using PowerShell if that fits your use case (again this may or may not work). Details about each one below.
Update User SignInName using Microsoft Graph API
This isn't possible because SignInNames collection isn't even
available as part of the user entity in Microsoft Graph yet.
Here is a GitHub issue thread on this topic, look towards the end.
Add signInNames property to User. #91
Update User SignInName using Azure AD Graph API
You would be able to set the User SignInNames collection only at the time of creation of the user. See the documentation, which mentions only POST and GET (no PATCH):
https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/entity-and-complex-type-reference#user-entity
Update User SignInName using PowerShell
This may work out, but I'm not sure about it. Then again, you asked specifically for Microsoft Graph or Azure AD Graph API so your scenario may not be suited for PowerShell.
Set-AzureADUser
You can PATCH the signInNames using the Azure AD Graph API (graph.windows.net) as an update.
PATCH https://graph.windows.net/{tenantId}/users/{userId}?api-version=1.6
Content-Type: application/json
BODY:
{
"givenName": "James Wood",
"signInNames": [
{
"type": "userName",
"value": "jamesWoodUserName"
}
]
}
Or just use the Graph Beta SDK.
https://github.com/microsoftgraph/msgraph-beta-sdk-dotnet
> Install-Package Microsoft.Graph.Beta
var users = await graphClient.Users.Request().GetAsync().ConfigureAwait(false);
The email is then under "Identities"
We are trying to set up an authentication/authorization-process with the following requirements:
Authentication: Done by Azure AD.
Authorization: Only members of a specific security groups should be allowed to access the app.
While the authentication part seems to work without problems, we are stuck at the authorization part. We are using Express and Passport.
Azure AD adds some tokens to req.headers, e.g.
x-ms-token-aad-access-token
x-ms-token-aad-refresh-token
x-ms-token-aad-id-token
We are currently using the id-token together with the passport-azure-ad BearerStrategy to check the security groups of the user against the allowed security groups.
The problem is: As soon as the id-token expires, the application won't let us access the app. Assuming setting {session: true} in passport could solve this issue, we enabled the session, but no luck.
Doing some more research I found this post: How to refresh an ID Token from Azure AD in a Web App?, which states that only access-tokens can be refreshed, but ID tokens cannot and should not.
Examining the x-ms-token-aad-access-token and the x-ms-token-aad-refresh-token, we found that they don't have the JWT structure, e.g.
They don't contain any dots and thus don't pass the JWT-verification.
Resulting in the following question:
What is the correct way to check security groups of a user against specified allowed security groups?
You can do it through passport in one call, you do not need to do extra calls to other API layers, as seems to be suggested in multiple posts online. Using the v2 endpoint and defining a scope you can choose what you have access to and what you receive back in the token. Some options, including security groups, do require you to modify the manifest, see below.
In your Azure Active Directory go to the App registration you are using to authenticate users. In the manifest for that app registration change the groupMembershipClaims from null to "SecurityGroup" or "All" if you want to include Office groups etc.
{
"id": "some-id",
"accessTokenAcceptedVersion": null,
"allowPublicClient": false,
"appId": "some-id",
"appRoles": [],
"oauth2AllowUrlPathMatching": false,
"createdDateTime": "2018-11-15T17:49:23Z",
"groupMembershipClaims": "SecurityGroup",
"identifierUris": [ ...............
It then populates the Groups field with an array of the groups using their Object ID.
So you can get the array at req.user._json.groups
if (req.user._json.groups.indexOf('some-group-Object-ID') > -1) {
//In Group
} else {
//Not in Group
}
Apart from checking group claims in the ID token, you could also call the Microsoft Graph API to get the groups that the user is a direct member of:
POST https://graph.microsoft.com/beta/me/getMemberGroups
Content-type: application/json
Content-length: 33
{
"securityEnabledOnly": true
}
Or using the Azure AD Graph API:
POST https://graph.windows.net/myorganization/{resource_collection}/{resource_id}/getMemberGroups?api-version
Content-Type: application/json
{
"securityEnabledOnly": false
}
For how an App Service Web, Mobile, or API app can be configured to call the Azure Active Directory Graph API on behalf of the logged-in user, you could refer to the document below, which shows detailed steps:
https://cgillum.tech/2016/03/25/app-service-auth-aad-graph-api/
After authentication, the access token can be fetched directly from a built-in request header (x-ms-token-aad-access-token) and you could make an HTTP request to call the Graph API to get the group information.
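An added example that ties the two answers above together (it is not code from either answer): the authorization decision as a pure function over the already-validated token claims. It uses the `groups` claim when present (first answer), and when Azure AD has omitted the list because the user is in too many groups (the token then carries `hasgroups`, or `_claim_names`/`_claim_sources` instead), it falls back to the `getMemberGroups` call from the second answer. The Graph call is injected as a callable so the logic runs offline; the group object IDs are placeholders.

```python
from typing import Callable, Iterable, Optional, Set

# Placeholder object IDs; replace with the real group object IDs you allow.
ALLOWED_GROUPS = {"00000000-0000-0000-0000-0000000000a1"}

# Body for the fallback POST https://graph.microsoft.com/beta/me/getMemberGroups
GET_MEMBER_GROUPS_BODY = {"securityEnabledOnly": True}


def groups_from_claims(claims: dict) -> Optional[Set[str]]:
    """Group object IDs embedded in an already-validated token.

    Returns None when the token signals a "groups overage": Azure AD omits the
    list for users in many groups and instead sets hasgroups (implicit-flow /
    ID tokens) or _claim_names/_claim_sources. In that case the list has to
    be fetched from Graph, as the second answer describes."""
    if isinstance(claims.get("groups"), list):
        return set(claims["groups"])
    if claims.get("hasgroups") or "groups" in (claims.get("_claim_names") or {}):
        return None
    return set()  # no groups claim at all: groupMembershipClaims probably unset


def is_member_of_allowed_group(claims: dict, allowed: Set[str],
                               fetch_member_groups: Callable[[], Iterable[str]]) -> bool:
    """Authorize only if the user holds at least one allowed group.

    fetch_member_groups() performs the Graph call (POST /me/getMemberGroups
    with GET_MEMBER_GROUPS_BODY, authenticated with x-ms-token-aad-access-token);
    it is injected so the decision logic can be tested offline. Deny by default."""
    groups = groups_from_claims(claims)
    if groups is None:
        groups = set(fetch_member_groups())
    return not allowed.isdisjoint(groups)
```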