I am using nodejs passport-azure-ad for AD authentication with OIDCStrategy. Everything is working fine but I am not able to fetch the correct groups. Although I updated responseType: 'code id_token' and am getting group IDs as well, the groups are different from what the Azure portal is showing.
I am not sure about your scenario. If you want to get group claims, set the groupMembershipClaims property in the manifest. Your choices for setting the groupMembershipClaims property are null (the default), All or SecurityGroup. If you choose SecurityGroup you will get group claims in the JWT token for just the security groups the user is a member of. If you choose All you will get group claims in the JWT token for the security groups and distribution lists the user is a member of. If you want to get just the security groups the user is a member of, you should set the value to SecurityGroup; then you will find the group object IDs provided in the claims. You could check that value against the Object ID value in the group's properties in the Azure portal.
If your question is about getting the group name with the group object ID in the token claims, please provide more details about that, for example which API you are using.
If I misunderstand your scenario, please feel free to let me know.
Upon successful login with Azure AD (via MSAL 2), I get the following object:
environment: "login.windows.net"
homeAccountId: "ID_1.ID_2"
idTokenClaims: Object
  aio: "xxx"
  aud: "xxx"
  exp: 1661778482
  iat: 1661774582
  idp: "https://sts.windows.net/ID_2"
  iss: "https://login.microsoftonline.com/TENANT_ID"
  name: "xxx"
  nbf: 1661774582
  nonce: "xxx"
  oid: "ID_3"
  preferred_username: "xxx"
  rh: "xxx"
  sub: "xxx"
  tid: "xxx"
  uti: "xxx"
  ver: "xxx"
localAccountId: "ID_3"
name: "xxx"
nativeAccountId: undefined
tenantId: "TENANT_ID"
It seems that according to the documentation, if I understand correctly, you need to take idTokenClaims.oid, which is equal to localAccountId.
But I thought that if you want a real permanent UserId to store in the database, then you should look at the properties of the user through the Azure portal and take its Object ID field. I am a bit confused that the Azure user's Object ID field also exists in the returned object (upon Azure AD login via MSAL). The Object ID is in the homeAccountId field, namely ID_1, but for some reason it is followed by a dot and some other incomprehensible ID_2, which is present in idTokenClaims.idp.
Please tell me what is correct to store in the database as UserId in the CreatedBy field for an Azure AD user when authorizing through MSAL 2:
idTokenClaims.oid, aka localAccountId?
or ID_1 from homeAccountId (which equals the user's Object ID)?
Object ID i.e. oid is the primary claim that you should use as part of a system of records (plus tenant ID i.e. tid if you are serving multiple tenants).
homeAccountId and localAccountId are MSAL SDK specific terms, but they map to claims in the ID token eventually: homeAccountId is "oid.tid", while localAccountId is simply "oid", as it's only used with ADFS, which doesn't have tenancy.
The idTokenClaims in the response payload is the actual decoded ID token from Azure AD, and then MSAL adds further useful metadata to the response.
See also:
Microsoft identity platform ID tokens.
Data access sample
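The mapping in the answer above, worked through as an added example (not code from the answer or from MSAL): the payload of an ID token is decoded, the system-of-record key is built from oid scoped by tid, and MSAL's homeAccountId and localAccountId are cross-checked against the decoded claims. The token and account object are constructed sample data with placeholder GUIDs; signature validation is assumed to have been done by MSAL or your server already, since decoding alone proves nothing about who issued the token.

```javascript
// Added example, not the answer's own code. Decodes an ID token payload
// WITHOUT verifying its signature (MSAL / your server must do that first),
// then derives the stable user key oid + tid and checks MSAL's derived fields.

function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj), "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64UrlDecode(str) {
  const b64 = str.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
}

// Return the claims of a compact JWT (header.payload.signature).
function decodeIdTokenClaims(idToken) {
  const parts = idToken.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWT");
  return base64UrlDecode(parts[1]);
}

// System-of-record key: oid is only unique within a tenant, so scope it by tid.
function userRecordKey(claims) {
  const { oid, tid } = claims;
  if (!oid || !tid) throw new Error("oid and tid are required claims");
  return { oid, tid, key: `${tid}:${oid}` };
}

// MSAL convention from the answer: homeAccountId is "oid.tid", localAccountId is "oid".
function verifyMsalAccountIds(account) {
  const claims = account.idTokenClaims;
  const expectedHome = `${claims.oid}.${claims.tid}`;
  return account.homeAccountId === expectedHome && account.localAccountId === claims.oid;
}

// Constructed sample data (placeholder GUIDs, unsigned token).
const SAMPLE_CLAIMS = {
  oid: "11111111-1111-1111-1111-111111111111",
  tid: "22222222-2222-2222-2222-222222222222",
  preferred_username: "user@contoso.onmicrosoft.com",
  aud: "client-id-placeholder",
  iss: "https://login.microsoftonline.com/22222222-2222-2222-2222-222222222222/v2.0",
};
const SAMPLE_ID_TOKEN = [
  base64UrlEncode({ alg: "RS256", typ: "JWT" }),
  base64UrlEncode(SAMPLE_CLAIMS),
  "c2lnbmF0dXJl", // placeholder signature, deliberately not validated here
].join(".");
const SAMPLE_ACCOUNT = {
  homeAccountId: `${SAMPLE_CLAIMS.oid}.${SAMPLE_CLAIMS.tid}`,
  localAccountId: SAMPLE_CLAIMS.oid,
  tenantId: SAMPLE_CLAIMS.tid,
  idTokenClaims: decodeIdTokenClaims(SAMPLE_ID_TOKEN),
};

console.log(userRecordKey(SAMPLE_ACCOUNT.idTokenClaims));
console.log("MSAL ids consistent with claims:", verifyMsalAccountIds(SAMPLE_ACCOUNT));
```

Storing `key` (tid plus oid) rather than preferred_username or name means a renamed or re-provisioned user keeps the same record, and a user from another tenant can never collide with one in yours.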
I need to add the employeeid as a claim in the token. I used the tutorial at this link:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping#include-the-employeeid-and-tenantcountry-as-claims-in-tokens
I did all the steps, but my token is not returning the employeeid:
I did this configuration with the Graph API, where I create the policy and bind it to the service principal:
If I check this configuration, it seems to be correct:
I have followed all the steps correctly, and I can't include the employeeid in the token. What is happening? Thanks.
Assuming this is an access token you are requesting, you could check two things:
1. The claims mapping policy should be attached to the resource (API) service principal/application ID for which you are requesting the access token.
2. You need to update the application manifest as mentioned towards the end of the document you shared.
I tried to reproduce in my environment and got the employeeid successfully.
Make sure you have chosen your Application object ID.
For your reference:
https://s4erka.wordpress.com/2020/08/06/azuread-claim-mapping-policy/
Hi, I created the custom claim for that, so please check the below claim which is created by me:
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"] => issue(store = "Active Directory", types = ("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname"), query = "(&(objectClass=user)(objectCategory=person));mail,givenName;{0}", param = c.Value);
But in this case, I got all emails in one outgoing claim (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress), and also all the given names in another outgoing claim (http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname).
Please check the below screenshot of how I get the values of email and name right now from ADFS using C# code.
https://learn.microsoft.com/en-us/answers/storage/attachments/137282-image.png
But I need them in a single outgoing claim, like email= abc#gmail.com, Givenname=abc (with a comma or any other separator); I need both email and given name in one single outgoing claim.
I have already asked the same in the Microsoft Ignite forum: https://learn.microsoft.com/en-us/answers/questions/566015/how-to-get-all-users-of-adfs-with-all-attributes-e.html
Can you please help me to get all users' details from ADFS using Windows account login?
Thanks
You can't out of the box.
That's not how claims work.
You could use a custom attribute store.
You could also combine the claims into a single type.
See this under "Combining Claim Values".
Context
I am willing to get a resource details with the Azure REST API. And more particularly, I want to get the IAM associated with a resource.
Problem
So, I searched in the doc reference and found that endpoint: https://learn.microsoft.com/en-us/rest/api/resources/resources/get which provides an identity response attribute that meets my needs.
However, I can't find any information about the required path parameter parentResourcePath. What does that parameter mean and how can I get its value for a specific resource?
Also, when I tried going through the resource group path, I can get a path to the resource details but without the parentResourcePath parameter, and the response doesn't include the identity attribute.
Finally, am I going the right way (using the GET resource API)? And if so, where can I find that parentResourcePath value?
Actually, you have a better choice - Resources - Get By Id.
The path /subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{parentResourcePath}/{resourceType}/{resourceName} in the API Resources - Get is the resourceId that is used in Resources - Get By Id.
But if you combine the properties manually it is not easy, as Azure has many different resource providers and resource types.
Generally, you can find the resourceId for your resource in the portal -> Properties. Also, the response of this API will include the identity which you need.
Sample:
Get a web app resource.
The resourceId is like /subscriptions/xxxxxxx/resourceGroups/joywebapp/providers/Microsoft.Web/sites/joywebapp2.
You can click Try it in the doc to try the api.
Response:
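As an added example (not code from the answer above or from the Azure SDK), here is the relationship between the two endpoints worked through: a resourceId is split into the path parameters Resources - Get expects, including parentResourcePath for nested resources such as a web app's deployment slot, and the Resources - Get By Id URL is built directly from the resourceId. The subscription ID, resource names and the api-version value are constructed placeholders; the functions only build and parse strings, they do not call Azure.

```javascript
// Added example, not the answer's own code. Parses an ARM resourceId into the
// path parameters of Resources - Get and builds the Resources - Get By Id URL.
// Sample IDs and the api-version below are placeholders, not from the page.

const ARM_BASE = "https://management.azure.com";

// /subscriptions/{sub}/resourceGroups/{rg}/providers/{ns}/{type}/{name}[/{childType}/{childName}...]
function parseResourceId(resourceId) {
  const segs = resourceId.split("/").filter(Boolean);
  if (segs.length < 8 ||
      segs[0].toLowerCase() !== "subscriptions" ||
      segs[2].toLowerCase() !== "resourcegroups" ||
      segs[4].toLowerCase() !== "providers") {
    throw new Error(`unexpected resourceId: ${resourceId}`);
  }
  const [, subscriptionId, , resourceGroupName, , resourceProviderNamespace, ...rest] = segs;
  if (rest.length % 2 !== 0) throw new Error("type/name segments must come in pairs");
  const pairs = [];
  for (let i = 0; i < rest.length; i += 2) pairs.push([rest[i], rest[i + 1]]);
  const [resourceType, resourceName] = pairs[pairs.length - 1];
  // Everything between the provider namespace and the last type/name pair is
  // the parentResourcePath; for a top-level resource it is empty.
  const parentResourcePath = pairs.slice(0, -1).flat().join("/");
  return { subscriptionId, resourceGroupName, resourceProviderNamespace,
           parentResourcePath, resourceType, resourceName };
}

// Resources - Get By Id: the resourceId is the path, nothing to assemble.
function getByIdUrl(resourceId, apiVersion) {
  return `${ARM_BASE}${resourceId}?api-version=${encodeURIComponent(apiVersion)}`;
}

// Resources - Get: reassemble the path from the parsed parts (empty
// parentResourcePath is dropped so no double slash appears).
function getUrl(parts, apiVersion) {
  const middle = [parts.resourceProviderNamespace, parts.parentResourcePath,
                  parts.resourceType, parts.resourceName].filter(Boolean).join("/");
  return `${ARM_BASE}/subscriptions/${parts.subscriptionId}/resourcegroups/` +
         `${parts.resourceGroupName}/providers/${middle}?api-version=${encodeURIComponent(apiVersion)}`;
}

// Constructed samples: a web app and one of its deployment slots (nested resource).
const SAMPLE_SUB = "00000000-0000-0000-0000-000000000000"; // placeholder subscription
const WEBAPP_ID = `/subscriptions/${SAMPLE_SUB}/resourceGroups/joywebapp/providers/Microsoft.Web/sites/joywebapp2`;
const SLOT_ID = `${WEBAPP_ID}/slots/staging`;
const API_VERSION = "2021-04-01"; // placeholder; use the version the doc page lists

console.log(parseResourceId(WEBAPP_ID));
console.log(parseResourceId(SLOT_ID));
console.log(getByIdUrl(WEBAPP_ID, API_VERSION));
console.log(getUrl(parseResourceId(SLOT_ID), API_VERSION));
```

The parsed slot ID shows what parentResourcePath actually is: the type/name pairs of the parent resource (`sites/joywebapp2`), with the slot itself as resourceType/resourceName. Both URLs need an authenticated request (a bearer token for https://management.azure.com) when actually sent.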
Well, I made it through the Role Assignments - List For Scope endpoint, giving the subscription/resource group/resource in the scope. The output contains a principalId attribute that seems to point to a user, group or service principal.
Ref: https://learn.microsoft.com/en-us/rest/api/authorization/roleassignments/listforscope
If I have a tenant name such as "contoso.onmicrosoft.com", can I get the tenant ID using an API call?
I have already checked the API for Microsoft.Azure.Management.ResourceGroup
You can simply call https://login.microsoftonline.com/tenantDomain/.well-known/openid-configuration and get the tenant id from there. Just parse the JSON it returns and get the tenant id from it - for example from issuer.
Full info can be found here.
The call doesn't have to be authenticated so it is very simple to call.
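The lookup described in the answer, as an added example that is not part of the original answer: the discovery URL is built from the tenant domain, and the tenant ID is taken from the GUID segment of the issuer in the returned JSON. The discovery document in the block is a constructed sample with a placeholder tenant ID so the code runs offline; fetchTenantId() makes the real (unauthenticated) request when you are online and needs Node 18+ for the global fetch.

```javascript
// Added example, not the answer's own code. Resolves a tenant domain to its
// tenant ID via the OpenID Connect discovery document. SAMPLE_DISCOVERY is a
// constructed document with a placeholder GUID, not a real tenant.

const GUID = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Reject anything that is not a plain host name so the domain cannot
// rewrite the URL path (e.g. "contoso/../other").
function discoveryUrl(tenantDomain) {
  if (!/^[a-z0-9.-]+$/i.test(tenantDomain)) throw new Error("invalid tenant domain");
  return `https://login.microsoftonline.com/${tenantDomain}/.well-known/openid-configuration`;
}

// issuer is https://sts.windows.net/{tid}/ (v1 endpoint) or
// https://login.microsoftonline.com/{tid}/v2.0 (v2 endpoint); the GUID is the tenant ID.
function tenantIdFromIssuer(issuer) {
  const segs = new URL(issuer).pathname.split("/").filter(Boolean);
  const tid = segs.find((s) => GUID.test(s));
  if (!tid) throw new Error(`no tenant id in issuer ${issuer}`);
  return tid.toLowerCase();
}

function tenantIdFromDiscovery(doc) {
  if (typeof doc.issuer !== "string") throw new Error("discovery document has no issuer");
  return tenantIdFromIssuer(doc.issuer);
}

// Live lookup; no credentials needed because the document is public.
async function fetchTenantId(tenantDomain) {
  const res = await fetch(discoveryUrl(tenantDomain));
  if (!res.ok) throw new Error(`discovery failed: HTTP ${res.status}`);
  return tenantIdFromDiscovery(await res.json());
}

// Constructed sample: the shape of the v1 discovery document, placeholder tenant ID.
const SAMPLE_DISCOVERY = {
  issuer: "https://sts.windows.net/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/",
  authorization_endpoint: "https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/oauth2/authorize",
  token_endpoint: "https://login.microsoftonline.com/aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee/oauth2/token",
  jwks_uri: "https://login.microsoftonline.com/common/discovery/keys",
};

console.log(discoveryUrl("contoso.onmicrosoft.com"));
console.log("tenant id:", tenantIdFromDiscovery(SAMPLE_DISCOVERY));
```

Because the document is unauthenticated, this is also a cheap way to confirm a tenant exists before configuring an app against it; pin the resolved ID in configuration rather than resolving it on every request.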
You can get the name of the tenant you are logged into by calling
https://management.azure.com/tenants?$skiptoken={skiptoken}&api-version={api-version}
see here for details
This will give you a list of all tenants that you authorized for.
This is actually listed under 'Tenants' rather than resource groups.
The easiest way to get the tenant ID is to find it in the Azure portal. Please click -> APPLICATION -> VIEW ENDPOINT, like the following screenshot:
If you want to use C# to get the tenant ID from the name, please get the JWT token first (sign in with a user under "contoso.onmicrosoft.com"). The JWT token will contain tid; "tid" means tenant ID. Refer to this article for more details.
Then we can use the following code to get the tenant ID:
using System.IdentityModel.Tokens.Jwt; using System.Linq;
var token = new JwtSecurityToken(jwtToken); // parse the compact JWT string (no signature validation here)
var tenantId = token.Claims.FirstOrDefault(m => m.Type == "tid")?.Value; // "tid" carries the tenant ID