So I am trying to set up an application on azure AD that can, among other things delete users.
I have the application registered and use the client id and secert to gain teh access token.
I was able to give the application permissions to create users and that works fine, but when i go to delete over the graph API i get a 403 Insufficient privileges to complete the operation.
I am trying this over the graph rest API. The user that i am attempting to delete was made through the rest call as well. The user is in the same tenant as the application , so i am not trying to delete users from multiple tenants.
It seems what i need to do is give the application either Global admin or Company admin rights, but i am spinning wheels on where and or how to do this.
Any help would be appreciated.
Take a look at my answer here.
You can elevate the level of access an Application has in your tenant
by adding the service principal of that application to the Company Administrator Directory Role. This will give the Application the same
level of permissions as the Company Administrator, who can do
anything. You can follow these same instructions for any type of
Directory Role depending on the level of access you want to give to
this application.
Note that this will only affect the access your app has in your tenant.
Also you must already be a Company Administrator of the tenant to follow these instructions.
In order to make the change, you will need to install the Azure
Active Directory PowerShell
Module.
Once you have the module installed, authenticate to your tenant with
your Administrator Account:
Connect-MSOLService
Then we need to get the Object ID of both the Service Principal we
want to elevate, and the Company Administrator Role for your tenant.
Search for Service Principal by App ID GUID:
$sp = Get-MsolServicePrincipal -AppPrincipalId <App ID GUID>
Search for Directory Role by Name
$role = Get-MsolRole -RoleName "Company Administrator"
Now we can use the Add-MsolRoleMember command to add this role to
the service principal.
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId
To check everything is working, lets get back all the members of the
Company Administrator role:
Get-MsolRoleMember -RoleObjectId $role.ObjectId
You should see your application in that list, where RoleMemberType
is ServicePrincipal and DisplayName is the name of your
application.
Now your application should be able to perform any Graph API calls
that the Company Administrator could do, all without a user signed-in,
using the Client Credential Flow.
Let me know if this helps!
UPDATE:
The answer above has been updated to use Azure Active Directory V2 PowerShell
If you don't have the AzureAD module already installed you will need to install it. See Azure Active Directory PowerShell Module Version for Graph for Azure AD administrative tasks for more info about the module or simply run:
Install-Module AzureAD
Once you have the module installed, authenticate to your tenant with your Administrator Account:
Connect-AzureAD
Then we need to get the Service Principal we want to elevate, and the Company Administrator Role for your tenant.
$sp = Get-AzureRmADServicePrincipal | Where DisplayName -eq '<service-principal-name>'
Search for Directory Role by Name
$role = Get-AzureADDirectoryRole | Where DisplayName -eq 'Company Administrator'
Now we can use the Add-AzureADDirectoryRoleMember command to add this role to the service principal.
Add-AzureADDirectoryRoleMember -ObjectId $role.ObjectId -RefObjectId $sp.Id
To check everything is working, lets get back all the members of the Company Administrator role:
Get-AzureADDirectoryRoleMember -ObjectId $role.ObjectId
You should see your application in that list, where DisplayName is the name of your application.
Now your application should be able to perform any Graph API calls that the Company Administrator could do, all without a user signed-in, using the Client Credential Flow.
Related
Need to enable MFA on Azure AD to the users accounts which iam creating using powershell through Automation account which will runs on Hybrid Worker, so when the user is created will set the timer for few seconds **Start-Sleep -Seconds ** to perform MFA action, please assist me to understand kind of permissions, modules and connections to Azure Ad to enable MFA using automation account using powershell script on Azure AD for the same, i have found some useful documents but there are portal based policies. Thanks in Advance
To enable MFA on Azure AD, you need to have roles like Global Administrator or Security Administrator or Conditional Access Administrator on your Azure AD tenant.
Make sure to acquire Azure AD Premium P1 license if you want to use conditional access policies for enabling MFA.
Get yourself assigned with Contributor role under subscription where your automation account exists.
I tried to reproduce the same in my local environment and got results like below:
I ran the below script by connecting with user having Global Administrator role that created new user with MFA enabled like below:
Connect-MsolService
$user=New-MsolUser -DisplayName "Demo User" -UserPrincipalName "demouser#xxxxxxxxxx.onmicrosoft.com" -Password "xxxxxxxxxxxx1234#"
# Wait for the user account to be created
Start-Sleep -Seconds 30
$strongAuth = #()
$strongAuth += New-Object -TypeName Microsoft.Online.Administration.StrongAuthenticationRequirement
$strongAuth[0].RelyingParty = "*"
$strongAuth[0].State = "Enabled"
Set-MsolUser -UserPrincipalName "demouser#xxxxxxxxxxx.onmicrosoft.com" -StrongAuthenticationRequirements $strongAuth
Response:
When I checked the same in Portal, new user named Demo User created successfully like below:
To check whether MFA is enabled or not, I tried to sign in with above newly created user credentials that asked for MFA like below:
If you want to use same script, make sure to install MSOnline module before running script like this:
Install-Module -Name MSOnline
Import-Module -Name MSOnline
Connect-MsolService
If you are performing these operations via service principal, you need to assign roles or permissions for service principal too.
Reference:
Enable Azure AD Multi-Factor Authentication | Microsoft Learn
I have created PowerShell 7 Azure Function (AF) and a managed service identity (MSI) with reader role across the entire subscription.
Using this code here:
Connect-AzAccount -Identity
$token = Get-AzAccessToken -ResourceUrl "https://graph.microsoft.com"
Connect-MgGraph -AccessToken $token.Token
The connection, via Graph works as I receive the 'Hello to Graph' in the (AF) log window.
However, when searching for a user;
get-mgUser -userID 'objectID of the user'
I receive permission denied.
Using:
connect-mgGraph -Scopes
Prompts for an interactive login...
Looking at the Enterprise application registration for the MSI, I'm unable to grant any permissions (logged in as GA).
Can someone point me in the right direction please?
The error "permission denied" usually occurs if there are no required permissions to perform the action.
I agree with Cpt.Whale that at least User.Read.All is required.
To grant the API permissions to an Enterprise Application, make sure that the application is present in Azure AD.
Locate your Enterprise application in Azure Ad like below:
Go to Azure Portal -> App Registrations -> Select App with your Enterprise Application name -> API permissions
After adding the permissions and granting admin consent, the API permissions will be successfully added in your Enterprise application like below:
To know more in detail, please refer below links:
Give permissions to graph api in enterprise application Azure AD by Hury Shen
Configure required Azure AD Graph permissions for an app registration - Microsoft Graph | Microsoft Docs
I am updating a Powershell script to replace use of Azure CLI calls with PowerShell commands. The Powershell script creates a number of App Registrations in an Azure tenant, adds permissions to them, and then grants access to those permissions.
I am finding it difficult to replace the CLI calls granting access. Typically these calls grant a service principal access with a scope or scopes, e.g.
az ad app permission grant --id $app.appId --api 00000003-0000-0000-c000-000000000000 --scope "offline_access openid"
I see no way to do this with the Cmdlets in the Azure Resources Module, and have not been to find a direct equivalent in the Azure Graph API. The nearest thing I have found in the Graph API is an endpoint for granting an App Role Assignment (https://learn.microsoft.com/en-us/graph/api/serviceprincipal-post-approleassignedto?view=graph-rest-1.0&tabs=powershell) but that addresses a different problem, assigning roles rather than scopes.
I'm pretty new to Azure development, but I've been knocking my head off this one for a few days now, so any advice would be appreciated!
Edit: Adding an example of a permission I'd like to be able to grant where Admin Consent is not required.
We have tested this in our local environment it is working fine. Below statements are based on our analysis.
You can use the below PowerShell cmdlet to add a permission to the app registration.
Add-AzADAppPermission -ObjectId "<objectID>" -ApiId "00000003-0000-0000-c000-000000000000" -PermissionId "<PermissionId>" -Type "<role(ApplicationPermissions),Scope(DelagatedPermissions)"
Here is the sample Output screenshot for reference:
As per the Current documentation, User needs to grant consent via Azure Portal if the permission requires admin consent because Azure PowerShell doesn't support it yet.
Note :
Application permissions under the appRoles property correspond to Role in -Type. Delegated permissions under the oauth2Permissions property correspond to Scope in -Type.
We have an Azure PowerShell script to automate the provisioning of resources in our customers' subscription. As part of the process we deploy a VM based off a custom image hosted in our own image gallery. In order to do so we require our customers to grant access (user consent) to our enterprise application in their tenants.
As of now we achieve that through an OAuth2 link that we ask them to edit with their own tenant ID and open in browser:
https://login.microsoftonline.com/<customer-tenant-id>/oauth2/authorize?client_id=cd3df191-153a-4ae1-9766-5fe7a7f3032e&response_type=code&redirect_uri=https%3A%2F%2Fwww.microsoft.com
This link authenticates them and asks for the requested permissions to be accepted:
After that, our enterprise application should be listed in their subscriptions with the following permissions:
We would like for this pre-requisite to be addressed programmatically by our deployment script. Is there any way we can achieve that via Azure PowerShell?
To no avail, I've checked quite a few pages online and several similar questions here on SO. They are different in the sense that they are requesting Admin Consent rather than User Consent (mind that ours only require User Consent, see screenshot below). Also, some questions are specific to Azure CLI or simply Azure Portal (not an option for us as we are working with Azure PowerShell).
PS: Sorry in advance for my lack of knowledge in regards to Azure AD and the Consent Framework in general.
Consent can be used to grant app roles (application permissions) and delegated permissions.
What you're trying to do here is to create a delegated permission grant. Specifically, you're trying to grant a delegated permission on behalf of an individual user (instead of on behalf of all users).
You can't do this with Azure PowerShell.
You can, however, do this with Microsoft Graph PowerShell. The cmdlet you use, will be New-MgOauth2PermissionGrant. This cmdlet calls the Microsoft Graph API to create a delegated permission grant. The PowerShell cmdlet requires the following parameters:
ClientId - The object ID of the client app's service principal. This is the service principal which will be gaining privileges.
ConsentType - In this case, this should be "Principal", indicating you want to grant this delegated permission on behalf of a single principal (a user).
PrincipalId - This is the object ID of the user on behalf of who the client app will be able to act.
ResourceId - The object ID of the API's service principal. This is the service principal representing the API that exposes the delegated permissions you want to grant.
Scope - The space-separated list of permissions to grant.
So, for example, if we wanted to grant the Microsoft Graph delegated permission User.Read, on behalf of user with user principal name bob#example.com, we could do the following:
$userUpn = "bob#example.com"
$clientAppId = "738a2731-dd81-4263-824b-74cf6dee9da0"
$resourceSpn = "https://graph.microsoft.com"
$scope = "User.Read"
# Retrieve the user, and the client and resource service principals
$user = Get-MgUser -Filter "userPrincipalName eq '$userUpn'"
$client = Get-MgServicePrincipal -Filter "appId eq '$clientAppId'"
$resource = Get-MgServicePrincipal -Filter "servicePrincipalNames/any(n:n eq '$resourceSpn')"
# Grant the delegated permissions for Microsoft Graph to the client, on behalf of the user
$grant = New-MgOAuth2PermissionGrant `
-ClientId $client.Id `
-ConsentType "Principal" `
-PrincipalId $user.Id `
-ResourceId $resource.Id `
-Scope $scope
I am using a script to create Azure AD user, but when user login, it showing there are no any subscription for that users.
Now kindly let me know if you share the script to automate the process for assigning roles to that users automatically when he\she login in azure portal
Hoping for quick response
you cannot assign roles exactly when user logs into the portal, but you can assign roles to the users once you create them:
New-AzRoleAssignment -ObjectId xxx -Scope '/subscriptions/%subscription_guid%' `
-RoleDefinitionName Contributor (or Owner, Reader, etc)
You can use -signInName instead of the ObjectId, but since you just created the user you should have its ObjectId anyway
For CLI you can consult this article: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-cli
This one for powershell: https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-powershell