I am trying to populate the Claims token with User Group Information that I will fetch from Graph API. This is specifically useful to port an existing Windows auth application to Azure. All my IsInRole() functions will work as is. I tried following this post
Populate Claims Information from Graph API
but unless I update the app manifest with groupMembershipClaims, I may not be able to populate the groups information. I am trying to avoid this since I am not a Global Admin on my corporate tenant. Are there any more code samples that I can follow to do the same?
I am using Azure AD role based authentication. I have added 2 roles (Observer, Reader) in the Web application and I have assigned specific users, which works fine.
My question is where should I create these Roles? As of now, those are created under the Web application, however I feel that they should be created under the API application.
If these roles are created under an API application, how can I generate the Access token when the Web application needs to interact with multiple APIs as I am not able to request for multiple scope(s)/resource(s)?
I tried to reproduce the same in my environment and I got the below result.
When I tried to get an access token with multiple APIs in scope, I got an error like below.
Please note that you cannot generate an access token with multiple APIs in scope.
To confirm this, please check similar scenario by Juunas in this SO Thread, access token is valid for one API only
When I tried to add a single scope, I got the access token successfully, like below.
When I decoded that token, I got the scp claim with the role, like below.
I have an Azure AD app set up. The REST APIs under the scope user_impersonation work, but I also need user profile info from some GET API request (with the same scope, as I cannot have two scopes under one access token). I could not find a suitable API for it. So, any help in this regard will be highly appreciated.
Thanks in advance!
As you are making requests to different APIs, you will need to request separate access tokens for this information.
In the case of user profile information, you will need to request a token for the Graph API resource with the User.Read scope.
Depending on the type of application, you can either request this information on behalf of a user or as a service. When requesting as a service, you need to grant the User.Read.All permission instead (docs).
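The constraint the two answers above describe (one access token per resource, so a client that talks to its own API and to Microsoft Graph acquires two tokens) can be enforced before the token request is ever sent. The following is an added example, not code from the thread or from Microsoft: it groups v2.0 scope strings by the resource they belong to so that a caller issues one token request per resource, and it takes the actual token acquisition as an injected function (in a real app that would wrap an MSAL `acquireToken*` call). The `api://` application ID used below is a constructed placeholder.

```javascript
// Added example: Azure AD issues an access token for one resource (audience), so a
// request that mixes scopes of two APIs fails. Group scopes by resource first and
// acquire one token per group.

// OIDC scopes carry no resource and may accompany any resource's scopes.
const OIDC_SCOPES = new Set(["openid", "profile", "email", "offline_access"]);

// The v2.0 endpoint treats a bare permission name such as "User.Read" as a
// Microsoft Graph scope.
const GRAPH_RESOURCE = "https://graph.microsoft.com";

// Resource URI of a scope, or null for OIDC scopes.
function resourceOf(scope) {
  if (OIDC_SCOPES.has(scope)) return null;
  const idx = scope.lastIndexOf("/");
  if (idx === -1) return GRAPH_RESOURCE; // "User.Read" -> Graph
  return scope.slice(0, idx); // "api://<id>/user_impersonation" -> "api://<id>"
}

// Returns a Map resource -> scopes for that resource (OIDC scopes are copied
// into every group so each token request stays a complete OIDC request).
function splitScopesByResource(scopes) {
  const groups = new Map();
  const oidc = [];
  for (const s of scopes) {
    const r = resourceOf(s);
    if (r === null) { oidc.push(s); continue; }
    if (!groups.has(r)) groups.set(r, []);
    groups.get(r).push(s);
  }
  for (const list of groups.values()) list.push(...oidc);
  return groups;
}

// Guard for a single token request: throws when the scopes span more than one
// resource, which is the failure the question above ran into. Returns the
// resource (or null if only OIDC scopes were given).
function assertSingleResource(scopes) {
  const groups = splitScopesByResource(scopes);
  if (groups.size > 1) {
    throw new Error(`scopes span ${groups.size} resources: ${[...groups.keys()].join(", ")}`);
  }
  return groups.size === 1 ? [...groups.keys()][0] : null;
}

// Acquire one token per resource. `acquire(scopes)` is injected and returns a
// Promise of the token for that scope list (an MSAL wrapper in real code).
async function acquireTokensPerResource(scopes, acquire) {
  const tokens = {};
  for (const [resource, list] of splitScopesByResource(scopes)) {
    tokens[resource] = await acquire(list);
  }
  return tokens;
}

// Constructed sample: a web app that calls its own API and Microsoft Graph.
const APP_SCOPES = [
  "openid",
  "https://graph.microsoft.com/User.Read",
  "api://00000000-0000-0000-0000-000000000001/user_impersonation", // placeholder app id
];

// Stand-in for the token endpoint so the example runs offline.
async function fakeAcquire(scopes) {
  return `token-for:${resourceOf(scopes[0])}`;
}

module.exports = { resourceOf, splitScopesByResource, assertSingleResource, acquireTokensPerResource, APP_SCOPES, fakeAcquire };
```

Calling `acquireTokensPerResource(APP_SCOPES, fakeAcquire)` yields one token keyed by `https://graph.microsoft.com` and one keyed by the `api://` resource; the Graph token is the one to send to `/me` for the profile, and the API token goes to your own service.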
You can use Profile API in Microsoft Graph to retrieve yourself and another user profile.
The Profile API is used to retrieve the signed-in user's profile information together with Azure AD or account information. We can use this information in the application as required and store it as required.
When you use these APIs you will need valid permissions to access profile information.
Example : https://graph.microsoft.com/beta/me/profile/
For more information about using the Profile API, read the official Microsoft documentation.
I am not sure if the question is descriptive enough for what I am trying to accomplish, so let me try to elaborate, because even I am not sure how to properly set the question. So I will tell more about the big picture of what I am trying to do.
I am building an application that uses AWS Cognito for user authentication and authorization. But the authorization part is in a way not directly done via Cognito (more about it a bit later).
In Cognito I added Azure AD as a third-party identity provider via OIDC. I also have a backend service that will hold users' roles in its own database. Now, for users that are going to be added to the user pool via AD, I need to replicate their groups in AD as a role in my service database. (So if I have a user in AD that is part of the group ADMIN, I need to get that group and put it in my own db as a role for that specific user.)
Now the idea is to use MS Graph for syncing groups with roles in my service. But the point is that then I would need the credentials of the AD user that has the rights to see that info in AD, which is not really what I am trying to accomplish.
My guess is that this can be done in an all-at-once scenario (which would require the "GODs" user in AD credentials, which is not an option), or one by one (as they log in to Cognito via AD as IdP).
So to sum it up, my question is: can I integrate the call to MS Graph when a user logs in with their AD (Microsoft) credentials, so that in a way I get the info about their group when they try to log in to the Cognito user pool?
I understand that this probably is very unclear, but I am not quite sure how to put it in a simple way.
If anyone can help me out, I would appreciate it.
Thanks
You don't need to integrate the call to MS Graph.
Just include Groups claim in your token as instructed here. You just need to modify the "groupMembershipClaims" field in application manifest:
"groupMembershipClaims": "SecurityGroup"
Then the token will contain the IDs of the groups that the user belongs to, like below:
{
"groups": ["{group id}"]
}
I'm currently using the Node.js passport library to authenticate using the OIDC Strategy with an Azure registered app using a client ID and secret.
http://login.microsoftonline.com/{org id}/v2.0/.well-known/openid-configuration
I am not having any trouble getting the user profile back of the person who logged in, but I am hitting a wall when trying to get the groups. In my app, I need to authorize the user based on their active directory groups. I am getting back this piece of json:
"_claim_names":{"groups":"src1"},"_claim_sources":{"src1":{"endpoint":"https://graph.windows.net/{org guid}/users/{user guid}/getMemberObjects"}}
I'm not sure what I need to do using this to get the groups. I tried generating a bearer token, passing that in a header, and getting the groups but it says I am unauthorized using Postman. Do I need certain permissions in the app? Also why is it using graph.windows.net when I'm trying to use graph.microsoft.com?
Is there an easier way to do this once the user has logged in?
Overage indicator claim when user is member of many groups
The claim you're getting back as part of the JSON shared in the question is an overage indicator claim.
"_claim_names":{"groups":"src1"},"_claim_sources":{"src1":{"endpoint":"https://graph.windows.net/{org guid}/users/{user guid}/getMemberObjects"}}
It means that the user is a member of many groups, and instead of including information about all the groups as part of the token (which would make the token too big), you will need to query that information separately.
Read more about it here: Access Tokens Reference
How to get groups information?
Your application needs to make a separate call to the Microsoft Graph API to get the groups information for the user.
Relevant Microsoft Graph APIs
user: getMemberObjects
user: getMemberGroups
Check member groups
Permissions Required by your application
Each of the API links above mentions the delegated or application permissions that are required, as part of the documentation.
You will need to update your app registration in Azure AD to require the relevant permissions (and also go through Admin consent, in case the permission required needs admin consent)
Token to call Microsoft Graph API
You mention that you've tried generating a bearer token, passing that in a header, but you got Unauthorized error.
Once you're done with the permission changes for your application, acquire a token specifically for Microsoft Graph API from your application. The bearer token used to access your application may not directly work with Microsoft Graph API.
Also make sure you go through Admin consent in case any of the permissions require Admin consent. If it's a single tenant application, "grant permissions" directly from the Azure portal by an administrator should work; in case of a multi-tenant app you can use the Admin consent endpoint.
Code Sample: Here is a quick tutorial for calling Microsoft Graph using Node.js; you may find other good ones as well.
Azure AD Graph API (graph.windows.net) vs Microsoft Graph API (graph.microsoft.com)
You have a valid question about the endpoint: "Also why is it using graph.windows.net when I'm trying to use graph.microsoft.com?"
General recommendation is to use the newer Microsoft Graph API, unless the functionality/information you're looking for isn't available with Microsoft Graph and only Azure AD Graph API can help. Read more about recommendation and comparison here: Microsoft Graph or Azure AD Graph
Since information about groups is available in v1 endpoint for Microsoft Graph already (not beta), you should make use of Microsoft Graph API.
Here are a couple of related SO posts: SO Post 1 and SO Post 2
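The answer above lays out a procedure: look at the decoded token, recognise the overage indicator, and if it is present call Microsoft Graph (not the legacy graph.windows.net URL in the claim) with a token acquired specifically for Graph. The block below is an added example, not code from the answer or from Microsoft, that implements that decision in Node.js. It also applies to the earlier answer in this thread where the groups claim is returned inline via groupMembershipClaims, since both shapes are handled. The Graph call is injected as a function so the logic runs offline; the claim values, group IDs and role mapping are constructed sample data.

```javascript
// Added example: decide whether group IDs are in the token or must be fetched,
// then resolve them to application roles. Not the original answer's code.

// Microsoft Graph v1.0 endpoint recommended by the answer for the overage case.
const GRAPH_GET_MEMBER_GROUPS = "https://graph.microsoft.com/v1.0/me/getMemberGroups";

// Classify the decoded claims:
//   { source: "token",   groups }   -> groups claim present inline
//   { source: "overage", endpoint } -> _claim_names/_claim_sources indirection present
//   { source: "none" }              -> neither (no groups claim configured)
function classifyGroupsClaim(claims) {
  if (Array.isArray(claims.groups)) return { source: "token", groups: claims.groups };
  const srcName = claims._claim_names && claims._claim_names.groups;
  const src = srcName && claims._claim_sources && claims._claim_sources[srcName];
  if (src && src.endpoint) return { source: "overage", endpoint: src.endpoint };
  return { source: "none" };
}

// Resolve the user's group object IDs. `graphToken` must be an access token whose
// audience is Microsoft Graph (the app's own token will not work, as the answer
// notes). `callGraph(url, token, body)` is injected and returns the parsed JSON
// of the POST; a real app would wrap fetch and set "Authorization: Bearer <token>".
// The graph.windows.net endpoint inside the overage claim is used only as a signal;
// the lookup itself goes to Microsoft Graph.
async function resolveGroupIds(claims, graphToken, callGraph) {
  const c = classifyGroupsClaim(claims);
  if (c.source === "token") return c.groups;
  if (c.source === "none") return [];
  const body = await callGraph(GRAPH_GET_MEMBER_GROUPS, graphToken, { securityEnabledOnly: true });
  return Array.isArray(body.value) ? body.value : [];
}

// Map group object IDs to application roles; groups with no mapping are ignored,
// so an unexpected group never grants a role by accident.
function rolesFromGroups(groupIds, groupToRole) {
  const roles = new Set();
  for (const id of groupIds) {
    if (Object.prototype.hasOwnProperty.call(groupToRole, id)) roles.add(groupToRole[id]);
  }
  return [...roles];
}

// --- constructed sample data (placeholders, not real tenant values) ---
const OVERAGE_CLAIMS = {
  sub: "sample-subject",
  _claim_names: { groups: "src1" },
  _claim_sources: {
    src1: { endpoint: "https://graph.windows.net/<org guid>/users/<user guid>/getMemberObjects" },
  },
};
const INLINE_CLAIMS = { sub: "sample-subject", groups: ["group-admin", "group-reader"] };
const NO_GROUPS_CLAIMS = { sub: "sample-subject" };
const GROUP_TO_ROLE = { "group-admin": "Admin", "group-reader": "Reader" };

// Stand-in for the network call: answers only a correctly targeted request
// carrying the Graph token, otherwise returns an empty result.
async function fakeCallGraph(url, token, body) {
  if (url !== GRAPH_GET_MEMBER_GROUPS || token !== "graph-token" || !body.securityEnabledOnly) {
    return { value: [] };
  }
  return { value: ["group-admin", "group-unknown"] };
}

module.exports = { classifyGroupsClaim, resolveGroupIds, rolesFromGroups, OVERAGE_CLAIMS, INLINE_CLAIMS, NO_GROUPS_CLAIMS, GROUP_TO_ROLE, fakeCallGraph, GRAPH_GET_MEMBER_GROUPS };
```

In a passport verify callback you would run `resolveGroupIds(profile._json, graphToken, callGraph)` and then `rolesFromGroups(...)` to populate the roles your authorization checks use; keeping the group-to-role table explicit means a new or unexpected group ID gives the user nothing until you map it.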
From the Azure Active Directory v2.0 authentication libraries we can see lots of samples about how to use the libraries to connect to Active Directory. It seems all of them should create an application at apps.dev.microsoft.com first, then use the Application ID and a new password to act as the clientID and clientSecret in a client or server middleware application.
This way, one user can use the application to log in by OAuth 2 or OpenID through the Azure Active Directory API. It can also get personal information such as the user profile correctly.
But, if I want to get all the users' information in a tenant at one time, is there an API that can do that?
You can use Microsoft Graph API - specifically List Users API.
https://graph.microsoft.com/v1.0/users
For a quick test, try using Microsoft Graph Explorer
Similarly you can list users with Azure AD Graph API as well, but it would be recommended to use Microsoft Graph API.
Read Microsoft Graph or Azure AD Graph and this SO Post (Only case to use Azure AD Graph API would be if you need something very specific that you aren't able to achieve with stable version of the newer Microsoft Graph API.)
Azure AD Graph API to list users (not recommended)
https://graph.windows.net/myorganization/users