Is it possible currently to make an application in my Azure AD tenant and allow customers to give it permission to alter their resource groups.
I basically want to create an web application that allows any azure resource owner to allow my application to add something to a resource group of their choosing.
I cant figure out if its required for the customer to have the global administrator role for this to work?
Is it possible to make a flow that lets the customer sign in to my webapp, and give permission for a resource group of this choose, without him being the global administrator.
Is it possible for something in the azure portal to select his resource group add allow my azure ad application to get access to his resource group, or what is needed from the customer for this to be possible?
There are two ways by which a 3rd party application can access a user's subscription:
Delegated Permission (User Impersonation): Azure Portal is a good example of that. Basically in this scenario, a user logs in into your application by authenticating herself/himself against their Azure AD and then your application makes ARM API calls on behalf of the logged in user. If the user has permission to do something, your application will do that otherwise your user will get an error.
Application Permission: This is basically more for running things in the background when the user is not logged in. Essentially this is where the concept of Service Principal comes in. In this scenario, someone with administrative privileges grant certain permissions to your application and then your application will be able to do things it is permitted to do. The user need not be present in this scenario.
Now coming to your questions:
I basically want to create an web application that allows any azure
resource owner to allow my application to add something to a resource
group of their choosing.
I cant figure out if its required for the customer to have the global
administrator role for this to work?
Yes, it is possible for your to create such a web application and the customer need not be a global administrator to use such an application. In fact, this is how we're providing Azure Subscription management in Cloud Portam. Azure Portal works the same way. When you login into Azure Portal, you only do things you have permissions to. To see this in action, just login into Azure Portal using a user who is in Reader role and try to create some resources.
Is it possible to make a flow that lets the customer sign in to my
webapp, and give permission for a resource group of this choose,
without him being the global administrator.
Yes, it is entirely possible however the permission from Azure's perspective will be at Subscription level and not at a resource group level. Again since you would be impersonating the user, the user need not give you explicit permission to access certain resources. Azure RBAC will take care of this for you.
Is it possible for something in the azure portal to select his
resource group add allow my azure ad application to get access to his
resource group, or what is needed from the customer for this to be
possible?
Yes, it is possible to do so. However in this case, the user who's granting the permission to your application should be in a role that allows her/him to perform this operation. They should have write permission on Microsoft.Authorization resource provider. However please do keep in mind that once your application (also known as Service Principal) is granted access to a resource in your user's subscription, there's no need for a user to login. You typically would want to use this approach for background process kind of applications.
Related
Background: I am trying to setup my azure infrastructure to deploy my new web app. I am working with an external contractor cloud engineer and I only want her to be able to setup my cloud infrastructure.
Steps: I have 1 Subscription and 1 Resource Group. I have created a User in my organisation (so not a guest) in Azure AD - I will share these details with her.
I have put this new User inside a User Group and I have permissioned the User Group (as a Contributor) against my Resource Group. I have shared the username and password with her.
Problem: When she logs on to portal.azure.com she gets the message "Your sign-in was successful, but you don't have permission to access this resource."
Clearly I am missing something? I thought this was straightforward... alas
TIA.
Sometimes this may happen due to the internal policy, make sure to recheck them once again.
After this if you create a personal login detail separately then it will work out.
Here is the reference of Your sign-in was successful but you don't have permission to access this resource for the same above.
If the user is a guest user incase, then administrator of guest tenant will delete your account from their tenant.
Here is the Reference given by #Amanpreet Singh.
Common steps to be followed as below,
After login to the Azure portal as a Admin.
Go to Azure Active Directory
Select the All services, then Azure AD Conditional Access.
Here you can select the restriction policy and / or make sure to recheck the Assignments from the Users & Groups of various permissions for your given user.
VPN....
I switched off my VPN and it then worked just fine. No idea why but it works and I can now log straight in to the portal
I am working on an application, and its registration in Azure AD must allow Accounts in any organizational directory to sign-in. We built this with the thought that we could manage the roles for the app within Azure, so we made a few roles. The roles would also be only assignable and used by employees within our organization.
The whole time we thought that these roles can only be assigned within the Azure AD of the organization that owns the app's registration. We now found that when a user from another tenant signs into our app, they can find the app in their Azure's Enterprise Applications and just assign themselves roles. This means that they'd be able to view data that was never meant to be accessible to them. We don't want any other organization to have access to assigning these roles.
So is there any way to disable other tenants' ability to assign themselves a role in their Azure's Enterprise Application? I just want them to be able to log into the app, not give themselves any roles.
Is this even the appropriate way to achieve what we want? If not, what would be the proper way to do this?
At least I am not aware of any mechanism that will prevent admins from other tenants to assign roles to user (it works by design).
If you want to use the application roles only within your tenant, I would suggest that you use the tenantid that is also part of the claims when you doing authorization within your application...
Are Azure's RBAC tools and capabilities appropriate for delineating and enforcing app-specific user permissions?
What I've been seeing is that Azure's RBAC capabilities seem to involve managing Azure resources: BLOB services, storage accounts, app services, etc.
But what I don't see are examples of Azure RBAC being used to manage app- (or domain-) specific permissions, like "Allow the user to approve purchasing this widget" or "Allow user to categorize these items as Foo, Bar, or Baz", or "Allow the user to view financial data only from these company divisions".
Am I fundamentally misunderstanding how Azure RBAC works, or what it's used to manage? Can anyone point out examples of Azure role definitions that include permissions like the ones above, or point to documentation of how I might set those up?
I believe you are looking for application specific permissions which can be achieved, by configuring API permissions in apps, registered in AD. Please correct me if my understanding is wrong.
So the difference between API Permissions and Role Assignments is as below:
API Permissions: 2 types.
Delegated permissions are appropriate for client apps that access a web API as the signed-in user, and whose access should be restricted to the permissions you select in the next step.
Delegated permissions are used when authentication is done under user's context and are returned in scope claim of the token.
Application permissions are for service or daemon-type applications that need to access a web API as themselves, without user interaction for sign-in or consent. Unless you've defined application roles for your web API, this option is disabled.
App permissions are used when authentication is done under application (service principal) context and are returned in roles claim. For example, if you have a web application, you can configure it to allow access to the user, if the scope claim contains read, otherwise deny access. Or grant write access to application only when roles claim contains write.
You should configure API Permissions when you would like to return the permissions in the Access token. When application consumes the token, it makes authorization decision on the basis of permissions present in the token.
Role Assignments:
RBAC is the authorization system you use to manage access to Azure resources. When using RBAC, an administrator grants permissions to roles, and not to individual users or groups. The administrator can then assign roles to different users and groups to control who has access to what content and functionality.
Role assignments are used to assign permission to users/service principals on Azure Resources. In this case authorization is done by Azure and not by the end application which happens in case of API permissions.
Please ref the below articles for detailed explanation with examples.
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-add-app-roles-in-azure-ad-apps
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-how-applications-are-added
I just started working with Azure Active directory and i have one simple query.
I have a customer who is the admin of azure subscription and now if he wants to give access to another user who will be tasked to Create and Managing of Azure Active Directory (Like adding/deleting users, providing access to other application) what level of Role/permission needs to be assigned to this user.
Please let me know the steps for doing this from portal or any reference link please share
For just user management an "User Administrator" role would be sufficient. As far as the applications go it may vary depending on the level of access required and so on.
Check out the Azure AD roles here.
But at the subscription level it is better that the user has an "owner" role which provides all the administrative privileges.
Is it possible to assign an application (as an Application or Service Principal) to a group programatically, via the graph client or API? (Including the app user credentials needed to allow access of the members of the group to the app)
I searched everywhere and couldn't find documentation for it.
Thanks
No, 'Applications' in Azure AD are used to segment authorization and settings within Azure AD. It creates a trust between Azure AD and your application. The Application is not a User.
Users are Azure AD entities that have identity and can be authorized to access resources (like an Application). Users can be added to groups. See the below link for the Azure AD graph API documentation:
https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/groups-operations#AddGroupMembers
And the documentation on what a user entity looks like:
https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#UserEntity
Thanks for the answer emseetea, but we do have a little more than that.
Back to the original question - can you programmatically "assign a group to an application". The answer is yes, using appRoleAssignments on the service principal. The service principal represents an application instance, that typically gets provisioned as part of a consent grant. On this tenant specific app instance (service principal) you can attach tenant specific permissions and policy. Permissions get created as part of consent, but you can also programmatically assign an application role (defined by the application) to a user or group. If no application role is assigned, then you can make a "default" assignment. You can find a little more on this topic here http://blogs.msdn.com/b/aadgraphteam/archive/2014/12/12/announcing-the-new-version-of-graph-api-api-version-1-5.aspx which describes a little about this with some sample REST API calls.
This same operation is also possible through the client library. You can take a look at https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console. Look at the section titled "#region Assign Direct Permission". This shows how to assign an app role to a user. You can do the same thing on a group too. If your app doesn't specify any app roles, set the appRoleAssignment.Id to a zero GUID.
Hope this helps,