I am setting up Azure API Management with 2 different products that offer different access and restrictions to the underlying API.
Ideally I would like subscriptions for each product to have a different length of time that the user can access them for before it needs to be renewed. I am not finding any type of auto-expiration date for subscriptions when I approve them.
Is there a way to do this that I am missing?
You can create product specific policies that check the time since the subscription was created and deny access if necessary. See context.Subscription.StartDate here https://msdn.microsoft.com/en-ca/library/dn910913.aspx
Related
My requirements are to find all the users not logged in via Azure AD since last 45 days and last 90days and take action. That is,
A daily nightly job to run on Azure AD and if it finds users not login since last 45days; it should automatically disable the users.
A daily nightly job to run on Azure AD and if it finds users not login since last 90days or previous inactive users; it should delete the users.
This link looks similar where it’s going via a review process. However, my requirements are bit simple.
Thanks.
There are several options for identifying and removing stale/inactive users:
The access review feature you linked for identifying and removing inactive users is the most seamless, built-in way to achieve this at the moment. You can specify the "days inactive" and then remove the accounts either after the review period passes or after no reviewer has responded. To create access reviews and identify inactive users, you do need to have a Premium P2 license.
Alternatively though, you could use an Azure Automation account or Azure Logic app to achieve the same thing. For instance, you could create an Azure Automation Powershell runbook with a daily schedule that checks the Azure AD sign-in logs and deletes the accounts based on the condition of whether they have recently signed in (i.e. where max_TimeGenerated <= ago(45d)). There is an example blog post here that implements this logic. Note that to update the accountEnabled property of admin users, you need to use delegate permissions which need to run in the context of a user.
Another option is to query based on the lastSignInDateTime property.
The documentation for How To Manage Inactive Users has an example of how to query users who haven't signed in after a certain date using Microsoft Graph API.
Example:
https://graph.microsoft.com/beta/users?filter=signInActivity/lastSignInDateTime le 2019-06-01T00:00:00Z
To test the call, you can Sign in to Graph Explorer using the Global Administrator account of your tenant and execute the GET call.
Permissions Required:
Directory.AccessAsUser.All
Directory.Read.All
The SignInActivity property/endpoint is documented in detail here: https://docs.microsoft.com/en-us/graph/api/user-list?view=graph-rest-beta&tabs=http#example-3--list-users-including-their-last-sign-in-time
If you don't want the full list of users, you can also search for a specific user by name and evaluate the lastSignInDateTime:
https://graph.microsoft.com/beta/users?$filter=startswith(displayName,'marileet')&$select=displayName,signInActivity
Is it possible to have a single API in APIM that either accepts AAD token or subscription, based on what product it belongs to?
Default, this does not work, since unchecking "require subscription" on API-level will override setting product to require subscription.
So, I see two solutions.. create two APIs in APIM and place them in separate products (same backend), or write a custom policy. Is there a way to check context.Subscription.Key and match with the product subscriptions?
Should be possible by adding your API to two products:
One with subscription requirement enabled
Another without subscription requirement enabled, but with validate-jwt policy added at product level to require AAD token
I have a product published that does not requires a subscription. The 4 APIs that compose it also does not. How can I define policies on a product level?
Such policies seem to work only when both the APIs AND the product require subscription AND the request is made using the product subscription key.
Prerequisites:
API subscription switched off:
Product subscription switched off:
Product added to API:
Product has policies defined, example:
If above points are true, just call your API without Ocp-Apim-Subscription-Key header and APIM will automatically execute API and attached product policies. If you provide Ocp-Apim-Subscription-Key with correct value, like for example administrator subscription key, APIM will only execute API policies.
To reduce the frustration it is important to understand policy order execution. Read the whole article here but in short the order is:
Global scope
Product scope
API scope
Operation scope
One last thing, if non subscription product is attached to non subscription API and its policies are executed automatically, you may wonder what happens if we add second open product to the API? Policies from which product will be executed? Turns out, this is not possible (what makes sense). Attempting to add second open product will result in following error:
I am using Azure API Management to proxy requests from Internet to our backend systems. I have a Product entry on Azure Portal and an API entry associated with the product. Generally access to the API must be by subscription, but I would like the method returning OpenAPI specification (as well as probably few other methods) to be accessible without subscription (freely).
I see "Requires subscription" checkbox on the Product level as well as on API level, but not on a method's level. So I need either:
bypass subscription check for certain methods while keeping access by subscription for others, or:
same but vice versa: keep the access free for API, but enforce subscription check for certain methods (not preferable, as this fraction is greater).
I checked the list of policies and did not find anything applicable for my case. Moreover this link states:
Subscriptions can be associated with various scopes: product, all
APIs, or an individual API.
Is there a way I can workaround this limitation?
I mean that, maybe you wanna some of the methods(less amount) in an Api can be called without a subscription while the left need. And I searched the ms document but failed to find such policy.
The link you provided also intended that. From my point of view,
how about trying to add a separated Api containing those methods that
don't need subscription?
As you can see my question above, I was wondering if it is possible to retrieve the assigned groups of an Azure Active Directory (AAD) based user via Microsoft GraphAPI.
My situation is, that I have an ASP.NET MVC project with Microsoft Azure enabled. My goal is, that an Azure user can login on my website with it's Azure account.
The idea is, that an azure user is an admin or an user (depending on the azure groups) and depending of this role group, the user can view more or less of my webpage.
For example:
When Peter logs in with his azure account on my webpage, he should only be able to see:
Add new Document
Edit Document
Remove Document
because he is only assigned as "User" in Azure Active Directory.
But when Sabrina logs in with her azure account on my webpage, then she should be able to do the same as Peter, but she also can see:
Manage Products
Add new customer
etc.
because she is been assigned as an admin in Azure Active Directory.
My problem is, that I did not find out how I retrieve the assigned group of an user with Microsoft GraphAPI. The part, which user can see or not after I got the roles is not a big deal.
I already tried this API call:
https://graph.microsoft.com/v1.0/me/
But it seems, that the response of this call does not include the actual assigned group of that user.
Do you think it is possible to retrieve the assigned group of an azure user? Is this even possible? Or do I have to do something else to retrieve these information?
I hope you understand my point and I am also looking forward for any response. Thanks in advance!
Add /memberOf to the URL to receive the groups a user is member of.
https://graph.microsoft.com/v1.0/me/memberOf
Here's a link to the specific graph api - https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups
Take a look at this sample application on Github. It does something very similar with a task tracker application, where different users are able to perform different actions based on the group they belong to -
https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims/blob/master/README.md
Also, in cases where a user is a member of too many groups, you get back an overage indicator and have to make a separate call to get all groups. Read about “hasgroups” and “groups:src1” claims here - https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-id-and-access-tokens
According to your system architecture, if some user has too many joined groups, the API https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups will return too many groups.
But if the groups with permissions in your system are not too much, you can use this API: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_checkmembergroups to check if the current user is the member of specified groups.
It is not good idea to use this API: https://graph.microsoft.com/v1.0/me/memberOf. Because it returns only the groups that the user is a direct member of, but security group can be member of security group.