Azure Active Directory Object Permissions - azure

I have an Azure Active Directory Application (and associated Service Principal). That Service Principal needs to be able to add and remove members from an Azure Active Directory Group...so I have added Read and write directory data under Application Permissions:
And I have code that uses the Client ID and Client Secret to get an Authentication Token an perform these operations using the Azure Graph API.
However, this permission is far too broad. I need the Application/Service Principal to only have the ability to add and remove members from specific groups (not all)...and not the ability to perform other types of operations.
Is there a way to do this?
Thank you.

There is a preview feature that partly fits your requirement: "Group.ReadWrite.All". It lets your principal create and update groups and their navigation properties (incl. members). It does not however reduce the permissions to modify only certain groups.
AAD permission scopes are described here: https://msdn.microsoft.com/Library/Azure/Ad/Graph/howto/azure-ad-graph-api-permission-scopes
Preview features may be subject to change and you'll have to agree to reduced service terms etc.: https://azure.microsoft.com/en-us/services/preview/

Related

Query for specific Azure AD permission

Is there a way in Microsoft Graph how to check whether signed-in user (device code auth is used) has a specific AAD permission? In my case that would be Microsoft.Directory/groups/members/update - I'd like to notify a user that he/she is not permitted to add service principal to an AD group.
My initial idea was to find DirectoryRoles a user is member of. Then view related DirectoryRoleTemplates and somehow check permissions attached to the template. It looks like this is not possible.
I'm a program manager at Microsoft working on Azure AD access control. Thanks for your question and feedback. As Allen says, we don't have an API for this today. The best we have is what's called the 'wids' claim in the user's access token. Search this article for 'wids' for more information.
The wids claim contains the list of directory role template object ids the user is a member of. Role template object ids are immutable and consistent across the system, so you can hardcode your check against them. There is a role to template id mapping table here.
We're looking at exposing an API that returns the list of underlying permissions of the signed-in user following the syntax Allen mentions from the documentation. However, I don't have a date yet on when that would be available.
Let me know if you have any questions.
Thanks again,
Vince Smith
Currently Microsoft has not exposed an API for obtaining Role permissions corresponding to DirectoryRole.
Based on the official document, microsoft.directory/groups/members/update permission only exists in the following roles:
Directory Writers
Groups Administrator
User Account Administrator
Intune Service Administrator
Partner Tier1 Support
Partner Tier2 Support
A workaround is to customize a config file in your project to set the fixed values. Read them to see if the user's directory role matches one of them.

Microsoft GraphAPI: How do I retrieve the assigned groups of an azure user?

As you can see my question above, I was wondering if it is possible to retrieve the assigned groups of an Azure Active Directory (AAD) based user via Microsoft GraphAPI.
My situation is, that I have an ASP.NET MVC project with Microsoft Azure enabled. My goal is, that an Azure user can login on my website with it's Azure account.
The idea is, that an azure user is an admin or an user (depending on the azure groups) and depending of this role group, the user can view more or less of my webpage.
For example:
When Peter logs in with his azure account on my webpage, he should only be able to see:
Add new Document
Edit Document
Remove Document
because he is only assigned as "User" in Azure Active Directory.
But when Sabrina logs in with her azure account on my webpage, then she should be able to do the same as Peter, but she also can see:
Manage Products
Add new customer
etc.
because she is been assigned as an admin in Azure Active Directory.
My problem is, that I did not find out how I retrieve the assigned group of an user with Microsoft GraphAPI. The part, which user can see or not after I got the roles is not a big deal.
I already tried this API call:
https://graph.microsoft.com/v1.0/me/
But it seems, that the response of this call does not include the actual assigned group of that user.
Do you think it is possible to retrieve the assigned group of an azure user? Is this even possible? Or do I have to do something else to retrieve these information?
I hope you understand my point and I am also looking forward for any response. Thanks in advance!
Add /memberOf to the URL to receive the groups a user is member of.
https://graph.microsoft.com/v1.0/me/memberOf
Here's a link to the specific graph api - https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups
Take a look at this sample application on Github. It does something very similar with a task tracker application, where different users are able to perform different actions based on the group they belong to -
https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims/blob/master/README.md
Also, in cases where a user is a member of too many groups, you get back an overage indicator and have to make a separate call to get all groups. Read about “hasgroups” and “groups:src1” claims here - https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-id-and-access-tokens
According to your system architecture, if some user has too many joined groups, the API https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups will return too many groups.
But if the groups with permissions in your system are not too much, you can use this API: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_checkmembergroups to check if the current user is the member of specified groups.
It is not good idea to use this API: https://graph.microsoft.com/v1.0/me/memberOf. Because it returns only the groups that the user is a direct member of, but security group can be member of security group.

Unable to Add, Edit, or Remove users and groups for Enterprise Application

I've created and registered a web application via Azure Active Directory -> App Registrations.
Within my application manifest I've created a role (why there's no UI to do this is beyond me), and for now am planning on adding quite a few more.
However, I'm unable to assign users to the role I created via Azure Active Directory -> Enterprise Applications, as the Add, Edit, and Remove options are greyed out.
According to these docs, I need to be Global Admin to be able to set these. The only way I can do so is to keep pestering my network admin every time I want to assign users/groups to roles. This is obviously not a suitable solution, and as the registered application owner, it should be trivial for me to control the authorization levels of my application.
How is it possible for me to assign users & groups to the roles I create? If it's simply not possible without having to raise the issue with my global admin, what are my options?
Unfortunatelly, as per docs, you already went through, today only administrator can assign roles to an application.
There is a feature request to simplify that and Microsoft is working on a solution. If you give your vote, it will certainly make the request more important.
For time being it is only the Global Admin who can grant permissions to an Application.

Can we Authenticate user of specific group in Active Directory

I can Authenticate user in Active directory but I need to know can we authenticate a specific user in group if we have multiple groups.
Basically I am redirecting to http://[mydirectory].onmicrosoft.com and validating the user but I need to know do we have mechanism to validate a user from specific group so that I can give access according to that.
Assuming this is Azure AD (and not on-premises Windows Server AD), then you have three options to restrict access to an application via groups.
Option 1: Require user/group assignment to application
This is the only option that does not require adding authorization logic in your application.
When configuring your application in the classic Azure portal, you can set the application to require user assignment:
Then, under "Users and Groups" for that application, you can choose which individual users or groups should have access to the application.
The most important thing to consider here is that this will only apply to direct members of the group, not to nested members.
Option 2: Request group claims
This option will allow you to request that the token returned to the application after a user has signed in contain the list of groups that the user is a member of. This includes groups that they are transitive members of (i.e. nested groups).
From your application's configuration page in the classic Azure portal, you can download and upload the app's manifest JSON file. In the manifest, locate the "groupMembershipClaims" attribute, and set it to "All" or "SecurityGroup" (the latter will exclude distribution lists).
Once this is set, after the user signs in, the resulting token will have a groups claim that contains a list of group object IDs that the user is a member of. Your application can then use these claims to decide whether or not the user should have access.
Dushyant Gill goes into group claims in detail in his blog post: http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/ (archive.org link)
The important consideration here is that there is a limit to the number of groups that can be returned. If the user is a member of more groups that this limit, then an "overage" claim is issued, and your application will need to make an Azure AD Graph API call to get the full list. (This is also described in Dushyant's blog post.)
Option 3: Use the the Microsoft Graph API or the Azure AD Graph API directly
The final option is to simply call the Microsoft Graph API (or the Azure AD Graph API, they both act almost identically for this) to establish if the signed in user is a member of a given group. Your application can then make the authorization decision.
There are several approaches you can take (these are all transitive checks, so nested groups are supported):
isMemberOf to check whether a the user is a member of a specified (single) group. This is the simplest if a single group should grant access to your app.
checkMemberGroups to check if the user is a member of any groups in a list of groups. This is useful if different groups grant different roles or permissions in your application.
getMemberGroups to return the full list of groups the user is a member of. This is generally not particularly useful for doing authorization checks.

Interceptor for Weceem Security rules

We managed to install weceem plugin and could map with user roles. But we need more control as follow. There are tenants in the system, users of which have the same roles. But each tenant in the grails app is fully isolated from other tenants. So we plan to create one space for each tenant. Then we want to grant access for users of one tenant to their specific wecem space. This way users of one tenant can't access the content of another SPACE meant for another tenant. We can't isolate based on roles, because users of all tetants will have same role - like 'Tenant Admin'.
Can we write an intercptor in the controller (or somewhere else) which will be invoked by the security framework, and we want to write custom code in that intercptor to determine that the tenant is accessing only his specific SPACE and that allow access, else deny ?
can we create SPACE progamatically from the main application ? like, when a tenant is created in the system, we want to create a SPACE for him.
There is a default weceem-security bridge (weceem-spring-security plugin) that defines user management system between application and weceem. You can implement your own security decision that takes tenants into account and define credentials to the specified Space. Check the weceem-security plugin sources to get the ideas https://github.com/jCatalog/weceem-spring-security/ . According to second question - you can create Space programmatically from the application if you need.

Resources