When I add an appRoles section to my application manifest in Azure AD, I can assign users and groups to roles in the management portal.
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"description": "Can read data.",
"displayName": "Data Reader",
"id": "67fba7fa-e54e-4258-b95d-32b082eb771d",
"isEnabled": true,
"value": "reader"
},
{
"allowedMemberTypes": [
"User"
],
"description": "Can create and edit data.",
"displayName": "Data Writer",
"id": "e36736c5-e923-435e-8e44-6cae90792931",
"isEnabled": true,
"value": "writer"
}
],
However, the UI only allows me to assign a single role to a user or group.
I can't find how to assign multiple roles to a user or group. I can add the user to multiple groups and assign roles to members of that group, which will result in multiple role claims in the token for that user, but this seems awkward.
Am I missing something? Is there a way to assign multiple roles to a user or group?
You can assign multiple roles to the same user in the same app, but it is very limited. Basically add the same user again and select a different role:
The mechanism is very cumbersome and will not scale. If you have AAD Premium Lvl 2, you can associate application roles with groups and a when you assign a user to that group, they will gain the roles automatically. The automatic assignment only works for Premium Lvl 2 though.
This turns out to be a limitation of the Azure management portal. In this blog comment, the AAD PM explains it is possible to assign multiple roles to a user or group through the GraphAPI.
For more info, see section 'Assigning application roles' in this MSDN blog article.
Had the same problem and with the current version of the azure portal the workaround was
Create two groups (group_for_perm1, group_for_perm2)
Add the same user to both groups (myuser#domain.com)
Go into Azure AD->Enterprise applications
Change the "Application type" filter to "All applications"
Search for your app
Select "Users and Groups"
Hit "+ Add user/group" at the top, and assign group_for_perm1 permission1
Hit "+ Add user/group" at the top, Assign group_for_perm2 permission2
Note if the "+ Add user/group" button is greyed out, you either didn't add App Roles to the App registration, or aren't in the owner group for the "Enterprise application". It appears you can be the owner of the App Registration and not be the owner of the Enterprise Application.
The token should now have a roles section with your two permissions. Take the JWT to jwt.io and you should see something like
"rh": "I",
"roles": [
"permission1",
"permission2"
],
Related
Is there a quick and easy way to find Microsoft Graph API - Delegated / Application Permissions GUID (or even deprecated Azure AD API Permissions).
Tried to follow the official document but find it not very intuitive.
https://learn.microsoft.com/en-us/graph/permissions-reference
Since permissions names are similar, eg: group.readwrite.all between delegated vs application, is there any tool or technique to easily find these IDs.
az ad sp list --query "[?appDisplayName=='Microsoft Graph'].{permissions:oauth2Permissions}[0].permissions[?value=='Group.ReadWrite.All'].{id: id, value: value, adminConsentDisplayName: adminConsentDisplayName, adminConsentDescription: adminConsentDescription}[0]" --all
{
"adminConsentDescription": "Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content.",
"adminConsentDisplayName": "Read and write all groups",
"id": "4e46008b-f24c-477d-8fff-7bb4ec7aafe0",
"value": "Group.ReadWrite.All"
}
this seems to be incorrect as the ID that is correct is:
Group_ReadWrite_All = {
id = "62a82d76-70ea-41e2-9197-370581804d09"
type = "Role"
}
Am I missing something obvious here? especially the Role/Scope or its Delegated vs Application issue?
Query to list all the Apps
az ad sp list --query '[].{appDisplayName:appDisplayName, appId:appId}'
Query "Microsoft Graph" app, to find "oauth2" scope of "Group.ReadWrite.All" permission
az ad sp list --query "[?appDisplayName=='Microsoft Graph'].{permissions:oauth2Permissions}[0].permissions[?value=='Group.ReadWrite.All'].{id: id, value: value, adminConsentDisplayName: adminConsentDisplayName, adminConsentDescription: adminConsentDescription}[0]" --all
{
"adminConsentDescription": "Allows the app to create groups and read all group properties and memberships on behalf of the signed-in user. Additionally allows group owners to manage their groups and allows group members to update group content.",
"adminConsentDisplayName": "Read and write all groups",
"id": "4e46008b-f24c-477d-8fff-7bb4ec7aafe0",
"value": "Group.ReadWrite.All"
}
Query "Microsoft Graph" app, to find app "Role" of "Group.ReadWrite.All" permission
az ad sp list --query "[?appDisplayName=='Microsoft Graph'].{permissions:appRoles}[0].permissions[?value=='Group.ReadWrite.All'].{id: id, value: value, adminConsentDisplayName: adminConsentDisplayName, adminConsentDescription: adminConsentDescription}[0]" --all
{
"adminConsentDescription": null,
"adminConsentDisplayName": null,
"id": "62a82d76-70ea-41e2-9197-370581804d09",
"value": "Group.ReadWrite.All"
}
In Azure AD, I have tenant-wide groups, but then for applications, I have roles defined in the app's manifest, in the "appRoles" area.
Where do I find or setup the mapping between the application's roles and the tenant's groups?
Is there a call I can make to Microsoft Graph to see the ID for the role, the ID for the group, and the ID for the association between the group and the role?
I thought calling servicePrincipal in Microsoft Graph might provide this association ID for the mapping, but I don't see the association info, maybe because I need to specifically setup the mapping.
My understanding is there can be a mapping between the tenant-wide groups and the application-specific roles, so if the tenant has a hundred groups but only 3 groups relate to an application, those three groups can be in the application as roles under "appRoles", and when a user logs into that app, only those 3 roles/groups would be potentially in the user's JWT token, instead of 100 groups that might not relate to the application.
What you need is Get appRoleAssignment. (Note that use of /beta APIs in production applications is not supported.)
https://graph.microsoft.com/beta/groups/{group id}/appRoleAssignments
Here is an example of the response:
{
"id": "vYC9THsQiUaIO0_OAVavTkhETv6Zy7pKlmGdjahzx6o",
"creationTimestamp": "2019-09-25T03:30:02.739514Z",
"appRoleId": "d1c2ade8-98f8-45fd-aa4a-6d06b947c66f",
"principalDisplayName": "TestAllenG",
"principalId": "4cbd80bd-107b-4689-883b-4fce0156af4e",
"principalType": "Group",
"resourceDisplayName": "AllenTestBot001",
"resourceId": "f958f02e-6d83-43f0-8a86-a08fe42f1aab"
}
"appRoleId" is the id of the appRole. "resourceId" is the id of the servicePrincipal.
When I register an application of type Web App/API in Azure Active Directory (Azure AD), I can add Users and Groups and assign pre-defined application roles to the application in the tenant's Enterprise Applications. However, there is no provision to add Users and Groups for an application of type Native.
Is it possible to add Users and Groups to a native application, and set them with application specific roles via PowerShell or Azure CLI?
As you noticed Users and Groups is hidden in the Enterprise Applications blade in the case of native applications and I believe that the reason is that you don't usually configure role assignments in the native application but instead you do it in the WebApp/WebAPI (that the native application is consuming).
Anyway yes you can configure application roles for a native application. You can do it but editing the manifest and adding the appRole there (the value property will appear in the role claim). Example:
"appRoles": [
{
"allowedMemberTypes": [
"Application",
"User"
],
"displayName": "ReadOnly",
"id": "9cc5ee76-3d7d-4060-8b7f-e734f3917e71",
"isEnabled": true,
"description": "ReadOnly roles have limited query access",
"value": "ReadOnlyUser"
}
]
Then you can add an user to that role by using Powershell:
New-AzureADUserAppRoleAssignment -ObjectId <user's object ID> -PrincipalId <user's object ID> -ResourceId <native app service principal ID> -Id <role ID as it is in the manifest>
Then if you get a token for this application and for that user, you should see the role claim:
"roles": [
"ReadOnlyUser"
]
I am trying to add required permissions to an Azure AD application. I already know how to replicate information from a downloaded manifest through a PATCH REST call, e.g.
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "7b9103a5-4610-446b-9670-80643382c1fa",
"type": "Scope"
},
{
"id": "5df07973-7d5d-46ed-9847-1271055cbd51",
"type": "Scope"
}
]
}
]
As explained by Christer Ljung on his blog http://www.redbaronofazure.com/?page_id=181.
But the mystery remains how I can "convert" human-readable scopes such as Mail.Read to these obscure guids. I have read the following blog of Sahil Malik's at http://blah.winsmarts.com/2015-1-Programmatically_register_native_apps_in_Azure_AD_or_Office_365.aspx that explains how to get a list of available guids for a particular ServicePrincipal. E.g. through an http get to https://graph.windows.net/<tenant-id>/servicePrincipals()?api-version=1.6&$filter=appId%20eq%20'00000002-0000-0ff1-ce00-000000000000'> (Exchange) but when I try to get the list of available scopes of ServicePrincipal 00000003-0000-0000-c000-000000000000 (I believe the one for Graph API) the return value is just empty.
Interestingly, with Fiddler I was able to capture an http post request which contains all the guids when adding the permissions through Azure Portal.
Anyone any clue how I can do this programmatically?
After investigation, I discover a way to get permission guid using azure-cli. Share here in case anyone is finding this:
get all permisson and their GUID of a certain service principal by display-name, app-id or object-id. (Note that display-name is not unique and can maps multiple service principal)
$ az ad sp list --filter "displayName eq 'Microsoft Graph'" --query '[].oauth2Permissions[].{Value:value, Id:id, UserConsentDisplayName:userConsentDisplayName}' -o table
Value Id UserConsentDisplayName
------------------------------------------------------- ------------------------------------ -----------------------------------------------------------------------------------------
ServiceHealth.Read.All 55896846-df78-47a7-aa94-8d3d4442ca7f Read service health
ServiceMessage.Read.All eda39fa6-f8cf-4c3c-a909-432c683e4c9b Read service messages
TermStore.ReadWrite.All 6c37c71d-f50f-4bff-8fd3-8a41da390140 Read and write term store data
TermStore.Read.All 297f747b-0005-475b-8fef-c890f5152b38 Read term store data
TeamMember.ReadWriteNonOwnerRole.All 2104a4db-3a2f-4ea0-9dba-143d457dc666 Add and remove members with non-owner role for all teams
Team.Create 7825d5d6-6049-4ce7-bdf6-3b8d53f4bcd0 Create teams
TeamsAppInstallation.ReadWriteForUser 093f8818-d05f-49b8-95bc-9d2a73e9a43c Manage your installed Teams apps
TeamsAppInstallation.ReadWriteSelfForUser 207e0cb1-3ce7-4922-b991-5a760c346ebc Allow the Teams app to manage itself for you
...
$ az ad sp list --filter "appId eq '00000003-0000-0000-c000-000000000000'" --query '[].oauth2Permissions[].{Value:value, Id:id, UserConsentDisplayName:userConsentDisplayName}' -o table | head
Value Id UserConsentDisplayName
------------------------------------------------------- ------------------------------------ -----------------------------------------------------------------------------------------
ServiceHealth.Read.All 55896846-df78-47a7-aa94-8d3d4442ca7f Read service health
ServiceMessage.Read.All eda39fa6-f8cf-4c3c-a909-432c683e4c9b Read service messages
TermStore.ReadWrite.All 6c37c71d-f50f-4bff-8fd3-8a41da390140 Read and write term store data
TermStore.Read.All 297f747b-0005-475b-8fef-c890f5152b38 Read term store data
TeamMember.ReadWriteNonOwnerRole.All 2104a4db-3a2f-4ea0-9dba-143d457dc666 Add and remove members with non-owner role for all teams
Team.Create 7825d5d6-6049-4ce7-bdf6-3b8d53f4bcd0 Create teams
TeamsAppInstallation.ReadWriteForUser 093f8818-d05f-49b8-95bc-9d2a73e9a43c Manage your installed Teams apps
TeamsAppInstallation.ReadWriteSelfForUser 207e0cb1-3ce7-4922-b991-5a760c346ebc Allow the Teams app to manage itself for you
...
Run the below command to get full information of certain service principal including its oauth2Permissions and servicePrincipalNames, etc.
az ad sp show --id 00000003-0000-0000-c000-000000000000 >microsoft_graph_permission_list.json
# microsoft_graph_permission_list.json
{
...
"appDisplayName": "Microsoft Graph",
"appId": "00000003-0000-0000-c000-000000000000",
"objectId": "b19d498e-6687-4156-869a-2e8a95a9d659",
"servicePrincipalNames": [
"https://dod-graph.microsoft.us",
"https://graph.microsoft.com/",
"https://graph.microsoft.us",
"00000003-0000-0000-c000-000000000000/ags.windows.net",
"00000003-0000-0000-c000-000000000000",
"https://canary.graph.microsoft.com",
"https://graph.microsoft.com",
"https://ags.windows.net"
],
"appRoles": [...],
"oauth2Permissions": [
{
"adminConsentDescription": "Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.",
"adminConsentDisplayName": "Read and write all users' full profiles",
"id": "204e0828-b5ca-4ad8-b9f3-f32a958e7cc4",
"isEnabled": true,
"type": "Admin",
"userConsentDescription": "Allows the app to read and write the full set of profile properties, reports, and managers of other users in your organization, on your behalf.",
"userConsentDisplayName": "Read and write all users' full profiles",
"value": "User.ReadWrite.All"
},
{
"adminConsentDescription": "Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.",
"adminConsentDisplayName": "Read all users' full profiles",
"id": "a154be20-db9c-4678-8ab7-66f6cc099a59",
"isEnabled": true,
"type": "Admin",
"userConsentDescription": "Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on your behalf.",
"userConsentDisplayName": "Read all users' full profiles",
"value": "User.Read.All"
},
...
]
...
}
Few things to say about this topic.
First, it is important to note that all of the OAuth2Permission Scopes are registered on the main Application Object in the developer's tenant. Thus, in general, you would not have access to that information, since it would be in a tenant where you are not a user. So as an external developer, these permission scopes are not discoverable via our APIs.
Second, you are able to see that the Azure Portal has access to this information because it has elevated access to query the OAuth2Permissions for all resources in all tenants. This is how our UX is able to populate all the permissions for all the various external and internal resources that you want to use in your tenant. The portal will first check which service principals are in your tenant (service principals get provisioned most commonly once you consent to use the application), then it will look up the Application Object that corresponds to that service principal, and find all the permission scopes. This behavior will hopefully allow you to only see the resource applications which are relevant to you, rather than populating your screen with all possible resources.
Finally, moving forward we are looking to take a step back from having to statically register permissions that clients require to call resource applications. Instead we will be pushing a new Incremental and Dynamic Consent framework. You will note that here that we are taking a dependency on the scope names, rather than the ObjectID GUIDs of those permissions as we did in the past. But still, I agree with you in general that the discoverability of the scopes that resources expose is very heavily dependent their own public documentation. I imagine in the future there might be an endpoint which exposes all the scopes available on a particular resource, but I know of no such work to do this in the near future.
Let me know if this helps!
I was following this article and created a sample which works perfectly well. I can sign up, sign out and edit my profile with it but can't find out how to add a user in AAD B2C and assign it some role, so that I can differentiate them on the basis of roles, i.e. when I get to the Claims Page and get a user object, I can check the user by writing something like this:
User.IsInRole("client")
I added a custom attribute in "User Attributes" with the name of "Role" but that didn't solve my problem. I can only see that when I write:
foreach (Claim claim in ClaimsPrincipal.Current.Claims)
...claim.Type .... claim.Value
But I want it as I explained above
Thanks in advance.
Ok by now, I have found out the roles by clicking on the directory name -- users, but the available roles are User, Global Admin, Billing Admin, Service Admin, User Admin and Password Admin, but User.IsInRole("User") didn't work for me. So,
1. can I add any customized roles
2. how can I check if my user belongs to a particular role programmatically?
Thanks.
You can add custom roles by modifying application manifest file (application configured in Azure Active Directory). You just have to download manifest json file, add your custom roles and upload file again. You can do it here:
Then open the file and add custom role like that:
"appRoles": [
{
"allowedMemberTypes": [
"User"
],
"description": "some text",
"displayName": "Super role",
"id": "c530a40b-a47c-42b7-ba9a-f34d8ca7e443",
"isEnabled": true,
"origin": "Application",
"value": "Super role"
}
],
User attributes in Azure B2C are prefixed with "Extension_", so a user attribute "Role" will be called "extension_role" in your claims.
This is the reason the UserIsInRole doesn't work
Something that works for Azure AD, maybe for B2C also(not tried by me):
Try to use Groups (create a new group), add the user to the group.
Group membership isn't added to your claims by default:
http://justazure.com/azure-active-directory-part-4-group-claims/