Azure Active Directory - Assign to group - azure

Is it possible to assign an application (as an Application or Service Principal) to a group programmatically, via the graph client or API? (Including the app user credentials needed to allow access of the members of the group to the app)
I searched everywhere and couldn't find documentation for it.
Thanks

No, 'Applications' in Azure AD are used to segment authorization and settings within Azure AD. It creates a trust between Azure AD and your application. The Application is not a User.
Users are Azure AD entities that have identity and can be authorized to access resources (like an Application). Users can be added to groups. See the below link for the Azure AD graph API documentation:
https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/groups-operations#AddGroupMembers
And the documentation on what a user entity looks like:
https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#UserEntity

Thanks for the answer emseetea, but we do have a little more than that.
Back to the original question - can you programmatically "assign a group to an application". The answer is yes, using appRoleAssignments on the service principal. The service principal represents an application instance, that typically gets provisioned as part of a consent grant. On this tenant specific app instance (service principal) you can attach tenant specific permissions and policy. Permissions get created as part of consent, but you can also programmatically assign an application role (defined by the application) to a user or group. If no application role is assigned, then you can make a "default" assignment. You can find a little more on this topic here http://blogs.msdn.com/b/aadgraphteam/archive/2014/12/12/announcing-the-new-version-of-graph-api-api-version-1-5.aspx which describes a little about this with some sample REST API calls.
This same operation is also possible through the client library. You can take a look at https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console. Look at the section titled "#region Assign Direct Permission". This shows how to assign an app role to a user. You can do the same thing on a group too. If your app doesn't specify any app roles, set the appRoleAssignment.Id to a zero GUID.
Hope this helps,
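The assignment described in the answer above, worked through as an added example (not code from the answer or the linked samples): it resolves the appRoleId from the service principal's declared appRoles, falls back to the zero GUID when the app declares none, and builds the request as Microsoft Graph expects it for `POST /servicePrincipals/{id}/appRoleAssignedTo` (assumed here instead of the older Azure AD Graph 1.5 calls in the blog post). The service principal and GUIDs are constructed sample values.

```python
import uuid
from typing import Optional

# The "default" assignment used when the application declares no app roles.
DEFAULT_APP_ROLE_ID = "00000000-0000-0000-0000-000000000000"

# Constructed sample service principal (not a real tenant object).
SAMPLE_SP = {
    "id": "11111111-2222-3333-4444-555555555555",
    "appRoles": [
        {"id": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee", "value": "Reader", "isEnabled": True},
        {"id": "ffffffff-0000-1111-2222-333333333333", "value": "Legacy", "isEnabled": False},
    ],
}


def require_guid(value: str, name: str) -> str:
    """Reject malformed object IDs before they reach the directory."""
    try:
        return str(uuid.UUID(value))
    except (ValueError, TypeError, AttributeError):
        raise ValueError(f"{name} must be a GUID, got {value!r}") from None


def resolve_app_role_id(service_principal: dict, role_value: Optional[str]) -> str:
    """Find the appRole id for role_value among the SP's enabled appRoles; if the
    application declares no roles at all, use the zero GUID (a default assignment)."""
    declared = service_principal.get("appRoles", [])
    if not declared:
        return DEFAULT_APP_ROLE_ID
    for role in declared:
        if role.get("value") == role_value and role.get("isEnabled", True):
            return require_guid(role["id"], "appRoleId")
    raise LookupError(f"app role {role_value!r} is not defined (or is disabled) on the application")


def build_group_assignment(group_id: str, service_principal: dict,
                           role_value: Optional[str] = None) -> dict:
    """Return the request to send: the body carries the three fields Microsoft Graph
    requires for POST /servicePrincipals/{id}/appRoleAssignedTo."""
    sp_id = require_guid(service_principal["id"], "service principal id")
    body = {
        "principalId": require_guid(group_id, "group id"),  # the group being assigned
        "resourceId": sp_id,                                # the app's service principal
        "appRoleId": resolve_app_role_id(service_principal, role_value),
    }
    url = f"https://graph.microsoft.com/v1.0/servicePrincipals/{sp_id}/appRoleAssignedTo"
    return {"method": "POST", "url": url, "body": body}
```

The caller still needs a Graph token with permission to manage app role assignments; the function only prepares the request.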

Related

Azure AD App Registration with multi-customer access

Hello friends and thank you for taking the time to read my question and for all potential answers.
I am building a customer application which allows several proprietors (business owners) to log-in and manage their business. I don't want to focus on the details of the app as it is not relevant (I think) because this is more of a qualitative question.
I am using Azure AD (App Registrations) for both the Blazor WASM and API. I am comfortable creating and utilizing those. What I am trying to understand is how to not allow customers to see each other's data by using purely just Azure AD.
Example:
Customer User A from business X logs into the app. They are redirected to myapp.com/Business-X
The Roles I have right now in Azure AD are User.Read, User.ReadWrite and User.Admin
Customer User B from business Y logs into the app and is redirected to myapp.com/Business-Y
Nothing is preventing User A from changing their URL to myapp.com/Business-Y and having the same role in another business' app. I understand that I can change my Roles in Azure AD to be User.Read.X, User.ReadWrite.X, User.Admin.X, User.Read.Y, User.ReadWrite.Y, User.Admin.Y etc. but imagine if I have hundreds of customers, let's say; that is unmanageable and my blazor code will just be a mess.
Is there a better/smarter way to do this? For example I can keep the current simplified roles and add users to a database where I map them to the business they have access to but is that secure? I suspect using a database to store this does not sound right because it feels that Azure AD can do this and I just don't know how.
Thank you again!
Yes, you can surely restrict users' access to a particular application registered in Azure AD by ensuring these applications are also registered as ‘Enterprise Applications’ in Azure AD. Once these applications show up in ‘Enterprise Applications’ in Azure AD, you can configure them to require assignment for a particular set of users only, by ensuring that only the required users have access to that application. To enable user assignment and assign users for that application in Azure AD, you should have the ‘Global Administrator, Application Administrator or Cloud Administrator’ directory roles assigned to your ID.
Please find the snapshots below for more information in this regard:
Also, once you have configured the above, you should make sure to create a custom role at the directory level and assign it the required permissions, as this role would then be assigned to all the users, and these users can then individually be assigned to the required application, thus ensuring that only specific users are allowed to access the assigned app.
Please note that tenant-wide admin consent is granted to apps that would require assignment. Kindly refer to the below link for more information:
https://learn.microsoft.com/en-us/azure/active-directory/develop/howto-restrict-your-app-to-a-set-of-users#update-the-app-to-require-user-assignment

How to prevent outside tenants from giving themselves an app's roles in Azure AD?

I am working on an application, and its registration in Azure AD must allow Accounts in any organizational directory to sign-in. We built this with the thought that we could manage the roles for the app within Azure, so we made a few roles. The roles would also be only assignable and used by employees within our organization.
The whole time we thought that these roles can only be assigned within the Azure AD of the organization that owns the app's registration. We now found that when a user from another tenant signs into our app, they can find the app in their Azure's Enterprise Applications and just assign themselves roles. This means that they'd be able to view data that was never meant to be accessible to them. We don't want any other organization to have access to assigning these roles.
So is there any way to disable other tenants' ability to assign themselves a role in their Azure's Enterprise Application? I just want them to be able to log into the app, not give themselves any roles.
Is this even the appropriate way to achieve what we want? If not, what would be the proper way to do this?
At least I am not aware of any mechanism that will prevent admins from other tenants from assigning roles to users (it works by design).
If you want to use the application roles only within your tenant, I would suggest that you use the tenantid that is also part of the claims when you are doing authorization within your application...
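The check suggested in the answer above, as an added example (not code from the answer): the app honours the `roles` claim only when the token's `tid` claim is the home tenant, so a role that a foreign tenant's admin assigned in their own Enterprise Applications blade has no effect. Signature verification is assumed to have been done by the auth middleware before this runs; the tenant IDs and tokens are constructed test values.

```python
import base64
import json

HOME_TENANT_ID = "11111111-1111-1111-1111-111111111111"  # constructed placeholder


def b64url(data: dict) -> str:
    """base64url-encode a JSON object without padding, as JWT segments are."""
    return base64.urlsafe_b64encode(json.dumps(data).encode()).rstrip(b"=").decode()


def make_unsigned_jwt(claims: dict) -> str:
    """Build a constructed, unsigned test token (header.payload.) for the demo only."""
    return f"{b64url({'alg': 'none', 'typ': 'JWT'})}.{b64url(claims)}."


def decode_claims(jwt: str) -> dict:
    """Return the payload claims of a compact JWT (signature assumed already verified)."""
    payload = jwt.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def effective_roles(claims: dict, home_tenant: str = HOME_TENANT_ID) -> frozenset:
    """Roles the app should act on. The roles claim is trusted only for tokens
    issued by the home tenant, because admins of any other tenant can assign
    the app's roles to their own users; those users keep sign-in but no roles."""
    if claims.get("tid") != home_tenant:
        return frozenset()
    roles = claims.get("roles", [])
    return frozenset(roles) if isinstance(roles, list) else frozenset()


def is_allowed(claims: dict, required_role: str) -> bool:
    return required_role in effective_roles(claims)


# Constructed tokens: identical roles claim, different issuing tenant.
HOME_TOKEN = make_unsigned_jwt({"tid": HOME_TENANT_ID, "roles": ["Admin"], "oid": "user-1"})
FOREIGN_TOKEN = make_unsigned_jwt({"tid": "22222222-2222-2222-2222-222222222222",
                                   "roles": ["Admin"], "oid": "user-2"})
```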

Azure AD App Registration via Powershell: How to ensure the proper permissions?

I need to register an application in Azure AD using PowerShell. I plan to use the New-AzADApplication cmdlet. The cmdlet documentation states the following:
Below are the permissions needed to create an application:
Azure Active Directory Graph
Application.ReadWrite.OwnedBy
Microsoft Graph
Directory.AccessAsUser.All
Directory.ReadWrite.All
I've learned that these permissions are scopes, which is a new concept to me and something I don't know how to deal with in Azure. I found this short demo, which shows these scopes can be managed as API permissions from the Azure App registration context. However, that demo shows the scopes being managed after the application has already been created. How can I establish the proper scopes before the application is created?
Or, more generally, how can I ensure that I have the appropriate permissions to execute the New-AzADApplication cmdlet?
The application that needs those permissions is Azure AD PowerShell in this case. If it didn't have a service principal in your AAD tenant yet, you would be asked for consent to those scopes on first login when using the Connect-AzureAD cmdlet.
In my experience, the service principal that it uses already exists in your tenant. So it already has the needed permissions. But what will also matter is your user permissions. Since it uses delegated permissions, it is acting on behalf of your user. In order for it to be able to create the app, it needs to have the necessary scope/delegated permission and your user must be able to create applications.
The cmdlets do also support acting as a service principal/app, in which case application permissions given to the app used to authenticate would apply, not delegated permissions. But that's another case that I don't think you are asking about.
Applications are able to note which permissions they require (both delegated and application) in the app registration portal. This allows use of the /.default scope and the Azure portal's "Grant admin consent" option.
You can follow this process:
1. Go to your application in the Azure portal – App registrations experience, or create an app if you haven't already.
2. Locate the API Permissions section, and within the API permissions click Add a permission.
3. Select Microsoft Graph from the list of available APIs and then add the permissions that your app requires.
4. Save the app registration.

One click button access to azure resource manager for customers

Is it possible currently to make an application in my Azure AD tenant and allow customers to give it permission to alter their resource groups?
I basically want to create a web application that allows any azure resource owner to allow my application to add something to a resource group of their choosing.
I can't figure out if it's required for the customer to have the global administrator role for this to work?
Is it possible to make a flow that lets the customer sign in to my webapp, and give permission for a resource group of their choosing, without him being the global administrator?
Is it possible for something in the azure portal to select his resource group and allow my azure ad application to get access to his resource group, or what is needed from the customer for this to be possible?
There are two ways by which a 3rd party application can access a user's subscription:
Delegated Permission (User Impersonation): Azure Portal is a good example of that. Basically in this scenario, a user logs in into your application by authenticating herself/himself against their Azure AD and then your application makes ARM API calls on behalf of the logged in user. If the user has permission to do something, your application will do that otherwise your user will get an error.
Application Permission: This is basically more for running things in the background when the user is not logged in. Essentially this is where the concept of Service Principal comes in. In this scenario, someone with administrative privileges grant certain permissions to your application and then your application will be able to do things it is permitted to do. The user need not be present in this scenario.
Now coming to your questions:
I basically want to create a web application that allows any azure resource owner to allow my application to add something to a resource group of their choosing.
I can't figure out if it's required for the customer to have the global administrator role for this to work?
Yes, it is possible for you to create such a web application and the customer need not be a global administrator to use such an application. In fact, this is how we're providing Azure Subscription management in Cloud Portam. Azure Portal works the same way. When you log in to Azure Portal, you only do things you have permissions to. To see this in action, just log in to Azure Portal using a user who is in Reader role and try to create some resources.
Is it possible to make a flow that lets the customer sign in to my webapp, and give permission for a resource group of their choosing, without him being the global administrator?
Yes, it is entirely possible however the permission from Azure's perspective will be at Subscription level and not at a resource group level. Again since you would be impersonating the user, the user need not give you explicit permission to access certain resources. Azure RBAC will take care of this for you.
Is it possible for something in the azure portal to select his resource group and allow my azure ad application to get access to his resource group, or what is needed from the customer for this to be possible?
Yes, it is possible to do so. However in this case, the user who's granting the permission to your application should be in a role that allows her/him to perform this operation. They should have write permission on Microsoft.Authorization resource provider. However please do keep in mind that once your application (also known as Service Principal) is granted access to a resource in your user's subscription, there's no need for a user to login. You typically would want to use this approach for background process kind of applications.

Role Claims when Federating Azure AD

We want to create a MVC web application using claims-based authentication, expecting roles as one of the claims. We want to Federate authentication providers using the Azure Access Control Service to manage this federation. One of the authentication providers is our Azure AD.
The problem is that Azure AD doesn't seem to be able to generate role (or even group) claims. What is the appropriate method to manage group or role access in Azure AD and have role claims served by Azure Access Control Service.
Thanks.
Edit:
A previous comment asked for details: We want to provide access to our cloud application to 3rd parties using their active directory (to simplify user management for them). Our application has a few levels of access to information that the 3rd parties can configure. We were hoping they could do this in their AD (based on our instructions). Groups seemed like the obvious choice, but if there is another way that works, as long as we can provide instructions, it'll work.
We want our application to get claims for a user's level of access. If we had only one partner that was using Azure AD, we could use the graph API against that endpoint, but with multiple partners changing over time, we wanted to federate them so our application only needs to trust the federation server. We were assuming that we needed Azure ACS to manage the federation.
AAD does support roles / groups and you can administer them from the Azure Portal.
However, these are not passed in the "canned" set of claims.
You need to use the Graph API and then convert them e.g. Windows Azure Active Directory: Converting group memberships to role claims.
Update:
ACS requires something to federate with. You can't hook a customer AD up to ACS - you need something like ADFS on top of their AD.
I assume your cloud app runs in Azure?
Then make your app multi-tenanted. If your customers have their own Azure tenant, it will work. You just need to add the Graph API code to your app. ACS is not required.
Your customers then run DirSync. This keeps their Azure tenant in sync with their AD changes.
So two options:
Customer does not have Azure tenant. They install ADFS and federate with AAD.
Customers who do have an Azure tenant use DirSync.
Good news: we have recently turned on the Application Roles and Groups Claim features in Azure AD.
Get a quick overview here: http://blogs.technet.com/b/ad/archive/2014/12/18/azure-active-directory-now-with-group-claims-and-application-roles.aspx
Deep dive post and video on app roles feature is here: http://www.dushyantgill.com/blog/2014/12/10/roles-based-access-control-in-cloud-applications-using-azure-ad/
Deep dive post and video on app roles feature is here: http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/
Hope that helps.
Groups aren't the best choice because they are unique within each directory. Unless you get your customers to define a set of groups that have well-known names and match against the strings, that is (the object ID of a group is different per directory even if they have the same name). I'm actually from the Azure AD team and we are seriously considering releasing a feature to allow you to define roles in your app that your customers can assign their users to. Please stay tuned on this. In the meantime, unfortunately groups are the only way to go. You would have to call "GetMemberGroups" using the Graph to retrieve the groups that the user is assigned to.
What are your timelines for releasing this application? You can contact me directly to see if we can work with your scenario.
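The group-to-role conversion the answers above describe, as an added example (not code from any answer or from the linked posts): it computes transitive membership locally as a stand-in for the Graph getMemberGroups call, then maps group object IDs to the app's roles through a per-tenant table (because the same group has a different object ID in every directory), with the well-known-name matching from the last answer as a fallback. The directory, group names and tenant IDs are constructed; looking up display names for the returned IDs is assumed to be a separate Graph call.

```python
from collections import deque

# Constructed directory for one partner tenant: group id -> member ids (users or groups).
TENANT_A_GROUPS = {
    "grp-staff": {"user-1", "grp-admins"},   # grp-admins is nested inside grp-staff
    "grp-admins": {"user-2"},
    "grp-other": {"user-3"},
}
# Constructed display names (in practice fetched from the Graph by object id).
GROUP_NAMES = {"grp-staff": "MyApp-Viewers", "grp-admins": "MyApp-Admins", "grp-other": "Finance"}

# Per-tenant table kept by the app: tenant id -> {group object id: app role}. Constructed.
ROLE_MAP = {"tenant-a": {"grp-staff": "Viewer", "grp-admins": "Admin"}}
# Fallback for tenants that were only told to create groups with well-known names.
WELL_KNOWN_NAMES = {"MyApp-Viewers": "Viewer", "MyApp-Admins": "Admin"}


def member_groups(user_id, groups):
    """Transitive group membership: the local equivalent of Graph's getMemberGroups."""
    direct = {g for g, members in groups.items() if user_id in members}
    seen, queue = set(direct), deque(direct)
    while queue:
        child = queue.popleft()
        for parent, members in groups.items():
            if child in members and parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def roles_for(tenant_id, group_ids, group_names, role_map=ROLE_MAP, by_name=WELL_KNOWN_NAMES):
    """Map group ids to app roles via the tenant's table, else via well-known names."""
    by_id = role_map.get(tenant_id, {})
    roles = set()
    for g in group_ids:
        if g in by_id:
            roles.add(by_id[g])
        elif group_names.get(g) in by_name:
            roles.add(by_name[group_names[g]])
    return frozenset(roles)


def role_claims(tenant_id, user_id, groups=TENANT_A_GROUPS, names=GROUP_NAMES):
    """Role claims the app adds to the principal after sign-in: (claim type, value)."""
    roles = roles_for(tenant_id, member_groups(user_id, groups), names)
    return [("roles", r) for r in sorted(roles)]
```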
