Azure Active Directory Roles Management - azure

I created some AD users in the Azure Management Portal too, and would like to assign some roles to these users. My user has the role "Global Administrator". The only roles available do not fit my business requirements. So I would like to know whether there is already a solution for how to add new roles, because the Graph API and Azure AD PowerShell do not seem to support this feature.
Thanks for the support

Azure AD doesn't yet allow creating custom "app roles". You can, however, create security groups and add users to those groups. The application that needs to check these roles for authorization can check the signed-in user's group membership (transitively, using this Graph API: http://msdn.microsoft.com/en-us/library/azure/dn424889.aspx) for the group that represents the role(s).
App roles are on our radar; however, you shouldn't block on it.
Hope this helps.

Now this is supported, and in your app you can use
[Authorize(Roles = "Admin, Observer, Writer, Approver")]
In this Microsoft example you can see how to do it: https://github.com/AzureADSamples/WebApp-RoleClaims-DotNet
You can read more about this feature at http://blogs.msdn.com/b/aadgraphteam/archive/2014/12/12/announcing-the-new-version-of-graph-api-api-version-1-5.aspx
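The two answers above describe two ways an application can derive a user's role from an Azure AD token: the newer app-role claim (`roles`, checked by `[Authorize(Roles = ...)]`) and the older pattern of security groups that stand in for roles (`groups`, which carries transitive membership object IDs). The following is an added example, not code from this thread or from the linked Microsoft sample, showing an authorization check that handles both, plus the failure mode a practitioner must not miss: when a user is in too many groups, Azure AD omits the `groups` claim and leaves an overage marker (`hasgroups` or a `_claim_names` entry) instead, and an application that reads "no groups claim" as "member of no groups" silently grants or denies on bad data. The group object IDs, role names and claim sets are constructed for illustration.

```python
"""Role check built from an Azure AD token's claims, covering both answers
above: app roles delivered in the 'roles' claim, and security groups that
stand in for roles ('groups' carries transitive membership object IDs).
Added example, not code from the thread or the linked Microsoft sample;
group IDs, role names and claim sets are constructed for illustration."""
from typing import Iterable, List, Mapping, Set

# Constructed: object IDs of the security groups that represent each role.
GROUP_TO_ROLE: Mapping[str, str] = {
    "11111111-1111-1111-1111-111111111111": "Admin",
    "22222222-2222-2222-2222-222222222222": "Writer",
    "33333333-3333-3333-3333-333333333333": "Observer",
}


class GroupsOverage(Exception):
    """The token omitted 'groups' because the user is in too many groups.
    The caller must resolve membership through Graph rather than treat the
    user as belonging to no groups (fail closed, not open)."""


def parse_roles_attribute(spec: str) -> List[str]:
    """Mirror [Authorize(Roles = "Admin, Observer, Writer, Approver")]:
    comma-separated role names, whitespace around each name ignored."""
    return [r.strip() for r in spec.split(",") if r.strip()]


def roles_from_claims(claims: Mapping) -> Set[str]:
    """Collect the roles a token proves, from app roles and group membership."""
    roles: Set[str] = set(claims.get("roles", []))  # app roles (Graph API 1.5+)
    if "groups" in claims:
        for gid in claims["groups"]:
            role = GROUP_TO_ROLE.get(gid)
            if role is not None:
                roles.add(role)
    elif claims.get("hasgroups") or "groups" in claims.get("_claim_names", {}):
        # Overage markers: Azure AD replaced the list with a pointer to Graph.
        raise GroupsOverage("groups claim omitted; query Graph for membership")
    return roles


def is_authorized(claims: Mapping, allowed: Iterable[str]) -> bool:
    """True if the user holds any one of the allowed roles."""
    return not roles_from_claims(claims).isdisjoint(allowed)
```

`GroupsOverage` is deliberately an exception rather than an empty set: the web layer should catch it and call Graph for the user's transitive membership (the API linked in the first answer), not fall through to a deny that looks like a legitimate "not in the group" result, and certainly not to an allow.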

Related

access to enterprise application (EA) in Azure

What is the significance of "Users and groups" under an EA?
Will adding a person give that person the same access as the EA?
What will adding an SP do? Will the added SP not have the same access as the EA?
Just creating the identity (user or service principal) does not give it any role.
After you create the identity, you can assign any role you need to it.
Assign Azure AD
Sign in to the Azure AD admin center.
Select Azure Active Directory > Roles and administrators to see the list of all available roles.
Select a role to see its assignments.
To help you find the role you need, use Add filters to filter the roles.
Select Add assignments and then select the users you want to assign to this role.
If you see something different from the following picture, you might have PIM enabled. See the next section.
Select Add to assign the role.
Source: https://learn.microsoft.com/en-us/azure/active-directory/roles/manage-roles-portal
To Grant a user access to Azure resources you can follow this tutorial https://learn.microsoft.com/en-us/azure/role-based-access-control/quickstart-assign-role-user-portal
Hope this helps!
The users and groups tab specifies who can access the application. This is based on the assumption that the app is 'closed' in the properties tab.

How can I add custom attributes to my Azure AD tenant members (not B2C users)

I have an Azure AD tenant and I am looking for a way to include extra attributes while creating members within my organization. I have poked around the interface and can't find a way to achieve this in the Azure portal. From my findings, I can see tons of documentation and blog posts on how to achieve this using the B2C feature and the Graph API for external customers. However, this does not meet my requirements.
I believe this is a basic requirement that should be possible in Azure AD. Can someone please point me to the right documentation to achieve this?
The Azure portal doesn't provide such a feature, but we can achieve this using the Microsoft Graph API: Create extensionProperty.
You need to specify the targetObjects as "User".
An example (you can use any of your app registrations for {object id of the app registration}):
Post https://graph.microsoft.com/v1.0/applications/{object id of the app registration}/extensionProperties
{"name":"customAttribute","dataType":"string","targetObjects":["User"]}
It will generate an extension property named extension_{client id of the app registration without "-"}_customAttribute.
Then you can update the extension property for a user:
Patch https://graph.microsoft.com/v1.0/users/{user id}
{"extension_{client id of the Azure AD application without "-"}_customAttribute":"value"}

How to get AD user for Azure subscription Classic Administrators?

My goal is to get the Azure AD users who have been assigned the Classic Administrator role in an Azure subscription.
I use the REST API's Classic Administrators - List to retrieve all classic admins, but it returns an email, which is not unique enough, and an ID called netId/puid, which is not present on the user returned from the Graph API.
I followed the Azure Portal's network to see how it gets the users for AAD but it queries the Graph API with an internal API version '1.61-internal' that I can't use.
Does anyone know on a way to retrieve this information?
Thanks
There is no exposed API to match netId/puid with users.
But you can get the puid from the access token.
Or you could use the Microsoft 365 PowerShell cmdlet Get-MsolUser -UserPrincipalName "{upn}" | fl to get the user and find the LiveId property.
Record the puid or LiveId above and the corresponding user information in your local configuration file, and match them with the name property in the response of Classic Administrators - List.
Then you can get the corresponding users who are classic administrators.
It's just a workaround and it is a lot of work. I don't think it is a good method, but there is no other way.
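The workaround in the answer above is a join between two data sets that share no key the portal exposes: the Classic Administrators - List response, whose name property is the puid, and a table you build yourself from the puid claim of each user's access token (or the LiveId from Get-MsolUser). The following added example (not code from this thread) implements both halves: reading the puid claim out of a token payload, and joining the listing against the recorded table. The listing response and the local table are constructed sample data in the documented shape; the token is built in the block for the demonstration and carries no signature, so the claim reader is only for extracting an identifier to record, never for trusting the token. Entries that do not match are returned separately on purpose: a classic administrator you cannot map to a directory user (for example an external Microsoft account added as co-administrator) is exactly the kind of assignment a review of subscription admins should surface.

```python
"""Join the Classic Administrators - List response with a locally recorded
puid -> user table, and read the puid claim from an access token, as the
answer above describes. Added example, not code from the original thread;
all IDs, addresses and the token payload are constructed."""
import base64
import json
from typing import Any, Dict, List, Optional, Tuple

# Constructed: shape of a Classic Administrators - List response; 'name' is
# the puid/netId the original poster could not map to a directory user.
CLASSIC_ADMINS: Dict[str, Any] = {"value": [
    {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/"
           "Microsoft.Authorization/classicAdministrators/1003200012345678",
     "name": "1003200012345678",
     "type": "Microsoft.Authorization/classicAdministrators",
     "properties": {"emailAddress": "alice@contoso.example",
                    "role": "ServiceAdministrator;AccountAdministrator"}},
    {"id": "/subscriptions/00000000-0000-0000-0000-000000000000/providers/"
           "Microsoft.Authorization/classicAdministrators/1003200087654321",
     "name": "1003200087654321",
     "type": "Microsoft.Authorization/classicAdministrators",
     "properties": {"emailAddress": "bob@outlook.example",
                    "role": "CoAdministrator"}},
]}

# Constructed: the local table recorded from each user's puid claim or
# Get-MsolUser LiveId. Bob's puid was never recorded, so he will not match.
PUID_TO_USER: Dict[str, Dict[str, str]] = {
    "1003200012345678": {"userPrincipalName": "alice@contoso.example",
                         "objectId": "aaaaaaaa-1111-1111-1111-111111111111"},
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_unsigned_token(claims: Dict[str, Any]) -> str:
    """Constructed test token (header.payload.empty-signature); test data only."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}."


def puid_from_token(token: str) -> Optional[str]:
    """Read 'puid' from a JWT payload. No signature check: this only extracts
    an identifier to record in the local table, it must not be used to
    authorize anything."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return claims.get("puid")


def resolve_classic_admins(listing: Dict[str, Any],
                           puid_table: Dict[str, Dict[str, str]]
                           ) -> Tuple[List[Dict[str, Any]], List[Dict[str, Any]]]:
    """Match each classic admin's 'name' (puid) to a recorded user.
    Returns (resolved, unmatched); unmatched entries need manual review."""
    resolved: List[Dict[str, Any]] = []
    unmatched: List[Dict[str, Any]] = []
    for entry in listing.get("value", []):
        puid = entry["name"]
        record = {"puid": puid,
                  "emailAddress": entry["properties"]["emailAddress"],
                  "roles": entry["properties"]["role"].split(";")}
        user = puid_table.get(puid)
        if user is None:
            unmatched.append(record)
        else:
            resolved.append({**record, **user})
    return resolved, unmatched


if __name__ == "__main__":
    token = make_unsigned_token({"puid": "1003200012345678",
                                 "upn": "alice@contoso.example"})
    print("puid from token:", puid_from_token(token))
    found, missing = resolve_classic_admins(CLASSIC_ADMINS, PUID_TO_USER)
    print("resolved:", json.dumps(found, indent=1))
    print("unmatched (review these):", json.dumps(missing, indent=1))
```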

What role do I assign to a user so he can manage MFA activities in my Azure subscription?

I want to delegate the 'MFA activities' to a group of people, because it is very difficult for only one person (Global administrator) to do this job. However, I do not see any built-in role for delegating the MFA responsibilities using RBAC.
Can anyone help me with this or help me in creating a custom RBAC policy?
I have queried the roles using PowerShell, but I do not get anything useful.
$role_definition = Get-AzureRmRoleDefinition | Format-Table Name, Description
It is an Azure Active Directory role rather than a subscription role. You can assign the Authentication Administrator role (allowed to view, set and reset authentication method information for any non-admin user) to the users.

Add Azure AD Group like normal SharePoint Group to SharePoint Sites/Lists using HTTP request

I can add a normal SharePoint group to SharePoint using the HTTP request below
https://imfdevdm.sharepoint.com/sites/SiteName/_api/web/lists/getByTitle('Sample Library')/items(1)/roleassignments/addroleassignment(principalid=12, roledefid=1073741827)
Similarly, is there a method to add an Azure AD group?
There is no principal Id for an AAD group initially. If an AAD group has already been added manually to SharePoint, then a principal Id is generated for that group. Otherwise, we can't find a principal Id for the AAD group.
If a principal Id were present, the same HTTP request above would be enough to add role assignments.
Any help is appreciated. Thanks.
Updated:
I think this is not possible. The usual procedure is to add the AAD group to a SharePoint group and then add that to SharePoint sites/lists.
You can do this either through the Azure portal or the O365 portal. I don't think it's possible to do this via HTTP requests, and you're right that the recommended procedure is to create the group in Azure AD and then assign it to SharePoint. You can also do this through PowerShell, but unless you're creating a ton at once the portal is the easiest way.
https://learn.microsoft.com/en-us/azure/active-directory/saas-apps/sharepoint-on-premises-tutorial