Add User as owner of Azure AD Group through REST API - azure-rest-api

Is it possible to add the owner to the Azure AD group from any REST API?
I think I should have one service principal and I have to generate an access token to do that.
I tried to generate access token and used below query to add owner via Postman.
https://graph.microsoft.com/v1.0/groups/groupid/owners/$ref
But I am facing 403 Forbidden error like below:
{ "error": { "code": "Authorization_RequestDenied", "message":
"Insufficient privileges to complete the operation.", "innerError": {
"date": "2022-06-29T05:42:38", "request-id":
"ebd01257-b890-4b3d-8c22-a1b34738e5a6", "client-request-id":
"ebd01257-b890-4b3d-8c22-a1b34738e5a6" } }
I have granted API permissions like below:
What else permissions are needed? Is there any other way instead of Postman?

You can make use of Microsoft Graph Explorer instead of Postman that doesn't require you to generate access token separately.
You can call the same query by granting below permissions based on your account type:
I tried to reproduce the same in my environment and added the owner to the Azure AD group like below:
After running the above query, owner added successfully like below:
To confirm the above, check the portal whether the owner is added or not like below:
Reference:
Add owners - Microsoft Graph v1.0 | Microsoft Docs

Related

In Azure DevOps Services where can one configure "Administer Permissions" access of a user to some Environment?

When I am trying to change the access of Project Administrators from Reader to Administrator I get
Access Denied: e...4 needs the following permission(s) on the resource Environments/f...6/7 to perform this action: Administer Permissions
Where e...4 corresponds to the id of my user in Azure DevOps Services.
(I am a Project Administrator)
Who can grant these Administer Permissions rights? Is it some kind of Organization Administrator? Where its screen? Documentation? Rest API?
I could not find anything.
If the UI interface is improperly operated, even PCA (Project Collection Administrators) or Organization Owner will also be trapped in the UI interface here (the PCA/ORG Owner may also lose all operating permissions on Env in the UI interface of Env's permission settings.). But REST API can get rid of this situation.
There is a REST API document about this, but there doesn't have a specific document for this.
Roleassignments - Set Role Assignments
You can use f12 to capture the detailed request(UI also based on the above REST API).
I write a python demo to achieve your requirement.
import requests
import json
url = "https://dev.azure.com/<Organization Name>/_apis/securityroles/scopes/distributedtask.environmentreferencerole/roleassignments/resources/<Project ID>_<Env ID>?api-version=5.0-preview.1"
payload = json.dumps([
{
"userId": "<User ID>",
"roleName": "Administrator"
}
])
headers = {
'Authorization': 'Basic <Your Personal Access Token>',
'Content-Type': 'application/json'
}
response = requests.request("PUT", url, headers=headers, data=payload)
print(response.text)
Use List Projects REST API to get the project id.
Use List Users REST API to get the user ID.
Get the Env ID from the Env page url.

flutter User.Read azure active directory "Insufficient privileges to complete the operation"

I am trying to get the data of a signed in user using Microsoft graph API. I work with the "aad_oauth" package in flutter. When signing in, an access token is provided. This access token is then used in a http.get request.
However every time I try to get the data, the following error appears.
"{"error":{"code":"Authorization_RequestDenied","message":"Insufficient privileges to complete the operation:"
I also added a permission at the ad admin center.
That's how I get the access token
This is my http request
I tried to reproduce the same in my environment and got the below results:
I created an Azure AD application and added user.read permission:
Now I generated access token via Postman with below parameters:
GET https://login.microsoftonline.com/TenantID/oauth2/v2.0/token
grant_type:authorization_code
client_id:1b323717-80d8-4172-b141-XXXXXX
client_secret:GTT8Q~PErY3nTbj9LO8Nkkm2ai.XXXXXXX
scope:user.read
code:code
redirect_uri: redirect_uri
To get the details of the signed-in user, I ran the below query by including bearer token:
GET https://graph.microsoft.com/v1.0/me/

GCP IAM REST API Service account key issue

I have been struggling with this particular issue in GCP. I am trying to generate service account keys using Rest API calls outside of GCP. Below is screenshot of the service account along with the roles.
The as far as i can tell the Service account "Service account admin key" is the parent to create, list, etc child permissions.
So when invoking the Rest API call to generate key using this documentation:2
I get the below error
{
"error": {
"code": 403,
"message": "Permission iam.serviceAccountKeys.create is required to perform this operation on service account projects/XXXYYYZZZZZZ/serviceAccounts/XXXYYYYZZZZZZ.iam.gserviceaccount.com.",
"status": "PERMISSION_DENIED"
}
}
What am I missing?!
Updated: Adding additional screenshots of how i setup authorization and testing of Rest API call.
Following your steps, I was able to replicate it without any errors. As an alternative you can generate an access token instead as authentication.
Add an Auth Header. Generate a Bearer Token by using the command below:
gcloud auth application-default print-access-token
Remove the API Key to your URL. This sample URL retrieves:
https://iam.googleapis.com/v1/projects/PROJECT_ID/serviceAccounts/SA_NAME#PROJECT_ID.iam.gserviceaccount.com/keys
Add keyTypes
USER_MANAGED
Add access token from the gcloud results above.
See sample screenshots below:
You can also refer to this if you want to generate service account keys, just make sure you update your URL, add a JSON body with keyAlgorithm, and use POST instead of GET. For more info, follow this guide.

Microsoft Azure API List All Tenants

We are a CSP partner with MS. My goal is to call the Azure API and list all the different tenants we have in our account.
I found this Azure API resource that appears to allow the listing of all tenants: https://learn.microsoft.com/en-us/rest/api/resources/Tenants/List
I’ve been able to implement the authorization code flow, and I can call MS Graph API’s successfully. However when I try to call this API I receive this response:
{
"error": {
"code": "AuthenticationFailed",
"message": "Authentication failed."
}
}
I feel like it may an issue with the permissions I've granted in my app registration, but I can't seem to figure what is needed to make it happen.
I wish there was a way to use the MS Graph API to get all of our tenants, but from my research that doesn't exist.
I think you missed the bear token. I test this api by postman.
You can read this article.
Get an Azure Active Directory token using Azure Active Directory Authentication Library

Azure isMemberOf api gives "Insufficient privileges to complete the operation." error when trying to access from Azure Virtual Machine

So my requirement is for the application running on Azure Machine to check if a particular Azure user logged in belongs to an assigned Azure group.
I have enabled Managed Service Identity for the said virtual machine.
MSI
I get the token for the VM by making a call to the metadata service running locally using the following command for the graph resource on the VM:
curl 'http://169.254.169.254/metadata/identity/oauth2/token?api-version=2018-02-01&resource=https%3A%2F%2Fgraph.windows.net' -H Metadata:true
Once I get the token I make a POST request to the graph API of isMemberOf with that newly acquired token:
curl -i -H "Authorization: Bearer <token-value>" -H "Content-Type: application/json" --data '{"groupId":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx","memberId":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"}' https://graph.windows.net/xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx/isMemberOf?api-version=1.6
I get the following response
{"odata.error":{"code":"Authorization_RequestDenied","message":{"lang":"en","value":"Insufficient privileges to complete the operation."}}}
I have assigned the resource group the VM belongs to with IAM as a owner to the resource
Am I missing something that I should have it configured or I am doing something wrong here?
So I dug around a little bit and found that Microsoft prefers us developers using Microsoft Graph rather than the Azure AD Graph
Microsoft Graph vs Azure AD Graph
I found a similar call in Microsoft Graph API to get member of information User list member of call
This call requires the following scope:
Directory.Read.All
Directory.ReadWrite.All
And these are the steps I followed:
Application would need to fetch the token for making the Microsoft graph API call.
POST https://login.microsoftonline.com/{tenant-id}/oauth2/v2.0/token
HEADER
Content-type: application/x-www-form-urlencoded
BODY:
client_id=&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=&grant_type=client_credentials
RESPONSE:
{
"token_type": "Bearer",
"expires_in": 3600,
"ext_expires_in": 0,
"access_token": "<token-value>"
}
Client secret is generated at app registration time.
Application would make the call to microsoft graph API to fetch
POST https://graph.microsoft.com/v1.0/users/{user-object-id}/checkMemberGroups
HEADERS: Authorization: Bearer {token-value}
Content-Type: application/json
BODY:
{
"groupIds":["xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"]
}
RESPONSE:
200 OK - if user belongs to the group
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#Collection(Edm.String)",
"value": [
"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
]
}
404 Not found - if user does not exist
{
"error": {
"code": "Request_ResourceNotFound",
"message": "Resource 'xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx' does not exist or one of its queried reference-property objects are not present.",
"innerError": {
"request-id": "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx",
"date": "2018-05-23T02:54:47"
}
}
}
This would help application identify if the Azure user belongs to the assigned group or not.
You are calling Azure AD Graph API, not ARM API.
The IAM blade only gives access rights for the ARM API.
You'll need to assign the necessary rights to the service principal kinda manually.
I actually wrote an article on this a while back: Calling your APIs with Azure AD Managed Service Identity using application permissions.
You will need:
Your MSI service principal object id (you can see how to find this in my article)
The target service principal object id (in this case Azure AD Graph API)
Id of the app permission you want to assign (you can use e.g. https://graphexplorer.azurewebsites.net to find these, they are under appRoles on the service principal)
Once you have these, then you can run this PowerShell cmdlet (using the AAD v2 cmdlets):
Connect-AzureAD
New-AzureADServiceAppRoleAssignment -ObjectId msi-sp-id -Id app-permission-id -PrincipalId msi-sp-id -ResourceId aad-graph-sp-id
Then everything should work.