Azure AD - Manage Group & User Assignments - azure-ad-graph-api

I am an Azure Global Tenant Admin for our [Premium] Azure AD instance. I have a Web App that requires Group/User Assignment to access. We need to know which Groups and Users have been assigned access. The Azure UI does not let you query this information so I am wondering if there is any way to obtain a list of Groups/Users that have been assigned access to a Web App.
Edit: It looks like the Graph API version 1.5 now supports this. I can download the servicePrincipal ODATA with this URL:
GET string.Format("https://graph.windows.net/{0}/servicePrincipals?api-version=1.5&$filter=appId+eq+'{1}'",
tenant, clientId)
According to this MSDN post, I should be able to use a URL format like
GET string.Format("https://graph.windows.net/{0}/servicePrincipals/{1}/appRoleAssignedTo?api-version=1.5",
tenant, clientId)
However, I am receiving this error:
"Resource 'f4126638-cb47-48df-ad9d-57c0684b6575' does not exist or one of its queried reference-property objects are not present."}

In the second Graph call, I should be using the servicePrincipal's ObjectID returned from the first call instead of the Application's ClientID.

Related

Azure Devops API - Can't find a way to get permission groups/membership using API

I am looking for a way to use the Azure DevOps API to get membership of permission groups. The data I am looking for is in the following location on the front end:
I had the same requirement to get team membership within Azure DevOps and was able to do so using the following URI:
https://dev.azure.com/{organization}/_apis/projects/hrs/teams/{teamname}/members?api-version=6.0
I could not find a similar URI to get permission groups and need a way to pull this information using the API.
I've tried many of the API endpoints on the official api documentation (below) focusing on any that seem like they may pull security group related information. In all cases I came up short either because the endpoint did not provide me with what I was looking for, or the documentation for an endpoint wasn't clear on how parameters need to be structured for more advanced use cases.
https://learn.microsoft.com/en-us/rest/api/azure/devops/graph/groups/get?view=azure-devops-rest-7.0&tabs=HTTP
I also tried asking this question to ChatGPT however the endpoints the chatbot provided me with did not work either.
I found a way to get what I am looking for, but I am not a big fan of the approach.
You can use the graph API to list all permission groups
once you have the permission groups, you can write a script to filter for the group object within the API response you want to get the members of.
The group object has the appropriate API endpoint to hit to get the member objects within the _links.memberships property.
Call the API with the memberships link from above. It will return an array of descriptors which can be used in further API calls.
For each descriptor, hit the appropriate API endpoint to resolve the object for that descriptor. If the descriptor starts with aad then it is a user and you can use the user get api. If the descriptor starts with aadgp then it is a group and you use the group get api.
This strategy is rather complicated and requires an API call for each member of the group. I'd hope there is a better solution.

How to get the teams that a user belongs to using Azure Devops REST API?

I am trying to find how to retrieve a list of teams that a user belongs to from a work item created in Azure DevOps. From the documentation I can't figure out if there is a way to retrieve the teams a user belongs to from the users userId, descriptor or displayName.
Just to clarify I am looking to obtain the teams from the Azure DevOps organisation/project that are located in the project setting menu.
Yes, you can.
But the REST API will not tell you directly that the user belongs to, it will tell you the descriptor of the group.
I will provide the detailed steps to get the information you want here.
1, List Users to capture all of the descriptor of the users.
https://learn.microsoft.com/en-us/rest/api/azure/devops/graph/users/list?view=azure-devops-rest-6.0&tabs=HTTP
2, Use the user's descriptor to get the User information content.
https://learn.microsoft.com/en-us/rest/api/azure/devops/graph/users/get?view=azure-devops-rest-6.0&tabs=HTTP
The response like below:
Sending a request to the box-selected data can get what group the user belongs to(This can only get the descriptor.).
3, Use the below API and compare to the descriptor you get from the above, you can get the name of all the groups that the user belongs to.
https://learn.microsoft.com/en-us/rest/api/azure/devops/graph/groups/list?view=azure-devops-rest-6.0&tabs=HTTP

How Do I Know What Each Azure AD App Registration Is For?

When I create a service principal it also creates an App in Active Directory.
az ad sp create-for-rbac --role="Contributor" --scopes="/subscriptions/123456a1-a1b2-1234-12ab-12a3b4cdef67"
If I go to the Azure Portal - Active Directory - App registrations it shows all the applications registered.
I have managed to find the service principal I use for terraform by matching the terraform client_id with the Azure "Application (client) ID". It also had a human readable display name (although not the best since I still had to look via client id!)
However, there are several others where the display name is just "project_subscription".
They look like they must have been generated automatically when setting up a pipeline registering a web app in the portal or something.
I can't tell if they are actually used or if they were just created for experimenting and are then left over.
How do I know what they are for and if they are still used or not?
Is it possible to search Azure for the id or anything?
Is it possible to add a description to these to identify what they are used for beyond just the display name?
e.g. I only identified the terraform one by matching up the id with my code
App registration can be used for many scenarios, the app registrations in your AAD tenant should be created by different users. There is no such thing as a description of them.
To see if they are used, it needs to combine the context, as in AAD, there are different usages for them. For example, there are no sign-in logs of the AD App's corresponding service principal, but you cannot make sure if it was used as a client app. For the details, you may need to check the Audit logs.
For more details about AD App(App Registration) and service principal, you could check this doc - https://learn.microsoft.com/en-us/azure/active-directory/develop/app-objects-and-service-principals

Is there a way to tell if user is the organization admin in azure devops extension api

Using the Azure Devops Extension API in an extension I'm building and wondering if there is an API available to tell if the current user is the organization admin so that we can hide/show different options for that user(s). Or is there another API that I can hit from my extension to get some extended details about the current user rather than what comes back with SDK.getUser()
You can get PCA members via the API below, and check whether the current user in PCA:
GET https://vsaex.dev.azure.com/{organization}/_apis/GroupEntitlements/{groupId}/members?api-version=6.0-preview.1
https://learn.microsoft.com/en-us/rest/api/azure/devops/memberentitlementmanagement/members/get?view=azure-devops-rest-6.0

ms Graph api, calendarView 403-accessdenied error

First, I'm using Spring, Jetty, Retrofit.
When I use calendarView in local, they return the successful values successfully.
But, When others connect to my local server and call this api, it always returns me 403-AccessDenied error.
(additionally, When they call another ms api, they return the successful values.)
I think I have set all the recommended permissions in Graph api.
But this could be my illusion.
In order for someone else to call api from my local server, what should I do?
Or Am I missing anything on this matter?
These are my permissions.
"openid",
"offline_access",
"profile",
"User.ReadWrite",
"Mail.ReadWrite",
"Calendars.ReadWrite",
"User.ReadBasic.All",
"BookingsAppointment.ReadWrite.All"
This is my azure info.
And I'm using this calendar view api
https://learn.microsoft.com/en-us/graph/api/calendar-list-calendarview?view=graph-rest-1.0&tabs=http
And Using This URL in my code(in this case, I'm using batch request)
GET | "/users/"+getAddress()+"/calendarView?startDateTime="+getStartTime()+"&endDateTime="+getEndTime()
Based on your description, other users are trying to access the calendarView of the user "{Room}".
In this case, you need 2 more configurations.
User "{Room}" gives mailbox permissions "Full Access" to other users
in Office 365. See Use the EAC to assign permissions to individual
mailboxes. (you should be able to find the room under
Resources. And the process can take up to hours for the changes to propagate through the system and be in effect.)
Add one more delegated permission: Calendars.ReadWrite.Shared into
the app registed in Azure AD.