Reputation: 73
I've created an Azure Active Directory user and added the user to app roles. Now I am retrieving this user and attempting to add it to more app roles.
var activeDirectoryUser = client.Users.Where(u => u.UserPrincipalName == user.UserName).ExecuteSingleAsync().Result as User;
As a precaution I want to first check if the user is already in an app role before adding; however, the problem is that the AppRoleAssignments field on the User object is always empty, even though the user has app role assignments, and I get an error if I try to add the user to the same app role.
Creating a new app role assignment:
// Build the assignment: Id is the app role being granted, ResourceId is the
// service principal that defines the role, PrincipalId is the user to assign.
var appRoleAssignment = new AppRoleAssignment
{
    Id = appRole.Id,
    ResourceId = Guid.Parse(servicePrincpal.ObjectId),
    PrincipalType = "User",
    PrincipalId = Guid.Parse(user.ObjectId)
};
// Skip the write if the user already holds the role (this check is what fails).
if (IsUserInAppRole(user, appRoleAssignment)) return;
user.AppRoleAssignments.Add(appRoleAssignment);
// .Wait() blocks on the async update; Azure AD rejects a duplicate assignment here.
user.UpdateAsync().Wait();
Checking if the user is in an app role:
private bool IsUserInAppRole(User user, AppRoleAssignment appRoleAssignment)
{
var userInApprole = user.AppRoleAssignments.Where(ara => ara.ObjectId == appRoleAssignment.Id.ToString());
return userInApprole.Any();
}
I'm using the latest version of the Microsoft.Azure.ActiveDirectory.GraphClient library.
Upvotes: 3
Views: 2661
Reputation: 5828
Sorry for the late response. The following code worked for me. Not sure if you need to use the IUserFetcher interface, but your LINQ query fails because you are comparing the ObjectId of the assignment with the appRole Id. What you need to compare is the Id of the assignment.
// User implements IUserFetcher, which exposes the navigation property as a
// query that must be executed before any assignments are materialised.
var userFetcher = user as IUserFetcher;
IPagedCollection<IAppRoleAssignment> rawObjects = userFetcher.AppRoleAssignments.ExecuteAsync().Result;
// Only the first page is inspected here; use MorePagesAvailable / GetNextPageAsync() for the rest.
IList<IAppRoleAssignment> assignments = rawObjects.CurrentPage.ToList();
// IAppRoleAssignment.Id is the app role's Id (ObjectId is the assignment's own id).
// FirstOrDefault() returns null when nothing matches; First() would throw instead.
IAppRoleAssignment a = assignments.Where(ara => ara.Id.Equals(appRole.Id)).FirstOrDefault();
if (a != null) {
    Console.WriteLine("Found assignment {0} for user {1}", appRole.Id, user.DisplayName);
}
Hope this helps...
Upvotes: 3
Reputation: 71
var userFetcher = user as IUserFetcher;
IPagedCollection rawObjects = userFetcher.AppRoleAssignments.ExecuteAsync().Result;
IList<IAppRoleAssignment> assignments = rawObjects.CurrentPage.ToList();
The above lines of code cause an exception because no cast is done. If I cast them as:
IPagedCollection rawObjects =
(IPagedCollection)userFetcher.AppRoleAssignments.ExecuteAsync().Result;
IList<IAppRoleAssignment> assignments =
(IList<IAppRoleAssignment>)rawObjects.CurrentPage.ToList();
the code compiles successfully but gives a runtime exception:
Cannot implicitly convert type 'System.Collections.Generic.List' to 'System.Collections.Generic.IList'. An explicit conversion exists (are you missing a cast?)
Could you please guide how to use those two statements?
Update:
private static bool IsUserInRole(User user, AppRole appRole)
{
    var userFetcher = user as IUserFetcher;
    // ExecuteAsync() already returns the generic paged collection, so no cast is needed.
    // Only the first page of assignments is inspected here.
    IPagedCollection<IAppRoleAssignment> rawObjects = userFetcher.AppRoleAssignments.ExecuteAsync().Result;
    foreach (IAppRoleAssignment item in rawObjects.CurrentPage)
    {
        // Compare the assignment's role Id with the app role's Id.
        if (item.Id == appRole.Id)
        {
            return true;
        }
    }
    return false;
}
The above code worked for me. Try this; hope it helps :)
Upvotes: 2
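The answer and the update above both check only the first page of the user's assignments and match on the role Id alone. The helper below is an added example, not code from the question, the answer or the Microsoft.Azure.ActiveDirectory.GraphClient library itself: it walks every page, matches on both the role Id and the ResourceId (so a role on a different service principal is not mistaken for a hit), and only writes the assignment when it is missing, so repeated provisioning runs never trip the duplicate-assignment error. It assumes an already authenticated ActiveDirectoryClient, a User fetched through it, the target ServicePrincipal, and the AppRole taken from that service principal's AppRoles; the class and method names are my own.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Azure.ActiveDirectory.GraphClient;

// Added example (not from the original page). Assumes `user`, `servicePrincipal`
// and `appRole` were obtained from an authenticated ActiveDirectoryClient.
public static class AppRoleAssignmentHelper
{
    // Walks every page of the user's app role assignments and returns true if
    // one exists for this role on this resource. Matching on both Id and
    // ResourceId ties the check to the specific application that defines the role.
    public static async Task<bool> IsUserInAppRoleAsync(
        User user, ServicePrincipal servicePrincipal, AppRole appRole)
    {
        var resourceId = Guid.Parse(servicePrincipal.ObjectId);
        var userFetcher = (IUserFetcher)user; // User implements IUserFetcher

        IPagedCollection<IAppRoleAssignment> page =
            await userFetcher.AppRoleAssignments.ExecuteAsync();

        while (page != null)
        {
            // IAppRoleAssignment.Id is the app role's Id, not the assignment's ObjectId.
            if (page.CurrentPage.Any(a => a.Id == appRole.Id && a.ResourceId == resourceId))
                return true;

            page = page.MorePagesAvailable ? await page.GetNextPageAsync() : null;
        }
        return false;
    }

    // Idempotent assignment: returns true if a new assignment was written,
    // false if the user already held the role and nothing was changed.
    public static async Task<bool> EnsureUserInAppRoleAsync(
        User user, ServicePrincipal servicePrincipal, AppRole appRole)
    {
        if (await IsUserInAppRoleAsync(user, servicePrincipal, appRole))
            return false;

        var assignment = new AppRoleAssignment
        {
            Id = appRole.Id,                                    // the role being granted
            ResourceId = Guid.Parse(servicePrincipal.ObjectId), // the app that defines it
            PrincipalType = "User",
            PrincipalId = Guid.Parse(user.ObjectId),
        };

        user.AppRoleAssignments.Add(assignment);
        await user.UpdateAsync();
        return true;
    }
}
```

Call it as `await AppRoleAssignmentHelper.EnsureUserInAppRoleAsync(user, servicePrincipal, appRole)` from an async method rather than blocking on `.Result` or `.Wait()`; blocking on the client's tasks from a UI or ASP.NET request thread can deadlock, and awaiting also lets the Graph client's paging calls run without holding that thread.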