Reputation: 415
I have run into an issue adding an application role to a user in Azure Active Directory. In the User model, there is a property called ApproleAssignment where I think I can set an application role for the user. But when I did that, it is not being assigned. Can anyone help me?
I added application roles using App roles in the application model, and I can populate them through a drop-down when creating a user. Below is the section that creates the user. What should be given as ResourceId in AppRoleAssignment?
// Controller members. Requires:
//   using Microsoft.Azure.ActiveDirectory.GraphClient;
//   using Microsoft.Owin.Security.OpenIdConnect;
//   using System.Web.Mvc;
// clientId is the application's client (app) ID, defined elsewhere in the controller.

[HttpPost]
public async Task<ActionResult> Create(UserModel user)
{
    ActiveDirectoryClient client = null;
    try
    {
        client = AuthenticationHelper.GetActiveDirectoryClient();
    }
    catch (Exception e)
    {
        if (Request.QueryString["reauth"] == "True")
        {
            //
            // Send an OpenID Connect sign-in request to get a new set of tokens.
            // If the user still has a valid session with Azure AD, they will not be prompted for their credentials.
            // The OpenID Connect middleware will return to this controller after the sign-in response has been handled.
            //
            HttpContext.GetOwinContext()
                .Authentication.Challenge(OpenIdConnectAuthenticationDefaults.AuthenticationType);
        }
        //
        // The user needs to re-authorize. Show them a message to that effect.
        //
        ViewBag.ErrorMessage = "AuthorizationRequired";
        return View();
    }
    try
    {
        User mappedUser = MapToUser(user);
        // Create the directory user first; the role assignment needs its ObjectId.
        await client.Users.AddUserAsync(mappedUser);
        await AddUserRole(mappedUser, user);
        return RedirectToAction("Index");
    }
    catch (Exception exception)
    {
        ModelState.AddModelError("", exception.Message);
        return View();
    }
}

/// <summary>
/// Adds the user role.
/// </summary>
/// <param name="mappedUser">The mapped user.</param>
/// <param name="model">The model.</param>
/// <returns></returns>
private async Task AddUserRole(User mappedUser, UserModel model)
{
    ActiveDirectoryClient client = AuthenticationHelper.GetActiveDirectoryClient();
    // Look the new user up by UPN with a server-side filter rather than scanning the
    // first page of all users, which would miss the user in a large directory.
    IPagedCollection<IUser> pagedCollection = await client.Users
        .Where(x => x.UserPrincipalName == mappedUser.UserPrincipalName)
        .ExecuteAsync();
    var currentUser = pagedCollection.CurrentPage.FirstOrDefault();
    if (currentUser == null)
    {
        throw new InvalidOperationException("User " + mappedUser.UserPrincipalName + " was not found after creation.");
    }
    var appRoleAssignment = new AppRoleAssignment();
    appRoleAssignment.Id = model.AppRoleId;                       // id of the appRole declared on the application
    appRoleAssignment.PrincipalId = Guid.Parse(currentUser.ObjectId); // the user receiving the role
    appRoleAssignment.ResourceId = Guid.Parse(clientId);          // currently set to the application's client ID
    ////((ClaimsIdentity)ClaimsPrincipal.Current.Identity).AddClaim(
    //// new Claim(ClaimTypes.Role, "Manager", ClaimValueTypes.String, "GRAPH"));
    await currentUser.UpdateAsync();
    ////Remaining have to be completed.
}

/// <summary>
/// Maps to user.
/// </summary>
/// <param name="model">The model.</param>
/// <returns></returns>
private Microsoft.Azure.ActiveDirectory.GraphClient.User MapToUser(UserModel model)
{
    var user = new User();
    user.UserPrincipalName = model.UserPrincipalName;
    user.AccountEnabled = model.AccountEnabled;
    user.PasswordProfile = model.PasswordProfile;
    user.MailNickname = model.MailNickname;
    user.DisplayName = model.DisplayName;
    user.GivenName = model.GivenName;
    user.Surname = model.Surname;
    user.JobTitle = model.JobTitle;
    user.Department = model.Department;
    return user;
}
Upvotes: 1
Views: 5441
Reputation: 807
The resource ID you have in your code is the wrong one:
appRoleAssignment.ResourceId = Guid.Parse(clientId);
The resource that the graph app uses is the ID of the service principal associated with the application. You can read about the difference between applications and service principals here, but briefly the clientID is the ID of the application definition whereas the service principal, as I understand it, is an active instance of it. So the ID you need is the objectID of the service principal making the role assignment. Some test code to get the service principal ID would be like this:
var servicePrincipleList = await client.ServicePrincipals.Where(e => e.AppId == clientId).ExecuteAsync();
var roleResourceUpdateID = servicePrincipleList.CurrentPage.First().ObjectId;
and that is the Object ID you need to use in your role assignment.
Upvotes: 1
Reputation: 5838
Sorry, I'm struggling to follow your code, because some of it is missing (like your definition of the application and any application roles it declares). At a high level, an application would define a series of application roles (appRoles). Once a user consents to the app, an app instance representing the application will be present in the consenting tenant. If you want to assign a user to that application, in one of the specified app roles, you'll need to set the appRoleAssignment on the user (picking the app role id, and the resource id - the application's id). appRoleAssignment and its properties are described here: https://msdn.microsoft.com/en-us/library/azure/dn835128.aspx and the REST API examples are described here: http://blogs.msdn.com/b/aadgraphteam/archive/2014/12/12/announcing-the-new-version-of-graph-api-api-version-1-5.aspx.
Also we have a console sample that shows both appRole creation on an application, and assignment of the application (in the declared app role) to a user. You can find that on github here: https://github.com/AzureADSamples/ConsoleApp-GraphAPI-DotNet
HTHs,
Upvotes: 3
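Putting the two answers together, here is an added, self-contained helper (example code written for this page, not code from the question, either answer, or the linked console sample) that resolves the service principal's ObjectId the way the first answer describes and then attaches the assignment to the user as the second answer outlines. The class name AppRoleAssigner, the method name AssignAppRoleAsync, and the declared-role check are this example's own choices. It assumes: an ActiveDirectoryClient obtained as in the question, that clientId holds the application's AppId (a string GUID), that appRoleId is the Id of an appRole declared on that application, that the User object is the one passed to AddUserAsync (the Graph client populates its ObjectId on creation), and that the token behind the client carries a permission that allows writing directory objects (on the Azure AD Graph, typically Directory.ReadWrite.All or Directory.AccessAsUser.All).

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Azure.ActiveDirectory.GraphClient;

public static class AppRoleAssigner
{
    /// <summary>
    /// Assigns <paramref name="user"/> to the app role <paramref name="appRoleId"/> of the
    /// application whose AppId is <paramref name="clientId"/>, and returns the ObjectId of the
    /// service principal the assignment was written against (useful for audit logging).
    /// </summary>
    public static async Task<string> AssignAppRoleAsync(
        ActiveDirectoryClient client, User user, string clientId, Guid appRoleId)
    {
        // 1. Resolve the service principal for this application in the signed-in tenant.
        //    The AppId (client ID) names the application definition; the service principal's
        //    ObjectId is the value appRoleAssignment.ResourceId must carry.
        var servicePrincipals = await client.ServicePrincipals
            .Where(sp => sp.AppId == clientId)
            .ExecuteAsync();
        var servicePrincipal = servicePrincipals.CurrentPage.FirstOrDefault();
        if (servicePrincipal == null)
        {
            // No service principal means the application has not been instantiated
            // (consented to) in this tenant, so there is nothing to assign against.
            throw new InvalidOperationException(
                "No service principal found for AppId " + clientId + " in this tenant.");
        }

        // 2. Added safety check (not required by the Graph itself): refuse to write an
        //    assignment for a role id the application does not declare, so a stale or
        //    tampered drop-down value from the form cannot target a different role.
        var applications = await client.Applications
            .Where(a => a.AppId == clientId)
            .ExecuteAsync();
        var application = applications.CurrentPage.FirstOrDefault();
        if (application == null || !application.AppRoles.Any(r => r.Id == appRoleId))
        {
            throw new ArgumentException(
                "App role " + appRoleId + " is not declared by application " + clientId + ".");
        }

        // 3. Build the assignment: Id = the app role, PrincipalId = the user,
        //    ResourceId = the service principal (NOT the client ID).
        var assignment = new AppRoleAssignment
        {
            Id = appRoleId,
            PrincipalType = "User",
            PrincipalId = Guid.Parse(user.ObjectId),
            ResourceId = Guid.Parse(servicePrincipal.ObjectId),
        };

        // 4. Attach the assignment to the tracked User object and push the change.
        //    The question's code built the assignment but never attached it, so
        //    UpdateAsync had nothing to send.
        user.AppRoleAssignments.Add(assignment);
        await user.UpdateAsync();

        return servicePrincipal.ObjectId;
    }
}
```

In the question's controller this replaces AddUserRole: call `await AppRoleAssigner.AssignAppRoleAsync(client, mappedUser, clientId, model.AppRoleId)` right after `AddUserAsync`, using the same client instance. Two practical checks: if the ServicePrincipals query returns nothing, the fix is to consent to the application in the tenant, not to fall back to the client ID; and the caller's own identity should be one you expect to be able to grant roles, since whoever can call this endpoint can hand out every role the application declares.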