CODEWITHSUNDEEP
azure-active-directorymicrosoft-graph-api
Lenny D
Lenny D

Reputation: 2024

How do I get the "Assigned Role" of a User in Azure Active Directory?

I am using Azure AD with a registered Application and I am using the Microsoft Graph API to query the AD.

The following code below tells which groups the User is Assigned to

var memberof = await graphClient.Users[xxx].MemberOf.Request().GetAsync();

I am using standard AD package and it seems that groups are somewhat restricted and I need to buy the "Premium AD Package" to use them fully.

So I don't want to use the group information. I am interested in the roles that I assign my users that I have put into my application manifest.

e.g

"appRoles": [
    {
      "allowedMemberTypes": [
        "User"
      ],
      "displayName": "Case Manager",
      "id": "{A_Guid}",
      "isEnabled": true,
      "description": "Case Manager's can create and assign Cases to other users",
      "value": "CaseManager"
    },

So, how can I use the Graph Api to tell me if a user has a particular role ?

Upvotes: 4

Views: 19909

Answers (2)

Sai Varun
Sai Varun

Reputation: 156

I just found a way to get roles of an user at an application level.

You can create application level roles by updating the manifest's appRoles array.

[azure/app registrations/<your-app>/manifest)]

I used Microsoft.Graph.Beta, to get access to service principals api.

var userRoles = await _client.Me.AppRoleAssignments.Request().GetAsync();

The above query would fetch all the application roles for the user.

var appRoleAssignments = await _Client.ServicePrincipals[<<application_objectId>>].Request().GetAsync();

The above query would fetch all the roles of an application assigned at manifest level. 

And application object Id could be found at [azure/app registrations/<your-app>)] -> Object ID

And execute the below to get list of user roles

var roles = new List<string>();
if (appRoleAssignments != null && appRoleAssignments.AppRoles.Any())
{
        var userRolesOfCurrentResource = userRoles.First(role => role.ResourceId == Guid.Parse(<<application object id>>));
        if(userRolesOfCurrentResource!=null)
        {
              var role = appRoleAssignments.AppRoles.First(role => role.Id == userRolesOfCurrentResource.AppRoleId);
              if (role!=null)
              {
                  roles.Add(role.Value);
              }
        }
 }

Upvotes: 1

Rohit Saigal
Rohit Saigal

Reputation: 9664

1. Microsoft Graph API

The ability to read all application specific roles assigned to a user (i.e. AppRoleAssignments) is only available as part of Microsoft Graph API beta endpoint currently AFAIK. This is not available as part of v1.0. You can read about versions here

As evident from name "beta", it's not expected to be a stable version that can be relied upon for production applications. Read more specific points in this SO Post by Marc LaFleur

Exact API (Microsoft Docs Reference):

GET    https://graph.microsoft.com/beta/users/{id | userPrincipalName}/appRoleAssignments

I tried using GraphServiceClient (.NET SDK for Microsoft Graph) but wasn't able to find anything related to AppRoleAssignments. (probably because SDK uses metadata from stable 1.0 version and not the beta version)

In any case, if you can still test this, use Microsoft Graph Explorer or directly call the endpoint from C# code

string graphRequest = $"https://graph.microsoft.com/beta/users/{my user GUID}/appRoleAssignments";
HttpClient client = new HttpClient();
HttpRequestMessage request = new HttpRequestMessage(HttpMethod.Get, graphRequest);
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", authResult.AccessToken);
HttpResponseMessage response = await client.SendAsync(request);

2. Windows Azure AD Graph API

Even though it's recommended to use Microsoft Graph API whenever possible, there are still some cases where Microsoft Graph hasn't caught up yet so you are forced to use Azure AD Graph API. Application management related cases are some of those.

So you could use this Azure AD Graph API. I quickly tested this from Azure AD Graph Explorer and it works fine.

https://graph.windows.net/{yourtenantid}/users/{id}/appRoleAssignments?api-version=1.6

Just like Microsoft Graph Library for .NET you can use Azure AD Graph Client Library for .NET and your code would look something like this..

aadgraphClient.Users["<user guid>"].AppRoleAssignments;

On a side note, since you've asked the question specifically for Microsoft Graph API, I've answered it accordingly.

At least for the currently signed in user for an application, you can always find the Application Roles assigned to them from the Role claims available as part of the access token from Azure Active Directory.

This although only helps with roles for current user and not in management sort of scenarios if you're trying to go across all users for an application. Here's a sample that reads role claims and does authorization based on App Roles for currently signed in user.

Authorization in a web app using Azure AD application roles & role claims

Upvotes: 5

Related Questions