Reputation: 664
Get assigned roles in Azure Web App with PHP
I have created a Azure Web App using PHP. I enabled AAD Authentication, and got it all worked out where you have to login as a company user to access the site.
Then I created new App Roles using the App Registration --> Manifest. I have assigned myself that role, logged off, and back on, and within the $_SERVER variable I cannot find any reference to that role. I can find my username, tokens, principle_id, etc. but nothing referencing the AppRole I just created.
My question is, how do I get the App Roles that the logged in user is assigned? The only documentation I find on this is for .net or really old Azure classic stuff.
Any ideas?
Upvotes: 0
Views: 1168
Answers (2)
Reputation: 5549
Based on the official documentation, the defined AppRole will be returned in id_token.
To get user's id_token, you can use Azure AD OAuth 2.0 authorization code flow, and add openid to scope. Here I use postman to acquire access_token and id_token:
And then I can get the id_token
By analyzing the id token, you can get the role of the user:
Upvotes: 1
Reputation: 5294
Simplest way i can think of utilizing Microsoft Graph API for this kind of operation.
Here is a sample Github Repo for reference:
https://github.com/Azure-Samples/active-directory-php-graphapi-directoryextensions-web
For getting the user role , you can simply call below graph api :
GET /me/memberOf
or
GET /users/{id | userPrincipalName}/memberOf
You can check below doc for further reference:
https://learn.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0&tabs=http
Overall this is how the flow would look like:
- Register an application with required set of permission
- Get authorized from Azure AD using above create application
- Use the token form step 2 and call the graph api to get user roles
- Proceed with the validation
Sample response look like below:
HTTP/1.1 200 OK
Content-type: application/json
{
"value": [
{
"@odata.type": "#microsoft.graph.group",
"id": "id-value",
"createdDateTime": null,
"description": "All users at the company",
"displayName": "All Users",
"groupTypes": [],
"mailEnabled": false,
"securityEnabled": true,
}
]
}
Hope it helps.
Upvotes: 0
Related Questions
- How can I get the Azure Active Directory's app roles inside ASP.NET Core MVC?
- Retrieve App role assignments using Azure CLI
- AzureAD Powershell list all available roles rather than assigned roles
- Fetch Azure role assignments to AAD groups
- Using Azure AD and Getting App Role in C# Windows Application
- Getting the Azure AD App role name from a Group AppRole Assignment Using Azure Powershell
- Get all AppRole assignments in Azure Active Directory
- Get Azure Roles in the Web App
- Get Azure AD User Roles In PHP
- Get Azure Active Directory application users and roles