Petr Havlicek

Reputation: 2131

Query for specific Azure AD permission

Is there a way in Microsoft Graph to check whether the signed-in user (device code auth is used) has a specific AAD permission? In my case that would be Microsoft.Directory/groups/members/update - I'd like to notify a user that he/she is not permitted to add a service principal to an AD group.

My initial idea was to find DirectoryRoles a user is member of. Then view related DirectoryRoleTemplates and somehow check permissions attached to the template. It looks like this is not possible.

Upvotes: 3

Views: 1984

Answers (3)

Carl Karawani

Reputation: 1691

Looking into the JWT token, you can look at the "wids" attribute, which will contain the IDs of the assigned Entra Roles.

There are some good instructions on how to do that here.

Upvotes: 0

Vince Smith - MSFT

Reputation: 76

I'm a program manager at Microsoft working on Azure AD access control. Thanks for your question and feedback. As Allen says, we don't have an API for this today. The best we have is what's called the 'wids' claim in the user's access token. Search this article for 'wids' for more information.

The wids claim contains the list of directory role template object ids the user is a member of. Role template object ids are immutable and consistent across the system, so you can hardcode your check against them. There is a role to template id mapping table here.

We're looking at exposing an API that returns the list of underlying permissions of the signed-in user following the syntax Allen mentions from the documentation. However, I don't have a date yet on when that would be available.

Let me know if you have any questions.

Thanks again, Vince Smith

Upvotes: 4

Allen Wu

Reputation: 16438

Currently, Microsoft has not exposed an API for obtaining the role permissions corresponding to a DirectoryRole.

Based on the official document, the microsoft.directory/groups/members/update permission only exists in the following roles:

  • Directory Writers

  • Groups Administrator

  • User Account Administrator

  • Intune Service Administrator

  • Partner Tier1 Support

  • Partner Tier2 Support

A workaround is to customize a config file in your project to set the fixed values. Read them to see if the user's directory role matches one of them.

Upvotes: 1
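As an added example (not code from the question or from any of the answers above), here is a Python check that decodes the app's own access token, reads the 'wids' claim Vince Smith describes and matches it against the roles Allen Wu lists. The role template ids in it are constructed placeholders, to be replaced with the real immutable ids from the mapping table Vince links; `make_test_token` only builds a constructed unsigned token so the check can be exercised offline.

```python
import base64
import json

# Constructed placeholder role template ids: NOT real values. Replace them with
# the immutable template ids from Microsoft's role-to-template mapping table
# for the roles Allen Wu lists.
ROLES_WITH_GROUP_MEMBER_UPDATE = {
    "00000000-0000-0000-0000-000000000001": "Directory Writers",
    "00000000-0000-0000-0000-000000000002": "Groups Administrator",
    "00000000-0000-0000-0000-000000000003": "User Account Administrator",
    "00000000-0000-0000-0000-000000000004": "Intune Service Administrator",
    "00000000-0000-0000-0000-000000000005": "Partner Tier1 Support",
    "00000000-0000-0000-0000-000000000006": "Partner Tier2 Support",
}

def _b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)

def jwt_claims(token: str) -> dict:
    """Return a JWT's payload claims WITHOUT verifying the signature.
    Fine for inspecting the access token the app itself just received, to
    warn the user early; Graph still enforces authorization server-side, so
    never treat this as the permission check itself."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact-serialised JWT")
    return json.loads(_b64url_decode(parts[1]))

def roles_granting_group_member_update(token: str) -> list:
    """Names of the user's directory roles, taken from the 'wids' claim, that
    carry microsoft.directory/groups/members/update. A token with no 'wids'
    claim means no directory role at all, so [] is the 'not permitted' case."""
    wids = jwt_claims(token).get("wids", [])
    return sorted(ROLES_WITH_GROUP_MEMBER_UPDATE[w]
                  for w in wids if w in ROLES_WITH_GROUP_MEMBER_UPDATE)

def make_test_token(claims: dict) -> str:
    """Build a constructed, unsigned JWT for offline testing (not a real token)."""
    def enc(obj):
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.sig"
```

An empty result is the point at which the app would show the "not permitted to add a service principal to this group" notice the question asks for, before attempting the Graph call.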
