
Viewing Application Roles from Azure Active Directory

Steven Nelson  |  Jun 07, 2016
 
If you have used the Azure Active Directory service in your application, then you have probably realized that it lacks the ability to see the application roles assigned to users. At the present time, the Azure Active Directory service must be configured using the classic Azure portal (https://manage.windowsazure.com). In the classic portal, when looking at the users for your directory, there is no way to see which application roles have been assigned to a user. The ‘Assign’ action lets you pick a role and add it to a user, but once that is done there is no place in the Azure portal to view the role assignments for the user.

Because of this gap in functionality, we added a screen to our admin tool that lets us view the role assignments for a user. This blog post is about the code required to query Azure Active Directory to view its contents, using the Graph API.

How to set up the Active Directory tenant for the Graph API
The Graph API can be used to execute queries against the Azure AD environment. Before working with it, you need to configure your app to request permissions to the Graph API. To do this, sign into the classic Azure portal and view the Active Directory dashboard. Navigate to your Active Directory tenant and click ‘Configure’. Towards the bottom of the screen is a section called ‘Permissions to other applications’. You need to add the application called ‘Windows Azure Active Directory’. This application is actually the Graph API, and it needs permission to read your directory.

You should configure the Application Permission to allow ‘Read directory data’.
 
You should also configure the Delegated Permissions your application needs.

You should also configure a secret key. In the Keys section, you will need an active key. You can create a two-year key, and it will initially look like this:
 

When you save your changes to the Azure AD tenant, the secret key value will be shown. It’s important to save the value of this key: this is the only time the secret value will be displayed, and you will need it later in this tutorial. This secret key is used as a client credential to request an access token for the Graph API, so treat it like a password and keep it out of source control.

Here is a link to additional info on the Active Directory Graph API: https://msdn.microsoft.com/en-us/library/azure/hh974476.aspx

How to return a list of directory users
In order to retrieve the list of users in your directory, you make use of two additional NuGet packages in your solution. Add the following two packages:


 
Here is some code to query the list of users from the directory:


 
The Graph API methods all make use of an async paging model. It may not be necessary for you to retrieve the second page of results unless your AD tenant contains many users. This code example will fetch all users (notice the while loop over the pagedCollection). In my app, I introduced a custom User object so that I could control the property names and decouple my UI from the Graph API user. The call on line 64 to User.ConvertToDomain is simply a mapping of the Graph API User to my custom User.

In order to create the instance of the ActiveDirectoryClient from line 57 above:


 
The configuration variable on line 181 is the Tenant Id assigned to your Azure Active Directory. The endpoint address being built here can be viewed in the Azure portal by clicking ‘View Endpoints’ and scrolling down to the endpoint labeled ‘Microsoft Azure AD Graph API Endpoint’.

The next part of the magic is the access token required by the Graph API, used on line 182 shown above. This method needs to be an async method that retrieves the access token from the Azure AD login authority.
 


The ClientCredential on line 62 is built with the ClientId of the Azure AD application. This can be found in the Azure portal for the AD tenant. The second parameter is the client secret value, created earlier in this tutorial by using the Azure portal to create a two-year secret key. The config parameter referenced on line 63 is the Azure AD login endpoint that you use to sign on to your app, and will look something like https://login.windows.net/xxxx where ‘xxxx’ is the domain of your Azure AD tenant.
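As an added example (not the post’s own code), here is how the pieces from the last two sections fit together: acquiring an app-only access token with the client secret, building the ActiveDirectoryClient against the tenant’s Graph endpoint, and walking every page of the Users collection. It assumes the ADAL package (Microsoft.IdentityModel.Clients.ActiveDirectory) and the Azure AD Graph client package (Microsoft.Azure.ActiveDirectory.GraphClient); TenantId, ClientId and ClientSecret are placeholders you would load from protected configuration, and DirectoryUser is a stand-in for the post’s custom User type.

```csharp
// Added example, not code from the original post. Assumed NuGet packages:
// Microsoft.Azure.ActiveDirectory.GraphClient and Microsoft.IdentityModel.Clients.ActiveDirectory.
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.Azure.ActiveDirectory.GraphClient;
using Microsoft.IdentityModel.Clients.ActiveDirectory;

// Decouples the UI from the Graph API IUser type (same idea as the post's custom User).
public class DirectoryUser
{
    public string ObjectId { get; set; }
    public string DisplayName { get; set; }
    public string UserPrincipalName { get; set; }
}

public static class GraphDirectory
{
    // Placeholders: replace with your tenant id, the application's client id, and the
    // secret from the Keys section. Load them from protected configuration, never source.
    private const string TenantId = "<your-tenant-id>";
    private const string ClientId = "<your-application-client-id>";
    private const string ClientSecret = "<client-secret-from-keys-section>";

    // Login authority (https://login.windows.net/<tenant>) and the Graph API resource id.
    private const string Authority = "https://login.windows.net/" + TenantId;
    private const string GraphResource = "https://graph.windows.net";

    // Requests an app-only token for the Graph API using the client credential (id + secret).
    public static async Task<string> AcquireGraphTokenAsync()
    {
        var authContext = new AuthenticationContext(Authority);
        var credential = new ClientCredential(ClientId, ClientSecret);
        AuthenticationResult result = await authContext.AcquireTokenAsync(GraphResource, credential);
        return result.AccessToken;
    }

    // Builds the client against https://graph.windows.net/<tenant-id>; the library calls
    // AcquireGraphTokenAsync whenever it needs a bearer token for a request.
    public static ActiveDirectoryClient CreateClient()
    {
        var serviceRoot = new Uri(new Uri(GraphResource), TenantId);
        return new ActiveDirectoryClient(serviceRoot, AcquireGraphTokenAsync);
    }

    // Fetches every user, following the paged collection until no pages remain.
    public static async Task<List<DirectoryUser>> GetAllUsersAsync(ActiveDirectoryClient client)
    {
        var users = new List<DirectoryUser>();
        IPagedCollection<IUser> page = await client.Users.ExecuteAsync();

        while (page != null)
        {
            foreach (IUser graphUser in page.CurrentPage)
            {
                // Equivalent of the post's User.ConvertToDomain mapping.
                users.Add(new DirectoryUser
                {
                    ObjectId = graphUser.ObjectId,
                    DisplayName = graphUser.DisplayName,
                    UserPrincipalName = graphUser.UserPrincipalName
                });
            }

            page = page.MorePagesAvailable ? await page.GetNextPageAsync() : null;
        }

        return users;
    }
}
```

Because the token getter is a delegate, the client re-acquires a token as needed rather than caching one bearer token for the life of the process; ADAL’s own token cache avoids a round trip to the authority on every call.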
 
How to lookup application roles for a user
In order to query the application roles of a user, you need to make use of the IUserFetcher object. The userFetcher retrieves the AppRoleAssignments for that user.
 


In the code shown above, line 144 gets the list of all AppRoleAssignments for this particular user. If you have multiple applications configured in your AD environment, notice how the application is checked on line 152. You may want to step through this code in the debugger to verify that you need this level of complexity; if you have a simple AD setup, it may not be necessary.

The domain user returned from this method will have the Application Roles contained in it (added on line 161 above). Each AppRole here has a DisplayName property, which is the same value used in the Azure portal on the screen used to assign roles to the user.
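The role lookup described in this section, as an added example rather than the post’s own code: it fetches the user’s AppRoleAssignments through the IUserFetcher, resolves each assignment’s ResourceId to the service principal that owns the role definitions, optionally keeps only the assignments that belong to one application (the check the post makes on line 152), and returns the matching DisplayName values. It assumes the Microsoft.Azure.ActiveDirectory.GraphClient package and an ActiveDirectoryClient built as in the previous section; the appId parameter is this example’s name for the application’s client id.

```csharp
// Added example, not code from the original post. Assumes an ActiveDirectoryClient
// created as in the previous section and the Microsoft.Azure.ActiveDirectory.GraphClient package.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Threading.Tasks;
using Microsoft.Azure.ActiveDirectory.GraphClient;

public static class AppRoleLookup
{
    // Returns the display names of the application roles assigned to the user.
    // When appId (the application's client id) is supplied, assignments for other
    // applications registered in the tenant are ignored.
    public static async Task<List<string>> GetAppRoleNamesAsync(
        ActiveDirectoryClient client, string userObjectId, string appId = null)
    {
        var roleNames = new List<string>();

        // Role definitions live on the service principal; cache them per ResourceId
        // so a user with many assignments does not trigger one fetch per assignment.
        var servicePrincipals = new Dictionary<Guid, IServicePrincipal>();

        IUserFetcher userFetcher = client.Users.GetByObjectId(userObjectId);
        IPagedCollection<IAppRoleAssignment> page = await userFetcher.AppRoleAssignments.ExecuteAsync();

        while (page != null)
        {
            foreach (IAppRoleAssignment assignment in page.CurrentPage)
            {
                if (assignment.ResourceId == null || assignment.Id == null)
                {
                    continue;
                }

                Guid resourceId = assignment.ResourceId.Value;
                IServicePrincipal sp;
                if (!servicePrincipals.TryGetValue(resourceId, out sp))
                {
                    sp = await client.ServicePrincipals.GetByObjectId(resourceId.ToString()).ExecuteAsync();
                    servicePrincipals[resourceId] = sp;
                }

                // Skip assignments that belong to a different application.
                if (appId != null && !string.Equals(sp.AppId, appId, StringComparison.OrdinalIgnoreCase))
                {
                    continue;
                }

                // assignment.Id is the id of the AppRole on the resource. An all-zero id means
                // the user was assigned with no specific role, so no AppRole will match it.
                AppRole role = sp.AppRoles.FirstOrDefault(r => r.Id == assignment.Id.Value);
                if (role != null)
                {
                    roleNames.Add(role.DisplayName);
                }
            }

            page = page.MorePagesAvailable ? await page.GetNextPageAsync() : null;
        }

        return roleNames;
    }
}
```

The DisplayName values returned here are the same strings the classic portal shows on its ‘Assign’ screen, which is what makes them suitable for an admin view; if your authorization code keys off role claims instead, compare against AppRole.Value, since that is the string emitted in the token’s roles claim.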
 
Conclusion
Using these code samples, you should be able to build a screen to show the application roles for an Azure Active Directory user.