At a customer I needed to generate quite a few Azure AD dynamic groups, in order to create groups for each department, with users having a set of job titles. This is a good method to automatically assign application roles to a set of users based on their attributes, given that the attributes are managed by a sync from HR or similar. Here is how I did it.Continue reading “Script for generating Azure AD dynamic groups”
Some times it can be handy to be able to generate some demo content, and have some reference PowerShell for working with stuff. Here is my script for creating 5 access packages with different properties:
- A visible package available for any external user
- A hidden package available for any external user, requiring the user to know the url
- A package available to external users in connected organizations
- A package available for members of an internal group
- A package available to any internal user, with manager approval and self review
In this blog series on building a full Identity Governance and Administration solution, we have until now covered application roles extensively, and how these can be sent to an application.
For a quick summary, this is how you can define custom application roles, here is how to send these roles using the SCIM protocol, this article shows how to transfer the roles using the OpenID Connect ID Token or SAML claim and here I can show you how to use PowerShell to query the Microsoft Graph for application role assignments for your users and groups.Continue reading “Full IGA using Azure AD – Managing access using Entitlement Management”
The following contains a quick reference for how to extend the OpenID Connect ID Token that we created in this blog post with additional attributes.Continue reading “Adding custom attributes to the Azure AD OpenID Connect ID Token”
In this post I will quickly demo how to use PowerShell to get app role assignments for all application using the Microsoft Graph.
You should have followed my previous post in order to have created an application, added some appRoles to the manifest and granted access to the Graph.
In the last post we transferred to user information and roles to the application through Azure AD outbound provisioning with SCIM. This requires the application to either have or to implement a SCIM API, which might some times be unnecessary. Also, many applications does not have an internal user database, but relies on session information when doing access control.
In this blog post I will show you how applications can get user roles through the user’s ID token, demoed with OAuth 2.0 authorization code flow.
Continuing my series on how to achieve a full “Identity Governance and Administration” (IGA) solution using Azure AD, the topic this time and for the next few posts will be provisioning, with focus on actually transferring the app roles from my previous post into the application itself.