If you have used the Azure Active Directory service in your application, then you have probably realized that it lacks the ability to see application roles assigned to users. At the present time, the Azure Active Directory service must be configured using the classic Azure portal (https://manage.windowsazure.com). In the classic portal, when looking at the users for your active directory, there is no way to see what application roles have been assigned to a user. When you use the ‘Assign’ action to add a role to a user, you can pick a role to add to a user. However, once that is done, there is no place in the Azure portal to view the role assignments for the users.
Because of this gap in functionality, we added a screen to our admin tool that lets us view the role assignments for a user. This blog post is about the code required to query the Azure Active Directory to view its contents. There is an API called the Graph API that I will show you how to use to query the Azure Active Directory.
How to Set Up Active Directory Tenant for Graph API
There is an API called the Graph API that can be used to execute queries against the Azure AD environment. Before working with the Graph API, you need to configure your app to request permissions to the Graph API. To do this, you need to sign into the classic Azure portal and view the Active Directory dashboard. Navigate to your Active Directory tenant and click ‘Configure’. Towards the bottom of the screen is a section called ‘Permissions to other applications’. You need to add the application called ‘Windows Azure Active Directory’. This application is actually the Graph API, and it needs permission to read your directory.
You should configure the Application Permission to allow ‘Read directory data’.
You should also configure some Delegated Permission
You should also configure a secret key. In the Keys section, you will need an active key. You can create a two-year key, and it will initially look like this:
When you save your changes to the Azure AD tenant, then the secret key value will be shown. It’s important to save the value of this key. This is the only time the private key value will be displayed. You will need to have access to this private key value later on in this tutorial. This secret key will be used as a client credential to request an access token for the Graph API.
Here is a link to additional info on the Active Directory Graph API https://msdn.microsoft.com/en-us/library/azure/hh974476.aspx
How to Return a List of Directory Users
In order to retrieve the list of users in your active directory, you make use of two additional nugget packages for your solution. Add the following two packages:
Here is some code to query the list of users from the directory:
The graph api methods all make use of an async paging model. It may not be necessary for you to retrieve the second page of results, unless your AD tenant contains many users. This code example will allow you to fetch all users (notice the while loop over the pagedCollection). In my app, I introduced a custom User object so that I could control the property names, and decouple my UI from the graph API user. The call on line 64 to User.ConvertToDomain is simply a mapping of the GraphAPI User to my custom User.
In order to create the instance of the ActiveDirectoryClient from line 57 above:
The configuration variable on line 181 is the Tenant Id assigned to your Azure Active Directory. The endpoint address being built here can be viewed in the Azure Portal by clicking ‘View Endpoints’ and scrolling down to look at the endpoint labeled ‘Microsoft Azure AD Graph API Endpoint’.
The next part of the magic comes from the access token required by the Graph API, used in line 182 shown above. This method needs to be an async method that retrieves the access token from the azure login authority.
The ClientCredential on line 62 is built with the ClientId of the Azure AD tenant. This can be found in the azure portal of the AD tenant. The second parameter is the client secret value. This was created earlier in this tutorial by using the azure portal and creating a 2-year secret key. The config parameter referenced on line 63 is the azure ad login endpoint that you use to sign-on to your app and will look sort of like this: https://login.windows.net/xxxx where ‘xxxx’ is the domain of your azure AD tenant.
How to Look Up Application Roles for a User
In order to query the application roles of a user, you need to make use of the IUserFetcher object. The userFetcher has the behavior of retrieving the AppRoleAssignments for this user.
In the code shown above, line 144 gets the list of all AppRoleAssignments for this particular user. If you have multiple applications configured in your AD environment, notice how the application is checked on line 152. You may want to watch this code run in the debugger to verify that you need this level of complexity. If you have a simple AD setup, this may not be necessary.
The domain user returned from this method will have the Application Roles contained in it (added on line 161 above). Each AppRoles here has a DisplayName property which is the same value used in the Azure portal on the screen used to assign roles to the user.
Using these code samples, you should be able to build a screen to show the application roles for an Azure Active Directory user.