LindenROTH-8749 asked LindenROTH-8749 answered

Api Permission not being activated by consent

We are using AD to allow end user to login to a 3rd party application

We are using User Schema Extension fields to hold 3rd Party,

Major issue
I cannot update any of the extension fields despite having User.ReadWrite (and other permissions) set and consented to UNLESS I use a User Administrator account.
A regular user reports Forbidden - it would appear I'm missing something.

Minor issue
Is there a way to limit a normal user's update to a single field of the Schema Extension?

I have supplied some screen shot to azfretrl@microsoft.com

LINDEN

azure-active-directory

Hi @LindenROTH-8749 , do you have any custom policies or roles? I would check them over and cross reference with built-in roles to make sure that your users have the appropriate permissions. Can you post a screenshot here of your settings? Why do you want to limit a user to a single field? Please let me know.

Thank you,
James


0 Votes 0 ·

Bit of context ... I am a developer writing a solution to allow Cloud users to login (with Cloud authority only) to a 3rd party system (3PS) via an in-house server (this solution is already in place for Okta/Oracle/Google SSO Clouds). So we are talking about a brand new 6 user test system that I created last month.

To manage the 3PS data we have added a 5 field schema extension to USER to hold various encrypted data (username/password etc.) for the 3rd party system AND a field to hold our system information, e.g. last access time.

We have tools that handle the initial configuration and the admin task of linking the Cloud User to the User in the 3PS (all working) - done by elevated Admin User.

Continued

0 Votes 0 ·

...Continued ...

So finally after the server is deployed and links are made we need the normal cloud user to be able to access the server and hence the 3PS. This all works as expected (and was working 18 months ago when the POC was first developed)
BUT the update of the access time in the Schema Extension Field is "forbidden" (the only field we need the user to be able to change - hence the limit question - we want our server to be very bland as far as the normal user is concerned)
despite our server's Cloud App having permissions (that have been admin consented to),
unless our user is an elevated one.

We Have tried API Permissions in the Portal and/or Scopes in the oauth2/token call

Thank you James for getting back to me
Linden ROTH

0 Votes 0 ·

RESOLVED - the solution is to use an application token rather than the user level token

POST https://login.microsoftonline.com/401e70.....d0/oauth2/v2.0/token HTTP/1.1
Content-Type: application/x-www-form-urlencoded

client_id= ce...b
&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default
&client_secret= K1e....u
&grant_type=client_credentials

0 Votes 0 ·
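The resolution above in working form, as an added example that is not code from the thread or from Microsoft: the in-house server acquires an app-only token with the client_credentials grant and issues the Graph PATCH itself, so the end user never needs a delegated permission. The tenant id, client id/secret, schema extension id and the "lastAccess" field name are placeholders; the allowed-field and own-record checks are the server-side enforcement the "limit to a single field" question asks for, since an app-only token can write any user's data and Graph has no per-field scope.

```python
# Added example, not from the thread. Placeholders: tenant, client id/secret,
# EXTENSION_ID and the "lastAccess" field name. With an app-only token the
# server is fully trusted by Graph, so the guard in build_extension_patch is
# the only thing keeping an end user to one field of their own record.
import json
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_USER_URL = "https://graph.microsoft.com/v1.0/users/{user_id}"
EXTENSION_ID = "extPLACEHOLDER_thirdParty"  # constructed; real ids look like ext<8 chars>_<name>
USER_WRITABLE_FIELDS = {"lastAccess"}       # the only extension field an end user may change


def build_token_request(tenant, client_id, client_secret):
    """Return (url, form body) for the client_credentials grant shown in the thread."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "scope": "https://graph.microsoft.com/.default",  # encodes as in the resolved post
        "client_secret": client_secret,
        "grant_type": "client_credentials",
    })
    return TOKEN_URL.format(tenant=tenant), body


def build_extension_patch(signed_in_user_id, target_user_id, updates):
    """Return (url, JSON body) for PATCH /users/{id} that updates the schema extension.

    Raises PermissionError when the caller targets another user's record or any
    field outside USER_WRITABLE_FIELDS. Graph cannot express this rule, so the
    server must apply it before using its app-only token.
    """
    if signed_in_user_id != target_user_id:
        raise PermissionError("end users may only update their own extension data")
    disallowed = set(updates) - USER_WRITABLE_FIELDS
    if disallowed:
        raise PermissionError(f"field(s) not writable by end users: {sorted(disallowed)}")
    # Schema extension values are sent as a nested object keyed by the extension id.
    body = json.dumps({EXTENSION_ID: dict(updates)})
    return GRAPH_USER_URL.format(user_id=target_user_id), body


def patch_extension(token, signed_in_user_id, target_user_id, updates):
    """Perform the PATCH with the app-only token (network call; not run offline)."""
    url, body = build_extension_patch(signed_in_user_id, target_user_id, updates)
    req = urllib.request.Request(url, data=body.encode(), method="PATCH",
                                 headers={"Authorization": f"Bearer {token}",
                                          "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status  # Graph answers 204 No Content on a successful user update
```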

JamesHamil-MSFT answered LindenROTH-8749 commented

Hi @LindenROTH-8749 ,

"I cannot update any of the extension fields"

You should use these 2 permissions - Application.ReadWrite.All, Directory.AccessAsUser.All, to be able to update User Schema Extension fields. Currently you are only using User.ReadWrite. Reference: Permissions for User Schema Extensions.

"is there a way to limit normal user update to a single field of the Schema Extension"

For delegated flows, the signed-in user can update a schema extension as long as the owner property of the extension is set to the appID of an application the signed-in user owns. That application can be the one that initially created the extension, or some other application owned by the signed-in user - Update Schema Extension. A user with the required permissions can change the fields in schema extensions. Reference: schema extension service limit restriction.

Please let me know if you have any questions!

If this answer helped you please mark it as "Verified" so other users may reference it.

Thank you,
James


James - thanks for getting back

I think there may be some confusion.

1) I need my user to update the DATA in a schema extension field - not manage schema extensions. Literally I need to have a signed-in user account (general user) updating a last access field with date and time (in encrypted form) for their personal extension data.

2) According to the doco, Directory.AccessAsUser.All is required to create and manage schema extension definitions - my typical end user will not have this requirement, nor in the scope of our application should they.

3) There is no mention of Application.ReadWrite.All in the schema extension page, and this seems a seriously high level of permission, appropriate for system management tools but not end users.

For the sake of completeness I have added these permissions and consented to them at directory level - however, any attempt by an "end user" to update data in a User Schema Extension field results in a "Forbidden" response to the PATCH.

0 Votes 0 ·