RahulNair-7580 asked saldana-msft edited

How to retrieve Azure Users, password requirements, guest users, custom roles using API

Hey everyone, I'm working on Azure CSPM. I have a few checks to code. One being "Ensures that all Azure passwords require uppercase characters". I know this information is stored in the users API, which is "https://graph.windows.net/myorganization/users?api-version=1.6".

Now, for the other APIs, I used this code:

 import http.client
 import json
 import requests


 def get_token():
     # Client-credentials grant; TenantID, client_id and client_secret are placeholders.
     r = requests.post(
         "https://login.microsoftonline.com/TenantID/oauth2/token",
         data={
             "grant_type": "client_credentials",
             "client_secret": "xxxxxxxxxxxx",
             "client_id": "xxxxxxxxxx",
             "resource": "https://management.azure.com",
         },
     )
     ret_body = r.json()
     return ret_body['access_token']

 token = get_token()
 headers = {'Authorization': 'Bearer ' + token}
 # List PostgreSQL servers in the subscription through Azure Resource Manager.
 conn = http.client.HTTPSConnection('management.azure.com')
 conn.request("GET", '/subscriptions/subscriptionid/providers/Microsoft.DBforPostgreSQL/servers?api-version=2017-12-01', "", headers)
 response = conn.getresponse()
 server_data = response.read()
 server_data = server_data.decode('utf-8')
 server_data = json.loads(server_data)
 print(server_data)


And yes, I haven't written the tenant ID, client ID etc. here, but I've written them in my code. Can somebody help me retrieve the user data? It has to be done only using Python, btw.

azure-active-directory microsoft-graph-users azure-ad-password-protection

Hi dear @RahulNair-7580 Is your problem solved?


1 Answer

CarlZhao-MSFT answered CarlZhao-MSFT commented

Hi @RahulNair-7580

You can call the https://graph.microsoft.com/beta/users?$expand=appRoleAssignments API endpoint to list all users of Azure AD (including guest users), custom appRoles and passwordProfile.

First, you need to grant the User.ReadWrite.All application permission to your application, and then modify the key parameters in your script.

  import http.client
  import json
  import requests

  def get_token():
      # Same client-credentials flow, but the token is requested for Microsoft Graph.
      r = requests.post(
          "https://login.microsoftonline.com/TenantID/oauth2/token",
          data={
              "grant_type": "client_credentials",
              "client_secret": "xxxxxxxxxxxx",
              "client_id": "xxxxxxxxxx",
              "resource": "https://graph.microsoft.com",
          },
      )
      ret_body = r.json()
      return ret_body['access_token']

  token = get_token()
  headers = {'Authorization': 'Bearer ' + token}
  # List users together with their app role assignments.
  conn = http.client.HTTPSConnection('graph.microsoft.com')
  conn.request("GET", '/beta/users?$expand=appRoleAssignments', "", headers)
  response = conn.getresponse()
  server_data = response.read()
  server_data = server_data.decode('utf-8')
  server_data = json.loads(server_data)
  print(server_data)


Hey, it did help. Unfortunately, my password profile was set to none. When I tried to create a new user, all the password checks were working.

  • Ensures that all Azure passwords require lowercase characters

  • Ensures that all Azure passwords require numbers

  • Ensures that all Azure passwords require symbol characters

  • Ensures that all Azure passwords require uppercase characters

  • Ensures that all Azure passwords require a minimum length

All these rules were set by default but the password profile and policies were empty. What do I do?

Hi @RahulNair-7580 The user you are checking is a guest account, the guest account is not created by you, only invited by you, so it is normal that password profile and policies have no value, because you cannot set any password policy for the guest account. What you should check is the member account, because the member account is what you created.


I actually don't have any guest accounts. Just one. And I'm a member. So, I'm just checking the member account and the password profile is empty. What do I do? Also, how do I check if there are custom roles?
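An added example, not code from this thread or from Microsoft: one way a CSPM check can evaluate the `/users` response when `passwordProfile` comes back empty, as in the comments above. It assumes the check should key on the user's `passwordPolicies` string (the `DisableStrongPassword` flag) and treat an empty value as the default strong-password rules; the function names and `SAMPLE_PAGES` are hypothetical, and the sample data is constructed.

```python
# Added example: offline evaluation of Microsoft Graph /users result pages.
# SAMPLE_PAGES is constructed sample data, not output from a real tenant.
SAMPLE_PAGES = {
    "page1": {
        "value": [
            {"userPrincipalName": "alice@contoso.example", "userType": "Member",
             "passwordPolicies": None, "passwordProfile": None},
            {"userPrincipalName": "bob@contoso.example", "userType": "Member",
             "passwordPolicies": "DisablePasswordExpiration, DisableStrongPassword",
             "passwordProfile": None},
        ],
        "@odata.nextLink": "page2",  # Graph pages results; follow this link
    },
    "page2": {
        "value": [
            {"userPrincipalName": "carol_partner.example#EXT#@contoso.example",
             "userType": "Guest", "passwordPolicies": None, "passwordProfile": None},
        ],
    },
}


def iter_users(fetch, first_url):
    """Yield every user, following @odata.nextLink until the last page."""
    url = first_url
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def audit_password_policy(users):
    """Classify users; assumption: no DisableStrongPassword flag means compliant."""
    report = {"compliant": [], "weak_password_allowed": [], "guests_skipped": []}
    for user in users:
        name = user.get("userPrincipalName", "<unknown>")
        if user.get("userType") == "Guest":
            # Guest passwords are governed by the guest's home tenant.
            report["guests_skipped"].append(name)
            continue
        raw = user.get("passwordPolicies") or ""  # null when nothing is overridden
        policies = {p.strip() for p in raw.split(",") if p.strip()}
        key = "weak_password_allowed" if "DisableStrongPassword" in policies else "compliant"
        report[key].append(name)
    return report


def run_sample():
    return audit_password_policy(iter_users(SAMPLE_PAGES.__getitem__, "page1"))


if __name__ == "__main__":
    print(run_sample())
```

Against a live tenant, `fetch` would wrap the authenticated GET from the answer, with `$select=userPrincipalName,userType,passwordPolicies` added to the query. The read-only `User.Read.All` application permission is sufficient for that request.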



