I have a working Azure app that gives me the group names when I call
https://graph.microsoft.com/v1.0/me/transitiveMemberOf/microsoft.graph.group
However, I have tried to recreate the app several times, and checked all settings in App Registrations and Enterprise Applications to match the original app - but can never get the group names in the new apps (created in the last 24 hours, if that is relevant).
API Permissions:
Group.Read.All
GroupMember.Read.All
User.Read
App is created using these steps
App registrations, add, Single tenant
Quickstart, Mobile and desktop applications, Desktop, Make this change for me
Token configuration, Add groups claim, Security groups, set all to sAMAccountName
API Permissions, add Group.Read.All and GroupMember.Read.All
Permission granted using “Grant admin consent for Default Directory”
There must be another setting somewhere else that I am missing, which I thought to post here to uncover, thinking it might help someone else with the same problem.
FYI fragment of group result that I get:
"@odata.id": "https://graph.microsoft.com/v2/5ed71832-327b-4b98-b68a-6c54ff1717c0/directoryObjects/2f95e1d3-c7cf-4796-92a2-df844feb52d0/Microsoft.DirectoryServices.Group",
"id": "12345678-c7cf-4796-92a2-df844feb5eee",
"deletedDateTime": null,
"classification": null,
"createdDateTime": null,
"creationOptions": [],
"description": null,
"displayName": null, <<<<<<<<<< why is this null???
When an application queries a relationship that returns a directoryObject type collection, if it does not have permission to read a certain derived type, members of that type are returned but with limited information. This could potentially be a reason for you seeing a 'null' value.
Also for using the transitive memberOf endpoint, I suggest you use directory level permissions.
Refer Documentation here - https://learn.microsoft.com/en-us/graph/api/user-list-transitivememberof?view=graph-rest-1.0&tabs=http
Hope this helps. Thanks!
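As an added illustration of the point above (this is not code from the question or the answer): a Python script that walks a paged transitiveMemberOf response and separates groups the token can actually read from the "limited information" stubs Graph returns when the caller lacks permission for that derived type. Graph's paging key (@odata.nextLink) is real; the URLs, ids and page contents are constructed so the script runs offline, and `fetch` stands in for an authenticated HTTP GET.

```python
# Added example, not from the original post. The sample pages and ids below are
# constructed; `fetch` is a stand-in for an authenticated GET against Graph.
from typing import Callable, Dict, List, Set, Tuple

# Descriptive properties a readable group carries. A stub returned for an
# unreadable derived type has an id and OData metadata, and these are null.
DESCRIPTIVE_KEYS = ("displayName", "description", "mailNickname", "createdDateTime")


def is_limited_stub(obj: Dict) -> bool:
    """True when the object has an id but every descriptive property is null."""
    return "id" in obj and all(obj.get(k) is None for k in DESCRIPTIVE_KEYS)


def collect_groups(first_url: str, fetch: Callable[[str], Dict]) -> Tuple[List[Dict], List[Dict]]:
    """Follow @odata.nextLink to the end and return (readable, stubs)."""
    readable: List[Dict] = []
    stubs: List[Dict] = []
    seen: Set[str] = set()
    url = first_url
    while url:
        if url in seen:                      # defensive: never loop on a bad nextLink
            raise RuntimeError(f"nextLink loop at {url}")
        seen.add(url)
        page = fetch(url)
        for obj in page.get("value", []):
            otype = obj.get("@odata.type")
            if otype and otype != "#microsoft.graph.group":
                continue                      # skip non-group directory objects if typed
            (stubs if is_limited_stub(obj) else readable).append(obj)
        url = page.get("@odata.nextLink")
    return readable, stubs


# Constructed sample: two pages, one readable group and one all-null stub.
BASE = "https://graph.microsoft.com/v1.0/me/transitiveMemberOf/microsoft.graph.group"
SAMPLE_PAGES = {
    BASE: {
        "value": [
            {"@odata.type": "#microsoft.graph.group",
             "id": "11111111-0000-0000-0000-000000000001",
             "displayName": "sec-readers", "description": "constructed group",
             "mailNickname": "sec-readers", "createdDateTime": "2024-01-01T00:00:00Z"},
        ],
        "@odata.nextLink": BASE + "?$skiptoken=constructed",
    },
    BASE + "?$skiptoken=constructed": {
        "value": [
            {"@odata.type": "#microsoft.graph.group",
             "id": "11111111-0000-0000-0000-000000000002",
             "displayName": None, "description": None,
             "mailNickname": None, "createdDateTime": None},
        ],
    },
}


def sample_fetch(url: str) -> Dict:
    """Offline stand-in for an authenticated GET; serves the constructed pages."""
    return SAMPLE_PAGES[url]


def run_demo() -> Tuple[int, int]:
    """Return (readable, stub) counts and flag stubs for a permission check."""
    readable, stubs = collect_groups(BASE, sample_fetch)
    for g in stubs:
        print(f"{g['id']}: limited info only; check the token's scp/roles claims "
              "for Group.Read.All or Directory.Read.All before blaming the query")
    return len(readable), len(stubs)


if __name__ == "__main__":
    print(run_demo())
```

The stub test looks at several descriptive properties rather than displayName alone, so a real group with an empty description is not misclassified; the loop guard on nextLink is cheap insurance against a malformed or replayed paging URL.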
Is there a way to programmatically determine from a DocumentClientException where StatusCode == HttpStatusCode.NotFound whether it was the document, the collection, or the database that was not found?
I'm trying to figure out whether I can implement on-demand collection provisioning and only call DocumentClient.CreateDocumentCollectionIfNotExistsAsync when I need to. I'm trying to avoid calling it before making every request (presumably this adds an extra network roundtrip to every request). Likewise, I'm trying to avoid calling it on error recovery when I know it won't help.
From experimentation with the local emulator, the only field I see varying in these three cases is DocumentClientException.Error.Message, and only when the database cannot be found. I generally try to avoid exception dispatching based on human-readable messages.
Wrong database name:
StatusCode: HttpStatusCode.NotFound
Error.Message: {\"Errors\":[\"Owner resource does not exist\"]}...
Correct database name, wrong collection name:
StatusCode: HttpStatusCode.NotFound
Error.Message: {\"Errors\":[\"Resource Not Found\"]}...
Correct database name, correct collection name, incorrect document ID:
StatusCode: HttpStatusCode.NotFound
Error.Message: {\"Errors\":[\"Resource Not Found\"]}...
I'm planning to use a database with its own offer. Since collections inside a database with its own offer are cheap, I'm trying to see whether I can segregate each tenant in my multi-tenant application into its own collection. Each tenant ends up having a different indexing and default TTL policy. The set of collections is not fixed and changes dynamically during runtime as new tenants sign up. I cannot predict when I will need to add a new collection. There's no new tenant notification: I just get a request that I need to handle by creating a document in a possibly non-existent collection. There's a process to garbage collect unused collections.
I'm using the NuGet package Microsoft.Azure.DocumentDB.Core Version 1.9.1 in a .NET Core 2.1 app targeting a SQL API Cosmos DB instance.
If you look at the Message property in detail, you should see the following strings, which inform whether the 404 Not Found response was generated due to a Document vs a Collection.
ResourceType: Document
ResourceType: Collection
It's not ideal, but you can try to regex this information out of the error message.
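A worked version of that regex approach, as an added example rather than code from the question or the answer: it prefers the "ResourceType: ..." marker the answer mentions and falls back to the "Owner resource does not exist" wording the question observed for a missing database. The message strings below are constructed from the fragments quoted in the question; the message format is not a contract, so anything unrecognised is reported as "Unknown" instead of guessed.

```python
# Added example, not from the original post. MSG_* strings are constructed
# from the fragments quoted in the question; the exact layout of a real
# DocumentClientException.Message may differ, hence the "Unknown" fallback.
import json
import re
from typing import List

RESOURCE_TYPE_RE = re.compile(r"ResourceType:\s*([A-Za-z]+)")


def error_strings(message: str) -> List[str]:
    """Return the Errors array from the first JSON object embedded in the message.
    The JSON may appear raw or with escaped quotes (as a debugger renders it)."""
    start = message.find("{")
    if start == -1:
        return []
    body = message[start:].replace('\\"', '"')
    try:
        obj, _ = json.JSONDecoder().raw_decode(body)
    except ValueError:
        return []
    if not isinstance(obj, dict):
        return []
    return [str(e) for e in obj.get("Errors", [])]


def classify_not_found(status_code: int, message: str) -> str:
    """Map a 404 to 'Database', 'Collection', 'Document' or 'Unknown'."""
    if status_code != 404:
        raise ValueError("only 404 responses are classified here")
    m = RESOURCE_TYPE_RE.search(message)
    if m:
        return m.group(1)            # "Document" or "Collection" per the answer
    if any("Owner resource does not exist" in e for e in error_strings(message)):
        return "Database"            # observed in the question for a wrong database name
    return "Unknown"


def should_provision_collection(status_code: int, message: str) -> bool:
    """Only a missing collection is fixed by CreateDocumentCollectionIfNotExistsAsync;
    a missing database or document is not, so do not retry blindly."""
    return classify_not_found(status_code, message) == "Collection"


# Constructed samples (escaped-quote form as the question shows it, and a raw form).
MSG_DB = r'{\"Errors\":[\"Owner resource does not exist\"]}, ActivityId: 00000000-0000-0000-0000-000000000000'
MSG_COLL = 'Message: {"Errors":["Resource Not Found"]}\r\nActivityId: 00000000-0000-0000-0000-000000000000, ResourceType: Collection'
MSG_DOC = 'Message: {"Errors":["Resource Not Found"]}\r\nActivityId: 00000000-0000-0000-0000-000000000000, ResourceType: Document'


if __name__ == "__main__":
    for name, msg in (("db", MSG_DB), ("coll", MSG_COLL), ("doc", MSG_DOC)):
        print(name, classify_not_found(404, msg), should_provision_collection(404, msg))
```

Keep the status code as the primary signal and treat the parsed text as advisory: if the SDK changes its wording the function degrades to "Unknown", which should be logged and handled as a hard failure rather than silently triggering provisioning.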
In IAM I tried creating the following policy for a user (account id in arn obfuscated):
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "dynamodb:*",
"Resource": "arn:aws:dynamodb:us-west-2:999999999999:table/busUsers"
}
]
}
However, it resulted in:
This policy defines some actions, resources, or conditions that do not provide permissions. To grant access, policies must have an action that has an applicable resource or condition. For details, choose Show remaining Learn more
Show remaining shows:
One or more actions do not have an applicable resource.
I looked up the Learn more link and it says to replace the arn in the Resource element with *. I am confused now. What does * mean? I want to grant access to a specific DynamoDB table of mine. How do I specify that?
EDIT: I removed all DynamoDB actions and just selected one, GetItem, and it's:
When I deselect GetItem, both error messages go away.
When I select table Any, the first error message goes away.
When I select Resource Any, the second error message goes away.
It's because you are granting permissions for all DynamoDB actions to a table resource, but not all of those actions are actually applicable to a table.
For example dynamodb:DescribeStream is not applicable to a table, only to a Stream, but you are granting permission to this resource anyway.
You can safely ignore this warning.
EDIT: You may not have realised you can just click Save Policy and it will work fine.
EDIT: Thanks for posting your screenshot. There are no errors here, just warnings, which might be better called tips in this case.
When you enter the ARN of a resource manually, AWS does not appear to recognise what type of resource it is (i.e. a table). If you add the resource through the table ARN generator, you won't get any warnings. In either case you end up with the same policy.
It is possible that you are running into a bug [discussed by Amazon employee rob@AWS] of the IAM Policy Visual editor itself (and therefore not experiencing any actual problem):
https://forums.aws.amazon.com/thread.jspa?threadID=282453
When I alleviated my personal problem (which had me looking at this question in the first place), my similar warnings still persisted (even after my problem was solved by something else). That leads me to believe my similar experience with the Visual editor may have indeed been that bug (and not causing or involved in my prior problem at all).
When deploying a Microsoft.Web resource with the new MSI feature, the principalId GUID for the created identity is visible after deployment. The screenshot below shows the structure in the ARM template.
What would be the best way to fetch this GUID later in the pipeline to be able to assign access rights in (for instance) Data Lake Store?
Is it possible to use any of the existing ARM template functions to do so?
I just struggled with this myself. The solution that worked for me was found deep in the comments here.
Essentially, you create a variable targeting the resource you are creating with the MSI support. Then you can use the variable to fetch the specific tenantId and principalId values. Not ideal, but it works. In my examples, I'm configuring Key Vault permissions for a Function App.
To create the variable, use the syntax below.
"variables": {
"identity_resource_id": "[concat(resourceId('Microsoft.Web/sites', variables('appName')), '/providers/Microsoft.ManagedIdentity/Identities/default')]"
}
To get the actual values for the tenantId and principalId, reference them with the following syntax:
{
"tenantId": "[reference(variables('identity_resource_id'), '2015-08-31-PREVIEW').tenantId]",
"objectId": "[reference(variables('identity_resource_id'), '2015-08-31-PREVIEW').principalId]"
}
Hope this helps anyone who comes along with the same problem!
Here are a few sample templates: https://github.com/rashidqureshi/MSI-Samples that show a) how to grant RBAC access to ARM resources b) how to create access policy for keyvault using the OID of the MSI
There is a new way to get identity information. You can get it directly from any resource that supports Managed Identity for Azure resources (Managed Service Identity in the past).
{
"tenantId": "[reference(resourceId('Microsoft.Web/sites', variables('serviceAppName')),'2019-08-01', 'full').identity.tenantId]",
"objectId": "[reference(resourceId('Microsoft.Web/sites', variables('serviceAppName')),'2019-08-01', 'full').identity.principalId]"
}
You can also get the principalId for a resource in another resource group and/or subscription. resourceId supports optional parameters:
"tenantId": "[reference(resourceId(variables('resourceGroup'), 'Microsoft.Web/sites', variables('serviceAppName')),'2019-08-01', 'full').identity.tenantId]",
or
"tenantId": "[reference(resourceId(variables('subscription'), variables('resourceGroup'), 'Microsoft.Web/sites', variables('serviceAppName')),'2019-08-01', 'full').identity.tenantId]",
I have created my first Facebook app in R. Its purpose is solely to retrieve marketing data from my Facebook pages. So far I have created this (no authentication problems):
require("Rfacebook")
load("fb_oauth")
## Start retrieving insight from VivaraDE
rawinsightsDE<-getInsights(object_id= "my_id", token = fb_oauth,
metric="page_impressions", period = "days_28", version="2.6")
When running this, R does return:
Error in FUN(X[[1L]], ...) :
No data available. Are you the owner of this page? See ?getInsights.
I have an administrator role in my app (obviously) and an admin role on the page designated by my_id.
I suspect I will have to alter some config somewhere. What am I missing?
You need read_insights permission from the page admin (you in this case), before you can access these metrics.
Any more common permissions I need to include, so I won't stumble upon some more rejections?
Nah, don’t ask for permissions “just to be on the safe side” – that will only give problems in review (if the app is supposed to be used by the general public at one point?), if they see you asking for permissions without actually using them.
I’d rather suggest you use Graph API Explorer first to test out the request you want to make; its debug feature usually displays a message in such cases as to what permission is missing to get the requested data.
I just want to ask about shinyapps accounts. I have two shinyapps accounts registered, and now when I want to deploy I see an error like this:
Do you want to proceed with deployment? [Y/n]: y
Error: Please specify the account which you want to deploy the application to (there is more than one account registered on this system).
So my question is: how do I specify the account that I want to use when deploying the application? When I tried to run this
shinyapps::setAccountInfo(name='xxxx',
token='13SDADASDSADAD9FCCEC48C016D5D97',
secret='863pLqbfaxeradasdafasfsadxzadadXgi2NfXh')
setwd('D:/ASD/test')
library(shinyapps)
deployApp()
I still got same error.
Go to the top menu in RStudio -> Tools -> ShinyApps -> Manage Accounts
There are mainly two different parameters to set up: the name and the account, each used in a different function. Previous answers did not make this altogether clear, so let me add explanations.
Step 1: Set name via setAccountInfo():
Go to https://www.shinyapps.io/admin/#/dashboard and get your personal name/token/secret, e.g. "myName" / "myToken" / "mySecret". You'll need all three to authorize your account.
library(shiny)
library(rsconnect)
rsconnect::setAccountInfo(
name = "myName",
token = "myToken",
secret = "mySecret")
You're now ready to deploy your apps. If you have a single account, that is all you need to do. But with multiple accounts, you also need to set the account explicitly in the deployApp() function:
Step 2: Set account via deployApp():
setwd("my/local/dir/") # or set the full path below
rsconnect::deployApp("myAppNameOffline",
appName = "myAppNameOnline",
account = "myName")  # must match the name given to setAccountInfo()
Bonus: If you set option appName explicitly your app can have a different name online as it does offline, e.g. "myapp-version-999" can simply become "myapp" online.
If you have multiple accounts on shinyapps.io, specify the account name while deploying the app.
Get a list of accounts:
accounts(server = NULL)
Deploy it to the desired account:
shinyapps::deployApp('./AppPath', account='second_account_name')
Use the following command to remove all the accounts:
removeAccount("user")
Then reconfigure your rsconnect using the following function:
rsconnect::setAccountInfo(name, token, secret)
In RStudio go to: Tools => Global Options => Publishing
and remove useless users.