
[FEATURE] Mapping Azure AD groups access on Products across environment

Open rohit3d2003 opened this issue 2 years ago • 6 comments

Release version

V3.0

Describe the bug

We have integrated with Azure AD on Developer Portal to manage access to Products. When an Azure AD group is assigned to a Product, the assignment creates an ID against the ‘name’ field, while ‘description’ contains the name of the Azure AD group.

While deploying this setup to a higher environment, how do we map the group based on the ‘Azure AD’ group name instead of the ID (Name column in Products -> access)?

Expected behavior

APIOps should be able to pick the Azure AD group name if the same is available in the respective environment’s Developer Portal -> Groups section. And it should assign this group to the product for access control

Actual behavior

APIOps is looking for ID/Name of the group which is generated randomly

Reproduction Steps

  1. Enable Azure AD identity in Developer Portal
  2. Add an Azure AD group under the ‘Groups’ section
  3. Create a new Product and grant access to the Azure AD group. It will show the Name as ID and the description as ‘Group Name’
  4. Run the extractor tool, which will pull groups.json under product
  5. In another environment, configure Azure AD and add the same group under the ‘Groups’ section.
  6. Run the publisher to deploy the artifacts to this environment; the deployment will fail complaining about a missing Group ID

rohit3d2003, Mar 02 '23 05:03

Not sure this is a bug. I will let @guythetechie chime in.

waelkdouh, Mar 02 '23 12:03

@rohit3d2003 - You can't. ApiOps works through the REST API, and Azure AD groups are associated to products by the externalId property. I understand it's not convenient to pass an ID, but unfortunately that's how APIM works.

guythetechie, Mar 02 '23 14:03

@guythetechie - The external ID is different across environments for the same Azure AD group. What’s your recommendation for mapping it in the publisher configuration?

rohit3d2003, Mar 02 '23 15:03

@rohit3d2003 - We currently don't support overriding Azure AD group external IDs, and we should. Adding it to our backlog.

guythetechie, Mar 02 '23 15:03

For the time being, should we ignore (.gitignore) the groups.json artifact created by the extractor tool and just manage it manually in the different environments? In our current scenario, the APIM Developer Portal is only enabled in the 'test' environment and we don't want to deploy the Product -> Group association in higher environments.

rohit3d2003, Mar 02 '23 16:03

It is possible to create groups via the API so that they have the same name even in different environments instead of the random ID. You will have to enter the external ID (the AD object ID) manually, and it can be different for each environment.

See: https://learn.microsoft.com/en-us/rest/api/apimanagement/group/create-or-update?view=rest-apimanagement-2022-08-01&tabs=HTTP#code-try-0

It's not convenient but it's a good workaround waiting for full support on APIOps.

moebius87, Nov 14 '23 00:11
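The workaround above, as an added example that is not part of this thread or of the APIOps project: build the APIM Group Create-Or-Update PUT request with a stable group name in the URL and a per-environment `externalId`, so the Product -> Group association extracted from one environment resolves in the next. The subscription, resource group, service name, tenant names and object IDs are constructed placeholders; the `aad://<tenant>/groups/<object id>` format of `externalId` is the one documented for Azure AD groups.

```python
import json
import re
from urllib.request import Request, urlopen

API_VERSION = "2022-08-01"

# Constructed sample: one stable APIM group name is reused in every environment,
# but the Azure AD object ID it points at differs per environment (placeholders).
AAD_GROUP_IDS = {
    "test": {"tenant": "contoso-test.onmicrosoft.com",
             "object_id": "11111111-1111-1111-1111-111111111111"},
    "prod": {"tenant": "contoso.onmicrosoft.com",
             "object_id": "22222222-2222-2222-2222-222222222222"},
}

EXTERNAL_ID_RE = re.compile(r"^aad://[^/]+/groups/[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$")


def external_id(env: str) -> str:
    """externalId APIM expects for an Azure AD group, looked up for one environment."""
    ids = AAD_GROUP_IDS[env]  # KeyError on an unknown environment is intended: fail early
    ext = f"aad://{ids['tenant']}/groups/{ids['object_id']}"
    if not EXTERNAL_ID_RE.match(ext):  # catch a mistyped object ID before it reaches APIM
        raise ValueError(f"malformed externalId: {ext}")
    return ext


def group_put_request(env, subscription, resource_group, service, group_name, display_name):
    """URL and body for Group Create-Or-Update; group_name is the stable id in the URL."""
    url = (f"https://management.azure.com/subscriptions/{subscription}"
           f"/resourceGroups/{resource_group}/providers/Microsoft.ApiManagement"
           f"/service/{service}/groups/{group_name}?api-version={API_VERSION}")
    body = {"properties": {"displayName": display_name,
                           "type": "external",
                           "externalId": external_id(env)}}
    return url, body


def send(url, body, bearer_token):
    """PUT the group with an ARM bearer token (not called here; needs network access)."""
    req = Request(url, data=json.dumps(body).encode(), method="PUT",
                  headers={"Authorization": f"Bearer {bearer_token}",
                           "Content-Type": "application/json"})
    with urlopen(req) as resp:
        return json.load(resp)
```

Run the same request once per environment with that environment's mapping; the APIOps artifacts then reference `finance-readers` (or whichever stable name you choose) rather than a generated ID.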

This should be addressed by v6. Please let us know if you are still facing any issues.

waelkdouh, Jul 05 '24 15:07