msgraph-sdk-powershell
Get-MgContext: include directory role values from wids claim?
Get-MgContext should include directory role ids from wids claim and resolve to role displayName if possible.
In the example below,
- "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3" equates to "Authentication Admin" role
- "0997a1d0-0d1d-4acb-b408-d5ca73121e90" equates to default service principal permissions?

```json
{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/cc7d0b33-84c6-4368-a879-2e47139b7b1f/",
  "iat": 1675198725,
  "nbf": 1675198725,
  "exp": 1675202625,
  "aio": "E2YAgrYTLMzdKWLhDslMgbOV0wE=",
  "app_displayname": "PowerShell Client (Confidential)",
  "appid": "c3b902b3-0b1c-4338-8d49-b436597cbc52",
  "appidacr": "2",
  "idp": "https://sts.windows.net/cc7d0b33-84c6-4368-a879-2e47139b7b1f/",
  "idtyp": "app",
  "oid": "bdfa0a62-3d10-4d36-abad-3d432a3552a2",
  "rh": "0.ASgAMwt9zMaEaEOoeS5HE5t7HwMAAAAAAAAAwAAAAAAAAAAoAAA.",
  "sub": "bdfa0a62-3d10-4d36-abad-3d432a3552a2",
  "tenant_region_scope": "NA",
  "tid": "cc7d0b33-84c6-4368-a879-2e47139b7b1f",
  "uti": "k7opWtDqiEiZBfk_rzEFAA",
  "ver": "1.0",
  "wids": [
    "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
    "0997a1d0-0d1d-4acb-b408-d5ca73121e90"
  ],
  "xms_tcdt": 1525889780
}
```
"b79fbf4d-3ef9-4689-8143-76b194e85509" is default user permissions?
We can consider exposing wids claims as a collection of GUIDs from the JWT access token when present.
Resolving the display names of the directory role ids in the wids claim may not be possible as this requires calls to the API, something Get-MgContext does not do. Calls to the API also require high privilege permissions.
The GUIDs for built-in roles are the same across all tenants so perhaps those could be cached if the necessary scope does not exist? This would be similar to how the module has a json file with all the MS Graph permissions but does a lookup for the most recent list? However, even just having the wids GUIDs would at least allow the user to do the additional lookup on the roleId if desired.
The built-in roles are listed here: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference
👍🏽 for at least including the UUIDs of the directory roles via wid as they are in the JWT token when using API via REST.
It would be good if the PowerShell SDK provided parallel functionality by including wids via the Get-MgContext cmdlet.
How can we identify the role name of wids, e.g. 0997a1d0-0d1d-4acb-b408-d5ca73121e90? Is there any documentation for the same?
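The lookup discussed in this thread, as an added illustration that is not part of the Microsoft Graph PowerShell SDK or of the issue itself: decode the `wids` claim out of a raw access token locally (no API call, which is all Get-MgContext could do on its own), then, when the session holds a scope that allows it, resolve each GUID against the tenant's directory role templates with the existing `Get-MgDirectoryRoleTemplate` cmdlet. The function names `ConvertFrom-JwtPayload` and `Get-TokenDirectoryRole` are my own; the sample token is constructed from the payload shown above with a dummy signature segment, so the decoding step runs offline. GUIDs that are not role templates (the "default" ids asked about) are returned with an empty DisplayName rather than guessed.

```powershell
# Added example, not SDK code. Assumes Microsoft.Graph.Identity.DirectoryManagement
# is installed and Connect-MgGraph was run with a scope permitting role template
# reads (e.g. RoleManagement.Read.Directory); without it, ids come back unresolved.

function ConvertFrom-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    $parts = $Token.Split('.')
    if ($parts.Count -lt 2) { throw 'Not a JWT: expected header.payload.signature' }
    # JWT segments are base64url without padding; convert back to standard base64.
    $b64 = $parts[1].Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) { 2 { $b64 += '==' } 3 { $b64 += '=' } }
    $json = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
    return $json | ConvertFrom-Json
}

function Get-TokenDirectoryRole {
    param([Parameter(Mandatory)][string]$Token)
    $claims = ConvertFrom-JwtPayload -Token $Token
    $wids = @($claims.wids)
    if (-not $wids) { return @() }

    # Build a roleTemplateId -> displayName map when the session is permitted to read it.
    $templates = @{}
    try {
        Get-MgDirectoryRoleTemplate -All -ErrorAction Stop | ForEach-Object {
            $templates[$_.Id] = $_.DisplayName
        }
    } catch {
        Write-Verbose "Role templates unavailable ($($_.Exception.Message)); returning unresolved ids."
    }

    foreach ($id in $wids) {
        $name = if ($templates.ContainsKey($id)) { $templates[$id] } else { $null }
        [pscustomobject]@{
            RoleTemplateId = $id
            DisplayName    = $name          # $null when the GUID is not a directory role template
            Principal      = $claims.idtyp  # 'app' or 'user', as carried in the token
        }
    }
}

# Constructed sample: the payload from the issue above, base64url-encoded, with a
# dummy header and signature so the decoder can be exercised without a live token.
$payload = '{"idtyp":"app","wids":["9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3","0997a1d0-0d1d-4acb-b408-d5ca73121e90"]}'
$b64url = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($payload)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
$sampleToken = "eyJhbGciOiJub25lIn0.$b64url.sig"

Get-TokenDirectoryRole -Token $sampleToken -Verbose | Format-Table -AutoSize
```

Only the payload is decoded; the signature is never verified here, which is fine for reading one's own claims but must not be confused with validating a token received from someone else. Run against a connected session, template ids resolve to their display names; run disconnected, the catch branch fires and each wids GUID is still surfaced, which is the minimum the thread asks Get-MgContext to expose.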