
Get-MgContext: include directory role values from wids claim?

Open jazuntee opened this issue 1 year ago • 4 comments

Get-MgContext should include directory role ids from wids claim and resolve to role displayName if possible.


In the example below,

  • "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3" equates to "Authentication Admin" role
  • "0997a1d0-0d1d-4acb-b408-d5ca73121e90" equates to default service principal permissions?

```json
{
  "aud": "https://graph.microsoft.com",
  "iss": "https://sts.windows.net/cc7d0b33-84c6-4368-a879-2e47139b7b1f/",
  "iat": 1675198725,
  "nbf": 1675198725,
  "exp": 1675202625,
  "aio": "E2YAgrYTLMzdKWLhDslMgbOV0wE=",
  "app_displayname": "PowerShell Client (Confidential)",
  "appid": "c3b902b3-0b1c-4338-8d49-b436597cbc52",
  "appidacr": "2",
  "idp": "https://sts.windows.net/cc7d0b33-84c6-4368-a879-2e47139b7b1f/",
  "idtyp": "app",
  "oid": "bdfa0a62-3d10-4d36-abad-3d432a3552a2",
  "rh": "0.ASgAMwt9zMaEaEOoeS5HE5t7HwMAAAAAAAAAwAAAAAAAAAAoAAA.",
  "sub": "bdfa0a62-3d10-4d36-abad-3d432a3552a2",
  "tenant_region_scope": "NA",
  "tid": "cc7d0b33-84c6-4368-a879-2e47139b7b1f",
  "uti": "k7opWtDqiEiZBfk_rzEFAA",
  "ver": "1.0",
  "wids": [
    "9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3",
    "0997a1d0-0d1d-4acb-b408-d5ca73121e90"
  ],
  "xms_tcdt": 1525889780
}
```

"b79fbf4d-3ef9-4689-8143-76b194e85509" is default user permissions?

jazuntee avatar Jan 31 '23 21:01 jazuntee

We can consider exposing wids claims as a collection of GUIDs from the JWT access token when present.

Resolving the display names of the directory role ids in the wids claim may not be possible as this requires calls to the API, something Get-MgContext does not do. Calls to the API also require high privilege permissions.

peombwa avatar Feb 06 '23 22:02 peombwa

The GUIDs for built-in roles are the same across all tenants so perhaps those could be cached if the necessary scope does not exist? This would be similar to how the module has a json file with all the MS Graph permissions but does a lookup for the most recent list? However, even just having the wids GUIDs would at least allow the user to do the additional lookup on the roleId if desired.

jazuntee avatar Feb 22 '23 02:02 jazuntee

The built-in Roles are listed here https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/permissions-reference

👍🏽 for at least including the UUIDs of the directory roles via wid as they are in the JWT token when using the API via REST. It would be good if the PowerShell SDK provided parallel functionality by including wids via the Get-MgContext cmdlet.

ckarawani avatar Dec 21 '23 03:12 ckarawani

How can we identify the role name of wids, e.g. 0997a1d0-0d1d-4acb-b408-d5ca73121e90? Is there any documentation for the same?

TROUBLE-1 avatar Mar 13 '24 10:03 TROUBLE-1
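As an added example (not code from the msgraph-sdk-powershell module or from anyone in this thread), the following PowerShell does what the thread asks for: it decodes the payload segment of an access token, pulls the `wids` claim, and resolves each role template id to a displayName, first from a local, tenant-independent cache of built-in roles (jazuntee's suggestion) and optionally from `Get-MgDirectoryRoleTemplate` when a Graph session with a suitable scope exists. The function names (`ConvertFrom-Base64Url`, `Get-JwtPayload`, `Resolve-DirectoryRoleId`) are my own, and the sample token is constructed in the script from the claims quoted in this issue with a placeholder signature segment.

```powershell
# Added example, not part of the msgraph-sdk-powershell module.
# Decodes a JWT payload, extracts the wids claim, and resolves role template ids.

function ConvertFrom-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    # JWT segments are base64url: '-' and '_' replace '+' and '/', and padding is stripped.
    # Re-adding the padding is the step most hand-rolled decoders get wrong.
    $b64 = $Text.Replace('-', '+').Replace('_', '/')
    switch ($b64.Length % 4) {
        2 { $b64 += '==' }
        3 { $b64 += '=' }
        1 { throw 'Invalid base64url segment length' }
    }
    [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))
}

function ConvertTo-Base64Url {
    param([Parameter(Mandatory)][string]$Text)
    [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Text)).TrimEnd('=').Replace('+', '-').Replace('/', '_')
}

function Get-JwtPayload {
    param([Parameter(Mandatory)][string]$Token)
    # Parses claims only; the signature is NOT verified. This is fine for
    # inspecting a token you hold, but never base an authorization decision on it.
    $parts = $Token.Split('.')
    if ($parts.Count -ne 3) { throw 'Token is not a compact JWS (expected header.payload.signature)' }
    ConvertFrom-Base64Url $parts[1] | ConvertFrom-Json
}

function Resolve-DirectoryRoleId {
    param(
        [Parameter(Mandatory)][string[]]$RoleId,
        [hashtable]$Cache = @{},
        [switch]$UseGraph
    )
    if ($UseGraph) {
        # Needs Microsoft.Graph.Identity.DirectoryManagement and an existing
        # Connect-MgGraph session with RoleManagement.Read.Directory or Directory.Read.All.
        Get-MgDirectoryRoleTemplate | ForEach-Object { $Cache[$_.Id] = $_.DisplayName }
    }
    foreach ($id in $RoleId) {
        $name = if ($Cache.ContainsKey($id)) { $Cache[$id] } else { '(unresolved)' }
        [pscustomobject]@{ RoleTemplateId = $id; DisplayName = $name }
    }
}

# --- Constructed sample: header and payload built here from the claims quoted
# --- in this issue; the third segment is a placeholder, not a real signature.
$header  = ConvertTo-Base64Url '{"typ":"JWT","alg":"RS256"}'
$payload = ConvertTo-Base64Url (@{
    aud   = 'https://graph.microsoft.com'
    idtyp = 'app'
    tid   = 'cc7d0b33-84c6-4368-a879-2e47139b7b1f'
    wids  = @('9b895d92-2cd3-44c7-9d02-a6ac2d5ea5c3', '0997a1d0-0d1d-4acb-b408-d5ca73121e90')
} | ConvertTo-Json -Compress)
$sampleToken = "$header.$payload.placeholder-signature"

$claims = Get-JwtPayload $sampleToken

# A delegated token for a user who holds no directory role carries no wids claim at all.
if (-not $claims.PSObject.Properties['wids']) {
    Write-Warning 'Token has no wids claim; the caller holds no directory roles.'
    return
}

# Local cache of built-in role template ids -> displayName. Built-in template ids are
# the same in every tenant, so this table can be filled once from the permissions
# reference linked in this thread. Left empty here; fill it as '<template id>' = '<displayName>'.
$builtInRoles = @{}

Resolve-DirectoryRoleId -RoleId $claims.wids -Cache $builtInRoles | Format-Table -AutoSize
```

With an empty cache every id comes back as `(unresolved)`, which is still the raw `wids` list the thread asks Get-MgContext to expose; populating `$builtInRoles` from the permissions reference, or running with `-UseGraph` inside a Connect-MgGraph session that has `RoleManagement.Read.Directory`, fills in the names. Because the template list lives in the tenant-independent documentation, the offline cache covers built-in roles; custom roles only resolve through the Graph call.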