get app role assignment as admin

Using Power Automate to get the list of users an app has been shared with?

Have you ever wanted to get the list of users a canvas app has been shared with?

Of course you could go to the maker portal and look at it there:

But you can also do it in your flows easily (assuming you have permissions).

There is Power Apps for Admins Connector:

https://docs.microsoft.com/en-us/connectors/powerappsforadmins/

And it offers “Get App Role Assignments as Admin” action which will give you the list of users for any given app in any given environment.

Here is an example:

As you can see, the output of this flow matches the original screenshot. You just need to pass environment ID and application ID to the action

And, from there, you need to parse json and format the output the way you want it to be formatted.

So how/why would we use it? In reality, this could probably help with monitoring/notifications. Which is where a lot of this functionality would already be available out of the box in the CoE toolkit:

https://docs.microsoft.com/en-us/power-platform/guidance/coe/starter-kit

But, if you don’t want to deal with the CoE toolkit rollout yet, you might implement your own flow for now using Power Apps for Admins Connector. And if you are wondering whether there is a similar connector for Power Automate flows – the answer is yes, here is another link: https://docs.microsoft.com/en-us/connectors/microsoftflowforadmins/

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Save my name, email, and website in this browser for the next time I comment.

Good Workaround!

Full IGA using Azure AD – Getting app role assignments using PowerShell

In this post I will quickly demo how to use PowerShell to get app role assignments for all application using the Microsoft Graph.

You should have followed my previous post in order to have created an application, added some appRoles to the manifest and granted access to the Graph.

Let’s recap the important parts:

1 – Create an enterprise application in Azure AD

2 – Go to “app registrations”, find the app and add appRoles to the manifest

The following are provided by default, disable those and add some custom ones. See the below example roles.

3 – Go back to enterprise applications and assign users some roles

4 – Grant access to the required Graph resources

Go to app registrations, find the application and go to “API permissions”. Click “Add a permission”:

Select the Microsoft Graph:

Choose Application permissions, as we are doing things without a user context:

Add “User.Read.All” and “Group.Read.All” and click save.

You will see that the added permissions now have “Not granted for <Organization>” as status. Click “Grant admin consent for <Organization>” in order to enable these new permissions:

This is what it should look like:

5 – Request data with PowerShell

First, generate a secret under app registrations in Azure AD. This is the $secret variable in the below PowerShells.

Go the enterprise application and copy the “Application ID” – this is the $clientid variable in the below PowerShells.

Copy “Object ID” – this is the $servicePrincipalId variable in the below PowerShells.

The $tenant variable can be either any custom domain registered in the tenant, the default domain or the tenant id (you can find it here) found on the app registrations page on your application.

The first example PowerShell will return a simple grid view with a multi valued column containing the roles of each assigned object. The script will not dig into the group members.

And here is an example for you that also digs into the different assigned groups and fetches all transitive members of those:

That’s it, I have now gone through three ways of getting the application role assignments from Azure AD into your application:

• SCIM provisioning
• At sign in (OAuth ID Token or SAML Claim)
• Fetching by Graph calls

The next posts will focus on how to actually manage application role assignments, dynamically assigning, using Entitlement Management to allow both internal and invited users to request access and other means. Stay tuned!

Share this:

• Full IGA using Azure AD

Published by Marius Solbakken

View all posts by Marius Solbakken

One thought on “ Full IGA using Azure AD – Getting app role assignments using PowerShell ”

• Pingback: Full IGA using Azure AD – Entitlement Management – Good Workaround!

Leave a comment Cancel reply

• Already have a WordPress.com account? Log in now.
• Subscribe Subscribed
• Copy shortlink
• Report this content
• View post in Reader
• Manage subscriptions
• Collapse this bar

Power Apps for Admins

Power Apps Management Connector for Administrators

Get-AdminAppRoleAssignment

Summary : Get App Role Assignments as Admin

Description : Returns permissions for a PowerApp.

PowerAppsforAdmins.Get-AdminAppRoleAssignment (string environment, string app, [Optional]string api-version, [advanced][Optional]integer $top)

Parameters:

          Type: Get-AdminAppRoleAssignmentResponse

Set-AdminAppOwner

Summary : Set App Owner

Description : Updates a PowerApp's owner role, and specifies the old owner's new role.

PowerAppsforAdmins.Set-AdminAppOwner (string environment, string app, [Optional]string api-version, [Optional]string Content-Type, [Optional]Set-AdminAppOwnerParameterBody body)

Get-AdminApps

Summary : Get Apps as Admin

Description : Returns a list of apps.

PowerAppsforAdmins.Get-AdminApps (string environment, [Optional]string api-version, [advanced][Optional]integer $top, [Optional]string $skiptoken)

          Type: ResourceArray[PowerApp]

Get-AdminApp

Summary : Get App as Admin

Description : Returns a PowerApp.

PowerAppsforAdmins.Get-AdminApp (string environment, string app, [Optional]string api-version)

          Type: PowerApp

Remove-AdminApp

Summary : Remove App as Admin

Description : Deletes a PowerApp.

PowerAppsforAdmins.Remove-AdminApp (string environment, string app, [Optional]string api-version)

Edit-AdminAppRoleAssignment

Summary : Edit App Role Assignment as Admin

Description : Sets permissions for a PowerApp.

PowerAppsforAdmins.Edit-AdminAppRoleAssignment (string environment, string app, [Optional]string api-version, [Optional]string $filter, [Optional]Edit-AdminAppRoleAssignmentParameterBody body)

          Type: Edit-AdminAppRoleAssignmentResponse

Get-AdminConnections

Summary : Get Connections as Admin

Description : Returns a list of Connections.

PowerAppsforAdmins.Get-AdminConnections (string environment, [Optional]string api-version, [advanced][Optional]integer $top)

          Type: Get-AdminConnectionsResponse

Remove-AdminConnection

Summary : Remove Connection as Admin

Description : Deletes a Connection.

PowerAppsforAdmins.Remove-AdminConnection (string environment, string connectorName, string connectionName, [Optional]string api-version)

Get-AdminConnectionRoleAssignment

Summary : Get Connection Role Assignments as Admin

Description : Returns all permissions for a Connection.

PowerAppsforAdmins.Get-AdminConnectionRoleAssignment (string environment, string connectorName, string connectionName, [Optional]string api-version, [advanced][Optional]integer $top)

          Type: Get-AdminConnectionRoleAssignmentResponse

Edit-AdminConnectionRoleAssignment

Summary : Edit Connection Role Assignment as Admin

Description : Sets permissions for a Connection.

PowerAppsforAdmins.Edit-AdminConnectionRoleAssignment (string environment, string connector, string connection, [Optional]string api-version, [Optional]string Content-Type, [Optional]Edit-AdminConnectionRoleAssignmentParameterBody body)

Get-AdminConnectors

Summary : Get Custom Connectors as Admin

Description : Returns a list of custom Connectors.

PowerAppsforAdmins.Get-AdminConnectors (string environment, [Optional]string api-version, [advanced][Optional]integer $top)

          Type: Get-AdminConnectorsResponse

Get-AdminConnectorRoleAssignment

Summary : Get Connector Role Assignments as Admin

Description : Returns permissions for a custom Connector.

PowerAppsforAdmins.Get-AdminConnectorRoleAssignment (string environment, string connectorName, [Optional]string api-version, [advanced][Optional]integer $top)

          Type: Get-AdminConnectorRoleAssignmentResponse

Edit-AdminConnectorRoleAssignment

Summary : Edit Connector Role Assignment as Admin

Description : Sets permissions for a Connector.

PowerAppsforAdmins.Edit-AdminConnectorRoleAssignment (string environment, string connectorName, [Optional]string api-version, [Optional]string Content-Type, [Optional]Edit-AdminConnectorRoleAssignmentParameterBody body)

ConnectionReference

Description :

          Properties:

Edit-AdminAppRoleAssignmentParameterBody

Description : properties

Description : principal

Edit-AdminAppRoleAssignmentResponse

Description : App Role Assignment properties object.

Description : App Role Assignment principal object.

ResourceResponsesItem

Edit-adminconnectionroleassignmentparameterbody, edit-adminconnectorroleassignmentparameterbody, get-adminapproleassignmentresponse.

Description : PowerApp Role Assignment properties object.

Description : PowerApp Role Assignment principal object.

Get-AdminConnectionRoleAssignmentResponse

Description : Connection Role Assignment properties.

Description : Connection Role Assignment principal object.

Get-AdminConnectionsResponse

Description : Connection properties.

StatusesItem

Description : Connection status error.

ConnectionParameters

Description : Connection property parameters object.

Description : Connection creator principal object.

Environment

Description : Connection Environment object.

TestLinksItem

Get-adminconnectorroleassignmentresponse.

Description : Connector Role Assignment principal object.

Get-AdminConnectorsResponse

Description : Connector connection parameters.

Description : metadata

Description : contact

Description : license

ApiDefinitions

Description : Connector api definitions.

Description : Connector creator's principal object.

Description : Connector last modified by principal object.

Description : Connector Environment.

Description : PowerApp properties object.

CreatedByClientVersion

Description : PowerApp property createdByClientVersion object.

MinClientVersion

Description : PowerApp property minClientVersion object.

Description : PowerApp owner principal object.

Description : PowerApp createdBy principal object.

LastModifiedBy

Description : PowerApp lastModifiedBy object.

Description : PowerApp appUri object.

DocumentUri

Description : PowerApp appUri documentUri object.

UserAppMetadata

Description : PowerApp property userAppMetadata object.

Description : PowerApp Environment property object.

Description : tags

ResourceArray[PowerApp]

Set-adminappownerparameterbody.

What's lurking in your Microsoft Graph app role assignments?

Gain insights for security and compliance reasons by reporting on all service principals in entra id (former azure ad) having microsoft graph app role assignments..

I’ve earlier blogged about Building a comprehensive report on admin role assignments in Powershell , this time we’ll look at app role assignments instead.

Application permissions, often called app role assignments in Entra ID (former Azure AD), are permission sets that an app, service principal or managed identity can be assigned in another resource app, and that app’s identity can then access and utilize the resource app’s API without a signed-in user present.

Service principals by default have no access to enumerate other objects in Entra ID (former Azure AD). An example, if a service principal used in automated workflows requires read access to all user objects in Entra ID, it will need to be assigned the app role User.Read.All application permission (app role) in Microsoft Graph, consented by an admin, to be able to query Graph for any or all users.

The Microsoft Graph API is covering endpoints for most of Entra ID and Microsoft 365 services, and it has a wide range of app roles for providing specific API access. And let’s not forget the old and deprecated Azure AD Graph API which has not yet been fully been sunset. It’s critical for compliance and security hygiene of the tenant to audit and monitor app role assignments for these resources especially. Do note that there are a lot of other APIs with their own sets of app roles in Entra ID, some examples below, but for this blog post I will focus on Microsoft Graph and Azure AD Graph.

Some app roles can be abused for privilege escalation all the way up to Global Admin , as Andy Robbins (co-creator of BloodHound) points out in this blog post . A Global Admin can do whatever it wants in Entra ID, and it can also elevate its access for all Azure subscriptions in the tenant with the flip of a switch . This just proves how critical it is to have full control on any high-privilege app roles.

With these things in mind, let’s look at how to extract all app role assignments for Microsoft Graph and Azure AD Graph, including other valuable information for each service principal, using Powershell and the Graph Powershell SDK v2 module.

Identify highly privileged app roles

Required scopes in graph powershell sdk, app roles and assignments.

• Owner organizations and sign-in activities

Compiling the report

Full script on github.

I wish there was a list of all Microsoft Graph app roles with tiering information, identifying how privileged each app role is. Since there are none I’ve added some of the app roles that I know are highly privileged - they will be specifically flagged as Tier 0 in the report. There are many other privileged app roles, but let’s start with these as abusing them can lead to Global Admin access. You can easily add other roles and other tiers, depending on what you want to report on.

Update 2023-08-17 @ 11:00 (CEST): Removed ‘Application.ReadWrite.OwnedBy’ from the list as this permission isn’t Tier 0 at all: “Allows the app to create other applications, and fully manage those applications (read, update, update application secrets and delete), without a signed-in user. It cannot update any apps that it is not an owner of.”

When connecting to Microsoft Graph with the Graph Powershell SDK v2 module, the following delegated scopes are required:

• Application.Read.All (to enumerate service principals)
• AuditLog.Read.All (to pull out service principal sign-in activity)
• CrossTenantInformation.ReadBasic.All (to query app owner tenant information for 3.party apps)

Other than that, no special privileges are necessary for the user account connecting to Microsoft Graph - only read-access is used.

Extracting data

Now let’s start extracting the data we need from Microsoft Graph to create the report.

First we are querying for Microsoft Graph and Azure AD Graph’s service principal objects in the tenant - by filtering on their well-known Application IDs ( 00000003-0000-0000-c000-000000000000 and 00000002-0000-0000-c000-000000000000 ). Once the service principals have been found, we are extracting all app roles and app role assignments, creating hashtable for quick lookups, and lastly joining the app role assignments for both service principals.

We can now process each of the app role assignments in $joinedAppRolesAssignedTo to create a report, while enriching the data set even further.

Service principals, owner organizations and sign-in activities

The app role assignments in $joinedAppRolesAssignedTo does not contain all the information we need about the assigned service principals. So we will query Graph for the service principal objects, the owner organizations for multi-tenant apps, and sign-in activities. To optimize the script we’re utilizing cache and only querying each object one time even tho it has multiple app role assignments.

Note that looking up the app owner organization (for multi-tenant apps) uses Invoke-MgGraphRequest with a URI since I haven’t found a cmdlet for this in Graph Powershell SDK yet.

Let’s pull the sign-in activities for the service principals. This gives us information about the most recent service principal sign-in and delegated (user) sign-in, which can help us identify stale apps. Note that this newly released reporting endpoint in Graph is still in beta, which is why we need to utilize the Get-MgBetaReportServicePrincipalSignInActivity cmdlet.

And finally we can generate a PSCustomObject with the data we need for the report.

This will generate a list of all the app role assignments for Microsoft Graph and Azure AD Graph, enriched with additional data for the assigned service principals and any configured tier. Here’s an example.

I like to explain how the Powershell scripts I publish works, and this blog post does just that. I have also published the full Powershell script on GitHub so you don’t have to copy/paste from this page, feel free to check it out.

Thanks for reading!

Be sure to provide any feedback on X (former Twitter) or LinkedIn .

• ← Previous Post

Software Engineering

• ASP.NET Core
• Elasticsearch
• Entity Framework

Implement app roles authorization with Azure AD and ASP.NET Core

This post shows how to implement Azure AD App roles and applied to users or groups in Azure AD. The roles are used in an ASP.NET Core Razor page application as well as a ASP.NET Core API. The roles from the access token and the id token are used to authorize the identity which is authenticated.

Code: App roles

Create an Azure App registration for Web APP

In this example, a web application will implement authentication and will use a second ASP.NET Core application which implements the user API. Two Azure AD App registrations are created for this, one for each application.

The ASP.NET Core Razor page application is a client which can be authenticated, as well as the identity using the application. It has a trusted back end which can keep a secret. The Azure AD App registration uses a standard web application with a client secret. You could also use a certificate instead of a secret to authenticate the client.

App roles are added to the App registration for the UI client. These roles are used in the UI application which are returned in a user data profile request or in the id token, depending how your client implemented the OIDC standard.

Three roles were added to the Azure AD App registration using the App roles | preview blade.

The roles could also be added directly in the manifest json file.

The API permissions are setup to include the scope created in the API Azure AD App registration. The standard OIDC scopes are added to the registration. All scopes are delegated scopes.

Create an Azure App registration for Web API

The App registration used for the API implements NO authentication flows. This App registration exposes an API and defines roles for the API project authorization. An access_as_user scope is added to the Azure App registration which is a delegated scope type.

Three roles were added to the Azure AD App registration for the API. These roles are for the API and will be added to the access token if the identity has been assigned the roles in the enterprise application of the Azure AD directory. The roles could also be added directly in the manifest.

Apply roles in Azure AD enterprise applications

The new roles which were defined in the Azure AD App registration can now be used. This is setup in the Enterprise application blade of the Azure AD directory. In the Enterprise application list, select the App registration for the API. New users or groups can be added here, and the roles can then be assigned.

In the Add user/group a user or a group can be selected (! Groups can only be selected if you have the correct license) and the roles which were created in the Azure AD App registration can be applied.

If creating applications for tenants with lots of users, groups would be used.

Implement ASP.NET Core API

The API is implemented in ASP.NET Core . The startup class is used to setup the authorization of the access tokens. The Microsoft.Identity.Web Nuget package is used for this. This application configuration will match the configuration of the Azure AD App registration setup for the API. The AddMicrosoftIdentityWebApiAuthentication method is used for this.

ASP.NET Core adds namespaces per default to the claims which are extracted from the access token. We do not want this and so disable the default claim mapping. The roles and the name can should also be mapped, as the default setting does not match what Azure AD returns in the token.

Authorization is added for the API using the AddAuthorization method or it can be added global as a filter. The roles claims are mapped to policies which can then be enforced throughout the application. You could also do this directly using the roles property in the authorize attribute, but I prefer to use policies and separate the authorization. Only policies are used in the application.

A ValidateAccessTokenPolicy policy is implemented to do validation on the access token. The scp claim is validated for an access_as_user value as this is a user API for delegated access and not an application token. The azp claim is used to validate the client calling the API. The API is made specifically for the UI application and so we can validate that only access tokens created for the UI application can use this API. The azp claim is only sent in version 2 Azure App registrations. You must set this in the manifest.

The azpacr claim is also validated. Only authenticated clients can use this API. Any application which gets an access token for this API must use a secret as the value of “1” is controlled. This ensures that public clients cannot create access tokens for this API. If this was a value of “2”, only clients which used certificates to authenticate can acquire access tokens for this API.

It is good to validate the intended user, if possible.

Authorization can also be added globally as a filter in the AddControllers. This would be applied to this middleware.

The policies can then be applied in the API application as required. The access token used to access the API must fulfil all policies used on the API endpoint. If any single policy fails, the a 403 forbidden is returned.

Implement ASP.NET Core Razor Page APP

The ASP.NET Core Razor Page application uses an OIDC interactive flow to authenticate using Azure AD as the identity provider. Both the client application and the identity are authenticated. Microsoft.Identity.Web is used to implement the client code which uses Open ID connect. The AddMicrosoftIdentityWebAppAuthentication method is used in the Startup class in the ConfigureServices method. The downstream APIs are enabled as well as in memory cache. In memory cache is a bit of a problem with testing, as you need to delete the cookies in the browser manually after every test run. You can fix this by using a persistent cache. A filter is added so that an authenticated user is required.

The app.settings.json file contains the configurations for the Azure AD authentication of the application which uses the Microsoft.Identity.Web client. The ClientId from the Web APP App registration and the TenantId for the directory are added here. The ClientSecret also needs to be defined. This should be added to the user secrets in development or added to an Azure Key Vault if deploying to Azure. The ApiWithRoles configuration added the API scope and the URL for the API.

The GetDataFromApi method calls the APIs. The UI application can call any one of the APIs, user, student or admin, each which required a different role. The policies were applied to these APIs. If an error is returned, the exception is handled and returned as a list to demonstrate. The ITokenAcquisition interface is used to get the access token from cache or from the Azure AD identity provider and the access token is added to the Authorization header of the HTTP request as a Bearer token.

To demonstrate the application, the user has been assigned the user “web-api-with-roles-user” and the “web-api-with-roles-admin” roles but not the “web-api-with-roles-student” for the API access. The “web-app-with-roles-user” was assigned for the UI application.

After a successful authentication, the claims from Azure AD are added to the HttpContext.User. A single roles claim (“web-app-with-roles-user”) is added for the UI application. This is as we expected.

If the API is called, the access token can be extracted from the debugger and pasted to jwt.ms or jwt.io . The access token contains two roles, “web-api-with-roles-user”, “web-api-with-roles-admin” as was configured in the enterprise application for this user. The access token also has the scp claim with the access_as_user . The azp claim and the azpacr claims have the expected values. A secret was using to signin to the client UI application which we allow.

A breakpoint was added to Visual Studio in the API project and the claims from the access token can be inspected. We expect the same values like in the access token and without the ASP.NET Core extras.

The ASP.NET Core UI application displays the results of the three API calls. The user and the admin APIs return data and the student API returns a forbidden result. This is what was configured. Now if the user is assigned new roles, after a logout, login, the new claims will be included in the tokens.

This approach works well if you do not have many roles, groups or claims, or if you do not need to change the authorization without re-authentication. The size of the access_token is important, this should not become large. If you require lots of claims for the authorization rules, the claims should not be included in the access token and Microsoft Graph API could be used to access these, or you could implement your own policy management.

https://docs.microsoft.com/en-us/azure/architecture/multitenant-identity/app-roles

https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-enterprise-app-role-management

https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/tree/master/5-WebApp-AuthZ/5-1-Roles

https://docs.microsoft.com/en-us/azure/active-directory/develop/microsoft-identity-web

https://github.com/AzureAD/microsoft-identity-web

https://docs.microsoft.com/en-us/azure/active-directory/develop/id-tokens

https://docs.microsoft.com/en-us/azure/active-directory/develop/access-tokens

Restricting access to an Azure AD protected API using Azure AD Groups

https://docs.microsoft.com/en-us/aspnet/core/security/authorization/policies

Share this:

10 comments.

[…] Implement app roles authorization with Azure AD and ASP.NET Core – Damien Bowden […]

Thank you for the agreat post,

When WebAppWithRoles calls WebApiWithRoles returns an forbidden as result . Can you place explain how you configured web apps claims as azp, azpacr, roles”: [ “web-api-with-roles-user”, “web-api-with-roles-admin” ], and scp to the access token

Unable to run the application end-to-end…. Would appreciate some tips..

Sorry for the slow reply, just saw this now. The Azure App registrations need to be added from your tenants Azure App registration as well as the secrets

Nice tutorial.

Did you map users/groups in the SPA Enterprise App AND in the Api Enterprise App?

or did you only do it in the Api Enterpise App?

thanks, yes

It sounds like a problem from a maintenance point of view. Lets say you add the correct roles to the SPA for a user, but forgets one role on the API.

Then the user will be presented with some functionality, but when he tries to use it, he will get a 403 from the API.

I also asked this question in the msal library: https://github.com/AzureAD/microsoft-authentication-library-for-js/issues/4389

But not sure what the best strategy is to tackle this problem

I normally do this with security groups. The groups roles and APP are setup once at the start. The I restrict access to the Enterprise APP. Then you only need to assign or remove users from the security groups. But this is not black and white. You need too think about lifespan of the roles, where these belong and so on. No authz is ever the same. I would need to analyze this in more detail for your setup. Greetings Damien

[…] También revisa esto Implementar la autorización de roles de aplicaciones con Azure AD y ASP.NET Core | Ingeniería de S… […]

Can you kindly suggest changes to above required for App Role (application)

Leave a comment Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed .

blogs 1 web, general

• Andrew Lock
• Anthony Giretti
• ASP.NET Core blog
• Benjamin Abt (de)
• Bryan Hogan
• Claudio Bernasconi
• code-maze.com
• Davide Bellone
• dotnetcore tutorials
• dotnetthoughts
• Fabian Gosebrink
• Filip WOJCIESZYN
• Gérald Barré
• Gunnar Peipman's
• haacked.com
• Isaac Abraham
• Isaac Levin
• Jürgen Gutsch
• Jeremy Likness
• João Antunes
• josef.codes
• joseph guadagno
• Jussi Roine
• khalid abuhakmeh
• Laurent Kempé
• mikesdotnetting
• Morning brew
• Niels Swimburger
• Ramani Sandeep
• Rockford Lhotka
• Scott Hanselman
• Shawn Wildermuth
• Steve Gordon
• thomas claudius huber
• Tobias Zimmergren

blogs 2 security

• Ackermann Yuriy
• Azure security podcast
• Bárbara Vieira
• Daniel Fett
• Daniel Miessler
• Dominick Baier
• Elie Bursztein
• futurae.com
• James Kettle
• John Patrick Dandison
• Justin Richer
• Kévin Chalet
• Kevin Dockx
• Matthijs Hoekstra
• Michal Špaček
• Microsoft Secure
• Mike Jones self-issued
• Nat Sakimura
• Philippe De Ryck
• research.kudelskisecurity
• Robert Broeckelmann
• Rory Braybrook
• Scott Brady
• Scott Helme
• securityguill
• sirdarckcat
• Stephen Haunts
• Steve Syfuhs
• Takahiko Kawasaki
• Tanya Janca
• Torsten Lodderstedt

blogs 3 Azure

• Alexandre Verkinderen
• Anthony Chu
• Azure DevOps
• Boris Wilhelms
• cloud-architekt.net
• cloudbrothers
• daniel chronlund
• Daniel Krzyczkowski
• Dominique St-Amand
• Eduard Keilholz
• francois leon
• Gareth Emslie
• Jan de Vries
• jeffrey appel
• Joonas Westlin
• Mahindra Morar
• Marius Solbakken
• Martin Lingstuyl
• Mickaël Derriey
• o365blog Dr Nestori Syynimaa
• olivier vaillancourt
• René Bremer
• Rick van den Bosch
• Sahil Malik
• Stephan van Rooij
• Stephane Eyskens
• Stian A. Strysse
• thomas maurer
• Thomas Naunheim
• Toon Vanhoutte

blogs 4 SSI DID

• hyperledger
• hyperledger aries-framework-dotnet
• identity.foundation
• identity.foundation blog
• idunion.org
• Kaliya-Identity Woman
• Kim Hamilton Duffy
• Kyle Den Hartog
• Markus Sabadello
• mattr.global
• Microsoft DID
• newsletter.identosphere.net
• Phillip J. Windley
• ssi-orbit-podcast
• Tomislav Markovski
• Andreas Helland
• Damien Guard
• Dan Wahlin's
• Data Farm Julie Lerman
• Dave Paquette
• Development With A Dot
• Elton Stoneman
• exceptionnotfound.net
• jeff handley
• Jeffrey T. Fritz
• Juan Carlos Sanchez's
• Maarten Balliauw
• Manfred Steyer (de)
• Manuel Meyer
• Mete Atamel
• Minko Gechev
• Nate Barbettini
• Nicholas Blumhardt
• Pawel Kadluczka
• Rui Figueiredo
• Stefan Prodan
• Stephen Cleary
• Alexander Beletsky
• Anders Janmyr
• Anže Vodovnik
• chsakell's Blog
• Florian Hopf
• fredrik normén
• Galdin Raphael
• Gernot Starke (de)
• Imran Baloch
• Jalpesh Vadgama DotNetJalps
• Jeffrey Palermo
• Jimmy Nilsson
• job tips for geeks
• Johnny Graber (de)
• Jon Galloway
• Kevin Jones
• Laurent Bugnion
• Linda Lawton
• Mick Taulty
• Muhammad Rehan Saeed
• PPEDV blog (de)
• Rashim's Blog
• Scott Addie
• scottgu .NET
• Shayne Boyer
• steven sanderson
• Taiseer Joudeh
• Thomas Ardal
• Thomas Levesque
• Tugberk Ugurlu
• .NET (Core, 5+ ) SDK
• Angular CLI
• bootstrap 4
• gitextensions
• IDP Azure AD
• IDP DuendeSoftware
• IDP keycloak
• IDP node-oidc-provider
• IDP OpenIddict
• lets encrypt
• protobuf-net
• randommer.io
• Search elasticsearch
• Search Solr
• Test achecker.ca
• Test DotTrace Profiler
• Test FakeItEasy
• Test Fiddler
• Test mkjwk.org JSON Web Key
• Test Ndepend
• Test Sysinternals Suite
• Test wireshark
• Test xunit.net
• Test zaproxy
• Visual Studio
• Visual Studio Code
• .NET Group Basel
• .NET Group Bern (de)
• .NET Group Luzern (de)
• .NET Group Zürich
• .NET User Group Geneva
• Angular Switzerland
• blackhat.com
• Brice's Entity Links
• Christian Mosers
• Code Project
• devcurry Suprotim Agarwal
• developer.chrome
• Fabrice Bellard
• fido alliance
• jeremy skinner
• Martin Fowler
• one unicorn
• OPC Foundation
• rob tiffany
• Simple Talk Red Gate
• thinktecture
• Thoughtworks Radar
• tutorialzine
• Web Fundamentals
• Entries feed
• Comments feed
• WordPress.com
• February 2024
• January 2024
• December 2023
• November 2023
• October 2023
• September 2023
• August 2023
• February 2023
• January 2023
• December 2022
• November 2022
• October 2022
• September 2022
• August 2022
• February 2022
• January 2022
• December 2021
• November 2021
• October 2021
• September 2021
• August 2021
• February 2021
• January 2021
• December 2020
• November 2020
• October 2020
• September 2020
• August 2020
• February 2020
• January 2020
• December 2019
• November 2019
• October 2019
• September 2019
• August 2019
• February 2019
• January 2019
• December 2018
• November 2018
• October 2018
• September 2018
• August 2018
• February 2018
• January 2018
• December 2017
• November 2017
• October 2017
• September 2017
• August 2017
• February 2017
• January 2017
• December 2016
• November 2016
• October 2016
• September 2016
• August 2016
• February 2016
• January 2016
• December 2015
• November 2015
• October 2015
• September 2015
• August 2015
• February 2015
• January 2015
• December 2014
• November 2014
• October 2014
• September 2014
• August 2014
• February 2014
• January 2014
• December 2013
• November 2013
• October 2013
• September 2013
• August 2013
• February 2013
• January 2013

• Already have a WordPress.com account? Log in now.
• Subscribe Subscribed
• Copy shortlink
• Report this content
• View post in Reader
• Manage subscriptions
• Collapse this bar

Oracle Cloud Infrastructure Documentation

• Managing App Roles in Microsoft Azure AD

In Azure AD, you can create and manage app roles that will be assigned to Azure AD users and groups and also be mapped to Oracle Database global schemas and roles.

• Creating a Microsoft Azure AD App Role Azure AD users, groups, and applications that need to connect to the database will be assigned to the database app roles.
• Assigning Users and Groups to the Microsoft Azure AD App Role Before Microsoft Azure AD users can have access to the Oracle database, they must first be assigned to the app roles that will be mapped to Oracle Database schema users or roles.
• Assigning an Application to an App Role An application that must connect to the database using the client credential flow must to be assigned to an app role.

Parent topic: Enable Azure AD Authentication on Autonomous Database

• Creating a Microsoft Azure AD App Role

Azure AD users, groups, and applications that need to connect to the database will be assigned to the database app roles.

• Log in to Azure AD as an administrator who has privileges for creating app roles.
• Use the Directory + subscription filter to locate the Azure Active Directory tenant that contains the Oracle Database app registration.
• Select Azure Active Directory .
• Under Manage , select App registrations , and then select the Oracle Database instance that you registered earlier.
• Under Manage , select App roles .
• In the App roles page, select Create app role .
• Display name is the displayed name of the role (for example, HR App Schema ). You can include spaces in this name.
• Value is the actual name of the role (for example, HR_APP ). Ensure that this setting matches exactly the string that is referenced in the database mapping to a schema or role. Do not include spaces in this name.
• Description provides a description of the purpose of this role.
• Do you want to enable this app role? enables you to activate the role.

The app role appears in the App roles pane.

Parent topic: Managing App Roles in Microsoft Azure AD

• Assigning Users and Groups to the Microsoft Azure AD App Role

Before Microsoft Azure AD users can have access to the Oracle database, they must first be assigned to the app roles that will be mapped to Oracle Database schema users or roles.

• Log in to Azure AD as an administrator who has privileges for assigning Azure AD users and groups to app roles.
• Use the Directory + subscription filter to locate the Azure Active Directory tenant that contains the Oracle connection.
• Under Manage , select Enterprise applications , and then select the Oracle Database app registration name that you registered earlier.
• Under Getting Started, select Assign users and groups .
• Select Add user/group .
• In the Add assignment window, select Users and groups to display a list of users and security groups.
• From this list, select the users and groups that you want to assign to the app role, and then click Select .
• In the Add assignment window, select Select a role to display a list of the app roles that you have created.
• Select the app role and then select Select .
• Click Assign .
• Assigning an Application to an App Role

An application that must connect to the database using the client credential flow must to be assigned to an app role.

• Access the app registration for the application.
• Under Manage, select API permissions .
• In the Configured permissions area, select + Add a permission .
• In the Request API permission pane, select the My APIs tab.
• Select the Oracle Database app that you want to give permission for this application to access. Then select the Application permissions option.

• Select Grant admin consent for tenancy to grant consent for the tenancy users, then select Yes in the confirmation dialog box.

Related Topics

• Configure the admin consent workflow

This browser is no longer supported.

Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.

Set-Admin Power App Role Assignment

Sets permissions to the app.

Description

The Set-AdminPowerAppRoleAssignment cmdlet sets up permission to an app depending on the parameters. Use Get-Help Set-AdminPowerAppRoleAssignment -Examples for more detail.

Gives the specified security group CanEdit permission to the app with the name 1ec3c80c-c2c0-4ea6-97a8-31d8c8c3d488.

-ApiVersion

Specifies the Api version that is called.

App ID for app where you want to set permission.

-EnvironmentName

The environment ID.

Specifies the option ( Notify , DoNotNotify ) on notifying the share target.

-PrincipalObjectId

If this app is being shared with a user or security group principal, this field specifies the ObjectId for that principal. Use the Get-UsersOrGroupsFromGraph cmdlet to look-up the ObjectId for a user or group in Microsoft Entra ID.

-PrincipalType

Specifies the type of principal this app is being shared with; a user, a security group, or the entire tenant.

Specifies the permission level given to the app: CanView , CanEdit . Sharing with the entire tenant is only supported for CanView .

Additional resources

• Microsoft Power Automate Community
• Welcome to the Community!
• News & Announcements
• Get Help with Power Automate
• General Power Automate Discussion
• Using Connectors
• Building Flows
• Using Flows
• Power Automate Desktop
• Process Mining
• Power Automate Mobile App
• Translation Quality Feedback
• Connector Development
• Power Platform Integration - Better Together!
• Power Platform Integrations (Read Only)
• Power Platform and Dynamics 365 Integrations (Read Only)
• Community Connections & How-To Videos
• Webinars and Video Gallery
• Power Automate Cookbook
• 2021 MSBizAppsSummit Gallery
• 2020 MSBizAppsSummit Gallery
• 2019 MSBizAppsSummit Gallery
• Community Blog
• Power Automate Community Blog
• Community Support
• Community Accounts & Registration
• Using the Community
• Community Feedback
• "Edit App Role Assignment" action from "Power Apps...
• Subscribe to RSS Feed
• Mark Topic as New
• Mark Topic as Read
• Float this Topic for Current User
• Printer Friendly Page
• All forum topics
• Previous Topic

• Mark as New
• Report Inappropriate Content

"Edit App Role Assignment" action from "Power Apps for Makers" connector not working 100%

• Issue Using a Connection

Helpful resources

Community Roundup: A Look Back at Our Last 10 Tuesday Tips

As we continue to grow and learn together, it's important to reflect on the valuable insights we've shared. For today's #TuesdayTip, we're excited to take a moment to look back at the last 10 tips we've shared in case you missed any or want to revisit them. Thanks for your incredible support for this series--we're so glad it was able to help so many of you navigate your community experience!   Getting Started in the Community An overview of everything you need to know about navigating the community on one page!  Community Links: ○ Power Apps ○ Power Automate  ○ Power Pages  ○ Copilot Studio    Community Ranks and YOU Have you ever wondered how your fellow community members ascend the ranks within our community? We explain everything about ranks and how to achieve points so you can climb up in the rankings! Community Links: ○ Power Apps ○ Power Automate  ○ Power Pages  ○ Copilot Studio    Powering Up Your Community Profile Your Community User Profile is how the Community knows you--so it's essential that it works the way you need it to! From changing your username to updating contact information, this Knowledge Base Article is your best resource for powering up your profile. Community Links: ○ Power Apps ○ Power Automate  ○ Power Pages  ○ Copilot Studio    Community Blogs--A Great Place to Start There's so much you'll discover in the Community Blogs, and we hope you'll check them out today!  Community Links: ○ Power Apps ○ Power Automate  ○ Power Pages  ○ Copilot Studio    Unlocking Community Achievements and Earning Badges Across the Communities, you'll see badges on users profile that recognize and reward their engagement and contributions. Check out some details on Community badges--and find out more in the detailed link at the end of the article! Community Links: ○ Power Apps  ○ Power Automate  ○ Power Pages  ○ Copilot Studio    Blogging in the Community Interested in blogging? Everything you need to know on writing blogs in our four communities! Get started blogging across the Power Platform communities today! Community Links: ○ Power Apps  ○ Power Automate  ○ Power Pages  ○ Copilot Studio   Subscriptions & Notifications We don't want you to miss a thing in the community! Read all about how to subscribe to sections of our forums and how to setup your notifications! Community Links: ○ Power Apps  ○ Power Automate  ○ Power Pages  ○ Copilot Studio   Getting Started with Private Messages & Macros Do you want to enhance your communication in the Community and streamline your interactions? One of the best ways to do this is to ensure you are using Private Messaging--and the ever-handy macros that are available to you as a Community member! Community Links: ○ Power Apps  ○ Power Automate  ○ Power Pages  ○ Copilot Studio   Community User Groups Learn everything about being part of, starting, or leading a User Group in the Power Platform Community. Community Links: ○ Power Apps  ○ Power Automate  ○ Power Pages  ○ Copilot Studio   Update Your Community Profile Today! Keep your community profile up to date which is essential for staying connected and engaged with the community. Community Links: ○ Power Apps  ○ Power Automate  ○ Power Pages  ○ Copilot Studio   Thank you for being an integral part of our journey.   Here's to many more Tuesday Tips as we pave the way for a brighter, more connected future! As always, watch the News & Announcements for the next set of tips, coming soon!    

Calling all User Group Leaders and Super Users! Mark Your Calendars for the next Community Ambassador Call on May 9th!

This month's Community Ambassador call is on May 9th at 9a & 3p PDT. Please keep an eye out in your private messages and Teams channels for your invitation. There are lots of exciting updates coming to the Community, and we have some exclusive opportunities to share with you! As always, we'll also review regular updates for User Groups, Super Users, and share general information about what's going on in the Community.     Be sure to register & we hope to see all of you there!

April 2024 Community Newsletter

We're pleased to share the April Community Newsletter, where we highlight the latest news, product releases, upcoming events, and the amazing work of our outstanding Community members.   If you're new to the Community, please make sure to follow the latest News & Announcements and check out the Community on LinkedIn as well! It's the best way to stay up-to-date with all the news from across Microsoft Power Platform and beyond.    COMMUNITY HIGHLIGHTS   Check out the most active community members of the last month! These hardworking members are posting regularly, answering questions, kudos, and providing top solutions in their communities. We are so thankful for each of you--keep up the great work! If you hope to see your name here next month, follow these awesome community members to see what they do!   Power AppsPower AutomateCopilot StudioPower PagesWarrenBelzDeenujialexander2523ragavanrajanLaurensMManishSolankiMattJimisonLucas001AmikcapuanodanilostephenrobertOliverRodriguestimlAndrewJManikandanSFubarmmbr1606VishnuReddy1997theMacResolutionsVishalJhaveriVictorIvanidzejsrandhawahagrua33ikExpiscornovusFGuerrero1PowerAddictgulshankhuranaANBExpiscornovusprathyooSpongYeNived_Nambiardeeksha15795apangelesGochixgrantjenkinsvasu24Mfon   LATEST NEWS   Business Applications Launch Event - On Demand In case you missed the Business Applications Launch Event, you can now catch up on all the announcements and watch the entire event on-demand inside Charles Lamanna's latest cloud blog.   This is your one stop shop for all the latest Copilot features across Power Platform and #Dynamics365, including first-hand looks at how companies such as Lenovo, Sonepar, Ford Motor Company, Omnicom and more are using these new capabilities in transformative ways. Click the image below to watch today!   Power Platform Community Conference 2024 is here! It's time to look forward to the next installment of the Power Platform Community Conference, which takes place this year on 18-20th September 2024 at the MGM Grand in Las Vegas!   Come and be inspired by Microsoft senior thought leaders and the engineers behind the #PowerPlatform, with Charles Lamanna, Sangya Singh, Ryan Cunningham, Kim Manis, Nirav Shah, Omar Aftab and Leon Welicki already confirmed to speak. You'll also be able to learn from industry experts and Microsoft MVPs who are dedicated to bridging the gap between humanity and technology. These include the likes of Lisa Crosbie, Victor Dantas, Kristine Kolodziejski, David Yack, Daniel Christian, Miguel Félix, and Mats Necker, with many more to be announced over the coming weeks.   Click here to watch our brand-new sizzle reel for #PPCC24 or click the image below to find out more about registration. See you in Vegas!       Power Up Program Announces New Video-Based Learning Hear from Principal Program Manager, Dimpi Gandhi, to discover the latest enhancements to the Microsoft #PowerUpProgram. These include a new accelerated video-based curriculum crafted with the expertise of Microsoft MVPs, Rory Neary and Charlie Phipps-Bennett. If you’d like to hear what’s coming next, click the image below to find out more!   UPCOMING EVENTS Microsoft Build - Seattle and Online - 21-23rd May 2024 Taking place on 21-23rd May 2024 both online and in Seattle, this is the perfect event to learn more about low code development, creating copilots, cloud platforms, and so much more to help you unleash the power of AI.   There's a serious wealth of talent speaking across the three days, including the likes of Satya Nadella, Amanda K. Silver, Scott Guthrie, Sarah Bird, Charles Lamanna, Miti J., Kevin Scott, Asha Sharma, Rajesh Jha, Arun Ulag, Clay Wesener, and many more.   And don't worry if you can't make it to Seattle, the event will be online and totally free to join. Click the image below to register for #MSBuild today!   European Collab Summit - Germany - 14-16th May 2024 The clock is counting down to the amazing European Collaboration Summit, which takes place in Germany May 14-16, 2024. #CollabSummit2024 is designed to provide cutting-edge insights and best practices into Power Platform, Microsoft 365, Teams, Viva, and so much more. There's a whole host of experts speakers across the three-day event, including the likes of Vesa Juvonen, Laurie Pottmeyer, Dan Holme, Mark Kashman, Dona Sarkar, Gavin Barron, Emily Mancini, Martina Grom, Ahmad Najjar, Liz Sundet, Nikki Chapple, Sara Fennah, Seb Matthews, Tobias Martin, Zoe Wilson, Fabian Williams, and many more.   Click the image below to find out more about #ECS2024 and register today!     Microsoft 365 & Power Platform Conference - Seattle - 3-7th June If you're looking to turbo boost your Power Platform skills this year, why not take a look at everything TechCon365 has to offer at the Seattle Convention Center on June 3-7, 2024.   This amazing 3-day conference (with 2 optional days of workshops) offers over 130 sessions across multiple tracks, alongside 25 workshops presented by Power Platform, Microsoft 365, Microsoft Teams, Viva, Azure, Copilot and AI experts. There's a great array of speakers, including the likes of Nirav Shah, Naomi Moneypenny, Jason Himmelstein, Heather Cook, Karuana Gatimu, Mark Kashman, Michelle Gilbert, Taiki Y., Kristi K., Nate Chamberlain, Julie Koesmarno, Daniel Glenn, Sarah Haase, Marc Windle, Amit Vasu, Joanne C Klein, Agnes Molnar, and many more.   Click the image below for more #Techcon365 intel and register today!     For more events, click the image below to visit the Microsoft Community Days website.      

Tuesday Tip | Update Your Community Profile Today!

It's time for another TUESDAY TIPS, your weekly connection with the most insightful tips and tricks that empower both newcomers and veterans in the Power Platform Community! Every Tuesday, we bring you a curated selection of the finest advice, distilled from the resources and tools in the Community. Whether you’re a seasoned member or just getting started, Tuesday Tips are the perfect compass guiding you across the dynamic landscape of the Power Platform Community.   We're excited to announce that updating your community profile has never been easier! Keeping your profile up to date is essential for staying connected and engaged with the community.   Check out the following Support Articles with these topics: Accessing Your Community ProfileRetrieving Your Profile URLUpdating Your Community Profile Time ZoneChanging Your Community Profile Picture (Avatar)Setting Your Date Display Preferences Click on your community link for more information: Power Apps, Power Automate, Power Pages, Copilot Studio   Thank you for being an active part of our community. Your contributions make a difference! Best Regards, The Community Management Team

Hear what's next for the Power Up Program

Hear from Principal Program Manager, Dimpi Gandhi, to discover the latest enhancements to the Microsoft #PowerUpProgram, including a new accelerated video-based curriculum crafted with the expertise of Microsoft MVPs, Rory Neary and Charlie Phipps-Bennett. If you’d like to hear what’s coming next, click the link below to sign up today! https://aka.ms/PowerUp  

Super User of the Month | Ahmed Salih

We're thrilled to announce that Ahmed Salih is our Super User of the Month for April 2024. Ahmed has been one of our most active Super Users this year--in fact, he kicked off the year in our Community with this great video reminder of why being a Super User has been so important to him!   Ahmed is the Senior Power Platform Architect at Saint Jude's Children's Research Hospital in Memphis. He's been a Super User for two seasons and is also a Microsoft MVP! He's celebrating his 3rd year being active in the Community--and he's received more than 500 kudos while authoring nearly 300 solutions. Ahmed's contributions to the Super User in Training program has been invaluable, with his most recent session with SUIT highlighting an incredible amount of best practices and tips that have helped him achieve his success.   Ahmed's infectious enthusiasm and boundless energy are a key reason why so many Community members appreciate how he brings his personality--and expertise--to every interaction. With all the solutions he provides, his willingness to help the Community learn more about Power Platform, and his sheer joy in life, we are pleased to celebrate Ahmed and all his contributions! You can find him in the Community and on LinkedIn. Congratulations, Ahmed--thank you for being a SUPER user!

Configure Google Calendar Permissions for Passport Service Account

• Last updated on May 13, 2024
• Google , Integrations , Passports

This article provides instructions to set permissions for the Google Calendar passport service account in the Google admin portal ( https://admin.google.com/ ). These permissions are necessary when creating an application passport for Google Calendar to be the calendar provider for Space Reservations in Appspace.

Back to top

Prerequisites

• A Google Administrator to perform the instructions in this article.
• A Google account with the super admin role or other (used as a service account for Google Calendar passport authentication).
• Access to the Google admin portal https://admin.google.com/

Instructions

The instructions in this article must be completed first by a Google Administrator prior to creating a Google calendar passport .

Follow the instructions in the order listed below:

Step 1: Enable Calendar App

Follow the instructions below to enable the Google Calendar service:  

• Access the Google admin portal at https://admin.google.com/ .

• In the User details tab, scroll down to the Apps section and click on it.

Step 2: Create New Role in Google Admin Portal

To grant access to the passport service account, you need to c reate a new role in the Google Admin portal and set up permissions.  

• Organizational Units > Read
• Users > Read
• Services > Contacts > Contacts Settings Message > Delegates Read
• Services > Calendar > All Settings > Manage Settings > Buildings And Resources

• Groups > Read
• Click Continue , then c lick Create Role .

Step 3: Assign Role to the Passport Service Account

After creating the new role, perform the following steps to assign the role to the passport service account and grant permissions to the user:  

• Select Directory > Users on the left menu panel and navigate to the user you will use as the passport service account for Google calendar integration.
• In the User details tab, scroll down to the Admin roles and privileges  section and click on it.
• Select the pencil icon in the upper right corner.

• Scroll down to the Privileges section and check that the user has the same privileges as the role.

Step 4: Share Room Calendar to the Service Account

Once you’ve assigned the role to the passport service account, follow these steps to grant room calendar access to the passport service account.

• Follow the instructions in the article to share the room calendar with the passport service account: https://support.google.com/calendar/answer/37082 .

• See all event details – Grants read-only access to events for the provider room or resource in Appspace Space Reservation.

Related Articles

Configure and manage building passes – administrators, publish content to webex for team communications, publish content to microsoft teams for team communications, create application passport for third-party integration, problem: unable to delete passport, create library passport for third-party integration, configure post connectors for third-party integration, advanced registration: register devices via crestron xio cloud, introduction to appspace integrations, publish content to slack for team communications, latest articles, appspace employee app 8.x release notes for mobile, configure and manage workspace & desk reservations – administrators, appspace 8.6 aquarius release notes for cloud, appspace 8.x release notes for private cloud, countdown card release notes, appspace 8.5 orion release notes for cloud, appspace compatible and self-certified devices, advanced registration: register devices with serial numbers, mac addreses, and vendor ids, configure desk booking for qbic smart panel pc devices, browse by category, helpful links.

• Manage an account
• Join our community