Google Admin - role privileges relation to specific APIs not found - roles

A table for each API with which privilege is required would be VERY useful - I assume one exists but Googling gives no such thing!
In my case I need to know what (minimal) role privilege(s) is/are required for the https://www.googleapis.com/admin/directory/v1/customers/my_customer API (GET). Unless I have "Super Admin" turned on I don't have access to this API (403). I have tried various combinations of the privileges added with "Super Admin" with no success.
Regards
Linden

You are right, Super Admin is necessary in order to call customers.get. Even if a custom role is created with all possible privileges, 403 is given as long as Super Admin role is not set.
Request feature:
Regarding a table relating admin privileges and API methods, you could try requesting it via Send feedback at the Admin SDK documentation page or at Admin roles for businesses.

Related

Need admin approval unverified This app may be risky. If you trust this app, please ask your admin to grant you access

I have made a web app that uses Microsoft Graph APIs. When we authenticate a user using their personal account it works perfectly, but when someone uses their organizational account the following error is displayed:
"AADSTS65001: The user or administrator has not consented to use the application with ID '29eb2e50-3e2b-45a4-9488-d9b08a34b6f0' named 'testing app'.
Send an interactive authorization request for this user and resource.
Trace ID: 4a665bcf-c19e-48f8-b5c2-056e61aa2d00
Correlation ID: 1ad728bb-6fa2-4f27-ae5e-215f580d2e9e
Timestamp: 2022-09-05 10:46:49Z","error_codes":[65001],"timestamp":"2022-09-05 10:46:49Z","trace_id":"4a665bcf-c19e-48f8-b5c2-056e61aa2d00","correlation_id":"1ad728bb-6fa2-4f27-ae5e-215f580d2e9e","suberror":"consent_required"}
Now kindly let me know how we can resolve it. I have done all the changes to our Azure app that are suggested on the internet, but still get the same error. Please let me know which permission I should add or which changes should be made to resolve this issue. Thanks.
First, you need to be the administrator of the tenant (if you are not a tenant administrator, you cannot grant the administrator permission); you can set up user roles according to Assign Azure AD roles.
1. Log in to https://portal.azure.com as a tenant administrator.
2. Open the registration of your application in the following location.
3. Go to settings and then the required permissions.
4. Press the grant permission button.
Check if the user or organizational account has the required permission granted as seen in the sample below.
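The consent step the answer describes can also be recognised and driven from code. The following is an added example, not code from the original question or answer: it detects the AADSTS65001 / consent_required response that the token endpoint returns before an administrator has consented, and builds the tenant-wide admin consent URL (the v2.0 adminconsent endpoint of login.microsoftonline.com) that a Global Administrator visits to do what the portal's grant button does. The error body, application id, tenant id and redirect URI are constructed placeholders.

```python
"""Added example (not from the original post): recognise the consent_required
error from the Microsoft identity platform and build the admin consent URL.
Identifiers below are placeholders, not real tenant or application ids."""
import json
import re
from urllib.parse import urlencode

# Constructed sample of the error body a token request returns before consent.
SAMPLE_ERROR_BODY = json.dumps({
    "error": "invalid_grant",
    "error_description": (
        "AADSTS65001: The user or administrator has not consented to use the "
        "application with ID '00000000-0000-0000-0000-000000000000' named "
        "'testing app'. Send an interactive authorization request for this "
        "user and resource."
    ),
    "error_codes": [65001],
    "suberror": "consent_required",
})

APP_ID_RE = re.compile(r"application with ID '([0-9a-fA-F-]{36})'")


def needs_admin_consent(body):
    """Return (True, app_id) when the token endpoint reports missing consent,
    otherwise (False, None). Matches on the numeric error code and suberror
    rather than on free text, so a reworded message does not break it."""
    try:
        err = json.loads(body)
    except json.JSONDecodeError:
        return False, None
    codes = err.get("error_codes", [])
    if 65001 not in codes and err.get("suberror") != "consent_required":
        return False, None
    match = APP_ID_RE.search(err.get("error_description", ""))
    return True, (match.group(1) if match else None)


def admin_consent_url(tenant_id, client_id, redirect_uri,
                      scope="https://graph.microsoft.com/.default", state=None):
    """Build the v2.0 admin consent URL. Visiting it as a Global Administrator
    grants the permissions configured on the app registration for the whole
    tenant; the redirect URI must be one registered on the app."""
    params = {"client_id": client_id, "scope": scope, "redirect_uri": redirect_uri}
    if state:
        params["state"] = state  # anti-CSRF value the callback checks
    return f"https://login.microsoftonline.com/{tenant_id}/v2.0/adminconsent?{urlencode(params)}"


if __name__ == "__main__":
    consent, app_id = needs_admin_consent(SAMPLE_ERROR_BODY)
    if consent:
        print("Admin consent required for app", app_id)
        print(admin_consent_url("TENANT-ID-PLACEHOLDER", app_id, "https://localhost/callback"))
```

The check keys on error code 65001 and the suberror rather than on the message text, which Microsoft rewords from time to time; the consent URL only points the administrator at the grant step, it cannot grant anything by itself.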

Microsoft flow:ForbiddenError-403, when trying to create private channel in MS teams

I am trying to make an HTTP request into MS teams in order to create private channel like in the following example.
https://learn.microsoft.com/en-us/graph/api/channel-post?view=graph-rest-1.0&tabs=http
In order to authenticate the HTTP request with the "Active Directory OAuth" option, it needs some info: 1) Client ID, 2) Tenant ID, 3) Audience and 4) Credential Type.
Therefore, I registered an app at the Azure App Registration page, where I have all this info, and created a secret to provide it. In addition I gave permissions. My task is to create/delete private channels and add/drop members. Why is there a 403 status code error called "Forbidden"?
Also, in a lot of docs a token is mentioned, but I do not know how to create and use it, as there is also no accurate, step-by-step example for all this authentication/authorization/permissions.
Can someone provide that? Or explain why that error is there, as the info on microsoft.docs is inefficient?
https://learn.microsoft.com/en-us/graph/resolve-auth-errors
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
The 403 error indicates that your token lacks the permission to call the api. Each api document clearly explains what permissions are required to call the api.
Take create channel as an example: it lists the permissions you need to call the API. These permissions are arranged from small to large, and you only need to select one of them. Then you need to add the permission to your application, and then grant administrator consent for the permission.
Go to Azure portal>Azure AD>App registrations>your app>API permissions.
What you need to note is that permissions are divided into application permissions and delegated permissions.
Delegated permission is the authorization of the service principal on behalf of the user. It usually involves user interaction. If you need to log in the user, you can choose to grant the permission, and then you need to use the auth code flow to obtain an access token.
Application permission is the authorization of the service principal on its own behalf. It is usually used in a daemon where no user is logged in. If you do not need to log in the user, you can choose to grant the permission, and then you need to use the client credential flow to obtain an access token.
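Because a client-credentials token only carries application permissions (the roles claim) while a delegated token carries scopes (the scp claim), the quickest way to see why a call returns 403 is to look at the token that was actually sent. The following is an added example, not code from the original answer: it decodes the payload of an Azure AD access token and reports whether any of the permissions a Graph method accepts is present. The signature is deliberately not verified, since this is a local diagnostic for the caller's own token rather than token validation; the sample tokens are constructed with a dummy signature, and the permission names in CREATE_CHANNEL_ANY_OF are my recollection of the channel-post documentation linked in the question, to be checked against that page.

```python
"""Added example (not from the original answer): decode an Azure AD access
token's claims and check whether it carries a required Graph permission.
No signature verification is done; this is a diagnostic, not validation."""
import base64
import json


def _b64url_decode(segment):
    """Decode a base64url segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode("ascii"))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def token_permissions(jwt):
    """Return the permissions carried by the token: app roles from the
    'roles' claim plus delegated scopes from the space-separated 'scp' claim."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS token")
    payload = json.loads(_b64url_decode(parts[1]))
    perms = set(payload.get("roles", []))
    perms.update(payload.get("scp", "").split())
    return perms


def missing_permission(jwt, acceptable):
    """True when none of the acceptable permissions is in the token. Graph
    docs list 'one of the following' per method, so any single match is enough."""
    return not (token_permissions(jwt) & set(acceptable))


def _fake_token(payload):
    """Constructed sample token: real-shaped header and payload, dummy
    signature, so it never passes validation and cannot be replayed."""
    header = _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(payload).encode())
    return f"{header}.{body}.dummysignature"


# Constructed samples: an app-only token with an application permission, and a
# delegated token whose scopes do not include channel creation.
APP_TOKEN = _fake_token({"aud": "https://graph.microsoft.com", "roles": ["Channel.Create"]})
DELEGATED_TOKEN = _fake_token({"aud": "https://graph.microsoft.com",
                               "scp": "User.Read Channel.ReadBasic.All"})

# Assumed permission names for POST /teams/{id}/channels (verify against the docs).
CREATE_CHANNEL_ANY_OF = ["Channel.Create", "Group.ReadWrite.All", "Directory.ReadWrite.All"]

if __name__ == "__main__":
    for name, tok in (("app token", APP_TOKEN), ("delegated token", DELEGATED_TOKEN)):
        status = "lacks" if missing_permission(tok, CREATE_CHANNEL_ANY_OF) else "has"
        print(f"{name}: {status} a create-channel permission; claims = {sorted(token_permissions(tok))}")
```

If the token is missing the permission, the fix is on the app registration (add the right permission type and grant admin consent), not in the request; if the permission is present and the call still fails, the problem is elsewhere, such as resource-specific consent on the team.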

Create User via API in Azure AD

GOAL: Create users in Azure Active Directory using our Global Admin account from an API.
PROBLEM: Every single way I try, I get "unauthorized".
WHAT I'VE TRIED:
I've been focusing mostly on this: https://graph.microsoft.com/v1.0/invitations
I've tried as outlined here
The "Authorization Bearer {token}" is problematic -- I can't seem to properly retrieve tokens, using any of the built URLs recommended (i.e., combining ClientID & TenantID in the URL).
I've tried the relevant portions of this, including creating the app, setting permissions on the app, trying both Web API and Native. I'm able to get a code back, but using it always comes back with Unauthorized.
As an aside, I am using Nintex to run this web service, as it is part of my workflow. Typically, web services don't give me issues. So, this sucks.
I'm missing something, here. Any thoughts or direction?
UPDATE: Removed the word "method" - bad choice of phrasing.
If you want to use Microsoft Graph Explorer to create a user as the global admin, you could use POST https://graph.microsoft.com/v1.0/users, and the required permission is:
Permissions
For the details, you could read Create user.
Global admin runs as a user by default. To grant access to Active Directory, you need to elevate permissions in the portal.
I'm not convinced you have the permissions to create the user, and that's why I think you're getting the error.
Also, try and avoid using Global Admin. Create a Service Principal and provide more granular permissions.
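To make the service-principal route concrete, the following is an added example, not code from the original answer: it builds the two requests a daemon needs as plain data so their shape can be checked offline. The first is the client-credentials token request the asker had trouble with (the tenant id belongs in the URL, the client id and secret in the form body); the second is POST /v1.0/users with the fields the Create user documentation lists as required and a correctly formed Authorization header. Tenant, client id, secret and user values are placeholders, and the comment naming User.ReadWrite.All as the permission to grant is an assumption of mine about the least-privileged application permission, not something taken from the page.

```python
"""Added example (not from the original answer): request shapes for creating a
user with Microsoft Graph from a service principal. All identifiers and
credentials here are placeholders."""
import json
import re
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"
REQUIRED_USER_FIELDS = ("accountEnabled", "displayName", "mailNickname",
                        "userPrincipalName", "passwordProfile")
UPN_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def client_credentials_request(tenant_id, client_id, client_secret):
    """Token request for a daemon: no user, no auth code. Returns the URL and
    the form-encoded body to POST. The app registration should hold only the
    application permission the job needs (assumed: User.ReadWrite.All), with
    admin consent granted, instead of a Global Admin user's credentials."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        # .default asks for every application permission already consented to
        "scope": "https://graph.microsoft.com/.default",
    }
    return url, urlencode(form)


def create_user_request(access_token, user):
    """Validate the user object and return the POST /users request as a dict."""
    missing = [f for f in REQUIRED_USER_FIELDS if f not in user]
    if missing:
        raise ValueError(f"missing required fields: {missing}")
    if not UPN_RE.match(user["userPrincipalName"]):
        raise ValueError("userPrincipalName must be an e-mail style UPN on a verified domain")
    if not user["passwordProfile"].get("forceChangePasswordNextSignIn", False):
        raise ValueError("initial passwords must be forced to change at first sign-in")
    return {
        "method": "POST",
        "url": f"{GRAPH}/users",
        "headers": {
            "Authorization": f"Bearer {access_token}",  # scheme, one space, token
            "Content-Type": "application/json",
        },
        "body": json.dumps(user),
    }


# Constructed sample user; the domain and password are placeholders.
SAMPLE_USER = {
    "accountEnabled": True,
    "displayName": "Example Person",
    "mailNickname": "example.person",
    "userPrincipalName": "example.person@contoso.example",
    "passwordProfile": {
        "forceChangePasswordNextSignIn": True,
        "password": "PLACEHOLDER-initial-password",
    },
}

if __name__ == "__main__":
    url, form = client_credentials_request("TENANT-ID", "CLIENT-ID", "CLIENT-SECRET")
    print("POST", url, form)
    req = create_user_request("ACCESS-TOKEN", SAMPLE_USER)
    print(req["method"], req["url"], req["headers"]["Authorization"][:12] + "...")
```

Sending these with any HTTP client is a one-liner; the value here is that the token URL, the form fields, the `Bearer` header and the required user fields are checked before a single request leaves the box, which is where the "unauthorized" responses in the question usually come from.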

Using Anypoint Access Management - Mulesoft APIs

Good morning. I am using the internal MuleSoft Access Management APIs (API Reference). I have successfully set up my Postman to get the security token after login, and even executed /api/users/me successfully. However, regardless of the access provided to the connection/login user, I can't get the full list of users (/api/users), receiving a Not authorized error.

Let me explain the context. We are running on a federated platform, so we can't manage user registration from the console, but need to wait until they log in through SSO for the first time to grant access to the corresponding business group and role. There is a complaint, as the users need to send the admin a note letting them know of their successful first login, and afterwards wait to receive access to the business group. After they log in for the first time, their profiles are created in the root org. You can see them only when you are in the master organization. However, you can't get their new user id when you request a list of users of this master organization (/api/organizations/{orgId}/users).

We are looking to execute this /api/users in a batch app that runs periodically and do a cross verification to get the users not associated with any orgId or role. This way we can avoid the requirement of the user sending a note to the admin. When I execute /accounts/api/users (API Call), we receive a 401 Unauthorized response, despite the token being correct, as it is working fine with the other APIs. There is no mention of any other parameter or requirement in the API reference.
Please advise what can be done to solve this authorization error and complete our app. Thank you in advance.
Had the same issue but figured it out.
Instead of calling /api/users, you should be calling
https://anypoint.mulesoft.com/accounts/api/organizations/{orgId}/members
to get a list of users

The roles generated in Keyrock are not really registered

I am creating a permission for an application in Keyrock and associating it with user A. When I do a GET request to Orion v2/entities (which matches the created permission), I get a User token not authorized message. In the PEP log I can see that the role is not associated with the user:
INFO: AZF-Client - Checking authorization to roles [] to do GET on v2/entities and app 629cd23fe9bb42c58d3fde77e0323a7e
This is really strange because I added the role containing the specific permission to user A.
Can anyone help with this? What am I doing wrong?
Please, check the following:
You are creating the OAuth2 token for the user to whom you have assigned the role.
You have created the role in the application you are using to generate the OAuth2 token.
The role has the permission assigned.