/// <summary>
/// At the time of creating this application, there was no support for adding app-only permissions using the .NET AAD Graph Client SDK
/// </summary>
/// <param name="client"></param>
/// <param name="grant"></param>
/// <returns></returns>
private static async Task AddApplicationPermissionsGrantAsync(IActiveDirectoryClient client, OAuthGrant grant)
{
var token = await AuthenticationHelper.AcquireAADTokenAsyncForUser();
var webClient = new HttpClient();
webClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
foreach (var graphPermissionId in grant.ApplicationPermissions)
{
var uri = $"{GlobalConstants.AADGraphResourceUrl}/{GlobalConstants.GraphTenantName}/servicePrincipals/{grant.ApplicationServicePrincipal.ObjectId}/appRoleAssignments?api-version=1.6";
string jsonBody = JsonConvert.SerializeObject(new
{
id = graphPermissionId,
principalId = grant.ApplicationServicePrincipal.ObjectId,
principalType = "ServicePrincipal",
resourceId = grant.ResourceServicePrincipal.ObjectId
});
var response = await webClient.PostAsync(uri, new StringContent(jsonBody, Encoding.UTF8, "application/json"));
if (!response.IsSuccessStatusCode)
{
Program.WriteError($"\nError adding App-only Permissions for {grant.Application.DisplayName}: {response.StatusCode}");
}
}
}
public static async Task <User> CreateNewUser(IActiveDirectoryClient client, VerifiedDomain defaultDomain,
string firstName, string lastName, int phoneNumber, string principalName)
{
// **********************************************************
// Requires Directory.ReadWrite.All or Directory.AccessAsUser.All, and the signed in user
// must be a privileged user (like a company or user admin)
// **********************************************************
User newUser = new User();
if (defaultDomain.Name != null)
{
newUser.DisplayName = firstName + " " + lastName;
//newUser.UserPrincipalName = firstName.ToLower() + "." + lastName.ToLower() + "@" +
// defaultDomain.Name;
newUser.UserPrincipalName = principalName;
newUser.AccountEnabled = true;
newUser.TelephoneNumber = phoneNumber.ToString();
newUser.MailNickname = firstName + lastName;
newUser.PasswordProfile = new PasswordProfile
{
Password = "******",
ForceChangePasswordNextLogin = true
};
newUser.UsageLocation = "PL";
await client.Users.AddUserAsync(newUser);
_dialogService.Show(DialogType.Success, $"New User {newUser.DisplayName} was created");
}
return(newUser);
}
/// <summary>
/// Based on the YOUR AAD ApplicationId determine if the Tenant already has the ServicePrincipal in their directory
/// </summary>
/// <param name="client"></param>
/// <param name="applicationId"></param>
/// <returns></returns>
private static async Task <IServicePrincipal> GetServicePrincipalAsync(IActiveDirectoryClient client, string applicationId)
{
IPagedCollection <IServicePrincipal> servicePrincipals = null;
try
{
servicePrincipals = await client.ServicePrincipals.ExecuteAsync();
}
catch (Exception e)
{
Program.WriteError("\nError getting Service Principal {0}", Program.ExtractErrorMessage(e));
}
while (servicePrincipals != null)
{
List <IServicePrincipal> servicePrincipalsList = servicePrincipals.CurrentPage.ToList();
IServicePrincipal servicePrincipal =
servicePrincipalsList.FirstOrDefault(x => x.AppId.Equals(applicationId));
if (servicePrincipal != null)
{
return(servicePrincipal);
}
servicePrincipals = await servicePrincipals.GetNextPageAsync();
}
return(null);
}
private static async Task <ITenantDetail> GetTenantDetails(IActiveDirectoryClient client, string tenantId)
{
//*********************************************************************
// The following section may be run by any user, as long as the app
// has been granted the minimum of User.Read (and User.ReadWrite to update photo)
// and User.ReadBasic.All scope permissions. Directory.ReadWrite.All
// or Directory.AccessAsUser.All will also work, but are much more privileged.
//*********************************************************************
//*********************************************************************
// Get Tenant Details
// Note: update the string TenantId with your TenantId.
// This can be retrieved from the login Federation Metadata end point:
// https://login.windows.net/GraphDir1.onmicrosoft.com/FederationMetadata/2007-06/FederationMetadata.xml
// Replace "GraphDir1.onMicrosoft.com" with any domain owned by your organization
// The returned value from the first xml node "EntityDescriptor", will have a STS URL
// containing your TenantId e.g. "https://sts.windows.net/4fd2b2f2-ea27-4fe5-a8f3-7b1a7c975f34/" is returned for GraphDir1.onMicrosoft.com
//*********************************************************************
ITenantDetail tenant = null;
IPagedCollection <ITenantDetail> tenantsCollection = await client.TenantDetails
.Where(tenantDetail => tenantDetail.ObjectId.Equals(tenantId)).ExecuteAsync();
List <ITenantDetail> tenantsList = tenantsCollection.CurrentPage.ToList();
if (tenantsList.Count > 0)
{
tenant = tenantsList.First();
}
if (tenant == null)
{
_dialogService.Show(DialogType.Error, "Tenant not found");
return(null);
}
else
{
TenantDetail tenantDetail = (TenantDetail)tenant;
StringBuilder sb = new StringBuilder();
sb.AppendLine("Tenant Display Name: " + tenantDetail.DisplayName);
// Get the Tenant's Verified Domains
var initialDomain = tenantDetail.VerifiedDomains.First(x => x.Initial.HasValue && x.Initial.Value);
sb.AppendLine("Initial Domain Name: " + initialDomain.Name);
var defaultDomain = tenantDetail.VerifiedDomains.First(x => [email protected] && [email protected]);
sb.AppendLine("Default Domain Name: " + defaultDomain.Name);
// Get Tenant's Tech Contacts
foreach (string techContact in tenantDetail.TechnicalNotificationMails)
{
sb.AppendLine("Tenant Tech Contact: " + techContact);
}
sb.Remove(sb.Length - 2, 2);
_dialogService.Show(DialogType.Success, sb.ToString());
return(tenantDetail);
}
}
/// <summary>
/// Initializes a new instance of the <see cref="GraphClient"/> class.
/// </summary>
/// <param name="service">Provides access to core services.</param>
/// <param name="client">Provides the ability to interact with the Microsoft AD Graph API.</param>
/// <exception cref="ArgumentNullException">
/// <paramref name="service"/> is null.
/// or
/// <paramref name="client"/> is null.
/// </exception>
public GraphClient(IExplorerService service, IActiveDirectoryClient client)
{
service.AssertNotNull(nameof(service));
client.AssertNotNull(nameof(client));
this.service = service;
this.client = client;
}
private static async Task CleanupPermissionGrantsAsync(IActiveDirectoryClient client, OAuthGrant grant)
{
IServicePrincipal servicePrincipal = await GetServicePrincipalAsync(client, grant.Application.AppId);
if (servicePrincipal == null)
{
Log(string.Format("No existing service principal for app {0}", grant.Application.DisplayName));
return;
}
Log(string.Format("Deleting existing service principal for app {0}", grant.Application.DisplayName));
await servicePrincipal.DeleteAsync();
}
/// <summary>
/// To ensure the latest Service Principal with the most up-to-date permissions are created,
/// if exists, remove the existing Service Principal for YOUR AAD application
/// </summary>
/// <param name="client"></param>
/// <param name="grant"></param>
/// <returns></returns>
private static async Task CleanupPermissionGrantsAsync(IActiveDirectoryClient client,
OAuthGrant grant)
{
IServicePrincipal servicePrincipal = await GetServicePrincipalAsync(client, grant.Application.AppId);
if (servicePrincipal == null)
{
Program.WriteInfo($"No existing service principal for app {grant.Application.DisplayName}");
return;
}
Program.WriteInfo($"Deleting existing service principal for app {grant.Application.DisplayName}");
await servicePrincipal.DeleteAsync();
}
public SolutionGroupManager([NotNull] IActiveDirectoryClient activeDirectoryClient,
[NotNull] IActiveDirectoryPathProvider activeDirectoryPathProvider)
{
if (activeDirectoryClient == null)
{
throw new ArgumentNullException(nameof(activeDirectoryClient));
}
if (activeDirectoryPathProvider == null)
{
throw new ArgumentNullException(nameof(activeDirectoryPathProvider));
}
_activeDirectoryClient = activeDirectoryClient;
_activeDirectoryPathProvider = activeDirectoryPathProvider;
}
public static async Task <Group> FindGroupByObjectId(IActiveDirectoryClient client, string groupId)
{
List <IGroup> foundGroups = null;
IGroup retrievedGroup = null;
IPagedCollection <IGroup> groupsCollection = await client.Groups
.Where(g => g.ObjectId.Equals(groupId))
.ExecuteAsync();
foundGroups = groupsCollection.CurrentPage.ToList();
if (foundGroups.Count > 0)
{
retrievedGroup = foundGroups[0];
}
return((Group)retrievedGroup);
}
/// <summary>
/// Initializes a new instance of the <see cref="GraphClient"/> class.
/// </summary>
/// <param name="service">Provides access to core services.</param>
/// <param name="customerId">Identifier for customer whose resources are being accessed.</param>
/// <exception cref="ArgumentException">
/// <paramref name="customerId"/> is empty or null.
/// </exception>
/// <exception cref="ArgumentNullException">
/// <paramref name="service"/> is null.
/// </exception>
public GraphClient(IExplorerService service, string customerId)
{
service.AssertNotNull(nameof(service));
customerId.AssertNotEmpty(nameof(customerId));
this.customerId = customerId;
this.service = service;
this.client = new ActiveDirectoryClient(
new Uri($"{this.service.Configuration.GraphEndpoint}/{customerId}"),
async() =>
{
AuthenticationToken token = await this.service.TokenManagement.GetAppOnlyTokenAsync(
$"{this.service.Configuration.ActiveDirectoryEndpoint}/{customerId}",
this.service.Configuration.GraphEndpoint);
return(token.Token);
});
}
/// <summary>
/// If the ServicePrincipal does not already exist in the tenant's directory,
/// then creates a ServicePrincipal for the specified application in the tenant's directory,
/// otherwise return the found ServicePrincipal
/// </summary>
/// <param name="client"></param>
/// <param name="application"></param>
/// <returns>IServicePrincipal</returns>
private static async Task <IServicePrincipal> CreateServicePrincipalAsync(IActiveDirectoryClient client, IApplication application)
{
IServicePrincipal servicePrincipal = null;
if (application.AppId != null)
{
// does the Service Principal already exist?
servicePrincipal = await GetServicePrincipalAsync(client, application.AppId);
// if exists then return the found Service Principal
if (servicePrincipal != null)
{
return(servicePrincipal);
}
// if not found then create a Service Principal for this tenant
servicePrincipal = new ServicePrincipal()
{
AccountEnabled = true,
AppId = application.AppId,
DisplayName = application.DisplayName
};
try
{
await client.ServicePrincipals.AddServicePrincipalAsync(servicePrincipal);
}
catch (Exception e)
{
Program.WriteError("\nError creating Service Principal for {0}: {1}", application.DisplayName, Program.ExtractErrorMessage(e));
return(null);
}
}
else
{
Program.WriteError("\nRefusing to create Service Principal for {0} because ApplicationID was not supplied", application.DisplayName);
return(null);
}
return(servicePrincipal);
}
public static async Task <bool> IsPrincipalNameAvailable(IActiveDirectoryClient client, string principalName)
{
//*********************************************************************
// People picker
// Search for a user using text string "Us" match against userPrincipalName, displayName, giveName, surname
// Requires minimum of User.ReadBasic.All.
//*********************************************************************
List <IUser> usersList = null;
IPagedCollection <IUser> searchResults = null;
IUserCollection userCollection = client.Users;
searchResults = await userCollection.Where(user =>
user.UserPrincipalName.StartsWith(principalName)).Take(1).ExecuteAsync();
usersList = searchResults.CurrentPage.ToList();
return(usersList.Count == 0);
}
public UserGroupMembershipProvider([NotNull] IActiveDirectoryClient activeDirectoryClient,
[NotNull] IActiveDirectoryPathProvider activeDirectoryPathProvider,
[NotNull] IUserPrincipalProvider userPrincipalProvider)
{
if (activeDirectoryClient == null)
{
throw new ArgumentNullException(nameof(activeDirectoryClient));
}
if (activeDirectoryPathProvider == null)
{
throw new ArgumentNullException(nameof(activeDirectoryPathProvider));
}
if (userPrincipalProvider == null)
{
throw new ArgumentNullException(nameof(userPrincipalProvider));
}
_activeDirectoryClient = activeDirectoryClient;
_activeDirectoryPathProvider = activeDirectoryPathProvider;
_userPrincipalProvider = userPrincipalProvider;
}
private static async Task AddDelegatedPermissionsGrantAsync(IActiveDirectoryClient client, OAuthGrant grant)
{
if (grant.DelegatedPermissions == "")
{
return;
}
try
{
// add the permissions
await client.Oauth2PermissionGrants.AddOAuth2PermissionGrantAsync(new OAuth2PermissionGrant
{
ClientId = grant.ApplicationServicePrincipal.ObjectId,
ConsentType = "AllPrincipals", // all users
ResourceId = grant.ResourceServicePrincipal.ObjectId,
Scope = grant.DelegatedPermissions,
ExpiryTime = new DateTime().AddYears(100) // when the grant expires
});
}
catch (Exception e)
{
Program.WriteError("\nError adding Delegated Permissions for {0}: {1}", grant.Application.DisplayName, Program.ExtractErrorMessage(e));
}
}
public UserStore(IActiveDirectoryClientAdapter activeDirectoryClientAdapter)
{
_activeDirectoryClient = activeDirectoryClientAdapter.GetActiveDirectoryClientAsApplication();
}
