public async Task <Tuple <bool, string, string, string, string> > RemoveApplicationRoleFromUser(ActiveDirectoryClient azureGraphclient, string accessToken, string AzureADGraphUrl, string Tenant,
string AppName, string UserEmailAddress, string AppRoleName)
{
List <ResultsItem> obj = new List <ResultsItem>();
Guid userObjectID = Guid.Empty, approleid = Guid.Empty, srvpr = Guid.Empty;
bool ActionStatus = false;
string message = string.Empty;
if (azureGraphclient == null || string.IsNullOrEmpty(AzureADGraphUrl) || string.IsNullOrEmpty(Tenant) ||
string.IsNullOrEmpty(AppName) || string.IsNullOrEmpty(UserEmailAddress) || string.IsNullOrEmpty(AppRoleName))
{
return(new Tuple <bool, string, string, string, string>(ActionStatus, "Invalid input", null, null, null));
}
else
{
try
{
var _usersFiltered = azureGraphclient.Users.Where(a => a.Mail.Equals(UserEmailAddress, StringComparison.InvariantCultureIgnoreCase) ||
a.UserPrincipalName.Equals(UserEmailAddress, StringComparison.InvariantCultureIgnoreCase)).Expand(p => p.AppRoleAssignments).ExecuteAsync().Result;
if (_usersFiltered != null)
{
userObjectID = Guid.Parse(_usersFiltered.CurrentPage.Select(a => a.ObjectId).SingleOrDefault().ToString());
var application = azureGraphclient.Applications.Where(a => a.DisplayName == AppName).ExecuteAsync().Result;
if (application != null)
{
var approle = application.CurrentPage.FirstOrDefault().AppRoles.Where(a => a.DisplayName == AppRoleName).FirstOrDefault();
if (approle != null)
{
approleid = Guid.Parse(approle.Id.ToString());
srvpr = Guid.Parse(azureGraphclient.ServicePrincipals.Where(a => a.DisplayName == AppName).ExecuteAsync().Result.CurrentPage.FirstOrDefault().ObjectId);
//check if assignment is already made
var cc = _usersFiltered.CurrentPage.FirstOrDefault();
var approlesassigns = AzureADExtensions.EnumerateAllAsync(cc.AppRoleAssignments).Result;
var filtered = approlesassigns.Where(a => a.Id == approleid && a.PrincipalType == "User").FirstOrDefault();
if (filtered != null)
{
var roleassignObjectID = filtered.ObjectId;
await RemoveRoleFromUser(accessToken, AzureADGraphUrl, Tenant, userObjectID, roleassignObjectID.ToString());
ActionStatus = true;
message = "Application role was succefully removed from user";
}
else
{
message = "User not associated with application role";
}
}
else
{
message = "Invalid application role";
}
}
else
{
message = "Invalid application";
}
}
else
{
message = "Invalid user";
}
}
catch (Exception ex)
{
message = ex.Message + (ex.InnerException != null ? Environment.NewLine + ex.InnerException.Message : "");
}
}
return(new Tuple <bool, string, string, string, string>(ActionStatus, message, userObjectID.ToString(), approleid.ToString(), srvpr.ToString()));
}
/// <summary>
///
/// </summary>
/// <param name="azureGraphclient"></param>
/// <param name="model"></param>
/// <returns>Return values are status,message, user-object-id, application-role-id, application-service-principal-id</returns>
public async Task <Tuple <bool, string, string, string, string> > AddApplicationRoleToUser(ActiveDirectoryClient azureGraphclient, string AppName, string UserEmailAddress,
string AppRoleName)
{
Guid userObjectID = Guid.Empty, appobjectid = Guid.Empty, approleid = Guid.Empty, srvpr = Guid.Empty;
bool ActionStatus = false;
string message = string.Empty;
if (azureGraphclient == null || string.IsNullOrEmpty(AppName) || string.IsNullOrEmpty(UserEmailAddress) || string.IsNullOrEmpty(AppRoleName))
{
return(new Tuple <bool, string, string, string, string>(ActionStatus, "Invalid input", null, null, null));
}
else
{
try
{
AppRoleAssignment assignment = new AppRoleAssignment();
assignment.CreationTimestamp = System.DateTime.Now;
var _usersFiltered = azureGraphclient.Users.Where(a => a.Mail.Equals(UserEmailAddress, StringComparison.InvariantCultureIgnoreCase) ||
a.UserPrincipalName.Equals(UserEmailAddress, StringComparison.InvariantCultureIgnoreCase)).ExecuteAsync().Result;
if (_usersFiltered != null)
{
userObjectID = Guid.Parse(_usersFiltered.CurrentPage.Select(a => a.ObjectId).SingleOrDefault().ToString());
var application = azureGraphclient.Applications.Where(a => a.DisplayName == AppName).ExecuteAsync().Result;
if (application != null)
{
var approle = application.CurrentPage.FirstOrDefault().AppRoles.Where(a => a.DisplayName == AppRoleName).FirstOrDefault();
if (approle != null)
{
approleid = Guid.Parse(approle.Id.ToString());
srvpr = Guid.Parse(azureGraphclient.ServicePrincipals.Where(a => a.DisplayName == AppName).ExecuteAsync().Result.CurrentPage.FirstOrDefault().ObjectId);
//check if assignment is already made
var cc = azureGraphclient.Users[userObjectID.ToString()].AppRoleAssignments.ExecuteAsync().Result;
var approlesassigns = await AzureADExtensions.EnumerateAllAsync(cc);
var filtered = approlesassigns.Where(a => a.Id == approleid && a.PrincipalType == "User").FirstOrDefault();
if (filtered == null)
{
assignment.PrincipalId = userObjectID;
assignment.PrincipalType = "User";
assignment.ResourceId = srvpr;
assignment.Id = approleid;
await azureGraphclient.Users[userObjectID.ToString()].AppRoleAssignments.AddAppRoleAssignmentAsync(assignment);
ActionStatus = true;
message = "User successfully associated with application role";
}
else
{
message = "user already associated with application role";
}
}
else
{
message = "Invalid application role";
}
}
else
{
message = "Invalid application";
}
}
else
{
message = "Invalid user";
}
}
catch (Exception ex)
{
message = ex.Message + (ex.InnerException != null ? Environment.NewLine + ex.InnerException.Message : "");
}
}
return(new Tuple <bool, string, string, string, string>(ActionStatus, message, userObjectID.ToString(), approleid.ToString(), srvpr.ToString()));
}
