Using the Azure Active Directory Graph Client, I can successfully query the AD for its user roles with the following code:

var activeDirectoryClient = new ActiveDirectoryClient(); // Instantiate the Graph Client here.
var adRoles = await activeDirectoryClient.DirectoryRoles.ExecuteAsync();

Is it possible, however, to get:

  1. A list of roles that are admin roles, and
  2. A list of users who fall under the admin roles?

In this case, my definition of an admin would be users under the Company Administrator role, or those who would be able to authorize an application (via the auth request URL with format https://login.microsoftonline.com/common/oauth2/authorize?response_type=code&client_id=xxx-xxx&resource=yyy-yyy&redirect_uri=zzz-zzz&prompt=admin_consent)

1 Answer

There are a couple of ways you can do this and let's look at the REST API as a starting point.

You can get a list of groups and roles per USER by making a GET request to: https://graph.windows.net/myorganization/users/{user_id}/$links/memberOf?api-version

On success, this returns a collection of links to the Groups and DirectoryRoles that this user is a member of.

ref: Get a user's group and directory role memberships

To get the membership of a group you would make a GET request to: https://graph.windows.net/myorganization/groups/{object_id}/$links/members?api-version

ref: Get a group's direct members

However per the docs:

No functions or actions may be called on directory roles

ref: https://msdn.microsoft.com/en-us/Library/Azure/Ad/Graph/api/entity-and-complex-type-reference#DirectoryRoleEntity

This has to be done from the USER object. The SDK will reflect this.

IPagedCollection<IDirectoryObject> pagedCollection = await retrievedUserFetcher.MemberOf.ExecuteAsync();

The GraphAPI console app has some great examples that should show you how to complete these actions: Program.cs
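As an added example (not code from the question, the answer, or the Graph SDK), the same user-centric route the answer describes can be driven directly against the REST endpoints: list users, follow each user's $links/memberOf, resolve only the links that point at DirectoryRole objects, and keep the users whose roles include "Company Administrator". Assumed here: api-version 1.6, a relative odata.nextLink format, the link-URL suffix "Microsoft.DirectoryServices.DirectoryRole" for role links, and a bearer token obtained elsewhere. HTTP access is injected as a callable so the logic runs offline against the constructed responses at the bottom.

```python
"""Audit "Company Administrator" holders via the Azure AD Graph REST API.

Constructed example, not code from the question or the answer. Assumptions:
api-version 1.6, relative odata.nextLink values, and the
".../Microsoft.DirectoryServices.DirectoryRole" suffix on role links.
"""
import json
import urllib.request
from typing import Callable, Dict, Iterator, List

GRAPH_ROOT = "https://graph.windows.net"
API_VERSION = "1.6"                         # assumed Azure AD Graph API version
ADMIN_ROLE_NAME = "Company Administrator"   # the role the question treats as "admin"
ROLE_LINK_SUFFIX = "Microsoft.DirectoryServices.DirectoryRole"  # assumed $links URL form

FetchJson = Callable[[str], dict]


def with_api_version(url: str, api_version: str) -> str:
    """Append api-version to a URL that does not carry one yet."""
    if "api-version=" in url:
        return url
    sep = "&" if "?" in url else "?"
    return f"{url}{sep}api-version={api_version}"


def paged(fetch_json: FetchJson, url: str, api_version: str) -> Iterator[dict]:
    """Yield every item of a collection, following odata.nextLink across pages."""
    while url:
        body = fetch_json(url)
        yield from body.get("value", [])
        next_link = body.get("odata.nextLink")
        if not next_link:
            return
        # Assumption: nextLink is relative to the tenant root ("users?$skiptoken=...").
        if not next_link.startswith("http"):
            next_link = f"{GRAPH_ROOT}/myorganization/{next_link}"
        url = with_api_version(next_link, api_version)


def find_company_admins(fetch_json: FetchJson, api_version: str = API_VERSION) -> List[str]:
    """Return the UPNs of users that hold the Company Administrator directory role."""
    users_url = f"{GRAPH_ROOT}/myorganization/users?api-version={api_version}"
    role_names: Dict[str, str] = {}   # role link -> displayName, fetched once per role
    admins: List[str] = []
    for user in paged(fetch_json, users_url, api_version):
        member_of = (f"{GRAPH_ROOT}/myorganization/users/{user['objectId']}"
                     f"/$links/memberOf?api-version={api_version}")
        for link in paged(fetch_json, member_of, api_version):
            target = link["url"]
            if not target.endswith(ROLE_LINK_SUFFIX):
                continue                   # a Group link, not a directory role
            if target not in role_names:
                role = fetch_json(with_api_version(target, api_version))
                role_names[target] = role.get("displayName", "")
            if role_names[target] == ADMIN_ROLE_NAME:
                admins.append(user["userPrincipalName"])
                break
    return sorted(admins)


def make_bearer_fetcher(access_token: str) -> FetchJson:
    """Real fetcher: GET the URL with a bearer token obtained elsewhere (not shown)."""
    def fetch(url: str) -> dict:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


# --- Constructed tenant responses for an offline run (not real data) ---------
_T = f"{GRAPH_ROOT}/myorganization"
SAMPLE_RESPONSES: Dict[str, dict] = {
    f"{_T}/users?api-version=1.6": {
        "value": [{"objectId": "u-alice", "userPrincipalName": "alice@contoso.example"}],
        "odata.nextLink": "users?$skiptoken=page2",     # forces a second page
    },
    f"{_T}/users?$skiptoken=page2&api-version=1.6": {
        "value": [{"objectId": "u-bob", "userPrincipalName": "bob@contoso.example"},
                  {"objectId": "u-carol", "userPrincipalName": "carol@contoso.example"}],
    },
    f"{_T}/users/u-alice/$links/memberOf?api-version=1.6": {
        "value": [{"url": f"{_T}/directoryObjects/r-admin/{ROLE_LINK_SUFFIX}"}]},
    f"{_T}/users/u-bob/$links/memberOf?api-version=1.6": {
        "value": [{"url": f"{_T}/directoryObjects/g-sales/Microsoft.DirectoryServices.Group"},
                  {"url": f"{_T}/directoryObjects/r-reader/{ROLE_LINK_SUFFIX}"}]},
    f"{_T}/users/u-carol/$links/memberOf?api-version=1.6": {"value": []},
    f"{_T}/directoryObjects/r-admin/{ROLE_LINK_SUFFIX}?api-version=1.6": {
        "objectType": "Role", "displayName": "Company Administrator"},
    f"{_T}/directoryObjects/r-reader/{ROLE_LINK_SUFFIX}?api-version=1.6": {
        "objectType": "Role", "displayName": "Directory Readers"},
}


def fake_fetcher(url: str) -> dict:
    """Offline stand-in for make_bearer_fetcher(); unknown URLs raise KeyError."""
    return SAMPLE_RESPONSES[url]


if __name__ == "__main__":
    print(find_company_admins(fake_fetcher))   # ['alice@contoso.example']
```

Against a real tenant, pass `make_bearer_fetcher(token)` instead of `fake_fetcher`; the role lookups are cached per role link, so the number of extra requests grows with the number of distinct roles rather than the number of users. Note that the Azure AD Graph endpoint (graph.windows.net) has since been retired in favour of Microsoft Graph, where the equivalent calls are `/users/{id}/memberOf` and `/directoryRoles`.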