
I have a multitenant Office365 web application that authenticates users with an Authorization code flow (my server does the requests to the APIs) secured by Azure AD on OAuth/OpenIdConnect.

We use Microsoft.Owin.Security.OpenIdConnect, Version=3.0.0.0 and Azure Active Directory ADAL.NET client with Microsoft.IdentityModel.Clients.ActiveDirectory, Version=2.19.0.0 following this sample.

In my Azure AD application manifest, I use only scopes without admin consent.

However, I would like to know if the currently connected user is an Office 365 Global Admin of the tenant.

I checked the accepted answer here. That basically reads the response at <graphurl>/me/memberOf However, it is not acceptable in my situation. Following this reference, all the required scopes are "Admin consent" scopes.

I tried different approaches: using the System.Web.Security.Roles.GetRolesForUser(), looking in ClaimsPrincipal.Current and finally examining carefully the parsed JWT to see if there is an info on the Office365 roles of the connected user. All without success.

Can you provide a way to know the current user administration roles within the Office 365 tenants with an application declared with no admin consent scopes?

Remark: This question is more or less related to this one but the requirements are less strong: we only want to see if the current user is a Global Admin.


1 Answer


Can you provide a way to know the current user administration roles within the Office 365 tenants with an application declared with no admin consent scopes?

For a multi-tenant application, accessing directory data requires admin consent.

But once an administrator gives consent for the application, all users within the organization will be allowed to use the application (no need to consent).

Add the consent URL parameter "prompt=admin_consent":

    // Redirects the signed-in user to the Azure AD authorize endpoint with
    // prompt=admin_consent, so a tenant administrator can consent once for the
    // whole organization.
    public ActionResult AdminConsentApp()
    {
        // Resource to be consented (e.g. the directory API) and the controller to return to.
        string strResource = Request.QueryString["resource"];
        string strRedirectController = Request.QueryString["redirect"];

        // Every value is percent-encoded before being placed in the query string.
        string authorizationRequest = String.Format(
            "https://login.windows.net/common/oauth2/authorize?response_type=code&client_id={0}&resource={1}&redirect_uri={2}&prompt={3}",
                Uri.EscapeDataString(SettingsHelper.ClientId),
                Uri.EscapeDataString(strResource),
                // redirect_uri is built from this application's own authority plus the controller path.
                Uri.EscapeDataString(String.Format("{0}/{1}", this.Request.Url.GetLeftPart(UriPartial.Authority), strRedirectController)),
                Uri.EscapeDataString("admin_consent")
                );

        return new RedirectResult(authorizationRequest);
    }

For more details, you can reference the sample project O365-WebApp-MultiTenant.
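The two halves of the flow above, as an added example that is not part of the answer or of the O365-WebApp-MultiTenant sample: building the authorize request with `prompt=admin_consent` (the same query parameters the C# action assembles, percent-encoded with `urlencode`), and, once consent has been granted, inspecting a `/me/memberOf` response for the Global Administrator directory role. The example goes beyond the answer in that second step; the role is identified by its directory role template id, which is the same in every tenant, rather than by display name. The response body, client id, resource and redirect URI are constructed sample values, and the two response shapes handled (Azure AD Graph `objectType: "Role"` and Microsoft Graph `@odata.type: "#microsoft.graph.directoryRole"`) are the ones the function assumes.

```python
from urllib.parse import urlencode

# Authorize endpoint used in the answer's C# code.
AUTHORIZE_ENDPOINT = "https://login.windows.net/common/oauth2/authorize"

# Role template id of the Global Administrator directory role (legacy display
# name "Company Administrator"). Template ids are identical across tenants,
# which makes them a safer match than a localizable display name.
GLOBAL_ADMIN_ROLE_TEMPLATE_ID = "62e90394-69f5-4237-9190-012177145e10"


def build_admin_consent_url(client_id, resource, redirect_uri, state=None):
    """Return the authorization-code request that asks a tenant admin to consent.

    Mirrors the parameters of the answer's C# action; urlencode percent-encodes
    every value just as Uri.EscapeDataString does. The redirect URI must still be
    one registered for the application, otherwise Azure AD rejects the request.
    """
    if not redirect_uri.startswith("https://"):
        raise ValueError("redirect_uri must be an absolute https URL")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "resource": resource,
        "redirect_uri": redirect_uri,
        "prompt": "admin_consent",
    }
    if state is not None:
        # Opaque value echoed back on the redirect; lets the app tie the
        # response to the request that started it.
        params["state"] = state
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def _is_directory_role(obj):
    """True for a directory role object in either Graph response shape (assumption)."""
    return (obj.get("objectType") == "Role"
            or obj.get("@odata.type") == "#microsoft.graph.directoryRole")


def is_global_admin(member_of_response):
    """Decide from a parsed /me/memberOf body whether the user holds Global Admin.

    Groups are skipped; only directory role objects whose roleTemplateId equals
    the Global Administrator template id count. Comparison is case-insensitive
    because the id may be returned in either case.
    """
    for obj in member_of_response.get("value", []):
        if not _is_directory_role(obj):
            continue
        if obj.get("roleTemplateId", "").lower() == GLOBAL_ADMIN_ROLE_TEMPLATE_ID:
            return True
    return False


# Constructed sample body in the Azure AD Graph shape: one group, one directory role.
SAMPLE_MEMBER_OF = {
    "value": [
        {"objectType": "Group", "displayName": "Sales"},
        {"objectType": "Role", "displayName": "Company Administrator",
         "roleTemplateId": "62E90394-69F5-4237-9190-012177145E10"},
    ]
}

if __name__ == "__main__":
    print(build_admin_consent_url("my-client-id", "https://graph.windows.net",
                                  "https://app.example/Home/Consent", state="xyz"))
    print("global admin:", is_global_admin(SAMPLE_MEMBER_OF))
```

The `memberOf` check is only reachable after the consent step succeeds: without admin consent the directory call fails for the reason the answer gives, so the role lookup should be treated as a post-consent feature rather than a substitute for consent.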