hashicorp / terraform-provider-azuread

Terraform provider for Azure Active Directory
https://registry.terraform.io/providers/hashicorp/azuread/latest/docs
Mozilla Public License 2.0

Azure AD Guest Organization Management #49

Open AdamCoulterOz opened 5 years ago

AdamCoulterOz commented 5 years ago

Description

A way to manage Allowed or Denied guest organisations in the Azure AD external organisational relationship settings.

Would like to be able to use an azuread_guest type resource (#41) but wouldn't be able to in many Azure AD tenancies until we can also whitelist the domain for the guests.

Potential Terraform Configuration

locals {
    domains = ["domain1.com", "domain2.com", "..."]
}

# if whitelisting collaboration with specified external organisations
resource "azuread_guest_organization" "allow-entity" {
    count  = length(local.domains)
    type   = "Allow"
    domain = local.domains[count.index]
}

# if blacklisting collaboration with specified external organisations
resource "azuread_guest_organization" "deny-entity" {
    count  = length(local.domains)
    type   = "Deny"
    domain = local.domains[count.index]
}

Specifically separating management of individual guest organisations rather than treating it as a single collection set. Organisations may be added from elsewhere, managed under other processes.

An error would be given if specifying Allow in an AAD tenant with the Deny invitations ... setting, and the reverse, if specifying Deny in an AAD tenant with the Allow invitations only ... setting.

AdamCoulterOz commented 5 years ago

Microsoft Graph can be used for this: https://docs.microsoft.com/en-us/graph/api/resources/policy?view=graph-rest-beta

{
    "B2BManagementPolicy": {
        "InvitationsAllowedAndBlockedDomainsPolicy": {
            "AllowedDomains": [
                "domain1.com",
                "domain2.com",
                "..."
            ]
        },
        "AutoRedeemPolicy": {
            "AdminConsentedForUsersIntoTenantIds": [],
            "NoAADConsentForUsersFromTenantsIds": []
        }
    }
}
AdamCoulterOz commented 5 years ago

Currently, the API doesn't support Applications to have permission to do this, only delegated work accounts. Not sure how this might be implemented without a direct Application permission.

[Screenshot attached: screen shot 2019-02-25 at 11 28 12 am]

divyavmnair commented 3 years ago

Can you please explain how we can do B2BManagementPolicy (allow or deny certain domains on Active Directory on Azure) with the Microsoft Graph API?

AdamCoulterOz commented 3 years ago

So to achieve this the following is needed...

  1. Get the AAD Access token
  2. Get the policy object ID: https://graph.windows.net/myorganization/policies?api-version=1.6, which gives this response:
{
    "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects",
    "value": [
        {
            "odata.type": "Microsoft.DirectoryServices.Policy",
            "objectType": "Policy",
            "objectId": "00000000-0000-0000-0000-000000000001",
            "deletionTimestamp": null,
            "alternativeIdentifier": null,
            "definition": [
                "{\"B2BManagementPolicy\":{\"InvitationsAllowedAndBlockedDomainsPolicy\":{\"AllowedDomains\":[]},\"AutoRedeemPolicy\":{\"AdminConsentedForUsersIntoTenantIds\":[],\"NoAADConsentForUsersFromTenantsIds\":[]}}}"
            ],
            "displayName": "B2BManagementPolicy",
            "isTenantDefault": true,
            "keyCredentials": [],
            "type": "B2BManagementPolicy"
        },
        {
            "odata.type": "Microsoft.DirectoryServices.Policy",
            "objectType": "Policy",
            "objectId": "00000000-0000-0000-0000-000000000002",
            "deletionTimestamp": null,
            "alternativeIdentifier": null,
            "definition": [
                "{\"B2BManagementPolicy\":{\"InvitationsAllowedAndBlockedDomainsPolicy\":{\"AllowedDomains\":[\"Worlintest.onmicrosoft.com\"]},\"PreviewPolicy\":{\"Features\":[\"OneTimePasscode\"]},\"AutoRedeemPolicy\":{\"AdminConsentedForUsersIntoTenantIds\":[],\"NoAADConsentForUsersFromTenantsIds\":[]}}}"
            ],
            "displayName": "B2BManagementPolicy2",
            "isTenantDefault": false,
            "keyCredentials": [],
            "type": "B2BManagementPolicy"
        }
    ]
}
  3. Use the first policy object to change the setting. Here is the request (targeting https://graph.windows.net):
PATCH /myorganization/policies/00000000-0000-0000-0000-000000000001?api-version=1.6 HTTP/1.1
Content-Type: application/json;charset=UTF-8
Authorization: Bearer <token>

PATCH request body:

{
    "definition": [
        "{\"B2BManagementPolicy\":{\"InvitationsAllowedAndBlockedDomainsPolicy\":{\"AllowedDomains\":[\"Worlintest.onmicrosoft.com\"]},\"PreviewPolicy\":{\"Features\":[\"OneTimePasscode\"]},\"AutoRedeemPolicy\":{\"AdminConsentedForUsersIntoTenantIds\":[],\"NoAADConsentForUsersFromTenantsIds\":[]}}}"
    ],
    "displayName": "B2BManagementPolicy2",
    "type": "B2BManagementPolicy"
}

There seems to be a limitation using this where Allow invitations only to the specified domains (most restrictive) needs to be set on the portal (Azure AD > External Identities > External collaboration settings > Collaboration restrictions) first, then we can use the API to edit it. I haven't had a chance yet to find how to work around it, which I'm confident I will be able to.

FYI - @divyavmnair - this might also help your question
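The three steps above (fetch the policy list, pick the tenant-default B2BManagementPolicy, PATCH its definition) can be scripted. The following is an added example written for this thread, not code from the issue author or from the terraform-provider-azuread project. It assumes the response shape shown above (legacy Azure AD Graph at graph.windows.net, api-version 1.6, which a later comment notes has since been deprecated) and uses a constructed, trimmed copy of that response as sample input. The non-obvious part it handles is that the policy definition is a JSON document stored as a string inside the "definition" array, so it has to be decoded, edited and re-encoded rather than patched directly; it also refuses to add AllowedDomains when the policy is already in BlockedDomains mode, since the thread states the two modes are mutually exclusive. Only the builder is exercised; send_patch performs the network call with a caller-supplied token.

```python
"""Build the legacy Azure AD Graph PATCH that edits the B2BManagementPolicy
allowed-domain list.  Added example for this thread; assumes the
graph.windows.net api-version=1.6 response shape shown above."""
import json
import re

GRAPH_BASE = "https://graph.windows.net"
API_VERSION = "1.6"

# Constructed sample: a trimmed copy of the policy list response from the thread.
SAMPLE_POLICIES_RESPONSE = {
    "value": [
        {
            "objectId": "00000000-0000-0000-0000-000000000001",
            "definition": [
                '{"B2BManagementPolicy":{"InvitationsAllowedAndBlockedDomainsPolicy":'
                '{"AllowedDomains":[]},"AutoRedeemPolicy":'
                '{"AdminConsentedForUsersIntoTenantIds":[],'
                '"NoAADConsentForUsersFromTenantsIds":[]}}}'
            ],
            "displayName": "B2BManagementPolicy",
            "isTenantDefault": True,
            "type": "B2BManagementPolicy",
        },
        {
            "objectId": "00000000-0000-0000-0000-000000000002",
            "definition": [
                '{"B2BManagementPolicy":{"InvitationsAllowedAndBlockedDomainsPolicy":'
                '{"AllowedDomains":["Worlintest.onmicrosoft.com"]}}}'
            ],
            "displayName": "B2BManagementPolicy2",
            "isTenantDefault": False,
            "type": "B2BManagementPolicy",
        },
    ]
}

# Plain DNS name only: no wildcards, no paths, no stray whitespace.
_DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")


def validate_domain(domain):
    """Normalise and reject anything that is not a plain domain name, so a typo
    or a wildcard cannot silently widen the allow list."""
    d = domain.strip().lower()
    if not _DOMAIN_RE.match(d):
        raise ValueError(f"not a valid domain name: {domain!r}")
    return d


def select_tenant_default_policy(policies_response):
    """Pick the single B2BManagementPolicy flagged isTenantDefault (the object the thread patches)."""
    matches = [p for p in policies_response.get("value", [])
               if p.get("type") == "B2BManagementPolicy" and p.get("isTenantDefault")]
    if len(matches) != 1:
        raise LookupError(f"expected one tenant-default B2BManagementPolicy, found {len(matches)}")
    return matches[0]


def merged_allowed_domains(policy, domains):
    """Decode the definition string, add the domains to AllowedDomains (deduplicated,
    order kept) and keep every other key so unrelated settings are not clobbered."""
    definition = json.loads(policy["definition"][0])
    b2b = definition.setdefault("B2BManagementPolicy", {})
    dom_policy = b2b.setdefault("InvitationsAllowedAndBlockedDomainsPolicy", {})
    if "BlockedDomains" in dom_policy:
        raise ValueError("policy is in BlockedDomains (deny) mode; refusing to add AllowedDomains")
    current = dom_policy.get("AllowedDomains", [])
    dom_policy["AllowedDomains"] = list(
        dict.fromkeys([*current, *(validate_domain(d) for d in domains)]))
    return definition


def build_allowed_domains_patch(policies_response, domains):
    """Return (url, body) for the PATCH shown in the thread; nothing is sent."""
    policy = select_tenant_default_policy(policies_response)
    definition = merged_allowed_domains(policy, domains)
    url = f"{GRAPH_BASE}/myorganization/policies/{policy['objectId']}?api-version={API_VERSION}"
    body = {
        "definition": [json.dumps(definition, separators=(",", ":"))],  # re-encoded as a string
        "displayName": policy["displayName"],
        "type": policy["type"],
    }
    return url, body


def allowed_domains_of(body):
    """Read back the AllowedDomains list from a built PATCH body (used for checking)."""
    definition = json.loads(body["definition"][0])
    return definition["B2BManagementPolicy"]["InvitationsAllowedAndBlockedDomainsPolicy"]["AllowedDomains"]


def send_patch(url, body, token):
    """Send the PATCH with a caller-supplied bearer token (network call, not exercised here)."""
    import urllib.request
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PATCH",
        headers={"Content-Type": "application/json;charset=UTF-8",
                 "Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    u, b = build_allowed_domains_patch(SAMPLE_POLICIES_RESPONSE, ["partner.example", "Partner.Example"])
    print(u)
    print(json.dumps(b, indent=2))
```

The builder is deliberately separated from the sender so the resulting body can be diffed or reviewed before a token is involved; with a real token, `send_patch(u, b, token)` issues the same PATCH the thread shows.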

divyavmnair commented 3 years ago

Thanks Adam, the solution works perfectly. Please provide a solution for setting Collaboration restrictions if you can find one. It was a great help :)

divyavmnair commented 3 years ago

Hi Adam,

Collaboration settings also works perfect for me with this solution.

I can see the settings changed on Active Directory after refreshing the page.

manicminer commented 3 years ago

It looks like this API was deprecated and/or removed from MS Graph. Marking as blocked for now.

kieran-turnbull commented 1 year ago

Looks like cross-tenant configuration is supported on Graph now, is there possibility to revive this? https://learn.microsoft.com/en-us/graph/api/resources/crosstenantaccesspolicy-overview?view=graph-rest-1.0 https://learn.microsoft.com/en-us/graph/permissions-reference#application-permissions-52