Azure-sdk-for-python: Add list_users as a method to ServicePrincipalOperations class in graphrbac

Created on 8 Sep 2020 · 5 Comments · Source: Azure/azure-sdk-for-python

Hello everyone,

I've been using Graph RBAC to try and list all users that have access to an Enterprise Application (service principal)
(the people listed in the blade below, Terraform is just one example app):


Screen Shot 2020-09-08 at 10 14 01

I can list owners using list_owners:
https://docs.microsoft.com/en-gb/python/api/azure-graphrbac/azure.graphrbac.operations.service_principals_operations.serviceprincipalsoperations?view=azure-python#list-owners-object-id--custom-headers-none--raw-false----operation-config-

But I don't see any option for listing users, which is what I actually need for my task. Is something similar to list_users something that exists and I can run in the same way as list_owners (maybe I'm missing it) or is there another method/approach anyone can suggest for this?

Much appreciated

Labels: Client, Graph, customer-reported, question

All 5 comments

Hi @ctolley2
I think the right way to do it is to list users with a SP filter instead:
https://docs.microsoft.com/en-gb/python/api/azure-graphrbac/azure.graphrbac.operations.usersoperations?view=azure-python#list-filter-none--custom-headers-none--raw-false----operation-config-

Example of list users with filters (not the one you want but as example):
https://github.com/Azure/azure-sdk-for-python/blob/e400440b2608537d78faad12544782381cca18f8/sdk/graphrbac/azure-graphrbac/tests/test_graphrbac.py#L132-L134

Let me know if this helps or not. If not, will try to ping the service team for insights.

Thanks!

Hi @lmazuel thanks for getting back to me.

I think you're right about going at it from the users end and filtering for those that have access to the SP, but I'm not sure how to use a filter to do so. I've had a look at:

https://docs.microsoft.com/en-gb/previous-versions/azure/ad/graph/api/entity-and-complex-type-reference#user-entity

which seems to give the list of declared properties that can be filtered, like displayName in your example. I can see a navigation property 'appRoleAssignments' which looks like it would do the job, but I'm a little confused about how I'd filter for that (I'm quite new to entities/properties etc. in Azure). Is this something you can provide an example for?

Thanks again!

Quick update, I gave it a go using the following (thought I was along the right lines):

```python
# Attempt to filter users by their app role assignments on the SP (filter rejected by the service, see below)
apps = graphrbac_client.users.list(filter="appRoleAssignments/any(c: c/objectId eq '5934a173-9c9d-4f70-87e1-5461a3d74936')")
for app in apps:
    print(app.display_name)
```

However that returned the error:
azure.graphrbac.models.graph_error_py3.GraphErrorException: Unsupported Query.

Final update from my end for now...

I've identified the exact Graph query through using Graph Explorer and it's the below:
https://graph.microsoft.com/v1.0/servicePrincipals//appRoleAssignedTo
Which gives us back app roles and the service principals they belong to, which we can then filter through.

This is exactly what we need and can probably get a workaround in a script just querying the Graph API. Wondering if you're able to add it into the SDK though as it seems like a really useful operation to have in there.
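As an added example (not code from the thread or from the SDK), this walks the Microsoft Graph `appRoleAssignedTo` collection named in the comment above, follows `@odata.nextLink` paging, and groups the assigned principals by type. The `fetch` callable, the service principal object ID and the two sample pages are constructed stand-ins for an authenticated HTTP GET against the real endpoint.

```python
import json
from collections import defaultdict
from typing import Callable, Dict, List

GRAPH = "https://graph.microsoft.com/v1.0"
SP_ID = "SP-OBJECT-ID-PLACEHOLDER"  # placeholder, not a real object ID
BASE = f"{GRAPH}/servicePrincipals/{SP_ID}/appRoleAssignedTo"

# Constructed sample: two pages shaped like Graph's appRoleAssignment
# responses. Principal IDs are placeholders.
SAMPLE_PAGES = {
    BASE: {
        "value": [
            {"principalType": "User", "principalDisplayName": "Alice Example",
             "principalId": "00000000-0000-0000-0000-000000000001"},
            {"principalType": "Group", "principalDisplayName": "Terraform Admins",
             "principalId": "00000000-0000-0000-0000-000000000002"},
        ],
        "@odata.nextLink": BASE + "?$skiptoken=page2",
    },
    BASE + "?$skiptoken=page2": {
        "value": [
            {"principalType": "ServicePrincipal", "principalDisplayName": "ci-pipeline",
             "principalId": "00000000-0000-0000-0000-000000000003"},
        ],
    },
}


def sample_fetch(url: str) -> dict:
    """Stand-in for an authenticated GET; a real fetch sends a bearer token."""
    return json.loads(json.dumps(SAMPLE_PAGES[url]))


def list_assigned_principals(sp_object_id: str,
                             fetch: Callable[[str], dict]) -> Dict[str, List[str]]:
    """Return {principalType: [principalDisplayName, ...]} for every
    assignment on the SP, following paging until no nextLink remains."""
    url = f"{GRAPH}/servicePrincipals/{sp_object_id}/appRoleAssignedTo"
    grouped: Dict[str, List[str]] = defaultdict(list)
    while url:
        page = fetch(url)
        for assignment in page.get("value", []):
            grouped[assignment["principalType"]].append(assignment["principalDisplayName"])
        url = page.get("@odata.nextLink")  # None on the last page
    return dict(grouped)


if __name__ == "__main__":
    print(list_assigned_principals(SP_ID, sample_fetch))
```

Groups appear as a single assignment entry; their members are not expanded here, so a full "who can sign in" review needs a separate group membership lookup for each group returned.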

Hi @ctolley2
May I ask you to try this RC SDK?
https://github.com/AzureSDKAutomation/azure-sdk-for-python/pull/2086

The diff is big since there are some generator updates, but there should be no breaking changes, just a new API for you under service_principals
