Querying Graph API as app, but for some situations as user, or how to do RBAC filtering
In my project I am using Graph API and authenticate like this:
services.AddAuthentication(JwtBearerDefaults.AuthenticationScheme)
    .AddMicrosoftIdentityWebApi(Configuration)
    .EnableTokenAcquisitionToCallDownstreamApi()
    .AddMicrosoftGraph(Configuration.GetSection("GraphApi"))
    .AddMicrosoftGraphAppOnly(authenticationProvider => new GraphServiceClient(authenticationProvider))
    .AddInMemoryTokenCaches();
As you can see, the GraphServiceClient will then be injected into my service, and I am using it like this, as an example with the Graph SDK:
var roleGroups = await _graphServiceClient.Groups[cityId].Members.Request().GetAsync();
Because of our own logic, my API uses Graph API as an app, and the web front end authenticates against my API using Azure authentication.
My project works wonderfully, but in the next stage I need to query managed devices from Intune (managedDevice) or other things. Here I need the ability to see, as an example, only the devices the user has access rights (scopes) to in Intune.
Since I have a lack of knowledge here, does anyone know a way to call Graph API for this situation as the user (on behalf of), or can anyone advise how the RBAC works to filter devices on RBAC rules?
In SCCM this was an easy task before, because the database had an underlying function for RBAC filtering, but for Intune I don't know how it works.
Thanks a lot
EDIT: One way I solved it for now, which will work but is against dependency injection.
The web app is getting a token for my API and, in addition, one on behalf of the user for Graph API.
Then the web app sends me both.
I will then take the token for Graph API and create a GraphClient like this:
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Graph;

// Builds a GraphServiceClient that attaches a caller-supplied Graph token
// to every request (the token was obtained by the web app, not by this API).
private static GraphServiceClient GetClient(string accessToken)
{
    var delegateAuthProvider = new DelegateAuthenticationProvider(requestMessage =>
    {
        requestMessage.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        return Task.CompletedTask;
    });
    return new GraphServiceClient(delegateAuthProvider);
}
With this I have a Graph client on behalf of the user in addition to the client as app.
Does anyone have an idea how to solve this in a dependency injection way?
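The following is an added example, not code from the question or from Microsoft.Identity.Web, showing the on-behalf-of (OBO) variant wired through dependency injection. The API keeps the app-only GraphServiceClient it already has and registers a second, request-scoped client that uses ITokenAcquisition.GetAccessTokenForUserAsync to exchange the token the front end sent for this API into a delegated Graph token. That way the API never has to accept a token whose audience is Graph from the client, and when Graph is called with a delegated token, Intune evaluates the signed-in user's role assignments and scope tags, so the managed-device list comes back already filtered. The wrapper type UserGraphClient, the extension method AddUserGraphClient, the service class ManagedDeviceService and the scope DeviceManagementManagedDevices.Read.All are assumptions made for the example; whether the delegated client that AddMicrosoftGraph registers survives the later AddMicrosoftGraphAppOnly registration of the same type depends on the library version, which is why the delegated client gets its own type here.

```csharp
using System.Collections.Generic;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Graph;
using Microsoft.Identity.Web;

// Assumed wrapper type: lets the delegated (OBO) client be injected
// side by side with the app-only GraphServiceClient already registered.
public sealed class UserGraphClient
{
    public GraphServiceClient Client { get; }
    public UserGraphClient(GraphServiceClient client) => Client = client;
}

public static class UserGraphClientRegistration
{
    // Delegated Intune scope assumed for this example. It must be granted on the
    // API's app registration; the user's Intune role assignment then limits the result.
    private static readonly string[] IntuneScopes = { "DeviceManagementManagedDevices.Read.All" };

    // Assumed extension method; call it once after the AddMicrosoftIdentityWebApi chain.
    public static IServiceCollection AddUserGraphClient(this IServiceCollection services)
    {
        // Scoped: one client per incoming request, bound to the caller of that request.
        return services.AddScoped(sp =>
        {
            var tokenAcquisition = sp.GetRequiredService<ITokenAcquisition>();
            var authProvider = new DelegateAuthenticationProvider(async request =>
            {
                // OBO: exchange the token presented to this API for a Graph token
                // for the same user. No Graph token has to come from the front end.
                string accessToken = await tokenAcquisition.GetAccessTokenForUserAsync(IntuneScopes);
                request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
            });
            return new UserGraphClient(new GraphServiceClient(authProvider));
        });
    }
}

// Assumed service: shows both clients injected and used for their own purposes.
public class ManagedDeviceService
{
    private readonly GraphServiceClient _appClient;   // app-only, sees everything
    private readonly UserGraphClient _userClient;     // delegated, Intune RBAC applies

    public ManagedDeviceService(GraphServiceClient appClient, UserGraphClient userClient)
    {
        _appClient = appClient;
        _userClient = userClient;
    }

    // Returns only the managed devices the signed-in user may see in Intune,
    // walking all pages of the collection.
    public async Task<List<ManagedDevice>> GetDevicesForCallerAsync()
    {
        var devices = new List<ManagedDevice>();
        var page = await _userClient.Client.DeviceManagement.ManagedDevices.Request().GetAsync();
        while (page != null)
        {
            devices.AddRange(page.CurrentPage);
            page = page.NextPageRequest == null ? null : await page.NextPageRequest.GetAsync();
        }
        return devices;
    }
}
```

Register it with `services.AddUserGraphClient();` after the existing authentication chain. If the user has not consented to the delegated scope, Microsoft.Identity.Web throws a MicrosoftIdentityWebChallengeUserException from GetAccessTokenForUserAsync; the web front end should handle that by obtaining consent rather than the API falling back to the app-only client, since that fallback would silently bypass the Intune RBAC filtering this flow exists for.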
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow