Ok, so I created a custom role and I put this script into it.
param(
[Security.ClaimsPrincipal]$User
)
<#
Policies should return $true or $false to determine whether the user has the particular
claim that require them for that role.
#>
Import-Module ActiveDirectory
# Check if a user is in a specific Active Directory group
$ADGroup = "Test Group"
# Get the members of the group
$Members = Get-ADGroupMember -Identity $ADGroup
# Check if the user is in the group
if ($Members.SamAccountName -contains $User) {
$true
}
Else {
$false
}
But after I login with my user account that is part of that group is not added to the role.
Policy authentication, to my knowledge, does not appear in the Identities menu if that is where you are looking for the role to appear. If you create a test resource (app, script, endpoint, etc) and assign that new role to it, then test that sign-in process, can you confirm the user is unable to see the resource?
@parzog
Ok, I tested that and it still wonât allow me to use the app. I created an app with the same code to do a UDToast and it confirmed that my account is in the AD group so it worked as expected code wise but not within the role.
Update: I added create file calls in my script to see if it will generate files to see if it is actually running and it didnât generate any file so I am not sure what I am missing for the script to be called.
Can you share the code of the test app? If they can get to the point where the Show-UDToast is working it seems like the role is working, provided that role is assigned via the above policy and to the app in question.
New-UDApp -Title 'Test App' -Content {
Import-Module ActiveDirectory
# Check if a user is in a specific Active Directory group
$ADGroup = "Test Group"
# Get the members of the group
$Members = Get-ADGroupMember -Identity $ADGroup
# Check if the user is in the group
$Split = $User.Split('@')[0]
if ($Members.SamAccountName -contains $Split) {
Show-UDToast -Message "$User in AD Group" -Persistent
}
Else {
Show-UDToast -Message "$User Not in AD Group $($Members.SamAccountName)" -Persistent
}
}
It looks like it is working⌠So, confirm for me the following:
The test user has no roles manually configured on the Identities page
The test user is able to sign in
The test user is able to navigate to this app and launch it
If all of these things are true, then it looks like the policy authentication with custom roles is working properly. There is another forum post that can be found here referencing how to set an authorization flow for custom roles, if that is more conducive to your needs.
Sorry, I donât feel as though I can be (or have been, rather) much help here - there are a lot of factors that Iâm having to assume while writing these and itâs a question now of how to get down to where the issue actually lies.
@parzog
Ok, so I have my test account and my admin account they are both in the AD group. Admin account can get to the app so I can confirm that toast message works as expected. My test account always get âUnauthorized Accessâ and I donât see the files getting created.
@parzog
Ok,so I was digging around and I found this log.
[9/30/2024 3:17:32 PM] [Error] [Security-roles.ps1] Could not find a part of the path âC:\Temp\authresults2.txtâ.
[9/30/2024 3:17:32 PM] [Error] [Security-roles.ps1] Method invocation failed because [Security.ClaimsPrincipal] does not contain a method named âSplitâ.
[9/30/2024 3:17:31 PM] [Error] [Security-roles.ps1] Could not find a part of the path âC:\Temp\authresults.txtâ.
[9/30/2024 3:17:31 PM] [Error] [Security-roles.ps1] Could not find a part of the path âC:\Temp\authresults2.txtâ.
[9/30/2024 3:17:31 PM] [Error] [Security-roles.ps1] Method invocation failed because [Security.ClaimsPrincipal] does not contain a method named âSplitâ.
[9/30/2024 3:17:29 PM] [Error] [Security-roles.ps1] Could not find a part of the path âC:\Temp\authresults.txtâ.
Ah - nice catch. I didnât even think about that. I would try this on app load so you can see the user properties:
Write-Output "$($User | gm)"
That way you can find the available properties of the Security.ClaimsPrincipal type in the browser console. My guess would be that the text representation of the username is something like $User.Username but I could be wrong.
Bit of a redirect there, my apologies. Found the documentation for what I was talking about in the documentation here. However, if youâre searching through AD, using their UPN as it shows up in the top right corner of the screen should in most environments pull the correct user. If you still need to split like that, you can try the following to access the userâs name:
$UserName = $User.Identity.Name
Then, call .split() on the $UserName instead.
Actually your first option did work as well. I just had to log out and log back in for it to process correctly.
$Split = $User.Username.Split(â@â)[0]
if ($Members.SamAccountName -contains $Split) {
$true
New-Item -ItemType File -Name âauthresults1.txtâ -Path âC:\Tempâ
}
Else {
$false
New-Item -ItemType File -Name âauthresults2.txtâ -Path âC:\Tempâ
}
But yes Thank you very much for your time looking at this!!!