Migrate Azure AD features in Az.Synapse to MSGraph API (#16713)

* Migrate AAD Graph to MS Graph and update help doc
    -Set-AzSynapseSqlActiveDirectoryAdministrator
    -New-AzSynapseRoleAssignment
    -Get-AzSynapseRoleAssignment
    -Remove-AzSynapseRoleAssignment

* Update Get-AzSynapseRoleAssignment.md

* Update New-AzSynapseRoleAssignment.md

* Update Set-AzSynapseSqlActiveDirectoryAdministrator.md

* Update Remove-AzSynapseRoleAssignment.md

Co-authored-by: Jin Lei <[email protected]>

Author: yanjungao718

src/Synapse/Synapse/ChangeLog.md

@@ -20,6 +20,11 @@
 
 ## Upcoming Release
 * General availability of Az.Synapse
+* Migrated Azure AD features in Az.Synapse to MSGraph APIs. The cmdlets below called MSGraph API according to input parameters:
+    - `New-AzSynapseRoleAssignment` cmdlet
+    - `Get-AzSynapseRoleAssignment` cmdlet
+    - `Remove-AzSynapseRoleAssignment` cmdlet
+    - `Set-AzSynapseSqlActiveDirectoryAdministrator` cmdlet
 * Added a default value for [-AutoPauseDelayInMinute] parameter of command `New-AzSynapseSparkpool` and `Update-AzSynapseSparkpool`
 
 ## Version 0.19.0

src/Synapse/Synapse/Models/DataPlaneModels/AccessControl/SynapseAnalyticsRoleClient.cs

@@ -14,13 +14,15 @@
 
 using Azure.Analytics.Synapse.AccessControl;
 using Azure.Analytics.Synapse.AccessControl.Models;
+using Microsoft.Azure.Commands.Common.Authentication;
 using Microsoft.Azure.Commands.Common.Authentication.Abstractions;
 using Microsoft.Azure.Commands.Common.Exceptions;
+using Microsoft.Azure.Commands.Common.MSGraph.Version1_0;
+using Microsoft.Azure.Commands.Common.MSGraph.Version1_0.Applications;
+using Microsoft.Azure.Commands.Common.MSGraph.Version1_0.Applications.Models;
+using Microsoft.Azure.Commands.Common.MSGraph.Version1_0.Users.Models;
 using Microsoft.Azure.Commands.Synapse.Common;
 using Microsoft.Azure.Commands.Synapse.Properties;
-using Microsoft.Azure.Graph.RBAC.Version1_6;
-using Microsoft.Azure.Graph.RBAC.Version1_6.ActiveDirectory;
-using Microsoft.Azure.Graph.RBAC.Version1_6.Models;
 using System;
 using System.Collections.Generic;
 using System.Linq;
@@ -31,7 +33,7 @@ public class SynapseAnalyticsRoleClient
     {
         private readonly RoleAssignmentsClient _roleAssignmentsClient;
         private readonly RoleDefinitionsClient _roleDefinitionsClient;
-        private readonly ActiveDirectoryClient _activeDirectoryClient;
+        private readonly MicrosoftGraphClient _graphClient;
 
         public SynapseAnalyticsRoleClient(string workspaceName, IAzureContext context)
         {
@@ -44,7 +46,8 @@ public SynapseAnalyticsRoleClient(string workspaceName, IAzureContext context)
             Uri uri = new Uri("https://" + workspaceName + "." + suffix);
             _roleAssignmentsClient = new RoleAssignmentsClient(uri, new AzureSessionCredential(context));
             _roleDefinitionsClient = new RoleDefinitionsClient(uri, new AzureSessionCredential(context));
-            _activeDirectoryClient = new ActiveDirectoryClient(context);
+            _graphClient = AzureSession.Instance.ClientFactory.CreateArmClient<MicrosoftGraphClient>(context, AzureEnvironment.ExtendedEndpoint.MicrosoftGraphUrl);
+            _graphClient.TenantID = context.Tenant.Id.ToString();
         }
 
         public IReadOnlyList<RoleAssignmentDetails> ListRoleAssignments(string roleDefinitionId = null, string objectId = null, string scope = null)
@@ -110,14 +113,15 @@ public string GetObjectIdFromSignInName(string signInName)
                 return null;
             }
 
-            var odataQueryFilter = new Rest.Azure.OData.ODataQuery<User>(s => s.UserPrincipalName == signInName);
-            var user = _activeDirectoryClient.GraphClient.Users.List(odataQueryFilter.ToString()).SingleOrDefault();
+            var odataQueryFilter = new Rest.Azure.OData.ODataQuery<MicrosoftGraphUser>(s => s.UserPrincipalName == signInName);          
+            var user = _graphClient.FilterUsers(odataQueryFilter).SingleOrDefault();
+                
             if (user == null)
             {
                 throw new AzPSInvalidOperationException(String.Format(Resources.UserNameDoesNotExist, signInName));
             }
 
-            return user.ObjectId;
+            return user.Id;
         }
 
         public string GetObjectIdFromServicePrincipalName(string servicePrincipalName)
@@ -127,14 +131,14 @@ public string GetObjectIdFromServicePrincipalName(string servicePrincipalName)
                 return null;
             }
 
-            var odataQueryFilter = new Rest.Azure.OData.ODataQuery<ServicePrincipal>(s => s.ServicePrincipalNames.Contains(servicePrincipalName));
-            var servicePrincipal = _activeDirectoryClient.GraphClient.ServicePrincipals.List(odataQueryFilter.ToString()).SingleOrDefault();
+            var odataQueryFilter = new Rest.Azure.OData.ODataQuery<MicrosoftGraphServicePrincipal>(s => s.ServicePrincipalNames.Contains(servicePrincipalName));
+            var servicePrincipal = _graphClient.FilterServicePrincipals(odataQueryFilter).SingleOrDefault();
             if (servicePrincipal == null)
             {
                 throw new AzPSInvalidOperationException(String.Format(Resources.ServicePrincipalNameDoesNotExist, servicePrincipalName));
             }
 
-            return servicePrincipal.ObjectId;
+            return servicePrincipal.Id;
         }
 
         public string GetRoleDefinitionIdFromRoleDefinitionName(string roleDefinitionName)

src/Synapse/Synapse/Models/ManagementModels/SynapseAnalyticsManagementClient.cs

@@ -19,8 +19,6 @@
 using Microsoft.Azure.Commands.Synapse.Common;
 using Microsoft.Azure.Commands.Synapse.Properties;
 using Microsoft.Azure.Commands.Synapse.VulnerabilityAssessment.Model;
-using Microsoft.Azure.Graph.RBAC.Version1_6.ActiveDirectory;
-using Microsoft.Azure.Graph.RBAC.Version1_6.Models;
 using Microsoft.Azure.Management.Internal.Resources;
 using Microsoft.Azure.Management.Internal.Resources.Models;
 using Microsoft.Azure.Management.Internal.Resources.Utilities.Models;
@@ -30,7 +28,6 @@
 using Microsoft.Azure.Management.Synapse.Models;
 using Microsoft.Rest;
 using Microsoft.Rest.Azure;
-using Microsoft.Rest.Azure.OData;
 using Newtonsoft.Json;
 using Newtonsoft.Json.Linq;
 using System;
@@ -51,6 +48,10 @@
 using ErrorResponseException = Microsoft.Azure.Management.Synapse.Models.ErrorResponseException;
 using Microsoft.Azure.Commands.Synapse.Models.Auditing;
 using Microsoft.DataTransfer.Gateway.Encryption;
+using Microsoft.Azure.Commands.Common.MSGraph.Version1_0;
+using Microsoft.Azure.Commands.Common.MSGraph.Version1_0.Applications.Models;
+using Microsoft.Azure.Commands.Common.MSGraph.Version1_0.Groups.Models;
+using Microsoft.Rest.Azure.OData;
 
 namespace Microsoft.Azure.Commands.Synapse.Models
 {
@@ -62,7 +63,7 @@ public class SynapseAnalyticsManagementClient
         private readonly Guid _tenantId;
         private readonly SynapseManagementClient _synapseManagementClient;
         private readonly SynapseSqlV3ManagementClient _synapseSqlV3ManagementClient;
-        private ActiveDirectoryClient _activeDirectoryClient;
+        private MicrosoftGraphClient _graphClient;
         private ResourceManagementClient _resourceManagementClient;
         private StorageManagementClient _storageManagementClient;
         private MonitorManagementClient _monitorManagementClient;
@@ -88,20 +89,20 @@ public SynapseAnalyticsManagementClient(IAzureContext context)
 
             _monitorManagementClient = SynapseCmdletBase.CreateSynapseClient<MonitorManagementClient>(context,
                 AzureEnvironment.Endpoint.ResourceManager);
-        }
+        }   
 
-        public ActiveDirectoryClient ActiveDirectoryClient
+        public MicrosoftGraphClient GraphClient
         {
             get
             {
-                if (_activeDirectoryClient == null)
-                {
-                    _activeDirectoryClient = new ActiveDirectoryClient(Context);
+                if (_graphClient == null) {                     
+                    _graphClient = AzureSession.Instance.ClientFactory.CreateArmClient<MicrosoftGraphClient>(Context, AzureEnvironment.ExtendedEndpoint.MicrosoftGraphUrl);
+                    _graphClient.TenantID = Context.Tenant.Id.ToString();
                 }
-                return this._activeDirectoryClient;
+                return this._graphClient;
             }
-
-            set { this._activeDirectoryClient = value; }
+            
+            set { this._graphClient = value; }
         }
 
         public ResourceManagementClient ResourceManagementClient
@@ -422,19 +423,20 @@ private WorkspaceAadAdminInfo GetActiveDirectoryInformation(string displayName,
             Guid tenantId = _tenantId;
 
             // Check for a Azure Active Directory group. Recommended to always use group.
-            IEnumerable<PSADGroup> groupList = null;
-            PSADGroup group = null;
+            IEnumerable<MicrosoftGraphGroup> groupList = null;
 
-            var filter = new ADObjectFilterOptions()
+            MicrosoftGraphGroup group = null;
+
+            var filter = new MicrosoftObjectFilterOptions()
             {
                 Id = (objectId != null && objectId != Guid.Empty) ? objectId.ToString() : null,
                 SearchString = displayName,
                 Paging = true,
             };
 
             // Get a list of groups from Azure Active Directory
-            groupList = ActiveDirectoryClient.FilterGroups(filter).Where(gr => string.Equals(gr.DisplayName, displayName, StringComparison.OrdinalIgnoreCase));
-
+            groupList = GraphClient.FilterGroups(filter).Where(gr => string.Equals(gr.DisplayName, displayName, StringComparison.OrdinalIgnoreCase));
+            
             if (groupList != null && groupList.Count() > 1)
             {
                 // More than one group was found with that display name.
@@ -453,19 +455,19 @@ private WorkspaceAadAdminInfo GetActiveDirectoryInformation(string displayName,
             }
 
             // Lookup for serviceprincipals
-            ODataQuery<ServicePrincipal> odataQueryFilter;
+            ODataQuery<MicrosoftGraphServicePrincipal> odataQueryFilter;
 
             if ((objectId != null && objectId != Guid.Empty))
             {
                 var applicationIdString = objectId.ToString();
-                odataQueryFilter = new Rest.Azure.OData.ODataQuery<ServicePrincipal>(a => a.AppId == applicationIdString);
+                odataQueryFilter = new ODataQuery<MicrosoftGraphServicePrincipal>(a => a.AppId == applicationIdString);
             }
             else
-            {
-                odataQueryFilter = new Rest.Azure.OData.ODataQuery<ServicePrincipal>(a => a.DisplayName == displayName);
+            { 
+                odataQueryFilter = new ODataQuery<MicrosoftGraphServicePrincipal>(a => a.DisplayName == displayName);
             }
-
-            var servicePrincipalList = ActiveDirectoryClient.FilterServicePrincipals(odataQueryFilter);
+           
+            var servicePrincipalList = GraphClient.FilterServicePrincipals(odataQueryFilter);
 
             if (servicePrincipalList != null && servicePrincipalList.Count() > 1)
             {
@@ -475,7 +477,7 @@ private WorkspaceAadAdminInfo GetActiveDirectoryInformation(string displayName,
             else if (servicePrincipalList != null && servicePrincipalList.Count() == 1)
             {
                 // Only one user was found. Get the user display name and object id
-                PSADServicePrincipal app = servicePrincipalList.First();
+                MicrosoftGraphServicePrincipal app = servicePrincipalList.FirstOrDefault();
 
                 if (displayName != null && string.CompareOrdinal(displayName, app.DisplayName) != 0)
                 {
@@ -490,7 +492,7 @@ private WorkspaceAadAdminInfo GetActiveDirectoryInformation(string displayName,
                 return new WorkspaceAadAdminInfo()
                 {
                     Login = displayName,
-                    Sid = app.ApplicationId.ToString(),
+                    Sid = app.AppId.ToString(),
                     TenantId = tenantId.ToString()
                 };
             }
@@ -506,42 +508,42 @@ private WorkspaceAadAdminInfo GetActiveDirectoryInformation(string displayName,
             }
 
             // No group or service principal was found. Check for a user
-            filter = new ADObjectFilterOptions()
+            filter = new MicrosoftObjectFilterOptions()
             {
                 Id = (objectId != null && objectId != Guid.Empty) ? objectId.ToString() : null,
                 SearchString = displayName,
                 Paging = true,
             };
 
             // Get a list of user from Azure Active Directory
-            var userList = ActiveDirectoryClient.FilterUsers(filter).Where(gr => string.Equals(gr.DisplayName, displayName, StringComparison.OrdinalIgnoreCase));
+            var userList = GraphClient.FilterUsers(filter).Where(gr => string.Equals(gr.DisplayName, displayName, StringComparison.OrdinalIgnoreCase));
 
             // No user was found. Check if the display name is a UPN
             if (userList == null || userList.Count() == 0)
             {
                 // Check if the display name is the UPN
-                filter = new ADObjectFilterOptions()
+                filter = new MicrosoftObjectFilterOptions()
                 {
                     Id = (objectId != null && objectId != Guid.Empty) ? objectId.ToString() : null,
                     UPN = displayName,
                     Paging = true,
                 };
 
-                userList = ActiveDirectoryClient.FilterUsers(filter).Where(gr => string.Equals(gr.UserPrincipalName, displayName, StringComparison.OrdinalIgnoreCase));
+                userList = GraphClient.FilterUsers(filter).Where(gr => string.Equals(gr.UserPrincipalName, displayName, StringComparison.OrdinalIgnoreCase));
             }
 
             // No user was found. Check if the display name is a guest user. 
             if (userList == null || userList.Count() == 0)
             {
                 // Check if the display name is the UPN
-                filter = new ADObjectFilterOptions()
+                filter = new MicrosoftObjectFilterOptions()
                 {
                     Id = (objectId != null && objectId != Guid.Empty) ? objectId.ToString() : null,
                     Mail = displayName,
                     Paging = true,
                 };
 
-                userList = ActiveDirectoryClient.FilterUsers(filter);
+                userList = GraphClient.FilterUsers(filter);
             }
 
             // No user was found

src/Synapse/Synapse/help/Get-AzSynapseRoleAssignment.md

@@ -84,6 +84,11 @@ Get-AzSynapseRoleAssignment -WorkspaceObject <PSSynapseWorkspace> [-RoleDefiniti
 The **Get-AzSynapseRoleAssignment** cmdlet gets a Azure Synapse Analytics Role Assignment.
 If you do not specify a role definition or a user principal name, this cmdlet gets all role assignment.
 
+The cmdlet may call below Microsoft Graph API according to input parameters:
+
+* GET /users/{id}
+* GET /servicePrincipals/{id}
+
 ## EXAMPLES
 
 ### Example 1

src/Synapse/Synapse/help/New-AzSynapseRoleAssignment.md

@@ -71,6 +71,11 @@ New-AzSynapseRoleAssignment -WorkspaceObject <PSSynapseWorkspace> -RoleDefinitio
 ## DESCRIPTION
 The **New-AzSynapseRoleAssignment** cmdlet creates an Azure Synapse Analytics role assignment.
 
+The cmdlet may call below Microsoft Graph API according to input parameters:
+
+* GET /users/{id}
+* GET /servicePrincipals/{id}
+
 ## EXAMPLES
 
 ### Example 1

src/Synapse/Synapse/help/Remove-AzSynapseRoleAssignment.md

@@ -83,6 +83,11 @@ Remove-AzSynapseRoleAssignment -WorkspaceObject <PSSynapseWorkspace> -RoleDefini
 ## DESCRIPTION
 The **Remove-AzSynapseRoleAssignment** cmdlet permanently deletes an Azure Synapse Analytics role assignment.
 
+The cmdlet may call below Microsoft Graph API according to input parameters:
+
+* GET /users/{id}
+* GET /servicePrincipals/{id}
+
 ## EXAMPLES
 
 ### Example 1

src/Synapse/Synapse/help/Set-AzSynapseSqlActiveDirectoryAdministrator.md

@@ -61,6 +61,12 @@ Microsoft accounts, such as those in the Outlook.com, Hotmail.com, or Live.com d
 Other guest accounts, such as those in the Gmail.com or Yahoo.com domains, are not supported as administrators.
 We recommend that you provision a dedicated Azure AD group as an administrator.
 
+The cmdlet may call below Microsoft Graph API according to input parameters:
+
+* GET /users/{id}
+* GET /servicePrincipals/{id}
+* GET /groups/{id}
+
 ## EXAMPLES
 
 ### Example 1