In my application, I have a list of users with their organization email-id. As per the requirement, I want to check user's email-id extension is of a valid Microsoft 365 account. For users who passed this check, I want to enable the SSO feature.
Example: If the user email-id is "user@company-domain.com" then I want to check that "@company-domain.com" is registered in MS 365.
I am not able to find any graph API to resolve this issue.
Any help would be appreciated.
What you should be able to use is the Organizations endpoint, e.g.
https://learn.microsoft.com/en-us/graph/api/organization-get?view=graph-rest-1.0&tabs=http
then use the verifiedDomains node:
"verifiedDomains": [
  {
    "capabilities": "Email, OfficeCommunicationsOnline",
    "isDefault": true,
    "isInitial": true,
    "name": "Contoso.com",
    "type": "Managed"
  }
]
This is what you see in the Portal or enumerated in things like Azure AD Connect
This will give you the verified domains for a particular org and your app will need permissions to query it.
I want to be able to create a new user in our Azure B2C instance using their preferred email address as the username they will use when accessing our web portal.
I'm using the Invitation Microsoft Graph API to invite new users. This sends them an email and they then sign up with us. This however assigns them a unique username using a combination of their email and our domain, i.e. myemail_adomain.com#EXT#@our_verified_domain.com.
This leads to a terrible UX as users need to remember this very unmemorable username. Remembering passwords is enough of a challenge for users as it is.
If I create a user inside the Azure B2C portal I can give them any email address I want and not one of our verified domains using Create Azure AD B2C user
I want to be able to use this method but via an API.
The first 2 options, Create and Invite user, are available via the Microsoft Graph Invitations API
and the Create User API but I can't find a way to do option 3.
The Create API won't allow unverified domains and the Invite API creates the unique username which is very user unfriendly.
Does anyone know how I can do this?
The other option is to get them to signup themselves via a signup user flow but I'd rather avoid this as I want control over who is allowed to sign up.
• You can surely create a user in Azure AD B2C tenant through Microsoft Graph API by following the below documentation link for that purpose: -
https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http
Ensure that you have ‘User.ReadWrite.All’ and ‘Directory.ReadWrite.All’ permissions for ‘Application’ and ‘Delegated’ permissions type and the same permissions are consented for Microsoft Graph API in the explorer also with ‘Admin Consent’. Once, these are done, then execute the below command in Graph API as shown below: -
POST https://graph.microsoft.com/v1.0/users
Content-type: application/json

{
  "accountEnabled": true,
  "displayName": "Adele Vance",
  "mailNickname": "AdeleV",
  "userPrincipalName": "AdeleV@contoso.onmicrosoft.com",
  "passwordProfile": {
    "forceChangePasswordNextSignIn": true,
    "password": "xWwvJ]6NMw+bWH-d"
  }
}
As you can see, I don’t have sufficient privileges, so I can’t create a user in Azure AD B2C tenant.
The output will be as below after successful execution of the above Graph API command: -
HTTP/1.1 201 Created
Content-type: application/json

{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
  "id": "87d349ed-44d7-43e1-9a83-5f2406dee5bd",
  "businessPhones": [],
  "displayName": "Adele Vance",
  "givenName": "Adele",
  "jobTitle": "Product Marketing Manager",
  "mail": "AdeleV@contoso.onmicrosoft.com",
  "mobilePhone": "+1 425 555 0109",
  "officeLocation": "18/2111",
  "preferredLanguage": "en-US",
  "surname": "Vance",
  "userPrincipalName": "AdeleV@contoso.onmicrosoft.com"
}
I'm following the Microsoft tutorial Create a user (local or social account). So I'm trying to create a user from HTTP call, for this I'm sending a similar payload to the tutorial:
{
  "accountEnabled": true,
  "creationType": "LocalAccount",
  "displayName": "Alex Wu",
  "passwordProfile": {
    "password": "Test1234",
    "forceChangePasswordNextLogin": false
  },
  "signInNames": [
    {
      "type": "userName",
      "value": "AlexW"
    },
    {
      "type": "emailAddress",
      "value": "alexw@gmail.com"
    }
  ],
  "userIdentities": [
    {
      "issuer": "google.com",
      "issuerUserId": "MATxTNg5MzYyMzMyMNY1Njc="
    }
  ]
}
My question is how I can generate the issuerUserId, as it is necessary for the Google provider to recognize the user. I'm trying with a random value encoded with base64, but when I run the user flow the user is created again with a duplicate email. I suppose Google doesn't recognize the issuerUserId.
Update:
Based on Allen Wu's answer:
issuerUserId is a unique user identifier for the issuer. You can set any valid string (don't be duplicate) for it.
I create this issuerUserId with a valid string: 12345678909823456789
As before, I create the user successfully and the source shows as Google:
But when I want to log in the account with Google provider
The user is duplicated:
I assume that instead of launching the sign-in process, Azure/Google doesn't recognize the account's issuerUserId and launches the sign-up process; for that reason I think the issuerUserId might need to be created by Google.
Some notes:
I changed the emails to demo emails, but that is the current behavior.
I'm only using Google authentication; I'm not using the email and password fields of the login, because the purpose of the app is only Social Authentication (Google specifically).
I'm using Sign up and sign in (Recommended) user type flow.
If you have more thoughts about issuerUserId that can help me, let me know; I'll really appreciate it.
It's not true.
Based on my test, the user flow won't create a new user which has a duplicate email. (the previous user is created via AAD Graph)
issuerUserId is a unique user identifier for the issuer. You can set any valid string (don't be duplicate) for it.
And Google / Facebook or any other social IdP won't verify it, because this user is created in B2C. It's a B2C local account ("creationType": "LocalAccount").
Creating a B2C local account doesn't mean this user has been created in Google.
I guess that you add Google idp into the user flow and are trying to create a new user in Google rather than B2C.
You should click on the "Sign up now" in user flow to create the local account. Kindly check it.
Update:
As I have mentioned above, the user you created with Azure AD Graph is a B2C local account. You should use the default sign-in feature to log into that user. B2C will verify your credential.
But when you click on the "Google" to sign in, in fact the Google will verify your credential and will associate your Google account to a new B2C account. It's not a local account.
So they are two different accounts. You can verify this by changing the password of the B2C local account. After changing the password, you still need to use the old password to sign in with the "Google" option. But you will need to use the new password to sign in with the first user (B2C local account).
You can use GET https://graph.windows.net/myorganization/users?api-version to get the two users and find that the issuerUserId of them are different.
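The two-accounts situation the answer describes can be checked in code rather than by changing passwords. The following is an added example, not part of the answer: it works on the Microsoft Graph `identities` collection (signInType / issuer / issuerAssignedId) instead of the older AAD Graph signInNames / userIdentities fields, assumes that the e-mail collected at social sign-up lands in `otherMails` (that depends on the user flow's claim mapping), and runs over constructed sample user objects.

```python
"""Tell B2C local accounts and federated (social) accounts apart and find
directory objects that share an e-mail address.

Added example, not code from the answer above. Uses the Microsoft Graph
`identities` collection; assumes the e-mail collected at social sign-up is
stored in `otherMails`. All user objects below are constructed sample data.
"""

# Constructed sample: two directory objects the poster would see as the
# "same" user. The first is a local account created through Graph, the second
# was created by the user flow when the person signed in with Google.
SAMPLE_USERS = [
    {
        "id": "11111111-1111-1111-1111-111111111111",
        "displayName": "Alex Wu",
        "creationType": "LocalAccount",
        "otherMails": [],
        "identities": [
            {"signInType": "emailAddress", "issuer": "contoso.onmicrosoft.com",
             "issuerAssignedId": "Alex.Wu@example.com"},
            {"signInType": "userPrincipalName", "issuer": "contoso.onmicrosoft.com",
             "issuerAssignedId": "cpim_1111@contoso.onmicrosoft.com"},
        ],
    },
    {
        "id": "22222222-2222-2222-2222-222222222222",
        "displayName": "Alex Wu",
        "creationType": None,
        "otherMails": ["alex.wu@example.com"],
        "identities": [
            {"signInType": "federated", "issuer": "google.com",
             "issuerAssignedId": "SAMPLE-GOOGLE-SUBJECT-ID"},
            {"signInType": "userPrincipalName", "issuer": "contoso.onmicrosoft.com",
             "issuerAssignedId": "cpim_2222@contoso.onmicrosoft.com"},
        ],
    },
]

LOCAL_SIGN_IN_TYPES = {"emailAddress", "userName"}


def classify_account(user):
    """'local' if B2C itself holds the credential, 'federated' if an external
    identity provider authenticates the user, otherwise 'unknown'."""
    types = {ident.get("signInType") for ident in user.get("identities", [])}
    if types & LOCAL_SIGN_IN_TYPES:
        return "local"
    if "federated" in types:
        return "federated"
    return "unknown"


def external_issuers(user):
    """Issuers of federated identities, e.g. {'google.com'}."""
    return {i["issuer"] for i in user.get("identities", [])
            if i.get("signInType") == "federated"}


def sign_in_emails(user):
    """E-mail addresses tied to the account, lower-cased: the emailAddress
    sign-in identity plus otherMails and mail when present."""
    emails = {i["issuerAssignedId"] for i in user.get("identities", [])
              if i.get("signInType") == "emailAddress"}
    emails.update(user.get("otherMails") or [])
    if user.get("mail"):
        emails.add(user["mail"])
    return {e.lower() for e in emails}


def find_email_collisions(users):
    """Map each e-mail claimed by more than one directory object to the list
    of those objects (id, kind, external issuers)."""
    by_email = {}
    for user in users:
        for email in sign_in_emails(user):
            by_email.setdefault(email, []).append({
                "id": user["id"],
                "kind": classify_account(user),
                "issuers": sorted(external_issuers(user)),
            })
    return {e: hits for e, hits in by_email.items() if len(hits) > 1}


if __name__ == "__main__":
    for email, hits in find_email_collisions(SAMPLE_USERS).items():
        print(email)
        for h in hits:
            print(f"  {h['id']}  {h['kind']:10} {','.join(h['issuers']) or '-'}")
```

Feeding the objects returned by a users listing into `find_email_collisions` shows the local account and the federated account side by side, which is the "two different accounts" the answer talks about; the federated one carries the identity provider's own subject id, not a value you chose.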
To add users to our Azure Organization, we go to this page https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/AllUsers and then create or invite a new user.
Is it possible to do it via a REST API? I looked into their REST API docs https://learn.microsoft.com/en-us/rest/api/apimanagement/ but I couldn't find this information anywhere.
You can do this using Azure Graph API. In this link you can find an example for creating a user using the Graph API and here is the quick start guide for this API.
Basically, it looks like follows:
POST https://graph.windows.net/myorganization/users?api-version
Authorization: Bearer {token}
Content-type: application/json

{
  "accountEnabled": true,
  "displayName": "Alex Wu",
  "mailNickname": "AlexW",
  "passwordProfile": {
    "password": "Test1234",
    "forceChangePasswordNextLogin": false
  },
  "userPrincipalName": "Alex@a830edad9050849NDA1.onmicrosoft.com"
}
You can find the Graph API reference to create users here. The Graph API quick-start can help you with sample code on how to do it.
You would need to make sure that you have user creation rights in the Azure AD where you are trying to create users. Generally, your account must have the User Account Administrator role or the Global Admin role in the directory.
I have two requirements that seem to conflict:
Use the email as the username.
Allow users to change their email.
The problem: if you configure the directory to use the email as the username then the edit profile policy does NOT show the email to allow you to change it.
Any solution I think of is a kludge and involves creating a whole new local account for the user.
Any ideas or suggestions?
You'll need to use the Azure AD Graph API to update the 'User' entity.
You can do this via Microsoft Graph now too.
Example:
PATCH https://graph.microsoft.com/v1.0/users/{UUID}

{
  "identities": [
    {
      "signInType": "emailAddress",
      "issuer": "xxxx.onmicrosoft.com",
      "issuerAssignedId": "{new email address}"
    }
  ]
}
The possibilities have changed and @pswillies' answer is not true anymore.
It is possible to change the sign-in name of local accounts where the sign-in name is an email address.
See this official sample: https://github.com/azure-ad-b2c/samples/tree/master/policies/change-sign-in-name
It is using custom policies.
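Building the PATCH body from the earlier answer by hand is where mistakes happen, so here is an added example (not from either answer nor from the linked sample) that constructs it from the account's current identities. It rests on one assumption to verify against the current user-update documentation: that the PATCHed `identities` collection replaces the stored one, so every identity the account should keep (for example a federated Google identity) is sent back too, while the userPrincipalName identity, which the directory manages itself, is left out. The identities below are constructed sample data.

```python
"""Build the Microsoft Graph PATCH body that changes a local account's
e-mail sign-in name.

Added example, not code from the answers above. Assumption: the PATCHed
`identities` collection replaces the stored one, so other identities are
preserved explicitly and the userPrincipalName entry is omitted.
"""
import json
import re

# Minimal shape check for the new sign-in name: local@domain.tld, no spaces.
_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")

# Constructed sample: identities of a local account that also has a linked
# Google identity.
SAMPLE_IDENTITIES = [
    {"signInType": "emailAddress", "issuer": "contoso.onmicrosoft.com",
     "issuerAssignedId": "old.address@example.com"},
    {"signInType": "federated", "issuer": "google.com",
     "issuerAssignedId": "SAMPLE-GOOGLE-SUBJECT-ID"},
    {"signInType": "userPrincipalName", "issuer": "contoso.onmicrosoft.com",
     "issuerAssignedId": "cpim_1111@contoso.onmicrosoft.com"},
]


def build_sign_in_email_patch(identities, new_email, issuer):
    """Return the JSON body for PATCH /users/{id} that swaps the emailAddress
    identity issued by `issuer` for `new_email`.

    Raises ValueError when the address is malformed or the account has no
    such identity, so a typo cannot silently become a failed or partial
    update. The input list is not modified."""
    if not _EMAIL_RE.match(new_email):
        raise ValueError(f"not an e-mail address: {new_email!r}")
    new_identities = []
    replaced = False
    for ident in identities:
        kind = ident.get("signInType")
        if kind == "userPrincipalName":
            continue  # managed by the directory; not part of the update
        if kind == "emailAddress" and ident.get("issuer") == issuer:
            ident = {**ident, "issuerAssignedId": new_email}
            replaced = True
        new_identities.append(ident)  # keep federated and other identities
    if not replaced:
        raise ValueError(f"no emailAddress identity for issuer {issuer!r}")
    return {"identities": new_identities}


if __name__ == "__main__":
    body = build_sign_in_email_patch(
        SAMPLE_IDENTITIES, "new.address@example.com", "contoso.onmicrosoft.com")
    print("PATCH https://graph.microsoft.com/v1.0/users/{UUID}")
    print(json.dumps(body, indent=2))
```

Sending the returned body with the caller's bearer token performs the change; the issuer must be the B2C tenant's own domain, since the emailAddress identity is issued by the tenant, not by the mail provider.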
I want to know if there is a way to retrieve the registered domain(s) for a tenant through REST API for Sharepoint/Office365.
Consider this scenario;
I have a tenant named abc.pqr and the URL for the "my" site (OneDrive) is abc-my.sharepoint.com.
Now when I create a user for this tenant, the UI panel gives the option to select a domain for this account. Available options are;
1) @abc.pqr
2) @abc.onmicrosoft.com
Now, the problem is, if I have a user of this sort, testUser@abc.onmicrosoft.com, how do I find out the registered domain for this tenant? Which in my case is abc.pqr.
Is there a way to find this through REST API?
Sounds like what you want to know is the list of verified domains in your Azure Active Directory tenant. (Azure AD is the directory service behind Office 365 and other Microsoft online services.)
The Azure AD Graph API—AAD's REST API—can provide this for you. In your case, the GET request you would want to make is:
https://graph.windows.net/abc.onmicrosoft.com/tenantDetails
Note: you can use either the tenant ID or any verified domain of the tenant instead of abc.onmicrosoft.com. The tenant ID can be obtained from the tid claim in the access token.
The JSON response will include something like this:
"verifiedDomains": [
  {
    "capabilities": "None",
    "default": true,
    "id": "0007ABE0983098",
    "initial": false,
    "name": "abc.pqr",
    "type": "Managed"
  },
  {
    "capabilities": "Email, OfficeCommunicationsOnline",
    "default": false,
    "id": "0007ABE0983098",
    "initial": true,
    "name": "abc.onmicrosoft.com",
    "type": "Managed"
  }
]
(There's a useful Quickstart for the Azure AD Graph API that shows how to start playing around with AAD Graph API, and the GraphExplorer.)
If you're using .NET, there is a full sample at https://github.com/AzureADSamples/WebApp-GraphAPI-DotNet. (More samples for other languages and platforms at https://github.com/AzureADSamples.)
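Both this answer and the first answer on the page (the Microsoft Graph organization endpoint) come down to the same thing: compare the domain part of an address against the tenant's verifiedDomains list. Here is an added example, not code from either answer, that does that comparison on the Microsoft Graph response shape (isDefault / isInitial; the AAD Graph tenantDetails shape differs only in field names). The organization response is constructed sample data, and the match is deliberately an exact, case-insensitive one rather than a suffix check.

```python
"""Decide whether an e-mail address belongs to a tenant's verified domains.

Added example, not code from the answers above. Works on the "verifiedDomains"
node returned by GET https://graph.microsoft.com/v1.0/organization; the
response below is constructed sample data, not a real tenant.
"""
import json

# Constructed sample in the shape of the organization endpoint's response.
SAMPLE_ORG_RESPONSE = json.loads("""
{
  "value": [
    {
      "id": "00000000-0000-0000-0000-000000000000",
      "displayName": "Contoso (sample)",
      "verifiedDomains": [
        {"capabilities": "Email, OfficeCommunicationsOnline", "isDefault": true,
         "isInitial": true,  "name": "contoso.onmicrosoft.com", "type": "Managed"},
        {"capabilities": "Email, OfficeCommunicationsOnline", "isDefault": false,
         "isInitial": false, "name": "Contoso.com", "type": "Managed"}
      ]
    }
  ]
}
""")


def email_domain(address):
    """Return the domain part of `address`, lower-cased, or None when the
    address is not of the plain form local@domain with exactly one '@'."""
    if not isinstance(address, str) or address.count("@") != 1:
        return None
    local, domain = address.strip().split("@")
    if not local or not domain or any(c.isspace() or c == "/" for c in domain):
        return None
    return domain.lower()


def verified_domain_index(org_response):
    """Map each verified domain name (lower-cased) to its verifiedDomains
    entry; entries from every organization object in the response are merged."""
    index = {}
    for org in org_response.get("value", []):
        for entry in org.get("verifiedDomains", []):
            index[entry["name"].lower()] = entry
    return index


def match_verified_domain(address, org_response):
    """Return the verifiedDomains entry whose name equals the address's whole
    domain, or None. Because the match is exact, neither
    user@contoso.com.attacker.example nor user@sub.contoso.com is accepted
    for a tenant that verified only contoso.com."""
    domain = email_domain(address)
    if domain is None:
        return None
    return verified_domain_index(org_response).get(domain)


def is_tenant_email(address, org_response):
    """True when the address's domain is one of the tenant's verified domains."""
    return match_verified_domain(address, org_response) is not None


if __name__ == "__main__":
    for addr in ("alice@Contoso.com", "bob@contoso.onmicrosoft.com",
                 "eve@contoso.com.attacker.example", "mallory@@contoso.com"):
        print(f"{addr:36} -> {is_tenant_email(addr, SAMPLE_ORG_RESPONSE)}")
```

If the check gates SSO enablement, as in the first question on the page, the exact match matters: a naive `endswith("contoso.com")` would also accept `notcontoso.com`, and a substring check would accept addresses that merely contain the domain somewhere.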