Using Managed EWS API ResolveName to get contact's Azure object ID - azure

I am successfully using ResolveName to get most of the contact information I need.
Below is the code I am using:
using Microsoft.Exchange.WebServices.Data;
// Resolve against the directory only (not the local Contacts folder) and return the contact's first-class properties
PropertySet itempropertyset = new PropertySet(BasePropertySet.FirstClassProperties);
NameResolutionCollection match = await mailClient.Service.ResolveName(customerEmail, ResolveNameSearchLocation.DirectoryOnly, true, itempropertyset);
I am querying against my Office365/Azure AD tenant.
One of the values I need is not being returned though.
I would like to get the user/contact's Object ID as shown in the Azure Portal - Azure Active Directory - Users - Basic Info screen.
Is that possible using EWS Managed API?
Regards.

You cannot get an Azure AD user's object ID using the EWS Managed API. Alternatively, you can make use of the Microsoft Graph API.
I tried to reproduce the same in my environment via Graph Explorer and got the results below:
I have an Azure AD user named Sri in my tenant with the properties below:
To get the Azure AD user's details via the Graph API, I ran the query below:
GET https://graph.microsoft.com/v1.0/users/user_principal_name
Response:
To get only the object ID of an Azure AD user, you can include $select in the query like below:
GET https://graph.microsoft.com/v1.0/users/user_principal_name?$select=id
Response:
Before running the above queries, make sure to grant consent to the required permissions like below:
Go to Graph Explorer -> Modify permissions -> Click on Consent
You will get a consent screen; click on Accept like below:
After granting the consent, you can run the queries successfully.
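The lookup the answer above describes, written out as a script that can be run from the same code base as the EWS call. This is an added example, not code from the answer. It assumes a Graph access token carrying User.ReadBasic.All or User.Read.All has already been obtained, that the address EWS returned is either the user's mail or userPrincipalName (aliases in proxyAddresses would need a further filter clause), and that `send` is any fetch-compatible function; the sample response, IDs and domain are constructed placeholders, not a real tenant.

```javascript
// Added example (not from the original answer): map a mailbox address obtained from
// EWS ResolveName to the Azure AD object ID with Microsoft Graph.
// Assumptions: `token` is a Graph token carrying User.ReadBasic.All or User.Read.All;
// `send` is fetch-compatible (returns { status, json() }); tenant data is constructed.
const GRAPH = "https://graph.microsoft.com/v1.0";

// OData string literals are single-quoted and escape a quote by doubling it.
// Without this, an attacker-chosen address such as "x' or mail ne 'x" rewrites the filter.
function odataLiteral(value) {
  return "'" + String(value).replace(/'/g, "''") + "'";
}

// Match on mail or userPrincipalName; $select=id keeps the response to the attribute
// we need (least data returned, least to log or leak).
function buildLookupUrl(email) {
  const lit = odataLiteral(email);
  const filter = `mail eq ${lit} or userPrincipalName eq ${lit}`;
  return `${GRAPH}/users?$filter=${encodeURIComponent(filter)}&$select=id,userPrincipalName`;
}

// No entries is a normal outcome (external contact, guest without mail); more than one
// entry means the address is ambiguous and must not be silently mapped to the first hit.
function extractObjectId(body) {
  const hits = body && Array.isArray(body.value) ? body.value : [];
  if (hits.length === 0) return null;
  if (hits.length > 1) throw new Error(`ambiguous address: ${hits.length} users match`);
  return hits[0].id;
}

async function resolveObjectId(email, token, send) {
  const res = await send(buildLookupUrl(email), {
    headers: { Authorization: `Bearer ${token}`, Accept: "application/json" },
  });
  if (res.status === 200) return extractObjectId(await res.json());
  // 401: token missing or expired; 403: permission not consented. Surface Graph's error code.
  const err = await res.json().catch(() => ({}));
  throw new Error(`Graph returned ${res.status}: ${(err.error && err.error.code) || "unknown"}`);
}

// Constructed sample of a Graph collection response (placeholder ID, not a real tenant).
const SAMPLE_RESPONSE = {
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(id,userPrincipalName)",
  value: [{ id: "11111111-2222-3333-4444-555555555555", userPrincipalName: "sri@contoso.example" }],
};

// Fake transport so this file runs offline; pass `fetch` instead for a live tenant.
function fakeSend(url) {
  const body = url.includes("sri%40contoso.example") ? SAMPLE_RESPONSE : { value: [] };
  return Promise.resolve({ status: 200, json: () => Promise.resolve(body) });
}

resolveObjectId("sri@contoso.example", "dummy-token", fakeSend).then((id) => console.log(id));
```

The filter escaping matters because the address comes from a mailbox, i.e. from whoever sent the message; treat it as untrusted input to the query, not as a constant.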

Related

Getting list of all documents from share point

I am trying to implement functionality where I can get a list of documents from SharePoint. I have tried this demo code from the Azure directory implementation, logged in to an account, and also got details about sites and user data from the Graph API.
https://github.com/Azure-Samples/ms-identity-android-kotlin
I am able to get site data from the Graph API:
But when I try to get the list, I get an error or no value.
I have also passed this authorization token to the REST API, but that doesn't work either.
You can try with the scope Sites.ReadWrite.All instead of User.Read. I tested it using Graph Explorer and got access denied because the scope permission was not consented; after I consented to the permission, it worked.
Example 1:
Before Consent:
After Consent:
I have created a test list on the Communication Site.
After that, when I query for lists, I successfully get the one I created above.
Example 2 :
I also tested it using an application registered in Azure AD. It didn't return any error or any value either when I queried for lists from PowerShell using that app's credentials.
After I added Sites.ReadWrite.All to the app's API permissions,
I can successfully get the values of the lists.
To summarize, it can be resolved in 2 ways:
Changing the scope shown in the screenshot you gave to Sites.ReadWrite.All instead of User.Read.
Adding API permissions for Microsoft Graph to the app registration in Azure AD, as shown in the second image of example 2.

Using custom attributes to store additional information about a user in Azure AD B2C

I would like to store additional information about users in my Azure AD B2C instance. What I did is the following:
I've created a new custom attribute, and the name of this attribute is Producer.
I've added all required permissions for a new application registration which is intended to use the Azure AD B2C API through the Graph API.
I call the Graph API to set a custom attribute for one of the users: POST https://graph.microsoft.com/v1.0/users/{user-id} with the following data, according to this example:
{
"officeLocation": "US",
"extension_XXX_Producer": "AN"
}
When I try to query information about this user by using the Graph API: GET https://graph.microsoft.com/v1.0/users/{user-id}, I do not get anything like my custom attribute.
After reading the Azure AD B2C documentation, it seems like custom attributes can be activated only if I add them to one of the user flows, but that is not what our business wants. They would like to have another UI and product be responsible for custom attribute management, which is why I would like to use the Graph API for custom attribute management.
Could you please recommend how I can manage custom attributes without including them in Azure AD B2C user flows?
I also found a couple of resources where people recommend using the Azure AD Graph API, but Microsoft tells me in Azure that this API is legacy (I've checked it and it works, but I have some concerns because of the legacy API):
I looked at the document example you provided and noticed that the example is a demonstration with Azure Active Directory Graph, so I suggest you also try Azure Active Directory Graph. When you use the API to query user information, it looks like this:
https://graph.windows.net/{tenant}.onmicrosoft.com/users/{user_id}?api-version=1.6
Before that, as the document says, you need to obtain an access token for the API, and when granting permissions, you need to grant Azure Active Directory Graph permissions to the application.
AAD Graph is an older API that only allows access to directory data, and some of its functions have been migrated from AAD Graph to Microsoft Graph. But in some cases, we can only achieve the requirements through AAD Graph.
Please see: The difference between AAD Graph and Microsoft Graph.
What I've done:
Add a custom attribute (for example Producer) using the Azure Portal AD B2C.
Add this attribute in the Application claims of the sign-in user flow.
Use the Graph API to list the extension properties of the b2c-extensions-app ("b2c-extensions-app. Do not modify. Used by AADB2C for storing user data."), which is where the custom attributes are stored; read https://learn.microsoft.com/en-us/azure/active-directory-b2c/extensions-app, https://learn.microsoft.com/en-us/graph/api/resources/extensionproperty?view=graph-rest-beta and https://learn.microsoft.com/en-us/graph/api/application-list-extensionproperty?view=graph-rest-beta&tabs=http.
client is an initialized Microsoft Graph client, appObjectId is the Object ID of the b2c-extensions-app:
async function getExtensionProperties(client, appObjectId) {
return await client
.api(`/applications/${appObjectId}/extensionProperties`)
.version('beta')
.get();
}
The response should contain a line like:
name: 'extension_<Application (client) ID of the b2c-extensions-app without the dashes>_Producer'
This is the name of the custom attribute as an extension property.
Use the Graph API to set your custom attribute on a user.
id is the user Object ID in AD, attributes is { "extension_<Application (client) ID of the b2c-extensions-app without the dashes>_Producer": "your_value" }
async function updateUser(client, id, attributes) {
return await client
.api(`/users/${id}`)
.version('beta')
.header("content-type", "application/json")
.patch(attributes);
}
When logging in using the sign-in user flow in the browser with MSAL, myMSALObj.getAccount().extension_Producer is now set to the custom attribute value (note: extension_Producer without the Application ID between extension and Producer).
This answer https://learn.microsoft.com/en-us/answers/questions/21843/how-to-set-custom-claims-for-a-user-in-azure-ad-b2.html from amanpreetsingh-msft has been a great help to solve this.
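The three steps of the answer above (find the extension property name, set it on the user, read it back) written out end to end. This is an added example, not code from the answer. It assumes a @microsoft/microsoft-graph-client `Client` whose token carries Application.Read.All and User.ReadWrite.All, that the b2c-extensions-app still has its default display name, and that the application IDs, user ID and the attribute name "Producer" are placeholders; the in-memory client at the bottom is a constructed stand-in so the file runs offline. It updates the user with PATCH, which is the verb Graph expects for a user update, and reads the value back with an explicit $select so the check does not depend on which properties Graph returns by default.

```javascript
// Added example, not from the answer above: end-to-end handling of a B2C custom
// attribute ("Producer") stored as a Microsoft Graph directory extension.
// Assumptions: `client` is an initialized @microsoft/microsoft-graph-client Client with
// Application.Read.All and User.ReadWrite.All; all IDs below are placeholders.

// Directory extensions are named extension_<Application (client) ID without dashes>_<attribute>.
function extensionPropertyName(extensionsAppClientId, attribute) {
  const compact = extensionsAppClientId.replace(/-/g, "").toLowerCase();
  if (!/^[0-9a-f]{32}$/.test(compact)) throw new Error("expected the Application (client) ID, a GUID");
  if (!/^[A-Za-z0-9]+$/.test(attribute)) throw new Error("attribute names are alphanumeric");
  return `extension_${compact}_${attribute}`;
}

// Locate the b2c-extensions-app by its fixed display-name prefix. Returns the object ID
// (used in /applications/{id}) and the client ID (used in the extension name).
async function findExtensionsApp(client) {
  const page = await client
    .api("/applications")
    .filter("startswith(displayName,'b2c-extensions-app')")
    .select("id,appId,displayName")
    .get();
  if (!page.value || page.value.length !== 1) throw new Error("b2c-extensions-app not found or not unique");
  return { objectId: page.value[0].id, clientId: page.value[0].appId };
}

// Confirm the attribute was created in the portal; a PATCH with an unknown property fails.
async function extensionPropertyExists(client, appObjectId, propName) {
  const page = await client.api(`/applications/${appObjectId}/extensionProperties`).get();
  return (page.value || []).some((p) => p.name === propName);
}

async function setCustomAttribute(client, userId, propName, value) {
  await client.api(`/users/${userId}`).patch({ [propName]: value });
}

async function readCustomAttribute(client, userId, propName) {
  const user = await client.api(`/users/${userId}`).select(`id,${propName}`).get();
  return user[propName];
}

async function roundTrip(client, userId, attribute, value) {
  const app = await findExtensionsApp(client);
  const propName = extensionPropertyName(app.clientId, attribute);
  if (!(await extensionPropertyExists(client, app.objectId, propName))) {
    throw new Error(`${propName} is not defined; create the custom attribute in the B2C portal first`);
  }
  await setCustomAttribute(client, userId, propName, value);
  return readCustomAttribute(client, userId, propName);
}

// Constructed in-memory stand-in for the Graph client (placeholder IDs) so this file runs offline.
const FAKE_APP_OBJECT_ID = "aaaaaaaa-0000-0000-0000-000000000001";
const FAKE_APP_CLIENT_ID = "bbbbbbbb-0000-0000-0000-000000000002";
const FAKE_USER_ID = "cccccccc-0000-0000-0000-000000000003";
function makeFakeClient() {
  const store = {
    "/applications": { value: [{ id: FAKE_APP_OBJECT_ID, appId: FAKE_APP_CLIENT_ID,
      displayName: "b2c-extensions-app. Do not modify. Used by AADB2C for storing user data." }] },
    [`/applications/${FAKE_APP_OBJECT_ID}/extensionProperties`]: {
      value: [{ name: extensionPropertyName(FAKE_APP_CLIENT_ID, "Producer") }] },
    [`/users/${FAKE_USER_ID}`]: { id: FAKE_USER_ID },
  };
  return {
    api(path) {
      const req = {
        filter() { return req; }, select() { return req; }, version() { return req; },
        async get() { return store[path]; },
        async patch(body) { Object.assign(store[path], body); },
      };
      return req;
    },
  };
}

roundTrip(makeFakeClient(), FAKE_USER_ID, "Producer", "AN").then((v) => console.log(v));
```

With a real client the same `roundTrip` call is all that changes; the existence check before the PATCH turns the silent "nothing comes back" symptom from the question into an explicit error naming the missing extension property.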

How to query another Azure Active Directory tenant from Graph Explorer

I am using the Azure Graph API Explorer. I want to query the apps list in a tenant. I am a user in tenant_x (where the user was originally created) as well as an admin in tenant_y (created later with my user). I understand that when I log in I go directly to the origin tenant (so tenant_x); therefore Graph Explorer does not allow me to query tenant_y. So as admin of tenant_y I have added a new user in tenant_y. I now log in with that user, but I am still not able to query the applications that are in tenant_y. So how can I query apps in tenant_y? Is there a way? Thanks.
The API I am calling (with new user log-in) to first retrieve all applications:
https://graph.microsoft.com/beta/applications
Response is:
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#applications",
"value": []
}
Of course I have apps in that tenant.
Based on our communication, you have used a personal account as a guest of tenant_y to query the apps list in tenant_y.
Unfortunately, Microsoft Graph Explorer will not recognize your personal account as a guest user. It will still treat it as a personal account.
So it will query the apps list for the personal account rather than tenant_y.
So now you have two choices:
1. Create a new user in tenant_y by following "add a new user", and then use this new user to log into Microsoft Graph Explorer to query the apps list.
2. Implement "Get access on behalf of a user" and make sure that you call the {your tenant} endpoint rather than the common endpoint while requesting the access token. And you should use another tool (for example Postman) instead of Microsoft Graph Explorer.
Update:
You can modify the permissions in Microsoft Graph Explorer like this:
Click on the "modify permissions" under your username in Microsoft Graph Explorer and check the Directory.Read.All permission.
Today that's possible if you pass the tenant query string parameter like this:
https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=mydomainname.onmicrosoft.com
Note that you need to logout before going to this URL with the tenant query string. It'll ask you to login again. After login you can issue queries against the other tenant you have access to (not your home tenant where your account was originally created on).
If you get a 401 while running the specific query, make sure you grant the required permissions on "Modify permissions" tab and click the Consent button in each required permission. After that your query should return a 200 success result.
Graph Explorer today does not support signing in to a tenanted endpoint. A tenanted endpoint has the following format:
https://login.microsoftonline.com/{tenantId}/V2.0
Once your user account from tenant_x is made a guest user in tenant_y, to query tenant_y effectively with that guest account, an app (like Graph Explorer) has to sign you in to the other tenant. Instead, Graph Explorer uses the /common endpoint, which will always sign you in to your home tenant (tenant_x).
The only available workaround is to quickly develop an application, sign in to a tenant of your choice and run APIs in it.
Graph Explorer is a tool to help developers discover and learn about the Graph API and thus might shy away from introducing too much complexity. But it does not hurt to ask for this feature at their GitHub repo.
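A check that covers both the consent problem from the SharePoint-lists answer earlier on this page and the home-tenant problem discussed in this thread: before calling Graph, decode the access token's payload and look at `aud`, `tid` and the granted permissions. This is an added example, not code from any of the answers. It assumes Node.js and a Graph access token in compact JWS form; the tenant IDs and the unsigned sample tokens are constructed placeholders. The decode does not verify the signature, so it is a local diagnostic only and must never be used as an authorization decision.

```javascript
// Added example, not from any answer above: inspect the claims of the Graph access token
// you are about to send, to explain an empty/403 result (scope never consented) or a
// query that landed in the home tenant (token issued via /common, wrong `tid`).
// The payload is decoded WITHOUT signature verification: diagnostic use only.

function decodeJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a compact JWS");
  const b64 = parts[1].replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return JSON.parse(Buffer.from(padded, "base64").toString("utf8"));
}

// Delegated tokens carry space-separated scopes in `scp`; app-only tokens carry `roles`.
function grantedPermissions(payload) {
  const scp = typeof payload.scp === "string" ? payload.scp.split(" ") : [];
  const roles = Array.isArray(payload.roles) ? payload.roles : [];
  return new Set([...scp, ...roles].filter(Boolean));
}

// Microsoft Graph's audience is its URL (v1 tokens) or its application ID (v2 tokens).
const GRAPH_AUDIENCES = ["https://graph.microsoft.com", "00000003-0000-0000-c000-000000000000"];

// Returns a list of human-readable problems; an empty list means the token should work.
function checkToken(token, { expectedTenantId, anyOf }) {
  const p = decodeJwtPayload(token);
  const problems = [];
  if (!GRAPH_AUDIENCES.includes(p.aud)) {
    problems.push(`audience is ${p.aud}, not Microsoft Graph`);
  }
  if (expectedTenantId && p.tid !== expectedTenantId) {
    problems.push(`issued by tenant ${p.tid}, expected ${expectedTenantId}; sign in via https://login.microsoftonline.com/${expectedTenantId}/v2.0 instead of /common`);
  }
  const have = grantedPermissions(p);
  if (!anyOf.some((s) => have.has(s))) {
    problems.push(`none of [${anyOf.join(", ")}] granted; consent to one of them first`);
  }
  return problems;
}

// Constructed, unsigned token for illustration only (the signature segment is a dummy).
function makeFakeToken(payload) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc({ alg: "none", typ: "JWT" })}.${enc(payload)}.dummysignature`;
}

const SITES_SCOPES = ["Sites.Read.All", "Sites.ReadWrite.All"];
const sample = makeFakeToken({ aud: GRAPH_AUDIENCES[1], tid: "tenant-y", scp: "User.Read profile" });
console.log(checkToken(sample, { expectedTenantId: "tenant-y", anyOf: SITES_SCOPES }));
```

Read `tid` against the tenant you meant to query, not against the account's home tenant: a guest account signed in through /common produces a perfectly valid token for the wrong tenant, which is exactly the empty `"value": []` seen in the question.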

AD additional attribute synced to AAD extension attribute not showing up on AAD user object

Can someone please help me with the following? Thanks in advance.
I set up AD Connect in a lab, and my lab Active Directory users are syncing OK to my lab Azure AD.
I then went through the Azure AD Connect setup wizard a second time to sync 'custom sync options', chose 'Directory Extension Attribute Sync', and chose to sync two additional attributes (for testing): the Active Directory attributes 'adminCount' and 'carLicense'. I have a domain admin user called Craig who has his adminCount attribute set to 1, and I added a value for carLicense.
When I check Get-ADSyncGlobalSettings
I can see under Microsoft.OptionalFeature.DirectoryExtensionAttributes the carLicense and adminCount listed (among other attributes), so it looks like AD Connect should sync these two attributes from AD to Azure AD, right?
However, even after restarting AD Connect and doing a delta sync too, I still do not see these attributes on my Azure AD user when I do Get-AzureADUser -SearchString Graig | select -ExpandProperty extensionproperty
There is no sign of the adminCount or carLicense attributes or their values in the output
Please advise, where am I going wrong?
Do I need an Azure AD P2 license or something to sync additional built-in Active Directory attributes?
I also set up a separate custom rule to sync an AD attribute to extension13 of the AAD user class.
The above appears in the Metaverse under AD Connect OK (with the correct values populated).
However, they do not appear on the AAD user object, as above. Any ideas please?
Thanks in advance
CXMelga
I also set up a separate custom rule to sync an AD attribute to extension13 of the AAD user class.
If you sync the extension attribute to extensionAttribute13, you are unable to get it via the Azure AD PowerShell cmdlet Get-AzureADUser.
extensionAttribute13 belongs to onPremisesExtensionAttributes, which is a property of the User object only in Microsoft Graph, but the AzureAD PowerShell module calls the Azure AD Graph API, and onPremisesExtensionAttributes is not a property of the User in AAD Graph.
So if you want to get the attribute, here are two solutions for you to refer to.
1. Use Microsoft Graph - Get a user to do that; use the query below in Microsoft Graph Explorer. Or if you want to use PowerShell, your option is to call MS Graph from PowerShell with Invoke-RestMethod; a sample is here.
GET https://graph.microsoft.com/v1.0/users/<object-id of the user>?$select=onPremisesExtensionAttributes
2. When you use Azure AD Connect to sync, edit the outbound synchronization rule as below. In your case, it should be like extension_3e2cd06ca3494546888b069a891b4bb6_adminCount. See this link for more details.
Then you will be able to get the extension attribute with the command below (I recommend not using the -SearchString parameter; sometimes it returns nothing).
Get-AzureADUserExtension -ObjectId <object-id of the user>
Or
Get-AzureADUser -ObjectId <object-id of the user> | select -ExpandProperty extensionproperty

Not able to fetch subscription details

I have a multi-tenant Azure application. When I try to fetch subscription details using the Azure Management API, it always gives null.
I have followed all the steps except step 3 mentioned in this post:
Fetching VM details from multiple tenants
It seems that you are trying to get Azure subscription information.
Try with REST API:
GET https://management.azure.com/subscriptions
Note: Refer to these docs, then click on the Try it section.
See the screenshot:
Click on Try it. You will be prompted to log in with your credentials. After that you will be given the option of which tenant you want to get subscriptions for. In the response you would get your information like below:
