I can get the direct groups that an Azure user is in using this API. I want to get the direct groups that an Azure application is in. When I add an application into a group, it is displayed as a service principle. And I can see that there is an API to get direct memberOf list for a service principle. But I do not see an API that get the group list for an application. What am I missing?
To get the list of groups that an application is a memberOf, you can make use of below query by including microsoft.graph.group:
GET https://graph.microsoft.com/v1.0/servicePrincipals/<SP_objectID>/memberOf/microsoft.graph.group?$select=id,displayName,createdDateTime
I tried to reproduce the same in my environment and got the below results:
I have an Azure AD application named TestApp and added it to the groups like below:
Likewise, I added that application to Group2 and Group3 as well.
To get the list of groups that this application is a memberOf, I ran the below query and got results successfully as below:
GET https://graph.microsoft.com/v1.0/servicePrincipals/<SP_objectID>/memberOf/microsoft.graph.group?$select=id,displayName,createdDateTime
Response:
You can also use below query where you will get only list of group IDs that an application is a memberOf like below:
POST https://graph.microsoft.com/v1.0/servicePrincipals/<SP_objectID>/getMemberGroups
{
"securityEnabledOnly": true
}
Response:
Related
I am trying to implement functionality where I can get list of documents from share-point.I have tried this demo code from Azure directory implementation and login to account and also got details about sites and user data from graph API.
https://github.com/Azure-Samples/ms-identity-android-kotlin
I am able to get site data from graph API :
But when I am trying to get list then getting error or no value
I have also passed this authorization token to REST API but that too doesn't work.
You can try with scope Sites.ReadWrite.All instead of User.read, as I tested it using Graph Explorer and I got access denied as the scope permission was not consented. After I consent the permission, it worked .
Example 1:
Before Consent:
After Constent:
I have created a test list on the Communication Site.
After that when I query for lists , I successfully get the above one I created.
Example 2 :
I also tested it using a Application registered to Azure AD. It didn't return me any error or any value as well when I queried for lists using that app's credential's from Powershell.
After I add Sites.ReadWrite.All to the App's API permission's .
I can successfully get the Values of the lists.
To summarize it , it could be resolved in 2 ways :
Changing the Scope shown on the screenshot given by you to Sites.ReadWrite.All instead of User.Read.
Adding API permissions to the APP registration in the Azure AD for Microsoft Graph as shown in the example 2 second image.
Afternoon all
Trying to get a logic app to run a query on a log analytics workspace and email the results on a weekly basis. Created a service principal, and have given it Reader access at Subscriptions level and I'm allowed to create the connection, but when I try to populate the drop down in Designer, it's throwing with an error:
Could not retrieve values. Error executing the api '/listSubscriptions'. Client request id: 'undefined'
As seen here: https://imgur.com/a/CDp1g6L
I was following this guide, and it's failing to populate those list boxes:
https://thomasthornton.cloud/2020/11/09/log-analytics-queries-to-csv-emailed-using-azure-logic-apps
Tried temporarily giving it permissions as subscription Owner, same deal. Also the same error with the logic app's own System Managed Identity. Got it to work in a different subscription by using my global admin ID, but I don't want to do that as it's of course dependent on that account and it's way too privileged.
I also tried editing in the correct values in code view, just in case it was only some enumeration error, but the test run fails with:
"Message": "Failed to get valid request parameters. Authorization Error
In my other subscription, I also tried giving the account permissions at the root Tenant level, in case it was purely unable to evaluate all subscriptions, but no joy, same error when using Managed Identities or Service Principals.
I'm at a loss. Any ideas?
I have saved some of the users in azure ad and now trying to get the properties of the users. For this I am using below api:
1. https://graph.microsoft.com/v1.0/users/
Documentation: https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http
The above API responds with the default properties, so if you want to get more properties, you have to specifically mention them in the request like:
2. https://graph.microsoft.com/v1.0/users/?$select=userPrincipalName,givenName,surname,businessPhones,officeLocation,companyName
Now the above api is giving me the appropriate response but it only list down the user which are on first page. If you want to get the list of all the users, then you need to mention top in your request like:
3. https://graph.microsoft.com/v1.0/users?$top=998
Above api will give you all the user list. But I am unable to understand how can I merge the 2 and 3 so that it gives me all the user list but the properties which I have mentioned. Thanks
Just try this:
GET https://graph.microsoft.com/v1.0/users/?$select=userPrincipalName,givenName,surname,businessPhones,officeLocation,companyName&$top=998
Using & to connect all query params
Result:
I want to make the user login in my custom application and Get the list of Tenants and Once I Get i want to make other Graph API calls like getting list of Azure Resource Groups etc
I want to build a similar experience just like we see in Microsoft Documentation (Try It) section. So that to get details from Users Azure Account i wont have to create Azure AD application in their Subscription
For e.g.
I'm new to azure active directory and I'm trying to implement a group based access mechanism in my mvc5 (C#) app. I have the Azure side sorted, my users are assigned to groups but I want to be able to determine which group they are in to control access to areas within the web app. (similar to roles based access)
so I need something like this
if (User.IsInGroup("Admin") || User.IsIngroup("Creator"))
{
//do something here
}
there are only 2 groups so I don't really need roles. I've looked at a few options using the graph api and they seem like massive overkill for what I'm trying to achieve. Whats the best way to implement this ? Do I need to implement the graph API ? Id appreciate any advice
You could enable Group Claims in Azure AD app, that will makes it simple to enable access management using AD groups. To enable your application to receive group claims :
1.In your application page, click on "Manifest" to open the inline manifest editor.
2.Edit the manifest by locating the "groupMembershipClaims" setting, and setting its value to "All" (or to "SecurityGroup" if you are not interested in Distribution Lists).
3.Save the manifest.
Then when user login , you will get the groups information in token ,but it will return the object id of group(that is unique identity, group name could be changed).Please click here and here for more details , also see the new groups claim sample published in the Azure AD samples github repo: https://github.com/AzureADSamples/WebApp-GroupClaims-DotNet
Please let me know if it helps .