How can I get it via MS graph API?
Attributes & Claims
You can get this by calling graph API via access token. see the Microsoft doc: https://learn.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http
Related
When I attempt to retrieve the sAMAccountName from Azure AD via Microsoft Graph and oAuth, the attribute is not returned.
I am trying to retrieve the onPremisesSamAccountName through oAuth from Microsoft Graph on my Azure AD tenant. My local domain syncs with Azure, and I have selected the sAMAccountName directory extension for syncing. However, when I make my GET request to the Graph REST URI, I get back the correct user object, but I don't get back the onPremisesSamAccountName.
Here is my request:
https://graph.windows.net/myorganization/users/user#domain.com?api_version=1.6
That request returns the user object with a truckload of properties. When I try the following (in the hopes of "$select"ing the field, Microsoft returns the metadata URL--which actually contains the onPremisesSamAccountName property definition.
https://graph.windows.net/myorganization/users/user#somain.com?api-version=1.6&$select=onPremisesSamAccountName
Am I not formatting my query correctly? In the Azure AD portal, I have the following API permissions specified:
You can use Microsoft Graph API to get onPremisesSamAccountName property. Here is the Microsoft Graph explorer.
https://graph.microsoft.com/v1.0/users/{userObjectId}?$select=onPremisesSamAccountName
By the way, the permissions you granted are Microsoft graph api permissions, not Azure AD graph api permissions. Azure AD graph is different from Microsoft Graph. It is recommended to use Microsoft Graph API.
I have an ASP.NET Core WebApi which uses Azure AD Bearer Tokens (passed by the Frontend, acquired using adal.js).
Currently, we are using the Azure AD Graph API and everything works fine.
As recommended by Microsoft, we would like to migrate from Azure AD Graph API to Microsoft Graph.
I changed the audience from https://graph.windows.net to https://graph.microsoft.com both in the API and Frontend. I can successfully acquire a token, which looks almost the same as the old one when decrypted in jwt.io, but when I pass it to the API I get:
Bearer was not authenticated. Failure message: IDX10503: Signature validation failed. Keys tried: 'Microsoft.IdentityModel.Tokens.X509SecurityKey
Did I miss something? As far as I know, it should be possible to sign in using the Microsoft Graph, right?
If I understood correctly, you have configured your API audience as the MS Graph API audience.
You should not do this.
Firstly MS Graph API access tokens are bit special and you should not try to validate them,
secondly because your API is not MS Graph API.
Your front-end should acquire an access token for your API.
This requires you to configure your API audience as either its client id or Application ID URI (or both).
Azure AD allows the front-end to acquire the token using either of those.
The API can then exchange that for an MS Graph API token using the On-Behalf-Of flow.
I'm working on accessing personal documents of users using the API provided by Microsoft Graph, but I am having issue with authentication.
According to this documentation I can simply create an application, set the right scopes (etc.) and then aquire an access token for a given user - this is working perfectly right now.
Querying URLs like https://graph.microsoft.com/v1.0/me/drives works - I get a https://onedrive.live.com drive as a result.
What the API doesn't return is data about a second drive on https://{tenant}-my.sharepoint.com. I have tried accessing this data using the API Endpoint: https://{tenant}-my.sharepoint.com/_api/v2.0 using the Microsoft Graph authentication token. This returns the following error:
{
"error_description": "Unsupported security token."
}
How do I access the API of such an Office 365 OneDrive?
The sharepoint.com/_api/v2.0 API is not a Microsoft Graph API and it doesn't support Converged Auth tokens from the v2 Endpoint.
Accessing SharePoint Drives uses the same API as OneDrive and OneDrive for business:
/v1.0/sites/{siteId}/drives
For example, if you had a team site named "AwesomeTeam" you retrieve a list of drives for that site using:
/v1.0/sites/root/:/teams/AwesomeTeam:/drives
i have an application currently using the Azure AD Graph API. I would like to start migrating the app to Microsoft Graph. However, i would like to reuse the bearer tokens for hitting both the Azure AD Graph API and Microsoft Graph API.
how can i accomplish this? as currently it seems as if the apps must be registered in different portals for the different api's respectively.
it seems as if the apps must be registered in different portals for the different api's respectively
This is not consistent with my experience. I have registered my Application in Azure Active Directory.
Using the Azure portal, I am able to get permissions to both the Microsoft Graph Api and the Windows Azure Active Directory API.
i would like to reuse the bearer tokens for hitting both the Azure AD Graph API and Microsoft Graph API.
You cannot use the same token for both the Azure AD Graph API and Microsoft Graph API.
In my code, I receive an access token via the following call:
AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(
authorizationCode,
redirectUri,
CreateClientCredential(),
resourceString
);
The resourceString parameter is either https://graph.windows.net/ for the AD Graph API, or https://graph.microsoft.com for the Microsoft Graph API.
They are distinct resources, so you must manage two tokens, applying the appropriate token for each API call.
Currently I am referring to this link for generating the token -
Token generation for using OneNote API
Is it possible to use Azure v2.0 authentication principle and use that tokens to access OneNote api's which will ease out process for authentication as single authentication model can be used for both consumer and enterprise apps.
Yes, if you are accessing OneNote Apis from Microsoft Graph endpoint.
Refer to - https://developer.microsoft.com/en-us/graph/docs/authorization/converged_auth for more information on this.
You should use Microsoft Graph APIs - OneNote and Graph APIs are really the same thing under a different interface.