Can I add attributes to the new MS Graph REST API v1.0 response?

I'm struggling with the MS graph rest api v1.0
The body of the new response gives fewer attributes than the Azure Graph REST API.
Is it possible to change the response body so that we can add attributes? For example, identities:
"identities": [
    {
        "signInType": "emailAddress",
        "issuer": "xxxxx.onmicrosoft.com",
        "issuerAssignedId": "xxx#mail.com"
    }
]
Is it possible to show this in the GET User response?
https://graph.microsoft.com/v1.0/users/{ID | UPN}

You can get these 3 details in the MS Graph REST API beta version, not in the v1.0 REST API. v1.0 shows far fewer properties because v1.0 is supported for production workloads: Microsoft is not going to break the API contract and will keep the services behind it up and running. The beta endpoint is where Microsoft makes new things available to get some feedback. It is not meant for production workloads.
Note: Microsoft Graph is also more secure and resilient than Azure AD Graph. For this reason, Azure AD Graph has been on a deprecation path since June 30, 2020, and will be retired in the near future as we move all investments to Microsoft Graph.

Related

Accessing 'preview feature' properties of enterprise application in Microsoft Azure

My subscription has the preview feature enabled.
I created an application in Microsoft Azure.
To access the claims preview feature of the application, I edited the URL by adding '?feature.claimseditorpreview=true'.
I also added some custom claims to 'Claims (preview)'.
Now I would like to access the preview feature of the application's claims using the REST API.
I tried to reproduce the same in my environment and got the below results:
You can retrieve the list of claims mapping policy that is applied to a Service Principal/Azure AD Enterprise Application.
To create claims mapping policy, please try the below query in Microsoft Graph Explorer:
POST https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies
{
    "definition": [
        "{\"ClaimsMappingPolicy\":{\"Version\":1,\"IncludeBasicClaimSet\":\"true\", \"ClaimsSchema\": [{\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/Role\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/RoleSessionName\"}, {\"Value\":\"900\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/SessionDuration\"}, {\"Source\":\"user\",\"ID\":\"assignedroles\",\"SamlClaimType\": \"appRoles\"}, {\"Source\":\"user\",\"ID\":\"userprincipalname\",\"SamlClaimType\": \"https://aws.amazon.com/SAML/Attributes/nameidentifier\"}]}}"
    ],
    "displayName": "Test Claims Policy",
    "isOrganizationDefault": false
}
Claims mapping policy will be created like below:
To assign the created policy to a Service principal, execute the below query:
POST https://graph.microsoft.com/v1.0/servicePrincipals/servicePrincipalObjectID/claimsMappingPolicies/$ref
{
    "@odata.id": "https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/PolicyID"
}
A response of 204 will be returned if successful:
To retrieve the claims mapping policy, switch to beta:
GET https://graph.microsoft.com/beta/servicePrincipals/servicePrincipalObjectID/claimsMappingPolicies
Unfortunately, listing Attributes & Claims for an Azure Service Principal is not possible.
Please refer to this MS Doc, which describes the possible methods on an Azure Service Principal.
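The claims mapping policy body above has a pitfall: `definition` is a list that holds the policy as a JSON string inside the JSON request. This added example (not code from the answer or from Microsoft) builds that body from a plain schema list, decodes one back for review, and lists which user attributes a policy releases to the application; the schema entries are the AWS ones from the answer.

```python
"""Added example (not from the answer or Microsoft's docs): build the POST
body for /policies/claimsMappingPolicies and decode one back for review."""
import json


def build_claims_mapping_policy(display_name, claims_schema, include_basic=True):
    """Request body for the POST above. 'definition' is a list holding the
    policy as a JSON string, so the policy is serialised a second time."""
    policy = {"ClaimsMappingPolicy": {
        "Version": 1,
        "IncludeBasicClaimSet": "true" if include_basic else "false",
        "ClaimsSchema": claims_schema}}
    return {"definition": [json.dumps(policy)],
            "displayName": display_name,
            "isOrganizationDefault": False}


def parse_claims_schema(body):
    """Decode a policy body (as posted, or as returned by GET) back into its
    ClaimsSchema list, rejecting entries with no target claim or no source."""
    definition = body["definition"]
    if not isinstance(definition, list) or len(definition) != 1:
        raise ValueError("definition must be a one-element list")
    schema = json.loads(definition[0])["ClaimsMappingPolicy"]["ClaimsSchema"]
    for entry in schema:
        if not {"SamlClaimType", "JwtClaimType"} & set(entry):
            raise ValueError(f"claim has no SamlClaimType/JwtClaimType: {entry}")
        if "Value" not in entry and not {"Source", "ID"} <= set(entry):
            raise ValueError(f"claim needs Value or Source+ID: {entry}")
    return schema


def released_user_attributes(schema):
    """Sorted (user attribute ID, target claim) pairs the policy releases;
    handy when reviewing what an application will receive."""
    return sorted((e["ID"], e.get("SamlClaimType") or e.get("JwtClaimType"))
                  for e in schema if e.get("Source") == "user")


# The claim entries from the answer (AWS SAML attribute names as given there).
AWS = "https://aws.amazon.com/SAML/Attributes/"
ANSWER_SCHEMA = [
    {"Source": "user", "ID": "assignedroles", "SamlClaimType": AWS + "Role"},
    {"Source": "user", "ID": "userprincipalname",
     "SamlClaimType": AWS + "RoleSessionName"},
    {"Value": "900", "SamlClaimType": AWS + "SessionDuration"},
]
```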

Unable to get Sign Ins for Service Principal using Microsoft Graph API

I am trying to use the List SignIns API to get a list of sign-ins for my Service Principal; however, the API is not returning any results when I try to filter the results by Service Principal id and/or Service Principal Application Id. If I remove the filter, I am able to get the data.
Essentially I am trying to get the data shown in the Azure Portal, as shown in the screenshot below.
I have tried both Graph Explorer as well as Microsoft.Graph SDK (C#) and in both places I am not getting any result back.
Things I tried:
In Graph Explorer, I tried the following request URL: https://graph.microsoft.com/1.0/auditLogs/signIns?$filter=id eq 'my-service-principal-id' and that did not give any results back.
I even tried https://graph.microsoft.com/beta/auditLogs/signIns?$filter=appId eq 'my-application-id' and still no results.
I tried with both beta and 1.0 version numbers and same results.
I checked the Azure Portal network request in browser and noticed that instead of using graph.microsoft.com, it is using graph.windows.net and is sending the following request:
https://graph.windows.net/tenant-id/activities/getSummarizedServicePrincipalSignIns(aggregationWindow='1d')?$filter=(createdDateTime ge 2021-04-21T13:03:32.608Z and createdDateTime lt 2021-04-28T13:03:32.608Z and (appId eq 'my-application-id' or contains(tolower(appDisplayName), 'my-application-id')))&$top=50&$orderby=createdDateTime desc&source=kds
I also read the documentation for the List SignIns API and the following caught my eye:
Retrieve the Azure AD user sign-ins for your tenant. Sign-ins that are interactive in nature (where a username/password is passed as part of auth token) and successful federated sign-ins are currently included in the sign-in logs.
I am not sure if what I am trying to accomplish is even possible with Graph API considering I am not getting any results back and Azure Portal is not even using Graph API to get this data.
Any insights into this will be highly appreciated.
This is possible using the 'beta' endpoint - but at this point it only seems to include 'interactive' sign-ins by default. If you add a filter on signInEventTypes it can return other types too:
So for 'User sign-ins (non-interactive)':
https://graph.microsoft.com/beta/auditLogs/signIns?$filter=signInEventTypes/any(t: t eq 'nonInteractiveUser')
For 'Service principal sign-ins':
https://graph.microsoft.com/beta/auditLogs/signIns?$filter=signInEventTypes/any(t: t eq 'servicePrincipal')
For 'Managed identity sign-ins':
https://graph.microsoft.com/beta/auditLogs/signIns?$filter=signInEventTypes/any(t: t eq 'managedIdentity')
For all sign-ins (let me know if there's a more concise way!):
https://graph.microsoft.com/beta/auditLogs/signIns?$filter=signInEventTypes/any(t: t eq 'interactiveUser' or t eq 'nonInteractiveUser' or t eq 'servicePrincipal' or t eq 'managedIdentity')
https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins#return-log-data-with-microsoft-graph
The beta API has ServicePrincipalId and ServicePrincipalName; you can filter based on these attributes. This link lists the attributes supported in $filter. This API supports $filter, $skiptoken and $top. However, do note that beta APIs are subject to change.
https://learn.microsoft.com/en-us/graph/api/signin-list?view=graph-rest-beta&tabs=http#attributes-supported-by-filter-parameter
Here's a blog about graph.windows.net and graph.microsoft.com
https://developer.microsoft.com/en-us/identity/blogs/microsoft-graph-or-azure-ad-graph/
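The answers above give the signInEventTypes filters as URLs to paste into Graph Explorer. This added example (not code from the answers or from a Microsoft SDK) builds those same beta filters, optionally narrowed to one servicePrincipalId as the second answer suggests, and summarises a sign-ins response per principal so failed sign-ins and unexpected source IPs stand out; the sample response is constructed, not real tenant data.

```python
"""Added example (not code from the answer or a Microsoft SDK): build the beta
signIns $filter on signInEventTypes and summarise records per principal."""
import json
from urllib.parse import quote

GRAPH_BETA_SIGNINS = "https://graph.microsoft.com/beta/auditLogs/signIns"
# The four signInEventTypes values named in the answer.
EVENT_TYPES = ("interactiveUser", "nonInteractiveUser",
               "servicePrincipal", "managedIdentity")
_SAFE = ":/()='"  # filter characters left unencoded in the URL

def build_signins_url(event_types, service_principal_id=None):
    """Beta signIns URL filtered on signInEventTypes and, optionally, on
    servicePrincipalId (a beta-only filterable property)."""
    unknown = set(event_types) - set(EVENT_TYPES)
    if unknown:
        raise ValueError(f"unknown signInEventTypes: {sorted(unknown)}")
    clauses = " or ".join(f"t eq '{t}'" for t in event_types)
    flt = f"signInEventTypes/any(t: {clauses})"
    if service_principal_id:
        flt += f" and servicePrincipalId eq '{service_principal_id}'"
    # Graph Explorer accepts the raw filter; an HTTP client must encode it.
    return f"{GRAPH_BETA_SIGNINS}?$filter={quote(flt, safe=_SAFE)}"

def summarize_signins(response_json):
    """Group a signIns response (dict with 'value') by servicePrincipalId
    into {spId: {"total": n, "failed": m, "ips": [...]}}."""
    summary = {}
    for rec in response_json.get("value", []):
        sp_id = rec.get("servicePrincipalId") or "(no servicePrincipalId)"
        entry = summary.setdefault(sp_id, {"total": 0, "failed": 0, "ips": set()})
        entry["total"] += 1
        # status.errorCode 0 is success; anything else is a failed sign-in.
        if rec.get("status", {}).get("errorCode", 0) != 0:
            entry["failed"] += 1
        entry["ips"].add(rec.get("ipAddress", "unknown"))
    for entry in summary.values():
        entry["ips"] = sorted(entry["ips"])
    return summary

# Constructed sample response shaped like the beta signIn resource.
SAMPLE_RESPONSE = json.loads("""{"value": [
 {"id": "s1", "signInEventTypes": ["servicePrincipal"], "servicePrincipalId":
  "sp-aaaa", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
 {"id": "s2", "signInEventTypes": ["servicePrincipal"], "servicePrincipalId":
  "sp-aaaa", "ipAddress": "198.51.100.7", "status": {"errorCode": 7000215}},
 {"id": "s3", "signInEventTypes": ["managedIdentity"], "servicePrincipalId":
  "sp-bbbb", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}]}""")
```

Run `summarize_signins(SAMPLE_RESPONSE)` to see the per-principal totals, or feed it the JSON body returned by the URL from `build_signins_url` once it is called with a real token.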

Can I use management azure api for Azure APIM analytics

I want to use the below API to compute Azure APIM analytics and customize its output.
But the Microsoft documentation does not cover the API. Can I use this API, or am I missing something?
My concern is how I would know if Microsoft internally changes their API or stops supporting it.
(This API gives me the expected result in Postman with valid authorization.)
API post -
https://management.azure.com/batch?api-version=2015-11-01
Request Body -
{
    "requests": [
        {
            "url": "/subscriptions/{subscription_Name}/resourceGroups/{resource_group_name}/providers/Microsoft.ApiManagement/service/{APIM_name}/reports/bytime?api-version=2019-01-01&$filter=timestamp ge 2019-03-25T09:41:34.144Z and timestamp le 2019-04-25T10:41:34.144Z&interval=PT24H",
            "httpMethod": "GET",
            "name": "resource_Guid",
            "requestHeaderDetails": {
                "commandName": "Microsoft_Azure_ApiManagement."
            }
        }
    ]
}
I'm not sure if the /batch API is documented; even though the Azure portal does use it a lot, I wouldn't recommend using it unless you find public docs. The Azure APIM reports API is documented and supported: https://learn.microsoft.com/en-us/rest/api/apimanagement/2019-01-01/reports

Use Microsoft Graph authentication contact info to get the email

How do you get the authentication contact info from Azure AD B2C with Microsoft Graph? I am looking to retrieve the email address.
I checked the documentation on Microsoft Graph API and could find no mention of how to get the Authentication Contact Info besides using PowerShell (learn.microsoft.com/en-za/azure/active-directory/authentication/…)
Based on this article, there are still some gaps between the Microsoft Graph API and the older Azure AD Graph API, but it seems neither will fully retrieve what's required.
As of now, the following will get the Alternate Email field only from the "Authentication contact info" section, using the Azure AD Graph API:
Register the Application in Azure AD
In the Azure Active Directory instance:
Register a new application (client_id)
Grant "Read all users' full profiles" permissions to Windows Azure Active Directory
Create a private key (client_secret) for the application
Authentication Flow
Reference: Service to Service Calls Using Client Credentials
Retrieve an access token
Request
POST https://login.microsoftonline.com/<tenant id>/oauth2/token
Payload
{
    "client_id": "<client_id>",
    "client_secret": "<client_secret>",
    "resource": "https://graph.windows.net",
    "grant_type": "client_credentials"
}
User Authentication Contact Info
Reference: Basic operations on users
Get user
Request
GET https://graph.windows.net/<tenant_id>/users/<user_id>?api-version=1.6
Headers
{
    "Authorization": "Bearer <access_token>"
}
Response
{
    ...
    "otherMails": ["<Alternate Email>"],
    ...
}
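The two-step flow above (client credentials token, then GET user for otherMails) as an added example, not code from the answer. The HTTP call is injected as a function so the block runs offline here against a constructed fake transport (`fake_send`); the v1 token endpoint expects a form-encoded body, so the payload fields listed above are sent with urlencode. The endpoint is the deprecated Azure AD Graph, as the first answer on this page notes.

```python
"""Added example (not from the answer): the two-step flow above, a client
credentials token then GET user for otherMails, with the HTTP call injected
so it runs here against a constructed fake. The v1 token endpoint expects a
form-encoded body, so the payload fields are sent with urlencode."""
import json
from urllib.parse import urlencode

AAD_GRAPH = "https://graph.windows.net"


def get_access_token(send, tenant_id, client_id, client_secret):
    """POST client credentials to the tenant's v1 token endpoint.
    send(method, url, headers, body) -> (status, text) does the HTTP call."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/token"
    form = urlencode({"client_id": client_id, "client_secret": client_secret,
                      "resource": AAD_GRAPH, "grant_type": "client_credentials"})
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    status, text = send("POST", url, headers, form)
    if status != 200:
        raise RuntimeError(f"token request failed: {status} {text}")
    return json.loads(text)["access_token"]


def get_alternate_emails(send, tenant_id, user_id, token):
    """GET the user and return otherMails (the Alternate Email field)."""
    url = f"{AAD_GRAPH}/{tenant_id}/users/{user_id}?api-version=1.6"
    status, text = send("GET", url, {"Authorization": f"Bearer {token}"}, None)
    if status != 200:
        raise RuntimeError(f"user request failed: {status} {text}")
    return json.loads(text).get("otherMails", [])


def lookup_alternate_emails(send, tenant_id, client_id, client_secret, user_id):
    """The full flow: token first, then the user lookup."""
    token = get_access_token(send, tenant_id, client_id, client_secret)
    return get_alternate_emails(send, tenant_id, user_id, token)


def fake_send(method, url, headers, body):
    """Constructed stand-in for HTTPS that checks request shape and returns
    canned JSON; swap in a real client (e.g. urllib) for live use."""
    if method == "POST" and url.endswith("/oauth2/token"):
        if "grant_type=client_credentials" not in (body or ""):
            return 400, '{"error": "invalid_request"}'
        return 200, '{"access_token": "FAKE-TOKEN", "token_type": "Bearer"}'
    if method == "GET" and headers.get("Authorization") == "Bearer FAKE-TOKEN":
        return 200, '{"objectId": "u-1", "otherMails": ["alt@example.com"]}'
    return 401, '{"error": "unauthorized"}'
```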
As you mentioned, it seems that there is no Microsoft Graph API that could get the authentication contact info email.
But we could get that information with the following API; I captured it with the browser. It seems a little hack.
GET https://main.iam.ad.ext.azure.com/api/UserDetails/{userId}
About how to get the access token, please refer to this blog.
Note: I don't find this API in the Azure official document. Please don't use it for production; you could use it for test.

How to update the existing User SignInName using Azure AD Graph API or Microsoft Graph API?

How can I update the SignInName of an existing user in Azure AD using the Microsoft Graph or Azure AD Graph client?
Thanks!
Looks like it won't be possible to update SignInName through either the Microsoft Graph API or the Azure AD Graph API. It may be worth a try using PowerShell if that fits your use case (again, this may or may not work). Details about each one below.
Update User SignInName using Microsoft Graph API
This isn't possible because the SignInNames collection isn't even available as part of the user entity in Microsoft Graph yet.
Here is a GitHub issue thread on this topic, look towards the end.
Add signInNames property to User. #91
Update User SignInName using Azure AD Graph API
You would be able to set the User SignInNames collection only at the time of creation of the user. See that the documentation mentions only POST and GET (no PATCH):
https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/entity-and-complex-type-reference#user-entity
Update User SignInName using PowerShell
This may work out, but I'm not sure about it. Then again, you asked specifically for Microsoft Graph or Azure AD Graph API so your scenario may not be suited for PowerShell.
Set-AzureADUser
You can PATCH the signInNames using the Azure AD Graph API (graph.windows.net) as an update.
PATCH https://graph.windows.net/{tenantId}/users/{userId}?api-version=1.6
Content-Type: application/json
BODY:
{
    "givenName": "James Wood",
    "signInNames": [
        {
            "type": "userName",
            "value": "jamesWoodUserName"
        }
    ]
}
Or just use the Graph beta SDK.
https://github.com/microsoftgraph/msgraph-beta-sdk-dotnet
> Install-Package Microsoft.Graph.Beta
var users = await graphClient.Users.Request().GetAsync().ConfigureAwait(false);
The email is then under "Identities".