Is it possible to reproduce the steps to "Configure Azure AD Connect cloud sync" from the Azure portal, in another way using an API?
The steps are described at this link:
https://learn.microsoft.com/en-us/azure/active-directory/cloud-sync/tutorial-single-forest#configure-azure-ad-connect-cloud-sync
I would like to automate this process to have no user interaction. Is it possible with the Graph API? Any example?
Thank you Marilee Turscak - MSFT for providing the reference Link.
I don't understand this sentence: "You need to use this application
ID 1a4721b3-e57f-4451-ae87-ef078703ec94. The displayName is the AD
domain url, if used in the portal (for example, contoso.com), but it
may be named something else." What is the application id I should use?
And what is the display name? I get 401 or 403 errors. Is there an
additional step before this?
You have to use the same application ID as its the Application templateID by default which is used to provision entries from active directory to Azure active directory.
But You can use any Display name that you want and Please make sure to have the required permissions as shown below. You can perform the post operation with Graph explorer.
After you have done the above post operation you will get the service principal ID which can be used for further steps mentioned in the document provided by Marilee Turscak - MSFT.
Reference:
How to programmatically configure cloud sync using MS Graph API | Microsoft Docs
Related
I want to delete a service principal (an Azure AD application) from the list of applications of a given customer, so I am query for the list of Service Principals in the tenant with:
https://graph.microsoft.com/beta/servicePrincpials
The issue is that I can see many applications but not the one we are working on. This application is not added manually through the Azure Portal but through an Admin consent dialog shown to the customer to grant the requested permissions to our application to access the Azure AD.
If I copy the object-id from Azure Portal I am able to get the application, or to delete it using the graph api, but I am not able to get it through the list of applications.
Solved: I was not getting the full list of applications. Using "$top=999" I get a huge list of applications and between then the one I am looking for. Also I see I can use filters to get a shorter list filtering by any property (see link) like displayName: https://graph.microsoft.com/beta/servicePrincipals?$filter=displayName eq 'name'
I need clarification for below users graph api,
https://graph.microsoft.com/v1.0/users/
We have synced our on-premise AD with Azure active directory. In my on premise AD we have the custom attribute called “RollNo”. I would like to read that " RollNo” data from above users graph api.
Is this possible to read custom attribute from AD ?
I don't see the rollno in azure AD. But I've created in On-premise AD which is synced with azure AD. Do we have any workaround to get this value?
When configuring Azure AD Connect there is a step that allows you to specify additional attributes that you wish to be replicated to Azure AD.But the custom attributes. name would be changed.
For more detailed information, please refer to the official article: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-directory-extensions
We're using Azure AD Connect to sync our on-premises Active Directory to Azure AD. We have the free version that comes with the Office 365 business plans.
Azure AD Connect shows the Description field as being synchronized to Azure AD, yet, the field does not appear anywhere.
We're using a third-party service to read data from our user profiles to generate email signatures, but the service cannot read the data as it doesn't "exist" in Azure.
I even tried going into our Azure AD Connect configuration, enabled Directory extension attribute sync and added the Description field for user accounts...but it created a new "description" field with a weird name instead.
Is there something I'm missing ? Do we perhaps need to have Azure AD Premium ?
Thanks for your help people!
Based on the official documentation, the attribute for Description has been synced to Azure AD. You can verify it by open Synchronization Service Manager, and check the properties for the specific user by Metaverse Search.
However, if you need to retrieve the attribute values for specific user, you must use Azure AD Graph API. For your scenario, the third-party service may leverage Azure AD Graph API for retrieving user properties.
Then, if you check the Graph API reference, you can find that Description is not included in the list, which means you can't retrieve the Description attribute from Azure AD.
As a workaround, you can use Directory extension, but the attributes are prefixed with extension_{AppClientId}_. The AppClientId has the same value for all attributes in your Azure AD tenant.
Also, you can submit your requirements to the following website, which collects feedbacks for Azure AD from users.
https://feedback.azure.com/forums/169401-azure-active-directory?query=attribute
I know how to add a co-administrator via the portal, but need a way to add it via PowerShell.
I need this method as I have lost access to the login id, but have the publish setting file so can administrator my virtual machines.
Unfortunately you can't. Azure PowerShell Cmdlets are essentially wrapper over Azure Service Management API and currently the API does not expose any method to add co-admins programmatically.
Azure have rolled out Roll Based Access Control which will allow you to automate the adding of new admins to your Azure Subscription. Intro here: https://azure.microsoft.com/en-us/documentation/articles/role-based-access-control-configure/
You would add a new user as an Owner at the Subscription scope. These operations are available using both PowerShell and REST
I created an empty Azure cloud service and I want to allow other developers to deploy to it. So far the only route I can see is adding the developers as Azure subscription administrators. I would rather give them more specific access to the cloud services only.
No such functionality exist today which will allow you to grant/revoke permissions at the cloud service level. Once a developer is provided access to the subscription, they would have access to all the resources under that subscription.
There's a REST API behind cloud service deployments and all the tools (including Windows Azure Portal and Visual Studio) consume this API for creating deployments. One possible solution would be to build your own solution consuming this API. In this solution you will implement access control based on your requirements so that when your user use this service, they will only see the cloud service they're assigned to and can only manage that cloud service. There's a managed library for consuming this API. You can find more information here: http://www.bradygaster.com/post/getting-started-with-the-windows-azure-management-libraries.
It seems that if the original developer downloads the publish profile from Azure (it's an xml file that with a .PublishSettings extension), you can copy the userPWD from that file, give it to another developer and they can paste it into the password field in the Connection section of the Publish dialog.
The userPWD is a string that looks something like this:
EFFCLfDqDKHlXcA2YDZPvX4BZXWFaobxaLN0aPJd4HCfa8WxlqEkt2yywBsx