Get the groups the current user belongs to.
Briefly about the project:
i am working on a VSTO project for Excel using vb.NET
buttons are provided in Excel for the users.
these are to be assigned on the basis of the AD group
I want to read out the AD groups to which the user currently logged on to the computer belongs.
Are the groups retrieved from the AD cached on the PC.
If yes, it would be very easy to read them, but so far I could not find anything.
If not, how can I check which groups the user belongs to without having to fiddle with passwords?
Related
Is there a way to retrieve a full list of Active Directory groups using the OneLogin API? the /roles and /groups API calls do not return a full list.
When retrieving User details, there is an array for "member_of" that contains the full list of Active Directory groups a specific User is a part of, however, I do not see a way to bring back the full list of Active Directory groups that are available overall.
Thx!
Because AD can contain literally thousands of groups, OneLogin doesn't compile an internal list of these groups for surfacing via the APIs.
Instead, you can use the user mappings to assign users in selected AD groups to roles in OneLogin and then access that information via the API.
What's your use case?
We have E5 account for Office 365. We have issue on SharePoint Online. My issue is that We have created one site collection and in that site collection one page is going to be access by external users. We did all the setting and now we can send email to external users and programmatically we add external user to certain SharePoint Group and this group have access to particular page.
External user is getting email too. Once external user clicked on it, it will take to our tenant and if the external user email is not Microsoft account than he can log-in successfully but it cannot access the resources. I get below error message
Your sign-in was successful but does not meet the criteria to access
this resource. For example, you might be signing in from a browser,
app, or location that is restricted by your admin
How can I solve it.
You will need to edit the conditions on your policy to meet your requirement. You did not list what you currently have so it's hard to say what needs to be done to fix it. You can find your policies under Azure AD in the portal. This post outlines where those settings can be found.
https://blogs.technet.microsoft.com/skypehybridguy/2017/08/31/microsoft-teams-restrict-usage-with-azure-ad-conditional-access/
My goal is to have the user authenticate with Azure AD and then be presented with a drop-down of profiles they want to access. Based on which profile is selected, the user will have different permissions on the site. I'm trying to avoid a user having to have multiple logins to enforce the different permissions per profile.
Can Azure AD handle this or do I need to tie in custom code in a database?
No, Users have one identity and can have a set of roles on an app.
Well, just one role unless you have group-based role assignment available :)
This concept sounds like something you will have to build in your app.
Or you will have to have multiple users registered for this one person.
As you can see my question above, I was wondering if it is possible to retrieve the assigned groups of an Azure Active Directory (AAD) based user via Microsoft GraphAPI.
My situation is, that I have an ASP.NET MVC project with Microsoft Azure enabled. My goal is, that an Azure user can login on my website with it's Azure account.
The idea is, that an azure user is an admin or an user (depending on the azure groups) and depending of this role group, the user can view more or less of my webpage.
For example:
When Peter logs in with his azure account on my webpage, he should only be able to see:
Add new Document
Edit Document
Remove Document
because he is only assigned as "User" in Azure Active Directory.
But when Sabrina logs in with her azure account on my webpage, then she should be able to do the same as Peter, but she also can see:
Manage Products
Add new customer
etc.
because she is been assigned as an admin in Azure Active Directory.
My problem is, that I did not find out how I retrieve the assigned group of an user with Microsoft GraphAPI. The part, which user can see or not after I got the roles is not a big deal.
I already tried this API call:
https://graph.microsoft.com/v1.0/me/
But it seems, that the response of this call does not include the actual assigned group of that user.
Do you think it is possible to retrieve the assigned group of an azure user? Is this even possible? Or do I have to do something else to retrieve these information?
I hope you understand my point and I am also looking forward for any response. Thanks in advance!
Add /memberOf to the URL to receive the groups a user is member of.
https://graph.microsoft.com/v1.0/me/memberOf
Here's a link to the specific graph api - https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups
Take a look at this sample application on Github. It does something very similar with a task tracker application, where different users are able to perform different actions based on the group they belong to -
https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims/blob/master/README.md
Also, in cases where a user is a member of too many groups, you get back an overage indicator and have to make a separate call to get all groups. Read about “hasgroups” and “groups:src1” claims here - https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-id-and-access-tokens
According to your system architecture, if some user has too many joined groups, the API https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups will return too many groups.
But if the groups with permissions in your system are not too much, you can use this API: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_checkmembergroups to check if the current user is the member of specified groups.
It is not good idea to use this API: https://graph.microsoft.com/v1.0/me/memberOf. Because it returns only the groups that the user is a direct member of, but security group can be member of security group.
Several fields in MOSS profiles are mapped to fields in active directory and we have given the user the ability to modify these.
But when the incremental profile import runs it overwrites these with the old values from active directory.
How do we make it so that AD is updated with the new values from the profile?
Thanks for any suggestions.
From http://blog.seancleaver.com/sean_cleaver/2008/07/sync-ad-users-to-sharepoint---2-way.html
So some of you have requested support to provide 2-Way Synchronization of AD Users between a SharePoint List and Active Directory. The good news is that the AD Provider for Data Synchronization Studio now supports this.
So you can effectively publish your AD Users to an Intranet Site to create a "Staff List" or "Telephone List" and then from this you can now allow your staff to update the personal information stored in the AD themselves by just simply editing the records in SharePoint. Then when the Synchronization occurs all changes are applied to the AD. There are a few limitations you can't create new AD Users this way and you can't delete users from the AD and certain properties are not updateable such as Member-Of etc.
We've given up on an easy way to do this and are writing a scheduled task that gets the recent change info from the users profile and updates AD from that.
Will try to post code once I've got something working.