How to get appRoleAssignedTo for Microsoft Azure Applications? - azure

I am trying to get appRoleAssignedTo for my Azure tenant. Now suppose I have 10 applications under that tenant; I will have to make 10 different calls, passing the servicePrincipal Id for each of the 10 applications.
GET /servicePrincipals/{id}/appRoleAssignedTo
Is there a way through which I can get all the appRoleAssignedTo under the respective servicePrincipal using just one API call?
Alternatively, Microsoft provides a delta call for servicePrincipal; is there a way that the delta returns me the servicePrincipal when appRoleAssignedTo has changed (basically connecting the appRoleAssignedTo to the servicePrincipal)?
P.S. I have tried doing it using $select and $expand and it doesn't work.
https://learn.microsoft.com/en-us/graph/api/serviceprincipal-list-approleassignments?view=graph-rest-1.0&tabs=http
https://learn.microsoft.com/en-us/graph/api/serviceprincipal-delta?view=graph-rest-1.0&tabs=http

Please try with $expand=appRoleAssignedTo in Graph Explorer.
https://graph.microsoft.com/v1.0/servicePrincipals?$expand=appRoleAssignedTo
If you want to use both $select and $expand, the "id" is required.
https://graph.microsoft.com/v1.0/servicePrincipals?$select=id,displayName&$expand=appRoleAssignedTo
The response looks like:
{
  "value": [
    {
      "id": "xxxxxx",
      "displayName": "Managed Service",
      "appRoleAssignedTo#odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('xxxxx')/appRoleAssignedTo",
      "appRoleAssignedTo": []
    },
    ....
  ]
}

Related

Azure Active Directory SCIM: Deprovision member of a group not working

Using Azure AD Premium, Enterprise App & SCIM 2.0 Provisioning Scope - Only assigned Users & Groups
I'm trying to work through the use case below:
SCIM provisioning of users that are assigned to a given AD group.
When a user is added (provisioned) to a group, it correctly fires off a PATCH /Groups/{Id} to add a member to the group.
When a user is removed (deprovisioned) from the group, it does not correctly fire a PATCH /Groups/{Id} to remove the member from the group.
What am I doing wrong?
In addition, I wonder which call Azure Active Directory executes to find out who is currently a member of a given group. (I've noticed that every call AAD makes to my SCIM/group service implementation has excludedAttributes=members as a query parameter.)
Any suggestions appreciated.
From what I saw, Azure SCIM sends this request to the groups endpoint:
{
  "schemas": [
    "urn:ietf:params:scim:api:messages:2.0:PatchOp"
  ],
  "Operations": [
    {
      "op": "Remove",
      "path": "members",
      "value": [
        {
          "value": "49a5f81e-9f63-4f5e-b3e8-41db044c1af9"
        }
      ]
    }
  ]
}
I use ngrok during development to see and analyse requests from the Azure SCIM integration.
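An added example (not from the question or answer above) of a SCIM group endpoint applying the PatchOp shown: it matches the op name case-insensitively, since Azure AD sends "Remove" while RFC 7644 spells it "remove", accepts both the Azure "path": "members" plus value-list shape and the RFC filter form members[value eq "id"], and reports which ids were actually removed so a deprovisioning that silently matched nothing can be logged. The in-memory GROUPS store and the member ids other than the one in the answer are constructed.

```python
import re

# Constructed in-memory group store standing in for the SCIM service's backend.
GROUPS = {
    "grp-1": {"displayName": "Finance", "members": [
        {"value": "49a5f81e-9f63-4f5e-b3e8-41db044c1af9"},
        {"value": "11111111-2222-3333-4444-555555555555"},
    ]},
}
PATCH_SCHEMA = "urn:ietf:params:scim:api:messages:2.0:PatchOp"
# RFC 7644 filter form: members[value eq "<id>"]
MEMBER_FILTER = re.compile(r'^members\[value\s+eq\s+"([^"]+)"\]$', re.IGNORECASE)

def member_ids(op):
    """Member ids named by an add/remove op, accepting both request shapes."""
    path = op.get("path", "")
    m = MEMBER_FILTER.match(path)
    if m:
        return {m.group(1)}
    if path.lower() == "members":
        # Azure AD form: "value" is a list of {"value": "<id>"} objects
        values = op.get("value") or []
        if isinstance(values, dict):
            values = [values]
        return {v["value"] for v in values if isinstance(v, dict) and "value" in v}
    raise ValueError(f"unsupported members path: {path!r}")

def apply_patch(group_id, body):
    """Apply a SCIM PatchOp to a group; returns (added_ids, removed_ids)."""
    if PATCH_SCHEMA not in body.get("schemas", []):
        raise ValueError("not a SCIM PatchOp request")
    group = GROUPS[group_id]
    added, removed = [], []
    for op in body.get("Operations", []):
        kind = op.get("op", "").lower()  # "Remove" (Azure AD) and "remove" (RFC) both match
        ids = member_ids(op)
        current = {m["value"] for m in group["members"]}
        if kind == "remove":
            removed.extend(sorted(ids & current))  # ids that were really present
            group["members"] = [m for m in group["members"] if m["value"] not in ids]
        elif kind == "add":
            new = sorted(ids - current)
            group["members"].extend({"value": i} for i in new)
            added.extend(new)
        else:
            raise ValueError(f"unsupported op: {op.get('op')!r}")
    return added, removed

# Constructed request in the shape the answer above shows Azure AD sending.
AZURE_REMOVE = {
    "schemas": [PATCH_SCHEMA],
    "Operations": [{"op": "Remove", "path": "members",
                    "value": [{"value": "49a5f81e-9f63-4f5e-b3e8-41db044c1af9"}]}],
}
```

An empty removed list for a remove op is worth alerting on: it means the user keeps access in the target system even though Azure AD considers them deprovisioned.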

add an extended property in Azure Ad which will be accessible across groups in AD

I wanted to add an extended property in Azure AD which will be accessible across groups in AD. I got this:
POST https://graph.windows.net/contoso.com/applications//extensionProperties?api-version=1.21-preview
{
  "name": "skypeId",
  "dataType": "String",
  "targetObjects": ["User"]
}
I wanted to understand two things which the document is not clear to me on:
1. If "targetObjects" is specified as User, will the extended property appear across groups as well as users in an application?
2. Can this be done directly via the Azure portal without using https://graphexplorer.cloudapp.net/ as mentioned in the document?
https://msdn.microsoft.com/library/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions#RegisterAnExtension
Does anybody have an idea on this?
if the "targetObjects" is specified as user will the extended property appear across groups as well as users in an application
You set "targetObjects" as the user; that means this extended property will be added to the user's attributes and can also appear across groups as well as users in this application.
can this be done directly via the Azure portal
For now, you cannot do this via the Azure portal. You could do this by using the Azure AD Graph API (which you tried) or the Microsoft Graph API, or you can also use AAD PowerShell.
If you persist in doing this via the portal, the B2C portal is suggested for you. You could manually define a custom attribute for the user. For the details, you could read this doc.
Using Microsoft Graph API:
POST https://graph.microsoft.com/v1.0/schemaExtensions
Content-type: application/json

{
  "id": "graphlearn_courses",
  "description": "Graph Learn training courses extensions",
  "targetTypes": [
    "Group"
  ],
  "properties": [
    {
      "name": "courseId",
      "type": "Integer"
    },
    {
      "name": "courseName",
      "type": "String"
    },
    {
      "name": "courseType",
      "type": "String"
    }
  ]
}
For the details, you could read here.
Using AAD PowerShell:
Set-AzureADUserExtension
    -ObjectId <String>
    -ExtensionName <String>
    -ExtensionValue <String>
    [<CommonParameters>]
For the details, you could refer to here.

How to get client secret expiry date using the azure AD graph API

I am trying to get the expiry date of the client secrets for our AAD application. However, when I use the following graph request, the passwordCredential and keyCredential fields are blank.
https://graph.windows.net/myorganization/directoryObjects/{ServicePrincipalObjectId}/?api-version=1.6
Is there a way to get this data? I see it in the manifest if I download that, just not in the OData object.
Thank you for your help!
Use this AAD Graph API below:
https://graph.windows.net/{org_domain}/applications/{obj_id}/passwordCredentials
The response will show the list of keys used by your specific AAD Application.
You can derive the expiration date of your key from the endDate field.
{
  "odata.metadata": "https://graph.windows.net/{org_domain}/$metadata#Collection(Microsoft.DirectoryServices.PasswordCredential)",
  "value": [
    {
      "customKeyIdentifier": null,
      "endDate": "2018-05-07T09:12:13.2177408Z",
      "keyId": "{your_key_id}",
      "startDate": "2016-05-07T09:12:13.2177408Z",
      "value": null
    }
  ]
}
As an alternative to using the Graph API, you might also consider using the Get-AzAdApplication cmdlet together with Get-AzAdAppCredential, which are part of Az PowerShell:
https://learn.microsoft.com/en-us/powershell/module/az.resources/get-azadappcredential?view=azps-5.5.0
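An added example (not from the answer above) that turns the passwordCredentials response into an expiry report: it parses the endDate values, which carry seven fractional digits that strptime's %f cannot take, and classifies each key as expired, expiring within a warning window, or ok. The SAMPLE response and key ids are constructed; the same shape applies to keyCredentials, which also carry endDate.

```python
import re
from datetime import datetime, timezone

# Constructed response in the shape of GET .../applications/{obj_id}/passwordCredentials
SAMPLE = {
    "value": [
        {"customKeyIdentifier": None, "endDate": "2018-05-07T09:12:13.2177408Z",
         "keyId": "key-a", "startDate": "2016-05-07T09:12:13.2177408Z", "value": None},
        {"customKeyIdentifier": None, "endDate": "2018-06-20T00:00:00Z",
         "keyId": "key-b", "startDate": "2017-06-20T00:00:00Z", "value": None},
    ]
}

def parse_graph_time(s):
    """Parse an AAD Graph UTC timestamp; .NET emits up to 7 fractional digits."""
    # Trim (or pad) the fraction to the 6 digits %f accepts.
    s = re.sub(r"\.(\d{0,6})\d*Z$", lambda m: "." + m.group(1).ljust(6, "0") + "Z", s)
    if "." not in s:
        s = s.replace("Z", ".000000Z")
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def credential_status(creds, now_iso, warn_days=30):
    """One row per credential with whole days left and an expired/expiring/ok state."""
    now = parse_graph_time(now_iso)
    report = []
    for c in creds:
        end = parse_graph_time(c["endDate"])
        days = (end - now).days  # negative once endDate is in the past
        if days < 0:
            state = "expired"
        elif days <= warn_days:
            state = "expiring"
        else:
            state = "ok"
        report.append({"keyId": c["keyId"], "endDate": c["endDate"],
                       "days_left": days, "state": state})
    return report

if __name__ == "__main__":
    for row in credential_status(SAMPLE["value"], "2018-05-01T00:00:00Z"):
        print(f'{row["keyId"]}: {row["state"]} ({row["days_left"]} days left)')
```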

Query users in custom Azure roles from an MVC app

I have defined custom roles in Azure in the application manifest as follows:
"allowedMemberTypes": [
  "User"
],
"displayName": "Admin",
"id": "81e10148-16a8-432a-b86d-ef620c3e48ef",
"isEnabled": true,
"description": "Admins can manage roles and perform all task actions.",
"value": "Admin"
From my MVC application, I would like to query the users found in these roles. With the Graph API, I am able to see the custom roles attached to the application, but I am unable to query the users attached to these roles. Is it possible with the Graph API?
Thanks. Any help is appreciated.
We can get the roles which are already assigned to this application via the Azure Graph REST API like below:
GET https://graph.windows.net/{tenantId}/servicePrincipals/{servicePrincipalid}/appRoleAssignedTo?api-version=1.6
Bearer {accessToken}
Then we can filter the result using the id (the custom appRole id, e.g. 81e10148-16a8-432a-b86d-ef620c3e48ef) and principalType (User) to get the specific roles which are assigned to users.
For more detail about the entities and complex types of the Azure Graph REST API, you can refer here.
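An added example (not code from either answer) that serves both the first question on this page, collecting appRoleAssignedTo for every service principal in one $expand query, and this answer, filtering the result by app role id and principalType. It follows @odata.nextLink paging through an injected fetch function, flattens the expanded assignments into one row per principal/role/service principal, and then selects the users holding the custom Admin role id from the question. The PAGE1/PAGE2 responses, service principal ids and principal names are constructed; the field names are those of a Microsoft Graph appRoleAssignment.

```python
# Constructed pages in the shape of
# GET https://graph.microsoft.com/v1.0/servicePrincipals?$select=id,displayName&$expand=appRoleAssignedTo
ADMIN_ROLE = "81e10148-16a8-432a-b86d-ef620c3e48ef"
PAGE1 = {
    "@odata.nextLink": "https://graph.microsoft.com/v1.0/servicePrincipals?$skiptoken=page2",
    "value": [
        {"id": "sp-1", "displayName": "Managed Service", "appRoleAssignedTo": []},
        {"id": "sp-2", "displayName": "Task App", "appRoleAssignedTo": [
            {"id": "asg-1", "appRoleId": ADMIN_ROLE, "principalId": "u-1",
             "principalDisplayName": "Alice", "principalType": "User"},
            {"id": "asg-2", "appRoleId": ADMIN_ROLE, "principalId": "g-1",
             "principalDisplayName": "Admins", "principalType": "Group"},
        ]},
    ],
}
PAGE2 = {"value": [
    {"id": "sp-3", "displayName": "Reporting", "appRoleAssignedTo": [
        {"id": "asg-3", "appRoleId": "00000000-0000-0000-0000-000000000000",
         "principalId": "u-2", "principalDisplayName": "Bob", "principalType": "User"}]},
]}
# Stand-in for an authenticated HTTP GET: url -> decoded JSON body.
FAKE_HTTP = {"first": PAGE1, PAGE1["@odata.nextLink"]: PAGE2}

def iter_pages(fetch, first_url):
    """Yield every item, following @odata.nextLink until Graph stops returning one."""
    url = first_url
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def flatten_assignments(service_principals):
    """One row per assignment: which principal holds which appRoleId on which service principal."""
    rows = []
    for sp in service_principals:
        for a in sp.get("appRoleAssignedTo", []):
            rows.append({"servicePrincipalId": sp["id"], "resource": sp.get("displayName"),
                         "appRoleId": a["appRoleId"], "principalId": a["principalId"],
                         "principalType": a["principalType"],
                         "principal": a.get("principalDisplayName")})
    return rows

def users_in_role(rows, app_role_id, principal_type="User"):
    """The filter this answer describes: match on the app role id and principalType."""
    return [r for r in rows if r["appRoleId"] == app_role_id and r["principalType"] == principal_type]

def inventory(fetch=FAKE_HTTP.__getitem__):
    return flatten_assignments(iter_pages(fetch, "first"))
```

Filtering on principalType == "User" deliberately drops Group assignments, so a role granted to a group (asg-2 above) reaches its members without appearing in the user list; an access review needs the Group rows expanded through group membership as well.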

Get all domains for a tenant through REST API

I want to know if there is a way to retrieve the registered domain(s) for a tenant through the REST API for SharePoint/Office 365.
Consider this scenario:
I have a tenant named abc.pqr and the URL for the "my" site (OneDrive) is abc-my.sharepoint.com.
Now when I create a user for this tenant, the UI panel gives the option to select a domain for this account. Available options are:
1) @abc.pqr
2) @abc.onmicrosoft.com
Now, the problem is, if I have a user of this sort >>> testUser@abc.onmicrosoft.com, how do I find out the registered domain for this tenant? Which in my case is abc.pqr.
Is there a way to find this through the REST API?
Sounds like what you want to know is the list of verified domains in your Azure Active Directory tenant. (Azure AD is the directory service behind Office 365 and other Microsoft online services.)
The Azure AD Graph API—AAD's REST API—can provide this for you. In your case, the GET request you would want to make is:
https://graph.windows.net/abc.onmicrosoft.com/tenantDetails
Note: you can use either the tenant ID or any verified domain of the tenant instead of abc.onmicrosoft.com. The tenant ID can be obtained from the tid claim in the access token.
The JSON response will include something like this:
"verifiedDomains": [
  {
    "capabilities": "None",
    "default": true,
    "id": "0007ABE0983098",
    "initial": false,
    "name": "abc.pqr",
    "type": "Managed"
  },
  {
    "capabilities": "Email, OfficeCommunicationsOnline",
    "default": false,
    "id": "0007ABE0983098",
    "initial": true,
    "name": "abc.onmicrosoft.com",
    "type": "Managed"
  }
]
(There's a useful Quickstart for the Azure AD Graph API that shows how to start playing around with AAD Graph API, and the GraphExplorer.)
If you're using .NET, there is a full sample at https://github.com/AzureADSamples/WebApp-GraphAPI-DotNet. (More samples for other languages and platforms at https://github.com/AzureADSamples.)