I am trying to use the Microsoft Graph Explorer to update a custom attribute I created in B2C named GroupID.
First, I get the id of the user I want to edit using this query:
GET https://graph.microsoft.com/v1.0/{myResourceName}.onmicrosoft.com/users
This returns the following JSON:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users",
  "value": [
    {
      "displayName": "User Name",
      "surname": "Name",
      "givenName": "User",
      "id": "ff46335221e1a365",
      "userPrincipalName": "user@username.com",
      "businessPhones": [],
      "jobTitle": null,
      "mail": null,
      "mobilePhone": null,
      "officeLocation": null,
      "preferredLanguage": null
    }
  ]
}
Now I'd like to add a value for GroupID for this user. The attribute itself does not appear in the above JSON, presumably because it does not yet have a value assigned.
I tried using this query:
PATCH https://graph.microsoft.com/v1.0/{myResourceName}.onmicrosoft.com/users/ff46335221e1a365
With request body:
{"GroupID": 1234}
But I get a 405 error:
The method or operation is not allowed.
Am I using the wrong query? I tried to follow the guide here.
UPDATE
Attached is a screenshot of the request. In this screenshot, I omitted the {myResourceName}.onmicrosoft.com from the URL. But I've tried both ways and still get the 405 error.
Please see this document:
Extension attributes in the Graph API are named by using the convention extension_ApplicationClientID_attributename, where the ApplicationClientID is the Application (client) ID of the b2c-extensions-app application (found in App registrations > All Applications in the Azure portal). Note that the Application (client) ID as it's represented in the extension attribute name includes no hyphens. For example:
"extension_831374b3bd5041bfaa54263ec9e050fc_loyaltyNumber": "212342"
So the real custom attribute name is extension_{ApplicationClientID}_GroupID.
Go to Azure AD -> App registrations to find the application id of the b2c-extensions-app application.
The {ApplicationClientID} is the application id without hyphens.
PATCH https://graph.microsoft.com/v1.0/users/ff46335221e1a365
{"extension_{ApplicationClientID}_GroupID": 1234}
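As an added example (not from the question or answer above), a small Python helper that derives the extension attribute name from the b2c-extensions-app client ID, builds the PATCH body, and flags keys Graph will not recognise, such as the bare GroupID in the question. The client ID is the documentation's sample value re-hyphenated, and BUILTIN_USER_PROPERTIES is taken from the GET /users response above.

```python
import re

# Sample application (client) ID of the b2c-extensions-app, taken from the
# documentation snippet quoted above and re-hyphenated; a real tenant has its own.
B2C_EXTENSIONS_APP_CLIENT_ID = "831374b3-bd50-41bf-aa54-263ec9e050fc"

# Standard user properties as they appear in the GET /users response above.
BUILTIN_USER_PROPERTIES = frozenset({
    "displayName", "surname", "givenName", "id", "userPrincipalName",
    "businessPhones", "jobTitle", "mail", "mobilePhone", "officeLocation",
    "preferredLanguage",
})

_GUID_RE = re.compile(r"^[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")
_EXTENSION_RE = re.compile(r"^extension_[0-9a-fA-F]{32}_[A-Za-z0-9]+$")


def extension_attribute_name(client_id: str, attribute: str) -> str:
    """Return the Graph name of a B2C custom attribute:
    extension_<client ID without hyphens>_<attribute>."""
    if not _GUID_RE.match(client_id):
        raise ValueError(f"not an application (client) ID: {client_id!r}")
    if not re.fullmatch(r"[A-Za-z0-9]+", attribute):
        raise ValueError(f"attribute name must be alphanumeric: {attribute!r}")
    return f"extension_{client_id.replace('-', '')}_{attribute}"


def build_patch_body(client_id: str, values: dict) -> dict:
    """Turn {"GroupID": 1234} into the body PATCH /users/{id} expects."""
    return {extension_attribute_name(client_id, name): value
            for name, value in values.items()}


def unrecognised_keys(body: dict) -> list:
    """Keys that are neither standard user properties nor well-formed
    extension_ names, e.g. the bare "GroupID" from the question. Checking
    this before sending avoids a rejected PATCH."""
    return sorted(k for k in body
                  if k not in BUILTIN_USER_PROPERTIES
                  and not _EXTENSION_RE.match(k))
```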
Related
I have queried the user endpoint using advanced query capabilities, but I didn't get the value of the Department field.
This is my query:
https://graph.microsoft.com/v1.0/users?$count=true&$search="displayName:tobias"&ConsistencyLevel=eventual&$select=employeeId,department,jobTitle
The above query shows all the info of the user except the job information block.
Using select query for the user above:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(employeeId,department,jobTitle)",
  "@odata.count": 1,
  "value": [
    {
      "employeeId": null,
      "department": null,
      "jobTitle": null
    }
  ]
}
What is the problem here?
Please note that getting the details of a user from the Microsoft Graph API returns only a few details/properties by default.
Please refer to this MsDoc, which confirms the same.
Please use $select to select the job details of the user, like below:
https://graph.microsoft.com/v1.0/users?$select=employeeId,department,jobTitle
Reference:
How do I retrieve Job Info from Azure AD via MS Graph by DerDani81
I am working in Azure AD B2C to add custom extensions per application. These extensions must be returned in the JWT when the login is requested by the application.
So I create the extension on the app using the Graph API:
POST https://graph.microsoft.com/v1.0/applications/{{appid}}/extensionProperties
{
  "name": "name",
  "dataType": "String",
  "targetObjects": [
    "User"
  ]
}
Then I associate a value for a specific user
PATCH https://graph.microsoft.com/v1.0/users/{{userid}}
{
  "extension_{{appid(without dashes)}}_name": "1234"
}
Now I go on the app manifest to add the optional claim.
"optionalClaims": {
  "idToken": [
    {
      "name": "extension_{{appid(without dashes)}}_name",
      "source": "user",
      "essential": true,
      "additionalProperties": []
    }
  ],
  "accessToken": [
    {
      "name": "extension_{{appid(without dashes)}}_name",
      "source": "user",
      "essential": true,
      "additionalProperties": []
    }
  ],
  "saml2Token": []
},
I save, but the claim never appears in the JWT token.
I also tried using the answer from this post, but it didn't work either.
The problem is you’ve used Optional claims setup, which works for AAD but not AAD B2C.
Follow this: https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-flow-custom-attributes?pivots=b2c-user-flow
If you want to select your custom attribute through the Azure Portal - AAD B2C - User Attributes blade, and the attribute was created via Graph API, you have to recreate it in the Portal for it to reconcile.
You would also need to target the b2c-extensions-app AppId when defining the attribute with Graph API.
I tried to reproduce the same in my environment and got the claims successfully.
As Jas Suri - MSFT commented, this will only work if you are adding optional claims to an Azure AD application.
I created the extension attribute via Graph API like below:
I associated the above extension attribute to a specific user like below:
Please check whether that extension attribute is visible in optional claims UI or not and add like below:
When you check the manifest, it will be added automatically like below:
I generated the JWT token using auth-code flow via Postman like below:
After decoding the JWT token (ID-Token), I got the claims successfully like below:
I am generating an API Key for App Insights. I am using the URL
"https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Insights/components/{resourceName}/ApiKeys"
I don't have any clear documentation and I found this from the MS SDK:
https://github.com/Azure/azure-sdk-for-net/blob/master/sdk/applicationinsights/Microsoft.Azure.Management.ApplicationInsights/src/Generated/APIKeysOperations.cs
However, when I try to generate one by specifying only a "name", an error comes back in the response:
{
  "code": "The API Key needs to have a Role",
  "message": "The API Key needs to have a Role",
  "innererror": {
    "diagnosticcontext": "e1f66da1-9247-459e-a519-6426fa1449d1",
    "time": "2019-09-20T07:48:20.2634617Z"
  }
}
My POST body is as follows:
{
  "name": "asimplekeyname"
}
Please help if someone has used this specific API.
You need to include the following properties in the body.
{
  "name": "test3",
  "linkedReadProperties": [
    "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/microsoft.insights/components/<appinsight-name>/api",
    "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/microsoft.insights/components/<appinsight-name>/agentconfig"
  ],
  "linkedWriteProperties": [
    "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/microsoft.insights/components/<appinsight-name>/annotations"
  ]
}
The three properties correspond to the ones in the portal -> your App Insights resource -> API Access -> Create API key.
api - Read telemetry
agentconfig - Authenticate SDK control channel
annotations - Write annotations
You need to select at least one of them and include it in the request body.
For example, if you select just the first one as below, the body should be:
{
  "name": "test3",
  "linkedReadProperties": [
    "/subscriptions/<subscription-id>/resourceGroups/<resource-group-name>/providers/microsoft.insights/components/<appinsight-name>/api"
  ],
  "linkedWriteProperties": []
}
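An added Python example, not from the question or answer above: it builds the ApiKeys request body from the three portal permissions named in the answer, refuses an empty selection (the "needs to have a Role" error), and reads the granted permissions back out of a key object so existing keys can be audited for rights they do not need. The subscription, resource group and component names are placeholders.

```python
# Permissions offered in the portal under API Access > Create API key, mapped to
# the request property each one is listed under (from the answer above).
API_KEY_PERMISSIONS = {
    "api": ("linkedReadProperties", "Read telemetry"),
    "agentconfig": ("linkedReadProperties", "Authenticate SDK control channel"),
    "annotations": ("linkedWriteProperties", "Write annotations"),
}


def component_resource_id(subscription_id: str, resource_group: str, component: str) -> str:
    """ARM resource ID of an Application Insights component (placeholders allowed)."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/microsoft.insights/components/{component}")


def api_key_request_body(name: str, component_id: str, permissions) -> dict:
    """Build the POST body for .../components/<name>/ApiKeys. At least one
    permission is required; pass only those the consumer actually needs."""
    wanted = list(dict.fromkeys(permissions))  # de-duplicate, keep order
    unknown = [p for p in wanted if p not in API_KEY_PERMISSIONS]
    if unknown:
        raise ValueError(f"unknown API key permission(s): {unknown}")
    if not wanted:
        raise ValueError("The API Key needs to have a Role: select at least one permission")
    body = {"name": name, "linkedReadProperties": [], "linkedWriteProperties": []}
    for perm in wanted:
        prop, _description = API_KEY_PERMISSIONS[perm]
        body[prop].append(f"{component_id}/{perm}")
    return body


def granted_permissions(api_key: dict) -> dict:
    """Reverse mapping for auditing: from an API key object (same shape as the
    request body) return {permission: description}. Handy for spotting keys
    that hold write rights although they only ever read telemetry."""
    found = {}
    for prop in ("linkedReadProperties", "linkedWriteProperties"):
        for resource_id in api_key.get(prop) or []:
            perm = resource_id.rsplit("/", 1)[-1]
            if perm in API_KEY_PERMISSIONS and API_KEY_PERMISSIONS[perm][0] == prop:
                found[perm] = API_KEY_PERMISSIONS[perm][1]
    return found
```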
I have tried to get custom attributes created in Active Directory using Microsoft Graph. I am able to get attributes by their names using this query in Microsoft Graph:
https://graph.microsoft.com/v1.0/me?$select=Department
But I'm not able to get some attributes which are not there by default (which are custom created) using Microsoft Graph. For example, if I put "employeeId", the same query returns
{"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(employeeId)/$entity"}
Interestingly, I can get the employeeId using Azure AD Graph, which is now old school (query below):
https://graph.windows.net/me/employeeId
The above query returns me the following JSON:
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#Edm.String",
  "value": "38XXX"
}
After some googling, I've found that there are extension attributes created using Azure AD Connect, which creates a Schema Extension App in Azure, and we can get them using
extension_{appID}_employeeId
I can't find any Schema Extension App in my Azure Portal, and I've tried some PowerShell commands too. Our organization doesn't use Azure AD B2C. What I need is
A way to find AppId of Schema Extension App in Azure
Or an alternative way to get those custom attributes
A way to find AppId of Schema Extension App in Azure
If you want to find the AppId of Schema Extension App, you could use the MS graph api below.
GET https://graph.microsoft.com/beta/applications?$filter=displayName eq 'Tenant Schema Extension App'
For more details about required permission etc, refer to this similar issue.
Eventually, I found the Tenant Schema Extension AppID by running the query below in Microsoft Graph Explorer.
Note: use the beta Graph API version.
https://graph.microsoft.com/beta/me
which returned me a lengthy JSON with the output below:
  "userPrincipalName": "example@abc.com",
  "externalUserState": null,
  "externalUserStateChangeDateTime": null,
  "userType": "Member",
  "extension_{appid}_extensionAttribute3": "XXX",
  "extension_{appid}_extensionAttribute2": "XXX",
  "extension_{appid}_extensionAttribute1": "XXX",
  "extension_{appid}_employeeID": "XXXXXX",
Additionally, the query below returned the extension attributes even without the appid (you should use the beta version):
https://graph.microsoft.com/beta/me?$select=UserPrincipalName,onPremisesExtensionAttributes
which returned the JSON below:
{
  "@odata.context": "https://graph.microsoft.com/beta/$metadata#users(userPrincipalName,onPremisesExtensionAttributes)/$entity",
  "userPrincipalName": "xxxx@xxx.com",
  "onPremisesExtensionAttributes": {
    "extensionAttribute1": "XXX",
    "extensionAttribute2": "XXX",
    "extensionAttribute3": "XXX",
    "extensionAttribute4": null,
    "extensionAttribute5": null,
    "extensionAttribute6": null,
    "extensionAttribute7": null,
    "extensionAttribute8": null,
    "extensionAttribute9": null,
    "extensionAttribute10": null,
    "extensionAttribute11": null,
    "extensionAttribute12": null,
    "extensionAttribute13": null,
    "extensionAttribute14": null,
    "extensionAttribute15": null
  }
}
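An added Python example (not from the answer above) that reads extension attributes out of a user object shaped like the beta /me responses shown: it groups extension_<appId>_<name> keys by the owning app, looks one up without silently mixing apps that define the same name, and collects the populated onPremisesExtensionAttributes. The app IDs and values in SAMPLE_USER are constructed placeholders.

```python
import re

# Constructed placeholders (not real app IDs): one for the Tenant Schema
# Extension App and one for a second application that also defines attributes.
SCHEMA_APP_ID = "a1b2c3d4e5f60718293a4b5c6d7e8f90"
OTHER_APP_ID = "0f1e2d3c4b5a69788796a5b4c3d2e1f0"

# Constructed sample shaped like the beta /me output above.
SAMPLE_USER = {
    "@odata.context": "https://graph.microsoft.com/beta/$metadata#users/$entity",
    "userPrincipalName": "xxxx@xxx.com",
    "userType": "Member",
    f"extension_{SCHEMA_APP_ID}_employeeID": "38XXX",
    f"extension_{SCHEMA_APP_ID}_extensionAttribute1": "XXX",
    f"extension_{OTHER_APP_ID}_employeeID": "OTHER",
    "onPremisesExtensionAttributes": {"extensionAttribute1": "XXX",
                                      "extensionAttribute2": None},
}

_EXT_KEY_RE = re.compile(r"^extension_([0-9a-fA-F]{32})_(.+)$")


def directory_extensions(user: dict) -> dict:
    """Group extension_<appId>_<name> properties by the owning app ID
    (lower-cased, no hyphens): {appId: {name: value}}."""
    grouped = {}
    for key, value in user.items():
        m = _EXT_KEY_RE.match(key)
        if m:
            grouped.setdefault(m.group(1).lower(), {})[m.group(2)] = value
    return grouped


def extension_value(user: dict, name: str, app_id: str = None):
    """Look up one extension attribute, optionally restricted to an app ID
    (hyphens allowed). Raises when the same name exists under several apps
    and no app_id was given, rather than silently returning one of them."""
    wanted = app_id.replace("-", "").lower() if app_id else None
    hits = {app: attrs[name] for app, attrs in directory_extensions(user).items()
            if name in attrs and (wanted is None or app == wanted)}
    if len(hits) > 1:
        raise ValueError(f"{name!r} is defined by several apps: {sorted(hits)}")
    return next(iter(hits.values()), None)


def on_premises_extension_values(user: dict) -> dict:
    """Populated onPremisesExtensionAttributes (extensionAttribute1..15), nulls dropped."""
    attrs = user.get("onPremisesExtensionAttributes") or {}
    return {k: v for k, v in attrs.items() if v is not None}
```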
Using the extension API documented here:
https://msdn.microsoft.com/en-us/library/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions
in conjunction with the B2C Graph Client sample:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
I created a custom attribute via the AD Graph API for directory schema extensions using this API:
POST
https://graph.windows.net/contoso.onmicrosoft.com/applications/<applicationObjectId>/extensionProperties?api-version=1.6
{
  "name": "OrgRoleId",
  "dataType": "String",
  "targetObjects": [
    "User"
  ]
}
(Note I changed the API version to 1.6).
The API-created custom attributes appear using the B2CGraphClient sample and have the same data as those registered via the Azure portal for B2C.
However, these API-created custom attributes don't appear in the Azure portal 'User attributes' blade for the tenant, while those custom attributes created via the Azure portal for the B2C tenant do.
Note that I can successfully read and write these extension values for users (via the Graph API). I just cannot put them into claims because they don't appear on the 'User attributes' blade nor the policy claims blade in the Azure portal, and therefore they are not added as claims to the token.
What am I missing/doing wrong?
Output from B2C.exe Get-extension-attribute <b2c-extensions-app objectId>. *_Test1 appears (portal created), while *_UserRoleId does not (API created):
{
  "odata.metadata": "https://graph.windows.net/<tenant_id>/$metadata#directoryObjects/Microsoft.DirectoryServices.ExtensionProperty",
  "value": [
    {
      "odata.type": "Microsoft.DirectoryServices.ExtensionProperty",
      "objectType": "ExtensionProperty",
      "objectId": "f58bc813-632c-486b-bff1-61695eeab691",
      "deletionTimestamp": null,
      "appDisplayName": "",
      "name": "extension_<object_id>_Test1",
      "dataType": "String",
      "isSyncedFromOnPremises": false,
      "targetObjects": [
        "User"
      ]
    },
    {
      "odata.type": "Microsoft.DirectoryServices.ExtensionProperty",
      "objectType": "ExtensionProperty",
      "objectId": "5e69b2d9-1ab0-463f-a231-5c188e92b4a1",
      "deletionTimestamp": null,
      "appDisplayName": "",
      "name": "extension_<object_id>_UserRoleId",
      "dataType": "String",
      "isSyncedFromOnPremises": false,
      "targetObjects": [
        "User"
      ]
    }
    ...
When you add an extension attribute through the portal, it is created in the directory and owned by the b2c-extensions-app application and it is also added to a tenant-wide policy. That is what allows you to use them in application policies as you create them.
When you create an extension attribute using Graph API, it is not added to the policy and usually created on an application other than b2c-extensions-app. You can use these properties directly in custom policies, but they will not appear in the portal and cannot be used in the policies created through the portal.
It is a best practice to just create the extension properties through the portal so they are available for all policies. This allows customers to mix and match custom policies with built-in b2c user flows.