Azure DevOps permissions change for users API? - security

Is there an API for editing/adding users/user groups to a project's security groups in Azure DevOps? For example, creating a new security group under a project and adding members under it?

Creating a group and adding members to this new group are separate steps. As of now, we do not provide one API that can achieve both at once.
(1) To create a new user group under project level:
POST https://vssps.dev.azure.com/{organization}/_apis/graph/groups?scopeDescriptor={scopeDescriptor}&api-version=6.1-preview.1
Request body:
{
"displayName": "{group name}",
"description": "{The description of this group}"
}
Notes:
The only trouble here is getting the scopeDescriptor of the project. Since you are trying to add a group at the project level, scopeDescriptor is a necessary parameter of this API.
a. Please first use this API to retrieve the id of the project that you would like to add the group to.
GET https://dev.azure.com/{organization}/_apis/projects?api-version=6.0
b. Then call the Descriptors - Get API to get the corresponding scopeDescriptor.
GET https://vssps.dev.azure.com/{organization}/_apis/graph/descriptors/{storageKey}?api-version=5.0-preview.1
Please replace storageKey with the project Id, since we need to get the scope descriptor for a project. The content of the Value property is what we are looking for:
Please copy the "descriptor" value from the response body into a txt file after you create a new group successfully; it is the important parameter for the next steps.
(2) To add a member to this new group, please refer to this API:
POST https://vssps.dev.azure.com/{organization}/_apis/graph/users?groupDescriptors={xxxxx}&api-version=6.1-preview.1
Request body:
{
"principalName": "{user's account address}"
}
Notes:
Here, please input the descriptor value you copied from the previous API's response body as the value of the groupDescriptors parameter.
For the request body, just inputting the user's account address is fine.
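The two steps above chained together in Python, as an added example (not code from the answer above or from Microsoft): it looks up the project id, resolves the scope descriptor, creates the group and adds each member, all through one injectable transport. The urllib transport sends a personal access token as Basic auth; FakeDevOps and every id and descriptor it returns are constructed stand-ins so the flow can run offline, and the response field names it relies on (value, id, name, descriptor, principalName) are the ones the answer refers to.

```python
import base64
import json
from typing import Any, Callable, Dict, List, Optional
from urllib import request as urlrequest

# A transport is any callable send(method, url, body_or_None) -> parsed JSON.
Transport = Callable[[str, str, Optional[Dict[str, Any]]], Dict[str, Any]]

GRAPH_API_VERSION = "6.1-preview.1"


def basic_auth_header(pat: str) -> str:
    """Azure DevOps accepts a PAT as HTTP Basic auth with an empty user name."""
    return "Basic " + base64.b64encode(f":{pat}".encode()).decode()


def urllib_transport(pat: str) -> Transport:
    """Real transport for a live organization; the offline fake below never uses it."""
    def send(method: str, url: str, body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
        data = None if body is None else json.dumps(body).encode()
        req = urlrequest.Request(url, data=data, method=method)
        req.add_header("Authorization", basic_auth_header(pat))
        req.add_header("Content-Type", "application/json")
        with urlrequest.urlopen(req) as resp:
            return json.load(resp)
    return send


def find_project_id(send: Transport, org: str, project_name: str) -> str:
    """Step a: list the organization's projects and return the id of the named one."""
    data = send("GET", f"https://dev.azure.com/{org}/_apis/projects?api-version=6.0", None)
    for project in data.get("value", []):
        if project["name"].lower() == project_name.lower():
            return project["id"]
    raise LookupError(f"project {project_name!r} not found in organization {org!r}")


def project_scope_descriptor(send: Transport, org: str, project_id: str) -> str:
    """Step b: Descriptors - Get with the project id as storageKey; 'value' is the scope descriptor."""
    url = (f"https://vssps.dev.azure.com/{org}/_apis/graph/descriptors/"
           f"{project_id}?api-version=5.0-preview.1")
    return send("GET", url, None)["value"]


def create_project_group(send: Transport, org: str, scope: str, name: str, description: str) -> str:
    """Step (1): create the group under the project scope and return its descriptor."""
    url = (f"https://vssps.dev.azure.com/{org}/_apis/graph/groups"
           f"?scopeDescriptor={scope}&api-version={GRAPH_API_VERSION}")
    return send("POST", url, {"displayName": name, "description": description})["descriptor"]


def add_group_member(send: Transport, org: str, group_descriptor: str, principal_name: str) -> Dict[str, Any]:
    """Step (2): add one user, identified by account address, to the group."""
    url = (f"https://vssps.dev.azure.com/{org}/_apis/graph/users"
           f"?groupDescriptors={group_descriptor}&api-version={GRAPH_API_VERSION}")
    return send("POST", url, {"principalName": principal_name})


def create_group_with_members(send: Transport, org: str, project_name: str, group_name: str,
                              description: str, members: List[str]) -> Dict[str, Any]:
    """The whole procedure: project id -> scope descriptor -> new group -> members."""
    project_id = find_project_id(send, org, project_name)
    scope = project_scope_descriptor(send, org, project_id)
    group = create_project_group(send, org, scope, group_name, description)
    added = [add_group_member(send, org, group, member)["principalName"] for member in members]
    return {"groupDescriptor": group, "added": added}


class FakeDevOps:
    """Constructed offline stand-in for the service: records calls, returns canned bodies."""

    def __init__(self) -> None:
        self.calls: List[tuple] = []

    def __call__(self, method: str, url: str, body: Optional[Dict[str, Any]]) -> Dict[str, Any]:
        self.calls.append((method, url, body))
        if "/_apis/projects" in url:
            return {"count": 1, "value": [{"id": "11111111-2222-3333-4444-555555555555", "name": "Contoso"}]}
        if "/_apis/graph/descriptors/" in url:
            return {"value": "scp.EXAMPLESCOPE"}  # constructed scope descriptor
        if "/_apis/graph/groups" in url:
            return {"displayName": body["displayName"], "descriptor": "vssgp.EXAMPLEGROUP"}
        if "/_apis/graph/users" in url:
            return {"principalName": body["principalName"], "descriptor": "aad.EXAMPLEUSER"}
        raise AssertionError(f"unexpected call {method} {url}")


if __name__ == "__main__":
    print(create_group_with_members(FakeDevOps(), "contoso-org", "Contoso", "Release Approvers",
                                    "May approve production releases", ["alice@contoso.com"]))
```

Pass urllib_transport(pat) instead of the fake to run it against a real organization. Keep the PAT out of the script (environment variable or secret store) and scope it narrowly, since the token that can create groups and add members is itself a permission-changing credential.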

Related

Microsoft Graph error processing a storage extension while getting subscription by ID

I am trying to get a subscription by ID from Microsoft Graph REST. If I list the subscriptions using GET /subscriptions, things are working fine and I am able to list all subscriptions. But if I take a subscription id from the list and try to get the details using GET /subscriptions/{id}, I am getting the following error:
{
"error":
{
"code":"ExtensionError",
"message":"There was an error processing a storage extension.",
"innerError":
{
"date":"2021-10-12T06:59:47",
"request-id":"ffa4f181-148d-49ed-8c9d-f551f6ddd6f0",
"client-request-id":"ffa4f181-148d-49ed-8c9d-f551f6ddd6f0"
}
}
}
Any ideas on where I might be going wrong?
PS: I am trying to get an individual subscription because the /subscriptions route does not provide the clientState property which is required for me.
When I route to the same /subscriptions endpoint I get the @odata.context link.
I opened the same link, searched for clientState and got its type but not its value.
Note: the clientState property value is not returned for security purposes.
Refer to this GitHub issue:
Note: clientState is not set for List Subscriptions on purpose, by design, because subscription collections could be listed by, say, some other user (for example a tenant admin using Subscription.Read.All). It is not desirable to share this clientState information through the listing API with a user who is not the creator of the subscription.
Reference : https://github.com/microsoftgraph/microsoft-graph-docs/issues/5248
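The answer's point, that clientState is deliberately absent from list and get responses, means the subscription creator has to keep its own copy and validate incoming change notifications against it. The following Python is an added example, not code from the thread or from Microsoft: it generates a clientState when building the POST /subscriptions body, records it under the subscription id Graph returns, and accepts only notifications whose clientState matches in constant time. SUBSCRIPTION_SECRETS is a constructed in-memory stand-in for a durable store, and every id and URL in the example is an assumed value.

```python
import hmac
import secrets
from typing import Any, Dict, List

# Constructed in-memory stand-in for the durable store (database, key vault) in which
# the subscription creator keeps each subscription's clientState, because Graph
# will not return it from GET /subscriptions/{id} or the list call later.
SUBSCRIPTION_SECRETS: Dict[str, str] = {}


def new_subscription_request(change_type: str, notification_url: str,
                             resource: str, expiration: str) -> Dict[str, str]:
    """Body for POST /subscriptions with a freshly generated clientState."""
    return {
        "changeType": change_type,
        "notificationUrl": notification_url,
        "resource": resource,
        "expirationDateTime": expiration,
        # 32 random bytes, URL-safe encoded: 43 characters, within the 128-character limit.
        "clientState": secrets.token_urlsafe(32),
    }


def remember_subscription(created: Dict[str, Any], requested: Dict[str, str]) -> None:
    """Record the clientState we sent under the id Graph assigned in its response."""
    SUBSCRIPTION_SECRETS[created["id"]] = requested["clientState"]


def client_state_matches(subscription_id: str, supplied: Any) -> bool:
    """Constant-time comparison against our stored copy; unknown subscriptions never match."""
    expected = SUBSCRIPTION_SECRETS.get(subscription_id)
    if expected is None or not isinstance(supplied, str):
        return False
    return hmac.compare_digest(expected.encode(), supplied.encode())


def accepted_notifications(payload: Dict[str, Any]) -> List[Dict[str, Any]]:
    """Filter a change-notification POST body down to the entries whose clientState we can verify."""
    return [note for note in payload.get("value", [])
            if client_state_matches(note.get("subscriptionId", ""), note.get("clientState"))]


if __name__ == "__main__":
    request = new_subscription_request("created", "https://hook.example/notify",
                                       "/me/mailFolders('Inbox')/messages", "2021-10-13T07:00:00Z")
    # Constructed stand-in for the response Graph would return to the POST.
    remember_subscription({"id": "sub-constructed-1"}, request)
    print(accepted_notifications({"value": [
        {"subscriptionId": "sub-constructed-1", "clientState": request["clientState"]},
        {"subscriptionId": "sub-constructed-1", "clientState": "forged"},
    ]}))
```

Because the value is only ever known to the creator, losing the stored copy means recreating the subscription; the check is what stops an unauthenticated POST to the notification URL from being processed as a genuine change.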

Inviting a guest User to a SharePoint Site using PowerAutomate

We are developing a PowerAutomate Flow to automate the process of inviting external users to a SharePoint Site.
Below are the steps being followed so far:
1. Created an MS Form for an external user to register
2. Passing the response (Email) from the form to the flow
3. Adding the user to a SharePoint Group using the email parameter and sending an email invite to the External User (Requirement)
I have been able to get to point no 2; however, I have been experiencing challenges achieving point no 3.
I came across different articles online for adding guest users; however, most of them talk about adding the guest to Azure AD, as shown below:
https://medium.com/southworks/adding-a-guest-to-an-office-365-sharepoint-site-with-javascript-fa7604ad8678
https://laurakokkarinen.com/how-to-build-a-guest-user-self-service-registration-for-office-365-with-azure/
https://www.timlinenterprises.com/how-to-invite-external-users-using-microsoft-flow-and-microsoft-graph-api/
I also checked a few articles on running PowerShell commands from Flow; however, this approach doesn't look straightforward either.
The below article works only for internal users:
https://www.c-sharpcorner.com/article/add-the-users-to-the-sharepoint-groups-using-microsoft-flow/
The end goal here is to invite an external user to a SharePoint Site once the user registers through a registration form (MS Form).
I would appreciate it if anyone could help me out in achieving this.
Thanks in advance
Before inviting the user to SharePoint you must add him to Azure AD. So you will need to configure an HTTP action to invite the user first.
If you are using SharePoint Modern Sites (those that have a Microsoft 365 group associated), you need to create an HTTP action to add the guest to the group:
HTTP Action Configuration Here
NOTE: HTTP will not accept "#" sign directly, so you need to put it into a "Compose" or "Variable" and add it as per my screenshot.
In the URI you have the Group ID from Azure AD.
In the Body it's the guest user ID.
You will need to register an Azure AD App to use for the HTTP action and give it the following permissions:
Graph -> Application -> GroupMember.ReadWrite.All, Group.ReadWrite.All and Directory.ReadWrite.All
https://learn.microsoft.com/en-us/graph/api/group-post-members?view=graph-rest-1.0&tabs=http#permissions
Use the App ID and Secret to connect the HTTP action.
This is my solution to add Guest Users to Private Channels in MS Teams with PowerAutomate.
Step0 - Register the domain of the Guest Users in your AD account as a valid Guest Domain
Step1 - Use a registration form (MS Forms)
Step2 - Create a Trigger Process in MS PowerAutomate to receive the Form Data. I like to create small/short flows that only capture and validate form data, and then call a separate Flow / RestService. This makes your solution a little bit more decoupled and reusable. (Imagine replacing the Form with a web app form or mobile app form in the future.)
Create a second HTTP request trigger flow receiving the Form data (optional way to set up a multi-flow solution)
Step3 - Create a Private Channel in Teams via GraphAPI
GraphAPI - POST https://graph.microsoft.com/v1.0/teams/<teams_id>/channels
POST BODY:
{
  "membershipType": "private",
  "displayName": "<e.g. channel name from form data>",
  "description": "<e.g. description from form data>",
  "members": [
    {
      "@odata.type": "#microsoft.graph.aadUserConversationMember",
      "user@odata.bind": "https://graph.microsoft.com/v1.0/users('owner.user@mydomain.com')",
      "roles": [
        "owner"
      ]
    }
  ],
  "@odata.type": "#Microsoft.Graph.channel"
}
Step4 - Call GraphAPI to retrieve the Guest User Details
GraphAPI: GET https://graph.microsoft.com/v1.0/users?$filter=mail eq 'guest.user@email.com'
I have added this in a loop, since I had many members who had to be added, and I also included a condition check to verify that the domain is indeed valid.
Now you can assign the output (or portions of the output) to some variables.
Step5 - Retrieve the ID value from the step above (Step4). This is the value that must be used to add the new guest member.
Retrieve the ID from the Step4 output
Also set a variable to the account type, which should (MUST) be "guest"
Now - Add guest users to the private teams channel
Step6 - Call GraphAPI to add guest members
GraphAPI: POST https://graph.microsoft.com/v1.0/teams/<team_id>/channels/<channel_id>/members
Post Body:
The role must be "guest" for a guest account,
but valid options for other types of access can be:
owner
member
guest
Microsoft documentation (HERE) states roles must be owner or empty.
This did not work so well for me.
Use guest:
{
  "@odata.type": "#microsoft.graph.aadUserConversationMember",
  "roles": [
    "@{variables('membership_type')}"
  ],
  "user@odata.bind": "https://graph.microsoft.com/v1.0/users('@{variables('principal_user')}')"
}
Bonus Step
Now you can catch all responses from the previous steps and respond back with an HTTP Request/Response connector.
A 200 response on successful executions
A non-200 response on failed executions (or however you desire)
To configure exception handling or failure handling responses do this below
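Steps 0 and 3 to 6 of this answer as request builders in Python, an added example rather than the author's flow or Microsoft's code. It generalizes the answer's domain check a little: a guest domain allow-list, OData escaping of the mail value placed in the $filter (a stray quote in a form field must not rewrite the filter), and a check that the looked-up account really is a Guest before it is added with the guest role. ALLOWED_GUEST_DOMAINS and every id are constructed; the functions return (method, url, body) tuples so they can be exercised without a tenant.

```python
from typing import Any, Dict, Tuple
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"
Request = Tuple[str, str, Dict[str, Any]]   # (HTTP method, URL, JSON body; {} when none)

# Constructed allow-list standing in for the guest domains registered in Step0.
ALLOWED_GUEST_DOMAINS = {"partner.example"}


def guest_domain_allowed(email: str) -> bool:
    """Step0 check: only addresses whose domain is on the allow-list may be looked up."""
    local, sep, domain = email.rpartition("@")
    return bool(sep) and bool(local) and domain.lower() in ALLOWED_GUEST_DOMAINS


def odata_literal(value: str) -> str:
    """Quote a string for $filter; a ' inside the value is doubled so it cannot end the literal."""
    return "'" + value.replace("'", "''") + "'"


def create_private_channel_request(team_id: str, name: str, description: str, owner_upn: str) -> Request:
    """Step3: private channel with one owner."""
    body = {
        "@odata.type": "#Microsoft.Graph.channel",
        "membershipType": "private",
        "displayName": name,
        "description": description,
        "members": [{
            "@odata.type": "#microsoft.graph.aadUserConversationMember",
            "user@odata.bind": f"{GRAPH}/users('{owner_upn}')",
            "roles": ["owner"],
        }],
    }
    return ("POST", f"{GRAPH}/teams/{team_id}/channels", body)


def find_user_request(email: str) -> Request:
    """Step4: look the guest up by mail; userType is selected explicitly since it is not in the default property set."""
    if not guest_domain_allowed(email):
        raise ValueError(f"{email!r} is not from an allowed guest domain")
    flt = quote(f"mail eq {odata_literal(email)}", safe="'@=")
    return ("GET", f"{GRAPH}/users?$filter={flt}&$select=id,mail,userType", {})


def pick_guest(lookup_response: Dict[str, Any]) -> str:
    """Step5: take the id from the lookup, insisting on exactly one hit that is a Guest account."""
    hits = lookup_response.get("value", [])
    if len(hits) != 1:
        raise LookupError(f"expected exactly one user, got {len(hits)}")
    user = hits[0]
    if user.get("userType") != "Guest":
        raise ValueError(f"{user.get('mail')} is a {user.get('userType')} account, not a Guest")
    return user["id"]


def add_channel_member_request(team_id: str, channel_id: str, user_id: str, role: str = "guest") -> Request:
    """Step6: add the member with the role the answer found to work for guests."""
    body = {
        "@odata.type": "#microsoft.graph.aadUserConversationMember",
        "roles": [role],
        "user@odata.bind": f"{GRAPH}/users('{user_id}')",
    }
    return ("POST", f"{GRAPH}/teams/{team_id}/channels/{channel_id}/members", body)


if __name__ == "__main__":
    print(find_user_request("o'brien@partner.example"))
    print(create_private_channel_request("TEAM-ID", "Partner sync", "Shared with partner", "owner.user@mydomain.com"))
    print(add_channel_member_request("TEAM-ID", "CHANNEL-ID", "USER-ID"))
```

In a flow the same checks map onto a Condition action on the form's domain and on userType from the Step4 output; binding the member by the id returned in Step5, not by the address typed into the form, is what keeps the lookup and the add consistent.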

How to get team avatar from DevOps api

I have tried to get team details using the DevOps API, and I can get them, but I am unable to get the team avatar/image. In the response there is only text information; no descriptor is available.
I am using this way to get it:
https://learn.microsoft.com/en-us/rest/api/azure/devops/core/teams/get?view=azure-devops-rest-6.0
Can you please guide me on how I can get the team avatar/image?
In Azure DevOps security, subjectDescriptor is the user's SID. It is used as identification when operating some security controls. This parameter can uniquely identify the same graph subject across both Accounts and Organizations.
To get it, just use the following API:
GET https://vssps.dev.azure.com/{org name}/_apis/graph/users?api-version=5.1-preview.1
From its response body, you can get the descriptor value of the corresponding user.
Next, you can pass the corresponding descriptor value as subjectDescriptor into REST API Avatars - Get:
GET https://vssps.dev.azure.com/{organization}/_apis/graph/Subjects/{subjectDescriptor}/avatars?api-version=6.0-preview.1
In addition, the return result of the above REST API is the content of the image; in order to get the image of the avatar, we need to provide the parameter format=png:
Update:
This API is for the user avatar... I want to get the project avatar.
To get the project avatar, we need to get the subjectDescriptor of the project. We could use the REST API:
https://dev.azure.com/{organization}/_apis/graph/descriptors/{Teams Id}?api-version=5.0-preview.1
To get the Teams Id, we could use the Teams - Get All Teams:
GET https://dev.azure.com/{organization}/_apis/teams?api-version=5.1-preview.1
Then get the Id of the descriptor for the team's project:
Now, we could get the project avatar:
Use Subject Query from Azure DevOps API Graph
Ref: https://learn.microsoft.com/en-us/rest/api/azure/devops/graph/subject%20query/query?view=azure-devops-rest-6.0
Define the body like this:
{
"query": "Your Group Name",
"subjectKind": [ "Group" ]
}
The descriptor is at the end of each item in a result.
Then use it in the below request to get the avatar:
https://dev.azure.com/(Organization)/_apis/GraphProfile/MemberAvatars/(descriptor)

Azure REST API get resource parentResourcePath parameter

Context
I would like to get a resource's details with the Azure REST API. More particularly, I want to get the IAM associated with a resource.
Problem
So, I searched in the doc reference and found that endpoint: https://learn.microsoft.com/en-us/rest/api/resources/resources/get which provides an identity response attribute that meets my needs.
However, I can't find any information about the required path parameter parentResourcePath. What does that parameter mean, and how can I get its value for a specific resource?
Also, when I tried going through the resources group path, I can get a path to the resource details but without the parentResourcePath parameter, and the response doesn't include the identity attribute.
Finally, am I going the right way (using the GET resource API)? And if so, where can I find that parentResourcePath value?
Actually, you have a better choice - Resources - Get By Id.
The /subscriptions/{subscriptionId}/resourcegroups/{resourceGroupName}/providers/{resourceProviderNamespace}/{parentResourcePath}/{resourceType}/{resourceName} path in the Resources - Get API is the resourceId used in Resources - Get By Id.
But if you combine the properties manually, it is not easy; Azure has many different resource providers and resource types.
Generally, you could find the resourceId in your resource in the portal -> Properties. Also, the response of this API will include the identity which you need.
Sample:
Get a web app resource.
The resourceId is like /subscriptions/xxxxxxx/resourceGroups/joywebapp/providers/Microsoft.Web/sites/joywebapp2.
You can click Try it in the doc to try the api.
Response:
Well, I made it through the Role assignment list for scope endpoint, giving the subscription/resource group/resource in the scope. The output contains a principalId attribute that seems to point to a user, group or service principal.
Ref: https://learn.microsoft.com/en-us/rest/api/authorization/roleassignments/listforscope
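An added example in Python (not from the thread or from Microsoft) that builds the two URLs the answers refer to and reads a Role Assignments - List For Scope response the way an access reviewer would: assignments inherited from a wider scope come back alongside those made on the resource itself, so the summary flags them by comparing each assignment's properties.scope with the scope that was queried. SAMPLE_RESPONSE and all ids in it are constructed, patterned on the resourceId quoted above, and api_version is left to the caller because the linked reference pages give the current value.

```python
from typing import Any, Dict, List

ARM = "https://management.azure.com"


def check_scope(scope: str) -> str:
    """An ARM scope is a subscription, resource group or resource id path."""
    if not scope.startswith("/subscriptions/") or scope.endswith("/"):
        raise ValueError(f"not an ARM scope: {scope!r}")
    return scope


def resource_get_by_id_url(resource_id: str, api_version: str) -> str:
    """Resources - Get By Id: the full resourceId is the path, so no parentResourcePath is needed."""
    return f"{ARM}{check_scope(resource_id)}?api-version={api_version}"


def role_assignments_url(scope: str, api_version: str) -> str:
    """Role Assignments - List For Scope."""
    return f"{ARM}{check_scope(scope)}/providers/Microsoft.Authorization/roleAssignments?api-version={api_version}"


def summarize_role_assignments(scope: str, response: Dict[str, Any]) -> List[Dict[str, Any]]:
    """One row per assignment, flagging those inherited from a wider scope than the one queried."""
    rows = []
    for assignment in response.get("value", []):
        props = assignment["properties"]
        rows.append({
            "principalId": props["principalId"],
            "principalType": props.get("principalType", "Unknown"),
            # Only the definition's id; resolve the name through Role Definitions - Get.
            "role": props["roleDefinitionId"].rsplit("/", 1)[-1],
            "assignedAt": props["scope"],
            "inherited": props["scope"].lower() != scope.lower(),
        })
    return rows


# Constructed sample; every id below is a placeholder.
SUBSCRIPTION = "/subscriptions/00000000-0000-0000-0000-000000000000"
WEB_APP = SUBSCRIPTION + "/resourceGroups/joywebapp/providers/Microsoft.Web/sites/joywebapp2"
SAMPLE_RESPONSE = {"value": [
    {"id": WEB_APP + "/providers/Microsoft.Authorization/roleAssignments/ra-1",
     "properties": {"principalId": "PRINCIPAL-A", "principalType": "User",
                    "roleDefinitionId": SUBSCRIPTION + "/providers/Microsoft.Authorization/roleDefinitions/ROLE-DEF-A",
                    "scope": WEB_APP}},
    {"id": SUBSCRIPTION + "/providers/Microsoft.Authorization/roleAssignments/ra-2",
     "properties": {"principalId": "PRINCIPAL-B", "principalType": "ServicePrincipal",
                    "roleDefinitionId": SUBSCRIPTION + "/providers/Microsoft.Authorization/roleDefinitions/ROLE-DEF-B",
                    "scope": SUBSCRIPTION}},
]}


if __name__ == "__main__":
    for row in summarize_role_assignments(WEB_APP, SAMPLE_RESPONSE):
        print(row)
```

The inherited flag is the part worth keeping when reviewing who can act on a resource: a subscription-level assignment to a service principal grants the same access to the web app as one made directly on it, and it is easy to miss when only the resource's own IAM blade is checked.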

Adding custom metadata field to DocuSign template

I need to be able to filter the templates that my organization has in docusign after I make a getTemplates API call. Right now we are filtering by folder name, but this solution is not ideal. Templates can easily get moved and the folders are created by the individual user not by organization, so every user in our organization would have to create the same folder structure.
Is there a way to add custom data to a template? Ideally, this field would be returned with the JSON response from DocuSign. Something like:
JSON Response from DocuSign
{
"envelopeTemplates": [
{
"allowMarkup": "sample string 30",
... other standard template properties ...
"customMetaData": {
"foo": "bar" // what ever the user wants to add here
}
}
]
}
Or does anyone have a better idea for filtering templates?
There are two possible ways to add the metadata to the template:
Template Custom Fields let you specify metadata that gets associated at the Template level. This data isn't visible to recipients; it's just extra metadata that you can associate with a template and query later (via API). See here for more info.
Document Custom Fields let you specify metadata that gets associated at the Document level. This data isn't visible to recipients in any way; it's just extra metadata that you can associate with a specific Document and query later (via API). See here for more info.
It is possible to add custom data to a given template by adding a "Custom Field". See here how to Add Custom Document Fields to a Template Document
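One way to use template custom fields for the filtering the question asks about, as an added example in Python (not the DocuSign SDK and not code from the answers): it lists the account's templates, fetches each one's custom fields through the /custom_fields sub-resource and keeps the templates whose named field has the wanted value. FakeDocuSign, its template ids, names and field values are constructed; a real client would be any callable that sends an authenticated request to /restapi/v2.1/accounts/{accountId} followed by the given path.

```python
from typing import Any, Callable, Dict, List

# A client is any callable send(method, path) -> parsed JSON, where path is relative to
# /restapi/v2.1/accounts/{accountId}; the callable supplies the base URL and the auth header.
Send = Callable[[str, str], Dict[str, Any]]


def template_custom_fields(send: Send, template_id: str) -> Dict[str, str]:
    """Flatten a template's text and list custom fields into a name -> value mapping."""
    data = send("GET", f"/templates/{template_id}/custom_fields")
    fields: Dict[str, str] = {}
    for field in data.get("textCustomFields", []) + data.get("listCustomFields", []):
        fields[field["name"]] = field.get("value", "")
    return fields


def templates_tagged(send: Send, field_name: str, wanted: str) -> List[Dict[str, Any]]:
    """List templates and keep those whose custom field field_name equals wanted."""
    templates = send("GET", "/templates").get("envelopeTemplates", [])
    matches = []
    for template in templates:
        fields = template_custom_fields(send, template["templateId"])
        if fields.get(field_name) == wanted:
            matches.append({"templateId": template["templateId"],
                            "name": template.get("name"), "customFields": fields})
    return matches


class FakeDocuSign:
    """Constructed offline stand-in for an account with three templates."""
    TEMPLATES = {"envelopeTemplates": [
        {"templateId": "tmpl-1", "name": "Mutual NDA"},
        {"templateId": "tmpl-2", "name": "Master services agreement"},
        {"templateId": "tmpl-3", "name": "Offer letter"},
    ]}
    FIELDS = {
        "tmpl-1": {"textCustomFields": [{"name": "department", "value": "legal", "show": "false"}]},
        "tmpl-2": {"textCustomFields": [{"name": "department", "value": "legal", "show": "false"}],
                   "listCustomFields": [{"name": "region", "value": "EMEA", "listItems": ["EMEA", "AMER"]}]},
        "tmpl-3": {"textCustomFields": [{"name": "department", "value": "hr", "show": "false"}]},
    }

    def __init__(self) -> None:
        self.calls: List[tuple] = []

    def __call__(self, method: str, path: str) -> Dict[str, Any]:
        self.calls.append((method, path))
        if path == "/templates":
            return self.TEMPLATES
        if path.startswith("/templates/") and path.endswith("/custom_fields"):
            return self.FIELDS.get(path.split("/")[2], {})
        raise AssertionError(f"unexpected call {method} {path}")


if __name__ == "__main__":
    print(templates_tagged(FakeDocuSign(), "department", "legal"))
```

The template listing itself does not carry the custom fields, so this costs one extra request per template; cache the mapping if the list is long. Because a field set on a template is copied into envelopes created from it, the same name can also be used to filter envelopes later.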
