Group name as claim in Azure AD - azure

I have an enterprise app used to send claims to an on-prem ADFS.
I need to send the group names my Guest users belong to. I know that OOTB you can only send the Group ID.
As suggested in other posts I can use the Graph API to get the group name, but how can I then send this as claim?

Unfortunately, it's only possible to get the object ids as of right now. This may be implemented in the future, however, in order to get the group names you will need to have some sort of service that makes calls to the Microsoft graph utilizing the ID.
Please raise a UserVoice request or vote for a similar UserVoice request.

Related

How to get members of an Azure DevOps project Project Administrators group

I have Azure DevOps projects which contain a group called "Project Administrators". I am adding AAD members and an AAD group to this Team Group.
Members added as type " aad user"
Group added as type "user"
Using the REST API "https://vsaex.dev.azure.com//_apis/GroupEntitlements//members" I am able to retrieve all AAD members, but not the AAD group. How can I fetch the AAD group?
Can someone help me?
Case1
If you want to get a specific group from your account, make use of the REST API call below:
GET https://vssps.dev.azure.com/{organization}/_apis/graph/groups/{groupDescriptor}?api-version=6.0-preview.1
Refer to this link to know more in detail.
Case2
If you want the group entitlements of a specific group in your account, make use of the REST API call below:
GET https://vsaex.dev.azure.com/{organization}/_apis/groupentitlements/{groupId}?api-version=6.0-preview.1
Refer to this link to know more in detail.
Case3
If you want to get a list of all groups present in your current scope (account), make use of the REST API call below:
GET https://vssps.dev.azure.com/{organization}/_apis/graph/groups?api-version=6.0-preview.1
Refer to this link to know more in detail.
Case4
If you want to get a list of all group entitlements in your account, make use of the REST API call below:
GET https://vsaex.dev.azure.com/{organization}/_apis/groupentitlements?api-version=6.0-preview.1
Refer to this link to know more in detail. Please see this reference if it is helpful.
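The Case 3 call returns one page at a time, and the question only wants the AAD-backed groups out of it. The following is an added example, not code from the answer above: it assumes a caller-supplied `get` callable that performs an authenticated GET and returns `(json_body, response_headers)`, follows the `X-MS-ContinuationToken` response header for paging, and filters on the group's `origin` property (both of which are assumptions about the Graph Groups API, not something the answer states). The two-page sample response is constructed.

```python
"""List Azure DevOps groups and keep only the AAD-backed ones.

Added example; not code from the answer above. It assumes a caller-supplied
``get`` callable that performs an authenticated GET and returns
``(json_body, response_headers)``. The list endpoint is the one in Case 3;
paging via the ``X-MS-ContinuationToken`` response header and filtering on
the group's ``origin`` property are assumptions about the Graph Groups API.
The two-page sample response is constructed.
"""
from typing import Callable, Dict, Iterator, List, Tuple

API_VERSION = "6.0-preview.1"


def list_groups(organization: str,
                get: Callable[[str], Tuple[dict, Dict[str, str]]]) -> Iterator[dict]:
    """Yield every group in the organization, following continuation tokens."""
    base = f"https://vssps.dev.azure.com/{organization}/_apis/graph/groups"
    url = f"{base}?api-version={API_VERSION}"
    seen_tokens = set()  # guard against a server that keeps returning the same token
    while True:
        body, headers = get(url)
        yield from body.get("value", [])
        token = headers.get("X-MS-ContinuationToken")
        if not token or token in seen_tokens:
            return
        seen_tokens.add(token)
        url = f"{base}?continuationToken={token}&api-version={API_VERSION}"


def aad_groups(organization: str,
               get: Callable[[str], Tuple[dict, Dict[str, str]]]) -> List[dict]:
    """Groups whose identity comes from Azure AD rather than being native to the org."""
    return [g for g in list_groups(organization, get) if g.get("origin") == "aad"]


# --- constructed sample: two pages, mixing native (vsts) and AAD-backed groups ---
PAGE_ONE = {"value": [
    {"displayName": "Project Administrators", "origin": "vsts",
     "descriptor": "vssgp.constructed-1"},
    {"displayName": "Contoso Build Engineers", "origin": "aad",
     "descriptor": "aadgp.constructed-2",
     "originId": "aaaaaaaa-0000-0000-0000-000000000001"},
]}
PAGE_TWO = {"value": [
    {"displayName": "Contoso Release Approvers", "origin": "aad",
     "descriptor": "aadgp.constructed-3",
     "originId": "aaaaaaaa-0000-0000-0000-000000000002"},
]}


def fake_get(url: str) -> Tuple[dict, Dict[str, str]]:
    """Stand-in transport: the first call returns page one plus a continuation token."""
    if "continuationToken=" in url:
        return PAGE_TWO, {}
    return PAGE_ONE, {"X-MS-ContinuationToken": "constructed-token"}


if __name__ == "__main__":
    for g in aad_groups("my-org", fake_get):
        print(g["displayName"], g["originId"])
```

Replace `fake_get` with a real transport (PAT or OAuth bearer header) to run it against an organization; `originId` on an AAD-backed group is the Azure AD object id, which is what you need to cross-reference with the entitlements calls in Cases 2 and 4.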

Azure group claim returns Object ID - Need group name

I have been using Azure for Single Sign-On.
For group claims, during the assertion we see only the security group object ID in the response:
e4feedb1-df0e-46ff-8a02-e63474015610
Is it possible to get the group name here in the response instead of the group's object ID?
If (and only if) the groups in question are groups which have been synced from on-premises AD, you can configure the groups claim to include the on-premises sAMAccountName or the on-premises SID.
Note: Including the display name is not supported. (Display names are not unique, and in most organizations any user is able to create and manage their own groups, making any sort of authorization decision based on group display names a very risky proposition.)
Issuing group claims can be done for both gallery and non-gallery (i.e. custom) SAML apps (i.e. under Enterprise apps), through the app registration in the Azure portal (App registrations > Token configuration), or directly on the app registration's Application object by updating the optionalClaims property (e.g. via the manifest editor or through Microsoft Graph).
https://learn.microsoft.com/azure/active-directory/hybrid/how-to-connect-fed-group-claims
I'm afraid that it's only supported to get the object ids currently.
You need to call Microsoft Graph to get the Group name.
If you do need this feature, upvote this post on UserVoice and it may be implemented in the future.
A similar question answered by a Microsoft engineer here.
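Both this question and the first one on this page end with the same advice: the token or assertion carries group object ids, and a service of your own has to call Microsoft Graph to turn them into names. The block below is an added example of that service, not code from either answer. It assumes a caller-supplied `post` callable that performs an authenticated POST to Graph and returns the decoded JSON body; the endpoint it uses, `POST /v1.0/directoryObjects/getByIds`, is real, while the group ids, display names and the fake transport are constructed. It also keeps the authorization decision keyed on object ids, for the reason the answer above gives about display names.

```python
"""Resolve group object ids from a groups claim to display names via Graph.

Added example (not from the answers on this page). Assumes a caller-supplied
``post`` callable that performs an authenticated HTTPS POST to Microsoft Graph
and returns the decoded JSON body. POST /v1.0/directoryObjects/getByIds is a
real Graph endpoint; the sample ids, names and transport are constructed.
"""
from typing import Callable, Dict, Iterable, List, Set

GRAPH = "https://graph.microsoft.com/v1.0"
GET_BY_IDS_MAX = 1000  # Graph accepts at most 1000 ids per getByIds request


def chunked(items: List[str], size: int) -> Iterable[List[str]]:
    for i in range(0, len(items), size):
        yield items[i:i + size]


def resolve_group_names(group_ids: Iterable[str],
                        post: Callable[[str, dict], dict]) -> Dict[str, str]:
    """Map each group object id to its displayName; ids Graph cannot resolve are omitted."""
    ids = sorted(set(group_ids))
    names: Dict[str, str] = {}
    for batch in chunked(ids, GET_BY_IDS_MAX):
        body = {"ids": batch, "types": ["group"]}
        resp = post(f"{GRAPH}/directoryObjects/getByIds", body)
        for obj in resp.get("value", []):
            # Only group objects are of interest; anything else is skipped
            if obj.get("@odata.type") == "#microsoft.graph.group":
                names[obj["id"]] = obj.get("displayName", "")
    return names


def authorize(claim_group_ids: Iterable[str], role_map: Dict[str, str]) -> Set[str]:
    """Roles granted by the claim. Keyed on object ids: names are only for display."""
    return {role_map[g] for g in claim_group_ids if g in role_map}


# --- constructed sample directory, answered by the fake transport below ---
SAMPLE_DIRECTORY = {
    "11111111-1111-1111-1111-111111111111": "Finance Readers",
    "22222222-2222-2222-2222-222222222222": "App Admins",
}


def fake_post(url: str, body: dict) -> dict:
    """Stand-in for an authenticated Graph call; mirrors the getByIds response shape."""
    assert url.endswith("/directoryObjects/getByIds")
    return {"value": [
        {"@odata.type": "#microsoft.graph.group", "id": gid, "displayName": name}
        for gid, name in SAMPLE_DIRECTORY.items() if gid in body["ids"]
    ]}


if __name__ == "__main__":
    # A groups claim as received by the app: one id is unknown to the directory
    claim = ["22222222-2222-2222-2222-222222222222",
             "11111111-1111-1111-1111-111111111111",
             "33333333-3333-3333-3333-333333333333"]
    print(resolve_group_names(claim, fake_post))
    print(authorize(claim, {"22222222-2222-2222-2222-222222222222": "admin"}))
```

The resolved names are for logging and UI only; an id that Graph cannot resolve (deleted group, or one the calling identity may not read) simply has no name, and the `authorize` decision is unaffected by that.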

docusign custom connector pricing plans and API base path doubts

I have some doubts regarding the custom connector we are trying to build for DocuSign:
1. Regarding the license plan that needs to be bought by the customers who will be granting access for our connector to collect data from their DocuSign organization account. I am looking at the link https://www.docusign.com/products-and-pricing. API access support is mentioned only in the advanced solution. So I was wondering whether only we need to have the "Advanced solutions plan with APIs support" plan or all our customers need API access support in order to fetch their data.
2. As per the documentation, to make the REST API calls we need two fields, 'base_uri' and 'account_id' (https://developers.docusign.com/esign-rest-api/guides/authentication/user-info-endpoints). Now, the response of the userInfo API call gives an array of accounts and their respective fields. My doubt is, if multiple authenticated users (more than one account) are returned in this array but all are part of the same organization, will they all have different account_ids? The main concern here is, will there be several Base Paths (https://developers.docusign.com/esign-rest-api/guides/authentication/user-info-endpoints#form-your-base-path) to make API calls?
2a. A further question is, what is the significance of the 'is_default' field?
Is this related to the main account (if is_default is true) using which we will create our Base Path?
Since this is a tech/engineering forum I'm going to answer only question #2 as question #1 is more of a business/sales question.
The reason you may get multiple accounts is that an authenticated user in DocuSign can be a member of multiple accounts. That said, it's the same user. Meaning, say foobar@blah.com has an account 123 with company X and account 456 with his school, then it's possible that when foobar@blah.com authenticates (with the same password!) to DocuSign we have a list of accounts associated with that user. We give you all of them when you make the API call. The default one is the main one that you would see when you log into our web app. You can decide yourself as the user which one is the default. Users who log into our web app then see an option at the top-right to change accounts.
And yes, every API call is associated with a specific account. So when you construct the URLs for your API, you do need to know which account for this user you are making the API call for. Your application can decide how to handle this.
Hope this helps.
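The answer above leaves the account selection to the application. The following is an added example of doing that, not DocuSign's code or code from the answer: it works on the `/oauth/userinfo` response shape the question links to (an `accounts` array whose entries carry `account_id`, `is_default`, `account_name` and `base_uri`) and on the documented rule that the eSignature REST base path is `<base_uri>/restapi`. The userinfo response, with one user in two accounts on different servers, is constructed.

```python
"""Choose the DocuSign account to call and form its eSignature REST base path.

Added example, not DocuSign's code or code from the answer above. Uses the
/oauth/userinfo response shape (``accounts`` array with ``account_id``,
``is_default``, ``account_name``, ``base_uri``) and the documented base path
rule ``<base_uri>/restapi``. The userinfo response below is constructed.
"""
from typing import Dict, Optional

# Constructed: one authenticated user who belongs to two accounts hosted on
# different DocuSign servers, so each account gets its own base path.
USERINFO = {
    "sub": "constructed-user-guid",
    "email": "foobar@blah.example",
    "accounts": [
        {"account_id": "11111111-aaaa-aaaa-aaaa-111111111111",
         "is_default": False, "account_name": "School",
         "base_uri": "https://demo.docusign.net"},
        {"account_id": "22222222-bbbb-bbbb-bbbb-222222222222",
         "is_default": True, "account_name": "Company X",
         "base_uri": "https://na3.docusign.net"},
    ],
}


def select_account(userinfo: Dict, account_id: Optional[str] = None) -> Dict:
    """Return the account to act on: the requested one, else the user's default.

    Only accounts present in this user's own userinfo are accepted, so an
    account_id supplied from outside the application cannot steer calls to an
    account the authenticated user is not a member of.
    """
    accounts = userinfo.get("accounts", [])
    if account_id is not None:
        for acct in accounts:
            if acct["account_id"] == account_id:
                return acct
        raise LookupError(f"authenticated user is not a member of account {account_id}")
    defaults = [a for a in accounts if a.get("is_default")]
    if len(defaults) != 1:
        raise ValueError(f"expected exactly one default account, found {len(defaults)}")
    return defaults[0]


def base_path(account: Dict) -> str:
    """The REST base path is the account's base_uri followed by /restapi."""
    return account["base_uri"].rstrip("/") + "/restapi"


def base_paths_by_account(userinfo: Dict) -> Dict[str, str]:
    """One base path per account; they differ when accounts live on different servers."""
    return {a["account_id"]: base_path(a) for a in userinfo.get("accounts", [])}


def envelopes_url(userinfo: Dict, account_id: Optional[str] = None) -> str:
    """Full URL of the envelopes collection for the selected account."""
    acct = select_account(userinfo, account_id)
    return f"{base_path(acct)}/v2.1/accounts/{acct['account_id']}/envelopes"


if __name__ == "__main__":
    print(envelopes_url(USERINFO))            # default account (Company X)
    print(base_paths_by_account(USERINFO))    # one base path per account
```

Cache the userinfo result per access token rather than per request: the base path does not change within a session, and re-fetching it on every API call only adds latency.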

Microsoft GraphAPI: How do I retrieve the assigned groups of an azure user?

As you can see from my question above, I was wondering if it is possible to retrieve the assigned groups of an Azure Active Directory (AAD) user via the Microsoft Graph API.
My situation is that I have an ASP.NET MVC project with Microsoft Azure enabled. My goal is that an Azure user can log in on my website with its Azure account.
The idea is that an Azure user is an admin or a user (depending on the Azure groups), and depending on this role group the user can view more or less of my webpage.
For example:
When Peter logs in with his Azure account on my webpage, he should only be able to see:
Add new Document
Edit Document
Remove Document
because he is only assigned as "User" in Azure Active Directory.
But when Sabrina logs in with her Azure account on my webpage, then she should be able to do the same as Peter, but she can also see:
Manage Products
Add new customer
etc.
because she has been assigned as an admin in Azure Active Directory.
My problem is that I did not find out how to retrieve the assigned groups of a user with the Microsoft Graph API. The part about what a user can or cannot see after I have got the roles is not a big deal.
I already tried this API call:
https://graph.microsoft.com/v1.0/me/
But it seems that the response of this call does not include the actual assigned groups of that user.
Do you think it is possible to retrieve the assigned groups of an Azure user? Is this even possible? Or do I have to do something else to retrieve this information?
I hope you understand my point and I am also looking forward to any response. Thanks in advance!
Add /memberOf to the URL to receive the groups a user is a member of.
https://graph.microsoft.com/v1.0/me/memberOf
Here's a link to the specific graph api - https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups
Take a look at this sample application on Github. It does something very similar with a task tracker application, where different users are able to perform different actions based on the group they belong to -
https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims/blob/master/README.md
Also, in cases where a user is a member of too many groups, you get back an overage indicator and have to make a separate call to get all groups. Read about “hasgroups” and “groups:src1” claims here - https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-id-and-access-tokens
Depending on your system architecture, if some user has joined too many groups, the API https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups will return too many groups.
But if the groups with permissions in your system are not too many, you can use this API: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_checkmembergroups to check if the current user is a member of the specified groups.
It is not a good idea to use this API: https://graph.microsoft.com/v1.0/me/memberOf, because it returns only the groups that the user is a direct member of, but a security group can be a member of another security group.
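The two answers above together describe the decision a web app has to make: read the `groups` claim when the token carries it, fall back to Graph when the overage indicator is set, and prefer a transitive check (`checkMemberGroups`) over the direct-only `memberOf`. The block below is an added example of that logic, not code from the answers or from the linked GitHub sample. It assumes a caller-supplied `post` callable that performs an authenticated POST to Graph on behalf of the signed-in user and returns the decoded JSON body. The endpoints `POST /v1.0/me/checkMemberGroups` (at most 20 group ids per call) and `POST /v1.0/me/getMemberGroups` are real and both evaluate nested membership; the claim names `groups`, `hasgroups` and `_claim_names` follow the v1.0 token documentation linked above. Role group ids, sample claims and the fake directory are constructed.

```python
"""Map a signed-in user's Azure AD group membership to an application role.

Added example, not code from the answers or from the linked GitHub sample.
Assumes a caller-supplied ``post`` callable (authenticated POST to Microsoft
Graph as the signed-in user, returning the decoded JSON body). Endpoints used
are real: POST /v1.0/me/checkMemberGroups (max 20 ids per call, transitive)
and POST /v1.0/me/getMemberGroups (transitive, all groups). Role group ids,
sample claims and the fake directory are constructed.
"""
from typing import Callable, Dict, Iterable, List, Set

GRAPH = "https://graph.microsoft.com/v1.0"
CHECK_MAX = 20  # checkMemberGroups accepts at most 20 group ids per request

# Constructed: which security group grants which application role.
ROLE_GROUPS: Dict[str, str] = {
    "admin": "aaaaaaaa-1111-1111-1111-111111111111",
    "user": "bbbbbbbb-2222-2222-2222-222222222222",
}


def chunked(items: List[str], size: int) -> Iterable[List[str]]:
    for i in range(0, len(items), size):
        yield items[i:i + size]


def has_group_overage(claims: dict) -> bool:
    """True when the token omitted the groups list because there were too many."""
    return bool(claims.get("hasgroups")) or "groups" in claims.get("_claim_names", {})


def relevant_group_ids(claims: dict, post: Callable[[str, dict], dict]) -> Set[str]:
    """Ids from ROLE_GROUPS that the user is (transitively) a member of."""
    wanted = list(ROLE_GROUPS.values())
    if "groups" in claims and not has_group_overage(claims):
        # The token carries the full list: no extra round trip needed.
        return set(claims["groups"]) & set(wanted)
    # Overage (or no groups claim configured): ask Graph only about the
    # groups the app cares about, in batches the endpoint accepts.
    found: Set[str] = set()
    for batch in chunked(wanted, CHECK_MAX):
        resp = post(f"{GRAPH}/me/checkMemberGroups", {"groupIds": batch})
        found.update(resp.get("value", []))
    return found


def all_security_group_ids(post: Callable[[str, dict], dict]) -> Set[str]:
    """Full transitive list, for the rare case where a fixed role map is not enough."""
    resp = post(f"{GRAPH}/me/getMemberGroups", {"securityEnabledOnly": True})
    return set(resp.get("value", []))


def role_for(claims: dict, post: Callable[[str, dict], dict]) -> str:
    groups = relevant_group_ids(claims, post)
    for role in ("admin", "user"):  # most privileged first
        if ROLE_GROUPS[role] in groups:
            return role
    return "none"


# --- constructed fake directory: the user is a direct member of a team group
# that is itself nested in the admin group, which GET /me/memberOf would miss ---
TRANSITIVE_MEMBERSHIP = {
    "cccccccc-3333-3333-3333-333333333333",  # direct: "Platform Team"
    ROLE_GROUPS["admin"],                     # reached through nesting
}


def fake_post(url: str, body: dict) -> dict:
    """Stand-in transport answering the two Graph actions with the sample directory."""
    if url.endswith("/me/checkMemberGroups"):
        return {"value": [g for g in body["groupIds"] if g in TRANSITIVE_MEMBERSHIP]}
    if url.endswith("/me/getMemberGroups"):
        return {"value": sorted(TRANSITIVE_MEMBERSHIP)}
    raise ValueError(f"unexpected Graph URL {url}")


SMALL_TOKEN = {"groups": [ROLE_GROUPS["user"]]}   # groups fit in the token
OVERAGE_TOKEN = {"hasgroups": True}                 # too many: Graph must be asked

if __name__ == "__main__":
    print(role_for(SMALL_TOKEN, fake_post), role_for(OVERAGE_TOKEN, fake_post))
```

In the ASP.NET app the `claims` dict corresponds to the validated token's claims and `post` to an `HttpClient` carrying the on-behalf-of or delegated access token; the role is then mapped to whatever authorization attribute the controllers use.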

Adding users to the Global Address List (GAL) through the Microsoft Graph API

Most of the posts I've read online about this are about a year old, or don't answer my question specifically. I know through the graph API you can view contacts and users, and you can add contacts and users, but when I've viewed the contacts and users through the graph API, they don't match what's in my global address list exactly. So I believe that they're not the same thing.
Also, a lot of the posts I've read asking questions similar to this have said adding users to the Global Address List is not supported through the Graph API and must be done programmatically through PowerShell or something like that. These answers though were posted around a year and a half ago. So I'm wondering if this still isn't possible through the Graph API.
So firstly I'd like to understand why you indicate that the Global Address List is different from what you can get back from the Graph API. As far as I know these should be identical, so please indicate where you are seeing differences. Also, Azure AD PowerShell v2 calls through Graph.
As for updating the global address list, this is mostly possible through the Graph API. If you are trying to add new users to your directory, you can POST on http://graph.microsoft.com/v1.0/users. Please see https://graph.microsoft.io/en-us/docs/api-reference/v1.0/resources/users and https://graph.microsoft.io/en-us/docs/api-reference/v1.0/api/user_post_users. There are also PowerShell cmdlets for this. If you are trying to add organizational contacts, currently this is not supported through the Graph API or through Azure AD PowerShell. Organizational contacts may be queried (currently only available in preview by doing GET https://graph.microsoft.com/beta/contacts), but adding an org contact is only possible through creation in on-premises AD and synchronization through AD Connect, OR via Exchange experiences (like Office portals or Exchange PowerShell).
Personal contacts may also be fetched and added through GET and POST https://graph.microsoft.com/v1.0/me/contacts respectively.
Hope this helps,
At present, it is not possible to add users to the Global Address List. We are only able to add personal contacts to the root Contacts folder or to the contacts endpoint of another contact folder (refer here).
You can try to submit the feedback from here if you want the Microsoft Graph to support this feature.
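The first answer above points at `POST /v1.0/users` for creating directory users. The block below is an added example of preparing that request, not code from the answer or from Microsoft: it assumes a caller-supplied `post` callable (authenticated POST to Graph returning the decoded JSON body) and a constructed list of the tenant's verified domains. The property names (`accountEnabled`, `displayName`, `mailNickname`, `userPrincipalName`, `passwordProfile`) are the documented required ones for that endpoint; the initial password is generated here rather than accepted from input, is never echoed into logs, and is forced to change at first sign-in.

```python
"""Build and send a Microsoft Graph "create user" request without leaking the password.

Added example; not code from the answer above or from Microsoft. Assumes a
caller-supplied ``post`` callable (authenticated POST to Graph returning the
decoded JSON body) and a constructed set of verified tenant domains. Property
names are the documented required ones for POST /v1.0/users.
"""
import secrets
import string
from typing import Callable, Dict

GRAPH = "https://graph.microsoft.com/v1.0"
VERIFIED_DOMAINS = {"contoso.example"}  # constructed; in practice read from GET /organization


def temporary_password(length: int = 16) -> str:
    """Random initial password from the OS CSPRNG; the user must replace it at first sign-in."""
    alphabet = string.ascii_letters + string.digits + "!#$%&*+-=?@"
    return "".join(secrets.choice(alphabet) for _ in range(length))


def user_create_body(display_name: str, mail_nickname: str, upn: str) -> Dict:
    """Request body for POST /users, after checking the inputs the directory will reject."""
    domain = upn.rpartition("@")[2].lower()
    if domain not in VERIFIED_DOMAINS:
        raise ValueError(f"UPN domain {domain!r} is not verified in this tenant")
    if not mail_nickname or any(c in mail_nickname for c in " @"):
        raise ValueError("mailNickname must be a non-empty alias without spaces or '@'")
    return {
        "accountEnabled": True,
        "displayName": display_name,
        "mailNickname": mail_nickname,
        "userPrincipalName": upn,
        "passwordProfile": {
            "forceChangePasswordNextSignIn": True,
            "password": temporary_password(),
        },
    }


def redacted(body: Dict) -> Dict:
    """Copy of the body safe to write to a log: the password is masked, nothing else changes."""
    safe = dict(body)
    safe["passwordProfile"] = {**body["passwordProfile"], "password": "***"}
    return safe


def create_user(body: Dict, post: Callable[[str, Dict], Dict]) -> Dict:
    """Send the request; the caller hands the returned password to the user out of band."""
    return post(f"{GRAPH}/users", body)


def fake_post(url: str, body: Dict) -> Dict:
    """Stand-in transport mirroring the shape of a successful create-user response."""
    assert url.endswith("/users")
    return {"id": "constructed-object-id",
            "userPrincipalName": body["userPrincipalName"],
            "displayName": body["displayName"]}


if __name__ == "__main__":
    body = user_create_body("Ada Lovelace", "ada", "ada@contoso.example")
    print("sending", redacted(body))
    print("created", create_user(body, fake_post))
```

The verified-domain check mirrors what the directory enforces server-side; doing it client-side gives a clear error before a request that would otherwise fail with a generic 400.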
