I am listing users from SharePoint into custom database table for use in custom application. While adding these users to custom database we need the user Id from Azure Active Directory (not user ID from SharePoint).
So based on email of user from SharePoint I search the user in Azure AD and get the ID.
For some users I see that Mail field from Graph User object is null but has User Principal Name field filled with email. And for other users has both Mail and User Principal Name filled.
What is the reason Mail field for users is null? Which field should I rely on as email value?
Thank you!
What is the reason Mail field for users is null?
That value is for Guest User only. When you would add a guest user on your tenant there is a field with Email address which has shown below would treated as mail when you get user list using Microsoft Graph API then you would see that email value.
PostMan Test:
Which field should I rely on as email value?
You can rely on userPrincipalName which is User name on azure portal that is mandatory property. Once you set it that would be treated as userPrincipalName which you can be used for any scenario where you need tenant user email for example user login on portal
See the screenshot:
Hope that would help.
userPrincipalName may not equal email, for example, "xxx_xxx.com#EXT##xxx.xxx.com"
Related
I have to create multiple users in Azure AD B2C which only differs in a custom user claim.
Eg : I have an email 'test#gmail.com' and also I have created a custom user attribute called as 'Project' and then added this attribute in SignIn/SignUp user flow.
What I need is
1) To register the given email with differs in Project.
ie;
User 1
email : 'test#gmail.com',
project : 'Project1'
User 2
email : 'test#gmail.com',
project : 'Project2'
In the sign up flow I can create a user and can provide the specified attribute. But it doesn't allow me to create another account with the same email.
2) At the time of login user need to provide the 'Project' as a second step of authorization.
Any help would be highly appreciated. Thanks in advance.
You can’t have two users with the same logon identifier. You could store the Project as an extension attribute, which would instead be a list.
I want to know the email address of a user to send an email.
On my application, people can sign up with social accounts (google/facebook/Microsoft) or local accounts.
When creating a local account we use the email.
I found this info about how email is stored.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-reference-policies
Email address storage: An email address can be required as part of a user flow. If the user authenticates with a social identity
provider, the email address is stored in the otherMails property. If a
local account is based on a user name, then the email address is
stored in a strong authentication detail property. If a local account
is based on an email address, then the email address is stored in the
signInNames property. The email address isn't guaranteed to be
verified in any of these cases. A tenant administrator can disable
email verification in the basic policies for local accounts. Even if
email address verification is enabled, addresses aren't verified if
they come from a social identity provider and they haven't been
changed. Only the otherMails and signInNames properties are exposed
through the Active Directory Graph API. The email address in the
strong authentication detail property is not available
Not sure why the field "Mail" on the user is not being used... but using GraphApi:
I make a GET: https://graph.microsoft.com/v1.0/Users?$select=displayName,mail,otherMails,signInNames
Some emails appear on "mail", others on the array of "otherMails", and "singInNames" can't be selected :( doesn't show any info, so are some users that I can't get the info about the email.
How can I solve this? Only using Azure AD Graph instead of Microsoft Graph API, since on that API signInNames are returned?
Isn't there any way of storing the emails always on the same property? Or at least one that I have access on Microsoft Graph API? Using Custom policies only with Claims transformation?
In the Microsoft Graph API you can use:
GET: https://graph.microsoft.com/v1.0/Users?$select=displayName,mail,identities,otherMails
You can find the email of a local account in the identities collection.
In the BETA version of the Graph API (graph.microsoft.com/beta) the identities and otherMails properties are also returned without a $select, in the v1.0 version only when specified in the $select.
I managed to get the email for a Azure B2C user through the following Microsoft Graph API call:
https://graph.microsoft.com/v1.0/users?$select=identities
You need to collect the email addresses from different places such as mail, otherMails and signInNames through AD Graph API. signInNames is NOT available in Microsoft Graph API.
Note that in the case where users sign in with username + email validation, there is no way to retrieve the email used.
Or you could add a custom attribute in custom policy, where you can require users to type in their email address. After that, you could use AD Graph to get the custom attribute (A sample here).
The Microsoft Graph is the successor of the old Windows Graph. The Microsoft Graph doesn't support the signInNames property for Users object anymore. One has to filter on identities instead. However identities isn't part of the default property set of the User object so one has to select it. Once that's done, one can filter on identities using an any clause.
Note that filtering on issuerAssignedId can only be done when both issuerAssignedId and issuer are used in the filter clause.
GET: https://graph.microsoft.com/v1.0/Users?$select=id,identities&filter=identities/any(c:c/issuerAssignedId eq '{email}' and c/issuer eq '{issuer}')
I have 2 questions:
As per the client requirement, while Sign Up using Azure B2C UI flow (signInNames – Type is userName), user should get suggestions for username once they entered some value in username field(on the basis of existing usernames in B2C AD).
How we can achieve this functionality?
Note: I am using B2C built in Sign Up policy.
Other requirement is that multiple user can have same Email Id (as we are already using signInNames – Type : userName ).
So once user enters the email Id and if that email Id is already associated with other username(s), we need to populate the list of usernames associated with the email. How we can achieve this functionality?
Any help is very much appreciated, I actually got stuck so please offer any suggestion.
You mean the "email address" property, right, not the actual email messages? If so, you should be able to use the /users endpoint: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_get
What is the resource you want to access via the access token ? If resource is https://graph.windows.net/,you could use Azure AD Graph API to get the email information of the signed-in user :
GET https://graph.windows.net/me?api-version=1.6
Authorization: Bearer yourAccessToken
If resource is https://graph.microsoft.com/,you could use Microsoft Graph API to get the email information of the signed-in user:
Get https://graph.microsoft.com/v1.0/me
Authorization: Bearer yourAccessToken
In response you could check UserPrincipalName claim value which is an email address that can receive emails.
For the username suggestion part, if you are talking about when you fill out the username form field and the chrome/IE box pops up above, that is cached at the client and you can't do that. If you are talking about the user tries to register with a username that is already taken and you want to give them suggestions you may, but I doubt it, be able to do it in a custom policy. More than likely, however, you would need to use a custom web application to do that as that is more of an advanced sign in journey.
The second part of your requirements would also need to be fulfilled within a custom web application as well, you can retrieve and access AD items within the custom user journey's but again this is more of an advanced sign in journey.
In this link: https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/users-operations there is a field called mailNickname which adds email alias for a user in active directory.
My organization uses this. So, 1 user will have 2 mail IDs (code#company.com and alias#company.com)
How do I get the alias list of a user through an API from the azure active directory?
We have implemented a web app with Single Sign On and the above problem leads to the same user creating 2 different accounts and both are not connected.
Any help is appreciated.
You are mixing user alias with list of user e-mail addresses. E-mail alias is unique value which identifies user mailbox, it is not necessary part of its e-mail, usually it is. It is name used when user is accessing its mailbox with POP or IMAP.
E-mail addresses what you call aliases is collection of e-mail addresses stored in proyAddresses: https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/entity-and-complex-type-reference#user-entity
You should not use e-mail as a property to identify a user but userPrincipalName (UPN) as this is a value which is being used to identify a user. UPN is usually same as e-mail but again - it doesn't have to be.
User UPN however might also change. It can do this and it happens, so if you want to store this information somewhere, instead of the UPN obtain user's objectId and store it.
If you are implementing SSO based on Azure AD you should use library like ADAL.NET - it is handling all these operations for you: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-authentication-libraries
I have 2 users in Azure AD
Microsoft Account user
Microsoft Azure Active Directory user
User 2 always works in Graph API calls but not the user 1.
https://graph.windows.net/tenantid/users/testmail#hotmail.com?api-version=2013-04-05
(Email actually is url encoded as testmail%40hotmail.com).
This gives the following error
"{\"odata.error\":{\"code\":\"Request_ResourceNotFound\",\"message\":{\"lang\":\"en\",\"value\":\"Resource 'testmail#hotmail.com' does not exist or one of its queried reference-property objects are not present.\"}}}"
Does anyone know how to fix this?
Edited:
Things I figured out trying to fix this. I am using UserPrincipal name in the query above(..users/testmail#hotmail.com?..). For built-in domain accounts userPricipal name is testmail#domain.com(this works) but for a Microsoft account userPrincipal name is testmail_hotmail.com#EXT##domain.com. This was given in the all users list (https://graph.windows.net/tenantid/users?api-version=2013-04-05). But even when I changed the query to '..users/testmail_hotmail.com#EXT##domain.com?..' ofcourse after url encoding(testmail_hotmail.com%23EXT%23%40domain.com), still it does not work. Objectid always works though for all accounts(..users/objectId?..) .
Also tried otherMails. May be the api is wrong as otherMails is an array. "https://graph.windows.net/tenantId/Users?$filter=otherMails eq 'testmail%40hotmail.com'&api-version=2013-04-05"
So the question still remains. if only email is available for an MS account(not objectid) when making the call, how to get user details?
You are missing your domain in the URL you posted. It should be
https://graph.windows.net/[your Azure AD domain]/users
To get the email address for a user you need to add the object Id of the user in the request URL. So, for example, to get an Azure AD user it would be like this:
https://graph.windows.net/[your Azure AD domain]/users/[object ID of user]/mail
For users in the directory sourced from a Microsoft Account, the mail property is null. So, you will have to look in the otherMails property like this:
https://graph.windows.net/[your Azure AD domain]/users/[object ID of user]/otherMails
If you want to access the full user account using a user's UPN, you can do that for users sourced from Azure AD. For example, for a tenant domain contoso.com and a user with a UPN johndoe#contoso.com, the query would look like this:
https://graph.windows.net/contoso.com/users/johndoe#contoso.com
This doesn't work for users sourced from Microsoft Accounts. For these accounts, the UPN contains characters (#, . for example) that break the query. You can filter by the UPN though using the naming convention that is used for users sourced from Microsoft Accounts. Suppose you have a user whose email is jayhamlin#yahoo.com in your directory. The UPN would be something like jayhamlin_yahoo.com#EXT##contoso.com. So, you could use a filter and look for the first part of the UPN like this:
https://graph.windows.net/contoso.com/users?api-version=2013-11-08&$filter=startswith(userPrincipalName, 'jayhamlin_yahoo')
You can easily explore the Graph API and object properties for your directory using https://graphexplorer.cloudapp.net.
That filter can work, but you could also filter on otherMails. Your original query didn't work because otherMails is a multi-valued property- so you need to use "any":
https://graph.windows.net/tenantId/users?api-version=1.5&$filter=otherMails/any(x:startswith(x,'testmail#hotmail.com'))
When are you using this lookup? Is it once the user has signed in or for some people picking scenario?
Cheers,