I have registered app in Azure. I https://graph.microsoft.com/v1.0/users to get userinfo.
Is there any option to get all info about user? And see what data can I get in JSON reponse?
Now when I use https://graph.microsoft.com/v1.0/users I get only couple information like:
{
"aio": "kjaldjsfhkjsadhflkdhsafkjadhsfa",
"amr": "[\"pwd\"]",
"family_name": "Picasso",
"given_name": "Pablo",
"ipaddr": "11.12.113.144",
"name": "Pablo Picasso",
"oid": "234234-2343-4343-43434-2342342",
"onprem_sid": "234234234-23-423-4-234-2-34-234",
"sub": "234233q45rtferfwverfwgw45grfg45g45",
"tid": "sdfkjgasdhjfgasjdhfgashjdfgasdhjf",
"unique_name": "pablo.picasso#company.com",
"upn": "pablo.picasso#company.com",
"uti": "kajshdfkljahsdfkjahsdkjfahsd",
"ver": "1.0"
}
Actually I'm looking for username. We can login to Windows using shortcut or email. So if user name is Pablo Picasso user can login with username PaPi. And I'm looking for that.
Considering, you already know how to get token. Now see below example
If you want to fetch employeeId or identities or officeLocation using Microsoft Graph API.
try following way:
Request:
https://graph.microsoft.com/v1.0/users?$select=employeeId ,identities ,officeLocation
Response:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(employeeId,identities,officeLocation)",
"#odata.nextLink": "https://graph.microsoft.com/v1.0/users?$select=employeeId+%2cidentities+%2cofficeLocation&$skiptoken=X%27445370740",
"value": [
{
"employeeId": 0200010000001C3A54696E614068616E,
"officeLocation": Redmond, Usa,
"identities": [
{
"signInType": "userPrincipalName",
"issuer": "someEmail.onmicrosoft.com",
"issuerAssignedId": "tenant.onmicrosoft.com"
}
]
}
}
See the screen shot below:
Please refer to Official document if you need more details.
Thanks Md Farid Uddin Kiron
My workaround with all fields (without mailboxSettings because get error 403 access denied)
https://graph.microsoft.com/v1.0/me?$select=aboutMe,accountEnabled,ageGroup,assignedLicenses,assignedPlans,birthday,businessPhones,city,companyName,consentProvidedForMinor,country,createdDateTime,creationType,deletedDateTime,department,displayName,employeeId,faxNumber,givenName,hireDate,id,identities,imAddresses,mailNickname,mobilePhone,mySite,officeLocation,onPremisesDistinguishedName,onPremisesDomainName,onPremisesExtensionAttributes,onPremisesImmutableId,onPremisesLastSyncDateTime,onPremisesProvisioningErrors,onPremisesSamAccountName,onPremisesSecurityIdentifier,onPremisesSyncEnabled,onPremisesUserPrincipalName,otherMails,passwordPolicies,passwordProfile,pastProjects,postalCode,preferredDataLocation,preferredLanguage,preferredName,provisionedPlans,proxyAddresses,refreshTokensValidFromDateTime,responsibilities,schools,showInAddressList,skills,signInSessionsValidFromDateTime,state,streetAddress,surname,usageLocation,userPrincipalName,userType,interests,isResourceAccount,jobTitle,lastPasswordChangeDateTime,legalAgeGroupClassification,licenseAssignmentStates,mail
Related
The OneLogin OpenID Connect Scopes Documentation for the profile scope shows that there is a picture available but with this disclaimer:
Note, these claims are returned if OneLogin has the information available.
In testing, I never get picture back when testing with a user that has a profile photo set. What I get has these attributes only:
{
"id_token": "",
"token_type": "Bearer",
"scope": "openid profile",
"profile": {
"sub": "",
"email": "",
"preferred_username": "",
"name": "",
"updated_at": 1614904145,
"given_name": "",
"family_name": "",
"sid": ""
},
"expires_at": 1615761073
}
Any tips on how to get the additional fields from OneLogin would be appreciated. Thx!
I reached out to OneLogin's dev support and I got a response in a few hours. I have verified that this works, here it is:
You should add a parameter to your OIDC app and map it to the field "Profile Picture" and then include the params scope in your ODIC call. (fro more details on scopes see https://developers.onelogin.com/openid-connect/scopes)
Note - what you get back is the URL of an image and it is not a binary blob of the actual photo.
we use Microsoft.Graph dll (v. 1.20.0). When using in Global environment everything works fine. Now I have tried to make same calls in German environment but every call ends with exception: [Code: InvalidAuthenticationToken, Message: Access token validation failure]. I have tried these endpoints: Me, Domains, Subscriptions.
On my side only device auth url and graphApi url has changed . I authorize via device authentication on https://login.microsoftonline.de/. Then bearer token is get from https://graph.microsoft.de. The user I authorized with is administrator for subscriptionId (see code below)
Code is something like this:
var http = new Microsoft.Graph.HttpProvider();
var credentials = new Microsoft.Azure.TokenCloudCredentials(subscriptionId, accessToken);
Microsoft.Graph.IAuthenticationProvider provider = new AuthenticationProvider(credentials);
var graphClient = new GraphServiceClient(provider, http);
var me = await graphClient.Me.Request().GetAsync(); // ERROR
It looks to me that error is not related to invalid token. I have read that some API endpoints are not yet supported in German cloud. Maybe this is the cause...
Any ideas what to try?
Thank you.
Decoded (and blinded) token:
{
"typ": "JWT",
"nonce": "4GrWG3nKdEoekxxxxxxxxxxxpyXQ5yky7_HTAg",
"alg": "RS256",
"x5t": "J1XZUkznV-JEe-xxxxxxxxxxxxx",
"kid": "J1XZUkznV-JEe-xxxxxxxxxxxxx"
}.{
"aud": "https://graph.microsoft.de",
"iss": "https://sts.microsoftonline.de/146e589e-f5c2-4dd2-95dd-a94c3ffa00f8/",
"iat": 1575010843,
"nbf": 1575010843,
"exp": 1575014743,
"acr": "1",
"aio": "ASQA2/8FAAAApfed4j4xxxxxxxxxxxxxxxxxxMd4v7aEsASSm8LxIElw=",
"amr": [
"pwd"
],
"app_displayname": "Microsoft Azure CLI",
"appid": "04b07795-xxxx-xxxx-xxxx-02f9e1bf7b46",
"appidacr": "0",
"ipaddr": "XX.XX.XX.XX",
"name": "Chuck Norris",
"oid": "bc7a9fcf-xxxx-xxxx-xxxx-557ce18e4fd6",
"platf": "14",
"puid": "10032XXXXXXXXXD1DB9",
"scp": "AuditLog.Read.All Directory.AccessAsUser.All Group.ReadWrite.All User.ReadWrite.All",
"signin_state": [
"kmsi"
],
"sub": "hq-v5yL38qnRxxxxxxxxxxxxufB-I-17BNqy-Rp0",
"tid": "146e589e-xxxx-xxxx-xxxx-a94c3ffa00f8",
"unique_name": "chuck#norris.onmicrosoft.de",
"upn": "chuck#norris.onmicrosoft.de",
"uti": "CgOXXXXXX2k-XXXXXXXXXXX",
"ver": "1.0",
"xms_tcdt": 1495192142
}.[Signature]
answer to this was simple, my fault. Token is OK, from Germany cloud as it should be. Problem was in that GraphServiceClient was using default baseUrl (https://graph.microsoft.COM/v1.0) and it was not talking with German cloud https://graph.microsoft.DE/v1.0.
I want to build a SAAS Service for Azure marketplace using single-sign-on.
I have read this document Microsoft identity platform access tokens, but can not find anything relate to User's Organization.
Is there any way to get user's Organization name?
For now I only can parser from email.
You can call MS Graph API to get the user's organization details: https://learn.microsoft.com/en-us/graph/api/organization-get?view=graph-rest-1.0&tabs=http.
The endpoint is at https://graph.microsoft.com/v1.0/organization
Sample response:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#organization",
"value": [
{
"assignedPlans": [
{
"assignedDateTime": "datetime-value",
"capabilityStatus": "capabilityStatus-value",
"service": "service-value",
"servicePlanId": "servicePlanId-value"
}
],
"businessPhones": [
"businessPhones-value"
],
"city": "city-value",
"country": "country-value",
"countryLetterCode": "countryLetterCode-value",
"displayName": "displayName-value"
}
]
}
You can call this endpoint even with the basic User.Read permission.
In an application in my trial Azure AD tenant, I want to modify my API permissions via the Graph API. I am able to GET the application's requiredResourceAccess in the Graph Explorer (https://developer.microsoft.com/en-us/graph/graph-explorer#) via https://graph.microsoft.com/beta/applications/{app object ID}/requiredResourceAccess, but I am not able to modify or delete these values, or even GET specific resources. Here's my GET result:
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#applications('{app object id}')/requiredResourceAccess(resourceAccess)",
"value": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "{id}",
"type": "Scope"
},
{
"id": "{id}",
"type": "Scope"
}
]
}
]
}
When trying to specify the resourceAppId above, I get an error about how segment 'requiredResourceAccess' refers to a segment, so this must be the last part of the request URI besides filters.
And when I try to delete, I get the error 'Specified HTTP method is not allowed for the request target.'
I can modify the API permissions via the Microsoft Azure Portal of course, but can you please let me know if there is a way to add or remove API permissions via the Microsoft Graph API?
You could use this API Update application, refer to my request sample as below.
Sample:
Request URL:
PATCH https://graph.microsoft.com/beta/applications/{App Object ID}
Request body:
{
"requiredResourceAccess": [
{
"resourceAppId": "00000002-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
"type": "Scope"
}
]
},
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "863451e7-0667-486c-a5d6-d135439485f0",
"type": "Scope"
}
]
}
]
}
If you want to delete the API permissions, just specify the requiredResourceAccess as below.
{
"requiredResourceAccess": []
}
Note: This API is a Beta version, I don't recommend you to use it in the production environment. Also, when we update the API permissions via this API, it just adds the permissions to this application, it will not consent the permissions for the application.
I'm trying to get Azure Functions working with IoT Hub messages, and on message adding a row to an Excel file.
I tried with setting Excel integration as output, which wasn't working, so I changed and tried with Excel input.
When I try this, I get the following failure in the console.
The graph token has no scopes. Ensure your application is properly configured to access the Microsoft Graph.
What is the correct way to get the credentials working with my Microsoft account? Note that I'm trying to connect with my account and not end-user's account, which is mentioned in all the tutorials/documentation.
I'm using a personal Microsoft account and not Org account, in case that is important.
Here is my function.json.
{
"bindings": [
{
"type": "eventHubTrigger",
"name": "IoTHubMessages",
"direction": "in",
"eventHubName": "samples-workitems",
"connection": "home-auto_events_IOTHUB",
"cardinality": "many",
"consumerGroup": "$Default"
},
{
"type": "excel",
"name": "inputTable",
"path": "Documents/Test.xlsx",
"worksheetName": "Sheet1",
"tableName": "Table1",
"identity": "ClientCredentials",
"direction": "in"
}
]
}
Here is the default index.js from the template.
module.exports = function (context, IoTHubMessages) {
context.log(`JavaScript eventhub trigger function called for message array: ${IoTHubMessages}`);
IoTHubMessages.forEach(message => {
context.log(`Processed message: ${message}`);
});
context.done();
};
Questions:
What else can I try to get the authentication working? Any ideas on what is going wrong? I'm not even sure if I'm using this correctly.
How to debug this? I can't seem to figure out how to get any more information on the failure then what is shown in the web console.
TL;DR;
The workaround is to generate the tokens on your own and then make the rest subscription call to the graph api from your Azure Function.
Most probably the token you're acquiring does not contain a scp claim but roles instead.
{
"typ": "JWT",
...
"alg": "RS256",
...
}.{
"aud": "https://graph.microsoft.com",
"iss": "https://sts.windows.net/<tenantId>/",
...
"app_displayname": "change notification app",
...
"roles": [
"User.ReadWrite.All"
],
...
"ver": "1.0",
...
}.[Signature]
please take a look at what the Webhook Azure Function binding is expecting from here
There are other users facing the same issue as you can see from here too,
what makes me think this extension could be outdated/under-development.