I'm able to create app id using Graph API but app secret/password is not generated with it. I need a way to generate/set a password using APIs.
Am I missing something?
You could create the password via Azure AD Graph API, you can test it in the AAD Graph Explorer.
My test sample:
Request URL:
PATCH https://graph.windows.net/{tenant id}/applications/{application object id}?api-version=1.6
Request body:
{
"passwordCredentials": [{
"endDate": "2020-08-12T02:54:44.2530506Z",
"keyId": "77fe4bf5-5d04-4a62-abc2-f064a9213d3f",
"startDate": "2019-08-12T02:54:44.2530506Z",
"customKeyIdentifier": "dGVzdA==",
"value": "XnkNIsT+cScOYeYJayQ4WNmp9tgAqw5z773uI9WQtAw="
}]
}
For more details about the request body, refer to this link - PasswordCredential.
Note: In the AAD Graph Explorer, when you send the request, the progress bar will never finish, but actually it works, you could check the result in the portal -> Azure Active Directory after a while.
Besides, there is also a Beta api in Microsoft Graph - Update application, I have not tested it, so I am not sure if it works. It is a Beta version, even if it works, I don't recommend you to use it in the production environment.
Are you following the correct API link?
Create User
It is easy to create Azure AD users using the Microsoft Graph REST. Here is a code sample for your reference:
POST https://graph.microsoft.com/v1.0/users
Authorization: Bearer {token}
Content-type: application/json
{
"accountEnabled": true,
"displayName": "Sajee",
"mailNickname": "Sinna",
"userPrincipalName": "upn-value#tenant-value.onmicrosoft.com",
"passwordProfile" : {
"forceChangePasswordNextSignIn": true,
"password": "password-value"
}
}
Related
I am trying to make a POST request to the Microsoft Graph Search API endpoint https://graph.microsoft.com/v1.0/search/query using a token obtained from a managed identity with the "Sites.Read.All" permission on the Microsoft Graph API.
However, I am receiving a 401 Unauthorized response. What could be causing this issue?
The problem was in what Oxymoron suggested, "roles" was missing in the bearer token. The solution was to change resource="https://graph.microsoft.com/" to "https://graph.microsoft.com" (without the slash) when requesting the token from the AAD.
Also apparently only delegated permissions work right now on v1.0 Graph Search (Source: https://learn.microsoft.com/en-us/graph/api/search-query?view=graph-rest-1.0).
The request does work in the Beta version:
POST https://graph.microsoft.com/beta/search/query
Content-Type: application/json
{
"requests": [
{
"entityTypes": [
"listItem"
],
"query": {
"queryString": "contoso"
},
"region": "NAM"
}
]
}
I am working in Azure AD B2C to add custom extensions per application. Theses extensions must be returned in the jwt when the login is requested by the application.
So I create the extension on the app using the graph api
POST https://graph.microsoft.com/v1.0/applications/{{appid}}/extensionProperties
{
"name": "name",
"dataType": "String",
"targetObjects": [
"User"
]
}
Then I associate a value for a specific user
PATCH https://graph.microsoft.com/v1.0/users/{{userid}}
{
"extension_{{appid(without dashes}}_name": "1234"
}
Now I go on the app manifest to add the optional claim.
"optionalClaims": {
"idToken": [
{
"name": "extension_{{appid(without dashes}}_name",
"source": "user",
"essential": true,
"additionalProperties": []
}
],
"accessToken": [
{
"name": "extension_{{appid(without dashes}}_name",
"source": "user",
"essential": true,
"additionalProperties": []
}
],
"saml2Token": []
},
Save but the claim never appear on the jwt token.
I also tried using the answer of this post but didn't work either.
The problem is you’ve used Optional claims setup, which works for AAD but not AAD B2C.
Follow this: https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-flow-custom-attributes?pivots=b2c-user-flow
If you want to select your custom attribute through the Azure Portal - AAD B2C - User Attributes blade, and the attribute was created via Graph API, you have to recreate it in the Portal for it to reconcile.
You would also need to target the b2c-extensions-app AppId when defining the attribute with Graph API.
I tried to reproduce the same in my environment and got the claims successfully
As Jas Suri - MSFT commented, this will only work if you are adding optional claims to Azure AD application.
I created the extension attribute via Graph API like below:
I associated the above extension attribute to a specific user like below:
Please check whether that extension attribute is visible in optional claims UI or not and add like below:
When you check the manifest, it will be added automatically like below:
I generated the JWT token using auth-code flow via Postman like below:
After decoding the JWT token (ID-Token), I got the claims successfully like below:
I have a POST request that I am using to create a relying party application for my Azure AD Tenant.
POST
https://graph.microsoft.com/beta/{{tenant_id}}/applications
Headers:
Authorization: {{graph_access_token}}
Content-Type: application/json
Body:
{
"displayName": "JWT.MS 8",
"requiredResourceAccess": [
{
"resourceAppId": "00000003-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "5b567255-7703-4780-807c-7be8301ae99b",
"type": "Role"
}
]
},
{
"resourceAppId": "00000002-0000-0000-c000-000000000000",
"resourceAccess": [
{
"id": "311a71cc-e848-46a1-bdf8-97ff7156d8e6",
"type": "Scope"
},
{
"id": "6234d376-f627-4f0f-90e0-dff25c5211a3",
"type": "Scope"
}
]
}
],
"signInAudience": "AzureADandPersonalMicrosoftAccount",
"web": {
"redirectUris": [
"https://jwt.ms/"
],
"implicitGrantSettings": {
"enableIdTokenIssuance": true,
"enableAccessTokenIssuance": true
}
}
}
I receive a 201 created response for this application.
When I attempt to use this relying party via the authorize endpoint using an implicit flow I get the following error:
https://{{TenantName}}.b2clogin.com/{{TenantName}}.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_TEST_SIGNIN_LATEST&client_id=f7d77147-383f-4da0-9ca4-5da5628574a4&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms%2F&scope=openid&response_type=id_token&prompt=login
AADB2C90018: The client id 'f7d77147-383f-4da0-9ca4-5da5628574a4'
specified in the request is not registered in tenant
'{{TenantName}}.onmicrosoft.com'.
In the Azure Portal I see that the API permissions are not granted.
How should the application be changed via the Graph API so that the relying application can be seen as registered in B2C?
The URL request is correct
https://{{TenantName}}.b2clogin.com/{{TenantName}}.onmicrosoft.com/oauth2/v2.0/authorize?p=B2C_1A_TEST_SIGNIN_LATEST&client_id=f7d77147-383f-4da0-9ca4-5da5628574a4&nonce=defaultNonce&redirect_uri=https%3A%2F%2Fjwt.ms%2F&scope=openid&response_type=id_token&prompt=login
But an Azure AD B2C application should be created using the Azure AD B2C blade of the Azure Portal. You need to register your application by going to Azure AD B2C tenant and search for Azure AD B2C on Azure portal to register applications instead of going to normal Azure AD application registration page.Otherwise it become fault app and you then recieve
AADB2C90018: The client id 'f7d77147-383f-4da0-9ca4-5da5628574a4'
specified in the request is not registered in tenant
'{{TenantName}}.onmicrosoft.com'.
If you have registered the application on Azure AD then delete those and register application on Azure AD B2C.
Reference : https://learn.microsoft.com/en-us/answers/questions/73443/the-client-id-39039-specified-in-the-request-is-no.html
The following steps will allow someone to create a relying party application for Azure AD B2C via Graph API:
The application that is used to retrieve the token requires the following permissions:
https://graph.microsoft.com/Application.Read.All
https://graph.microsoft.com/Application.ReadWrite.All
https://graph.microsoft.com/Application.ReadWrite.OwnedBy
https://graph.microsoft.com/DelegatedPermissionGrant.ReadWrite.All
The POST applications request is in the question above.
The next step is to create a service principal for that application.
POST https://graph.microsoft.com/beta/{{tenant_id}}/servicePrincipals
Headers:
Authorization: {{graph_access_token}}
Content-Type: application/json
Body
{
"appId": "{{app_appId}}"
}
Where the {{app_appId}} is the appId taken from the response of POST /applications
The next request is granting the oauth2 permissions.
POST https://graph.microsoft.com/beta/{{tenant_id}}/oauth2PermissionGrants
Header:
Authorization: {{graph_access_token}}
Content-Type: application/json
Body:
{
"clientId": "{{service_principal_id}}",
"consentType": "AllPrincipals",
"expiryTime": "2030-05-12T00:00:00.9831598Z",
"principalId": null,
"resourceId": "{{graph_app_id}}",
"scope": "openid offline_access"
}
Where the {{service_principal_id}} is the id from the POST /servicePrincipals response.
Where the {{graph_app_id}} is the id of the service principal with the displayName of "Microsoft Graph". This can be retrieved by the following request:
GET https://graph.microsoft.com/beta/{{tenant_id}}/servicePrincipals?$filter=startswith(displayName,'Microsoft Graph')
Header:
Authorization: {{graph_access_token}}
Content-Type: application/json
Which API should I call on Azure B2C to create a CONSUMER user? Apparently this one is going away...
Here is the correct example and doc.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/manage-user-accounts-graph-api
https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http#example-2-create-a-user-with-social-and-local-account-identities
Do not use forceChangePassword=true unless using User Flows V1 (deprecated). You must always set password expiry policy to never.
Use this Microsoft Graph Api.
here is a sample request
POST https://graph.microsoft.com/v1.0/users
Content-type: application/json
{
"accountEnabled": true,
"displayName": "displayName-value",
"mailNickname": "mailNickname-value",
"userPrincipalName": "upn-value#tenant-value.onmicrosoft.com",
"passwordProfile" : {
"forceChangePasswordNextSignIn": true,
"password": "password-value"
}
}
To add users to our Azure Organization, we go to this page https://portal.azure.com/#blade/Microsoft_AAD_IAM/UsersManagementMenuBlade/AllUsers and then create or invite a new user.
Is it possible to do it via a REST API? I looked into their REST API docs https://learn.microsoft.com/en-us/rest/api/apimanagement/ but I couldn't find this information anywhere.
You can do this using Azure Graph API. In this link you can find an example for creating a user using the Graph API and here is the quick start guide for this API.
Basically, it looks like follows:
POST https://graph.windows.net/myorganization/users?api-version
Authorization: Bearer {token}
Content-type: application/json
{
"accountEnabled": true,
"displayName": "Alex Wu",
"mailNickname": "AlexW",
"passwordProfile": {
"password": "Test1234",
"forceChangePasswordNextLogin": false
},
"userPrincipalName": "Alex#a830edad9050849NDA1.onmicrosoft.com"
}
You can find the Grprah API reference to create users here. The Graph API quick-start can help you with sample codes on how to do it.
You would need to make sure that you have user creation rights in azure AD where you are trying to create users. generally, our account must have user account administrator role or global admin role in the directory.