During the creation of a batch of users in Azure AD by using the Graph API version 1.0 I receive the followiing error message:
Property has an invalid value
As you can see, there is not property name in the message, so I can't understand the real problem. What I can say is that those users have no particular conditions among the all others successfully created.
Any ideas?
Update 1:
As people asked, below are the post data. Since there is sensitive data, I have to changed names and som other personal data:
POST https://graph.microsoft.com/v1.0/users
And the JSON payload:
{
"accountEnabled": false,
"country": "BR",
"displayName": "Jane Sagan",
"givenName": "Jane",
"mailNickname": "jane.sagan",
"otherMails": [
"jane.sagan.#gmail.com"
],
"passwordProfile": {
"forceChangePasswordNextSignIn": false,
"password": "J#n3Sa8aN"
},
"surname": "Sagan",
"usageLocation": "BR",
"userPrincipalName": "jane.sagan#university.br",
"userType": "Member"
}
The property "otherMails" doesn't support the format "jane.sagan.#gmail.com".
Username cannot end with '.' in O365. You can have a try (create a user whose username ends with '.') in O365 portal to verify it.
Related
I am accessing a Share-point list using the MS graph API endpoint:
https://graph.microsoft.com/v1.0/sites/{site-id}/lists/{list-id}/items?expand=fields
I am getting the list items just fine, but I also want to get the user information attached in each field. The data item returned looks like this:
{
...other properties,
"fields": {
"#odata.etag": "\"eTag,1\"",
"id": "1",
"ContentType": "Item",
"Title": "<Some Title>",
"Modified": "<modified dateTime>",
"Created": "<created dateTime>",
"AuthorLookupId": "12",
"EditorLookupId": "12",
"_UIVersionString": "1.0",
"Attachments": false,
"Edit": "",
"LinkTitleNoMenu": "<num>",
"LinkTitle": "<num>",
"ItemChildCount": "0",
"FolderChildCount": "0",
"_ComplianceFlags": "",
"_ComplianceTag": "",
"_ComplianceTagWrittenTime": "",
"_ComplianceTagUserId": "",
"Status_Name": "<status_name>",
"Title0": "<some_title>",
"Dept": "Dept A",
"Emp_LeadLookupId": "200", //This is the user whose details I need(email-id)
"Quality_Approver": "<some_user>"
}
}
How do I get the user's details as well and not just a LookupId, OR how can I use the look up ID to get the said user's information?
I searched above and beyond but didn't find anything relevant. Any help is greatly appreciated!
Currently Microsoft Graph is not support the function of finding users through the lookup column.
The OneLogin OpenID Connect Scopes Documentation for the profile scope shows that there is a picture available but with this disclaimer:
Note, these claims are returned if OneLogin has the information available.
In testing, I never get picture back when testing with a user that has a profile photo set. What I get has these attributes only:
{
"id_token": "",
"token_type": "Bearer",
"scope": "openid profile",
"profile": {
"sub": "",
"email": "",
"preferred_username": "",
"name": "",
"updated_at": 1614904145,
"given_name": "",
"family_name": "",
"sid": ""
},
"expires_at": 1615761073
}
Any tips on how to get the additional fields from OneLogin would be appreciated. Thx!
I reached out to OneLogin's dev support and I got a response in a few hours. I have verified that this works, here it is:
You should add a parameter to your OIDC app and map it to the field "Profile Picture" and then include the params scope in your ODIC call. (fro more details on scopes see https://developers.onelogin.com/openid-connect/scopes)
Note - what you get back is the URL of an image and it is not a binary blob of the actual photo.
I have a requirement to check if logged in user is tenant admin or not using MS graph api. I tried below https://graph.microsoft.com/v1.0/me/ and get below response and there is nothing related to roles in below response. How to determine whether the below "id" is tenant Admin or not?
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
"businessPhones": [],
"displayName": "",
"givenName": "",
"jobTitle": null,
"mail": "",
"mobilePhone": null,
"officeLocation": "",
"preferredLanguage": ,
"surname": "",
"userPrincipalName": "",
"id": "Guid"
}
You can use Get https://graph.microsoft.com/v1.0/me/memberOf to implement your requirement.
If the first item of the value in the api response data is Company Administrator, the logged in user is admin. If not, the user is not admin (shown as below screenshot).
In Activate Membership API (https://developers.docusign.com/orgadmin-api/reference/Users/Users/activateMembership) one of path parameter is MembershipId.
However I have not found any endpoints that returns responses with MembershipId.
The closest guess could be calling GetUserProfile that has Memberships as parameter, but response does not contain Membership ID:
"memberships": [
{
"email": "xxxxxx#example.com",
"account_id": "xxxxxxx-....",
"external_account_id": "1234546",
"account_name": "1234546",
"is_external_account": false,
"status": "activationSent",
"permission_profile": {
"id": 11111111,
"name": "DocuSign Viewer"
},
"created_on": "2020-02-20T12:37:02.757",
"groups": [...],
"is_admin": false
}
]
Am I overlooking something?
Try this:
GET /v2.1/accounts/{accountId}/users/{userId}
The UserInfo section of the response should include the membershipId
I'm using the Microsoft Graph Users API to validate a list of user names or email addresses against our ActiveDirectory. The name search:
https://graph.microsoft.com/v1.0/me/people/?$search=john.smith
returns additional data such as officeLocation and jobTitle. But if I use the email search:
https://graph.microsoft.com/v1.0/users/john.smith#company.com
these additional fields are empty. I've enabled these API permissions in Azure:
People.Read
User.Read
User.ReadBasic.All
email
Do I need additional permissions to get the same data?
Update: I tried this in https://developer.microsoft.com/en-us/graph/graph-explorer as suggested below and it works, but Graph Explorer comes with these permissions by default which can't be disabled:
Calendars.ReadWrite
Contacts.ReadWrite
Directory.Read.All
Files.ReadWrite.All
Mail.ReadWrite
Notes.ReadWrite.All
openid
People.Read
Sites.ReadWrite.All
Tasks.ReadWrite
User.ReadBasic.All
User.ReadWrite
Update 2: I'm using Python 3.7 so I borrowed device_flow_session() from https://github.com/microsoftgraph/python-sample-console-app/blob/master/helpers.py#L25. The data I get back from https://graph.microsoft.com/me/people/?$search=John.Smith looks like:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#users("XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX")/people",
"value": [{
"id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX",
"displayName": "John Smith",
"givenName": "John",
"surname": "Smith",
"birthday": "",
"personNotes": "",
"isFavorite": False,
"jobTitle": "Software Engineer",
"companyName": "Company",
"yomiCompany": "",
"department": "Fish",
"officeLocation": "London",
"profession": "",
"userPrincipalName": "John.Smith#company.com",
"imAddress": "sip:John.Smith#company.com",
"scoredEmailAddresses": [{
"address": "John.Smith#company.com",
"relevanceScore": -6.0991198031917175,
"selectionLikelihood": "notSpecified"
}
],
"phones": [],
"postalAddresses": [],
"websites": [],
"personType": {
"class": "Person",
"subclass": "OrganizationUser"
}
}
]
}
Whereas the data from https://graph.microsoft.com/users/John.Smith#company.com is:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#users/$entity",
"businessPhones": [],
"displayName": "John Smith",
"givenName": "John",
"jobTitle": None,
"mail": "John.Smith#company.com",
"mobilePhone": None,
"officeLocation": None,
"preferredLanguage": None,
"surname": "Smith",
"userPrincipalName": "John.Smith#company.com",
"id": "XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX"
}
Based on my test, I found that the information obtained by these two APIs came from different places.
"officeLocation" returned from /me/people seems to be maintained in SharePoint. You can sign in https://apc.delve.office.com/?u=3df5295a-e4b1-46fe-8969-e715ccd11077&v=editprofile to check it.
"officeLocation" returned from /me or /users/{id | userPrincipalName} is maintained in Azure AD. So you can check it in Azure AD -> Users.
After I update the "Office" in Azure AD, I query with the two endpoints. But they gave me two different result. One (/me/people) is old and the other one (/users/{id | userPrincipalName}) is new. Maybe this will take some time to synchronize. Or maybe they won't sync.
I also test it in Microsoft Graph Explorer. And the "officeLocation"s are different as well. So I'm not sure why Microsoft Graph Explorer works fine for you. But you can dig it along with my ideas.
I hope my findings will be helpful to you.
Each "service" in the Graph (Active Directory, Exchange, SharePoint, etc.) make decisions on the data to return by default in calls. These decisions are made to best suit Microsoft in running the service, not necessarily what callers need. ;) I suggest adding the $select parameter to specify the attributes you require.
From https://learn.microsoft.com/en-us/graph/query-parameters#select-parameter:
Important: In general, we recommend that you use $select to limit the
properties returned by a query to those needed by your app. This is
especially true of queries that might potentially return a large
result set. Limiting the properties returned in each row will reduce
network load and help improve your app's performance.
In v1.0, some Azure AD resources that derive from directoryObject,
like user and group, return a limited, default subset of properties on
reads. For these resources, you must use $select to return properties
outside of the default set.