Trying to get Azure AD onPremisesSamAccountName from Microsoft using OAuth and REST - azure

When I attempt to retrieve the sAMAccountName from Azure AD via Microsoft Graph and OAuth, the attribute is not returned.
I am trying to retrieve the onPremisesSamAccountName through OAuth from Microsoft Graph on my Azure AD tenant. My local domain syncs with Azure, and I have selected the sAMAccountName directory extension for syncing. However, when I make my GET request to the Graph REST URI, I get back the correct user object, but I don't get back the onPremisesSamAccountName.
Here is my request:
https://graph.windows.net/myorganization/users/user#domain.com?api_version=1.6
That request returns the user object with a truckload of properties. When I try the following (in the hopes of "$select"ing the field), Microsoft returns the metadata URL, which actually contains the onPremisesSamAccountName property definition.
https://graph.windows.net/myorganization/users/user#somain.com?api-version=1.6&$select=onPremisesSamAccountName
Am I not formatting my query correctly? In the Azure AD portal, I have the following API permissions specified:

You can use the Microsoft Graph API to get the onPremisesSamAccountName property. Here is the Microsoft Graph Explorer request:
https://graph.microsoft.com/v1.0/users/{userObjectId}?$select=onPremisesSamAccountName
By the way, the permissions you granted are Microsoft Graph API permissions, not Azure AD Graph API permissions. Azure AD Graph is different from Microsoft Graph. It is recommended to use the Microsoft Graph API.
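As an added example (not code from the original answer), the request above built and parsed in Python. The token value, the UPN user@domain.com and the two JSON bodies are constructed here for illustration; nothing is sent over the network, the request object is returned for the caller to send. The point worth seeing is the difference between a synced user, where the property carries the on-premises sAMAccountName, and a cloud-only user, where Microsoft Graph returns it as null.

```python
"""Build a Microsoft Graph v1.0 user request with $select and parse the reply.

Added example, not from the original post. The token, UPN and response
bodies below are constructed samples.
"""
import json
import urllib.parse
import urllib.request
from typing import List, Optional

GRAPH_BASE = "https://graph.microsoft.com/v1.0"


def build_user_request(access_token: str, user: str,
                       properties: List[str]) -> urllib.request.Request:
    """Return a GET request for /users/{id-or-upn}?$select=... .

    `user` may be an object id or a UPN. A UPN contains '@', so it is
    percent-encoded as a path segment. The bearer token goes in the
    Authorization header, never in the query string (query strings end up
    in proxy and server logs).
    """
    path = f"{GRAPH_BASE}/users/{urllib.parse.quote(user, safe='')}"
    # Keep '$' and ',' literal so the query reads as Graph documents it.
    query = urllib.parse.urlencode({"$select": ",".join(properties)}, safe=",$")
    req = urllib.request.Request(f"{path}?{query}", method="GET")
    req.add_header("Authorization", f"Bearer {access_token}")
    req.add_header("Accept", "application/json")
    return req


def sam_account_name(response_body: bytes) -> Optional[str]:
    """Extract onPremisesSamAccountName from a Graph user JSON body.

    Returns None for cloud-only users: Graph returns the property as null
    when the account was not synced from on-premises Active Directory.
    Raises on a Graph error envelope instead of silently returning None.
    """
    data = json.loads(response_body)
    if "error" in data:
        err = data["error"]
        raise RuntimeError(f"Graph error {err.get('code')}: {err.get('message')}")
    return data.get("onPremisesSamAccountName")


# Constructed sample bodies (not real Graph output).
SYNCED_USER = json.dumps({
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(id,userPrincipalName,onPremisesSamAccountName)/$entity",
    "id": "00000000-0000-0000-0000-000000000001",
    "userPrincipalName": "user@domain.com",
    "onPremisesSamAccountName": "user",
}).encode()

CLOUD_ONLY_USER = json.dumps({
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(id,userPrincipalName,onPremisesSamAccountName)/$entity",
    "id": "00000000-0000-0000-0000-000000000002",
    "userPrincipalName": "cloudonly@domain.com",
    "onPremisesSamAccountName": None,
}).encode()

if __name__ == "__main__":
    req = build_user_request("t0ken", "user@domain.com",
                             ["id", "userPrincipalName", "onPremisesSamAccountName"])
    print(req.full_url)
    print("synced:", sam_account_name(SYNCED_USER))
    print("cloud-only:", sam_account_name(CLOUD_ONLY_USER))
```

To actually send it, pass the request to `urllib.request.urlopen` and feed `.read()` into `sam_account_name`; the app (or the signed-in user, for a delegated token) needs User.Read.All or equivalent for other users' attributes.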

Related

Programmatically switch 'local' IdentityProvider to Username via MS Graph API in Azure AD B2C

I'm trying to script a B2C tenant and need to switch the Local Accounts Identity Provider to be Username based instead of email as per below picture.
MS Graph API returns an empty list for the path GET https://graph.microsoft.com/beta/{tenantid}/identityproviders.
Is it possible to switch this programmatically?
I can migrate to the trustframework policy xml upload method if necessary but it seems like overkill.
The scenario you described should be for Azure AD B2C instead of Azure AD B2B.
It has a limitation in Microsoft Graph currently.
When we try to List identityProviders, local account identity Provider won't be listed in the response. See reference here.
The supported types for identityProviders are:
Microsoft
Google
Amazon
LinkedIn
Facebook
GitHub
Twitter
Weibo
QQ
WeChat
So I'm afraid that we can't update the local account identity Provider via Microsoft Graph API.
If you are using user flow, I think the easiest way is to change it in Azure Portal.
If you can use a custom policy, modifying the configuration in the custom policy is necessary.

Azure Graph Booking API for public application

I would like to use the MS Graph Booking API for a publicly available application.
Users are going to login with identity providers but obviously are not in our Azure AD.
Per my understanding, it's possible to access this API only with delegated AD user permissions.
Also as I see Azure B2C AD users seem to not have access to MS Graph API.
Question: Is there a way to expose and use MS Graph Booking API by users who are in our database or in Azure B2C AD?
I am afraid there is no such way. To use the Microsoft Graph API, we need to provide the appropriate access tokens for the corresponding operations, and we must get the access token from the Microsoft identity platform (formerly Azure Active Directory for developers).
The steps are:
Register your app with Azure AD.
Get authorization.
Get an access token.
Call Microsoft Graph with the access token.
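The four steps above as an app-only (client credentials) token request, added here as an example and not taken from the original answer. The tenant id, client id and secret are placeholders, and the HTTP POST is injectable so the flow can be exercised offline with a constructed token response; `default_post` is the real transport. Note that this grants the application's own permissions, not those of a signed-in user, which is why it does not help a B2C or external user reach the Booking API on their own behalf.

```python
"""Client credentials flow against the Microsoft identity platform v2.0 endpoint.

Added example, not from the original answer. Tenant, client id and secret
are placeholders; the token response used in __main__ is constructed.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, List

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"  # all app permissions granted in the portal


def token_request_body(client_id: str, client_secret: str) -> bytes:
    """Form-encoded body for grant_type=client_credentials (step 2 + 3)."""
    return urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,
    }).encode()


def default_post(url: str, body: bytes) -> bytes:
    """Real transport: POST the form body and return the raw response bytes."""
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    with urllib.request.urlopen(req) as resp:
        return resp.read()


def get_app_token(tenant: str, client_id: str, client_secret: str,
                  post: Callable[[str, bytes], bytes] = default_post) -> str:
    """Acquire an app-only access token; raises on an error response."""
    raw = post(TOKEN_URL.format(tenant=tenant),
               token_request_body(client_id, client_secret))
    data = json.loads(raw)
    if "error" in data:
        # AAD returns error/error_description; surface both, never the secret.
        raise RuntimeError(f"{data['error']}: {data.get('error_description', '')}")
    if data.get("token_type", "").lower() != "bearer":
        raise RuntimeError(f"unexpected token_type {data.get('token_type')!r}")
    return data["access_token"]


def parsed_body(body: bytes) -> Dict[str, List[str]]:
    """Helper for inspecting what token_request_body produced."""
    return urllib.parse.parse_qs(body.decode())


# Constructed token response used for an offline run (not real AAD output).
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "token_type": "Bearer",
    "expires_in": 3599,
    "ext_expires_in": 3599,
    "access_token": "eyJ.constructed.token",
}).encode()


def sample_post(url: str, body: bytes) -> bytes:
    return SAMPLE_TOKEN_RESPONSE


if __name__ == "__main__":
    token = get_app_token("contoso.onmicrosoft.com", "00000000-1111-2222-3333-444444444444",
                          "placeholder-secret", post=sample_post)
    print("token:", token)
    print("body fields:", sorted(parsed_body(token_request_body("id", "secret"))))
```

Step 4 is then a GET to https://graph.microsoft.com/v1.0/... with `Authorization: Bearer <token>`; the scope `.default` means the token carries whatever application permissions an admin consented to in the app registration.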

Is it possible to get all the user informations in a tenant by Azure AD Graph API or Microsoft Graph API?

From the Azure Active Directory v2.0 authentication libraries we can see lots of samples about how to use the libraries to connect to Active Directory. It seems all of them should create an application at apps.dev.microsoft.com first, then use the Application ID and a new password to act as the clientID and clientSecret in a client or server middleware application.
This way, one user can use the application to log in by OAuth 2 or OpenID through the Azure Active Directory API, and can also get personal information such as the user profile correctly.
But, if I want to get all the users' information in a tenant at one time, is there an API that can do this?
But, if I want to get all the users' information in a tenant at one time, is there an API that can do this?
You can use Microsoft Graph API - specifically List Users API.
https://graph.microsoft.com/v1.0/users
For a quick test, try using Microsoft Graph Explorer
Similarly you can list users with Azure AD Graph API as well, but it would be recommended to use Microsoft Graph API.
Read Microsoft Graph or Azure AD Graph and this SO Post (Only case to use Azure AD Graph API would be if you need something very specific that you aren't able to achieve with stable version of the newer Microsoft Graph API.)
Azure AD Graph API to list users (not recommended)
https://graph.windows.net/myorganization/users
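One thing the List Users call does not do is return the whole tenant in one response: Microsoft Graph pages the result (100 users by default, at most 999 with $top) and hands back an @odata.nextLink to follow. The example below, added here and not part of the original answer, follows that link until it is absent. The fetch function is injectable; `sample_fetch` serves three constructed pages keyed by URL, and the skiptoken values are made up.

```python
"""Enumerate all users in a tenant by following @odata.nextLink.

Added example, not from the original answer. The pages served by
sample_fetch are constructed; real Graph nextLinks carry an opaque
$skiptoken and must be requested verbatim, not rebuilt.
"""
import json
import urllib.request
from typing import Callable, Dict, Iterator, List

LIST_USERS = ("https://graph.microsoft.com/v1.0/users"
              "?$select=id,userPrincipalName,accountEnabled&$top=999")


def graph_fetch(access_token: str) -> Callable[[str], bytes]:
    """Real transport: GET a Graph URL with the bearer token."""
    def fetch(url: str) -> bytes:
        req = urllib.request.Request(url, method="GET")
        req.add_header("Authorization", f"Bearer {access_token}")
        with urllib.request.urlopen(req) as resp:
            return resp.read()
    return fetch


def iter_users(fetch: Callable[[str], bytes], url: str = LIST_USERS,
               max_pages: int = 10000) -> Iterator[Dict]:
    """Yield user objects page by page until no nextLink is returned."""
    next_url = url
    pages = 0
    while next_url:
        pages += 1
        if pages > max_pages:
            # A server bug or a replayed link could loop forever; fail loudly.
            raise RuntimeError(f"more than {max_pages} pages, aborting")
        page = json.loads(fetch(next_url))
        if "error" in page:
            raise RuntimeError(f"Graph error {page['error'].get('code')}")
        for user in page.get("value", []):
            yield user
        next_url = page.get("@odata.nextLink")


def all_users(fetch: Callable[[str], bytes], url: str = LIST_USERS) -> List[Dict]:
    return list(iter_users(fetch, url))


def disabled_upns(users: List[Dict]) -> List[str]:
    """Accounts with accountEnabled == false, a common audit question."""
    return [u["userPrincipalName"] for u in users if u.get("accountEnabled") is False]


# Constructed three-page result set (not real Graph output).
_PAGE2 = LIST_USERS + "&$skiptoken=X%27constructed1%27"
_PAGE3 = LIST_USERS + "&$skiptoken=X%27constructed2%27"
SAMPLE_PAGES = {
    LIST_USERS: {"value": [{"id": "1", "userPrincipalName": "alice@contoso.com", "accountEnabled": True}],
                 "@odata.nextLink": _PAGE2},
    _PAGE2: {"value": [{"id": "2", "userPrincipalName": "bob@contoso.com", "accountEnabled": False}],
             "@odata.nextLink": _PAGE3},
    _PAGE3: {"value": [{"id": "3", "userPrincipalName": "carol@contoso.com", "accountEnabled": True}]},
}


def sample_fetch(url: str) -> bytes:
    return json.dumps(SAMPLE_PAGES[url]).encode()


def looping_fetch(url: str) -> bytes:
    """Misbehaving server that always points back at the same page."""
    return json.dumps({"value": [], "@odata.nextLink": url}).encode()


if __name__ == "__main__":
    users = all_users(sample_fetch)
    print(len(users), "users;", "disabled:", disabled_upns(users))
```

For a real run, call `all_users(graph_fetch(token))` with a token that carries User.Read.All (delegated) or User.Read.All / Directory.Read.All (application).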

Azure AD Graph vs Microsoft Graph App Authorization Tokens

I have an application currently using the Azure AD Graph API. I would like to start migrating the app to Microsoft Graph. However, I would like to reuse the bearer tokens for hitting both the Azure AD Graph API and the Microsoft Graph API.
How can I accomplish this? Currently it seems as if the apps must be registered in different portals for the different APIs respectively.
it seems as if the apps must be registered in different portals for the different api's respectively
This is not consistent with my experience. I have registered my Application in Azure Active Directory.
Using the Azure portal, I am able to get permissions to both the Microsoft Graph Api and the Windows Azure Active Directory API.
I would like to reuse the bearer tokens for hitting both the Azure AD Graph API and Microsoft Graph API.
You cannot use the same token for both the Azure AD Graph API and Microsoft Graph API.
In my code, I receive an access token via the following call:
AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(
authorizationCode,
redirectUri,
CreateClientCredential(),
resourceString
);
The resourceString parameter is either https://graph.windows.net/ for the AD Graph API, or https://graph.microsoft.com for the Microsoft Graph API.
They are distinct resources, so you must manage two tokens, applying the appropriate token for each API call.
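A practical check for the "two tokens" rule, added as an example and not code from the original answer: read the `aud` claim of a bearer token before sending it and refuse to use it against the wrong API. Azure AD Graph tokens carry an audience of https://graph.windows.net/ (or the resource's app id 00000002-0000-0000-c000-000000000000); Microsoft Graph tokens carry https://graph.microsoft.com (or 00000003-0000-0000-c000-000000000000). The tokens in the block are constructed, unsigned samples, and this is only a client-side sanity check: the API still validates the signature, the check just turns a confusing 401 into an explicit error before the call.

```python
"""Check a bearer token's aud claim against the API it is about to be sent to.

Added example, not from the original answer. The two sample tokens are
constructed and unsigned (alg=none); real tokens are signed and the
signature is verified by the resource, not here.
"""
import base64
import json
from typing import Dict

AAD_GRAPH = "https://graph.windows.net/"
MS_GRAPH = "https://graph.microsoft.com"
AAD_GRAPH_APP_ID = "00000002-0000-0000-c000-000000000000"
MS_GRAPH_APP_ID = "00000003-0000-0000-c000-000000000000"

# Audience values a token for each resource may legitimately carry.
_AUDIENCES = {
    "https://graph.windows.net": {"https://graph.windows.net/", "https://graph.windows.net", AAD_GRAPH_APP_ID},
    "https://graph.microsoft.com": {"https://graph.microsoft.com/", "https://graph.microsoft.com", MS_GRAPH_APP_ID},
}


def _b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> Dict:
    """Return the payload of a compact JWT without verifying it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    return json.loads(_b64url_decode(parts[1]))


def token_fits_resource(token: str, resource: str) -> bool:
    """True if the token's aud matches the resource (AAD Graph or MS Graph)."""
    key = resource.rstrip("/")
    if key not in _AUDIENCES:
        raise ValueError(f"unknown resource {resource!r}")
    aud = jwt_claims(token).get("aud")
    auds = set(aud) if isinstance(aud, list) else {aud}
    return bool(auds & _AUDIENCES[key])


def choose_token(tokens_by_resource: Dict[str, str], resource: str) -> str:
    """Pick the token cached for `resource`, refusing one with the wrong aud."""
    token = tokens_by_resource[resource]
    if not token_fits_resource(token, resource):
        raise RuntimeError(f"token audience does not match {resource}; acquire one for that resource")
    return token


def make_unsigned_jwt(claims: Dict) -> str:
    """Constructed sample token for offline use (alg=none, empty signature)."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


SAMPLE_AAD_GRAPH_TOKEN = make_unsigned_jwt({"aud": AAD_GRAPH, "tid": "tenant-placeholder"})
SAMPLE_MS_GRAPH_TOKEN = make_unsigned_jwt({"aud": MS_GRAPH_APP_ID, "tid": "tenant-placeholder"})

if __name__ == "__main__":
    cache = {AAD_GRAPH: SAMPLE_AAD_GRAPH_TOKEN, MS_GRAPH: SAMPLE_MS_GRAPH_TOKEN}
    print("AAD token for MS Graph?", token_fits_resource(SAMPLE_AAD_GRAPH_TOKEN, MS_GRAPH))
    print("chosen:", choose_token(cache, MS_GRAPH)[:20], "...")
```

In the ADAL code above this maps to keeping one `AuthenticationResult` per `resourceString` and passing the matching one to each call; the `aud` check catches the case where the two get mixed up in a cache.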

Which Azure Active Directory Graph API should I use?

I recently figured out that there are two Graph APIs available for Azure Active Directory. There is the unified graph.microsoft.com and the AAD specific graph.windows.net:
Azure AD Graph API functionality is also available through Microsoft Graph, a unified API that also includes APIs from other Microsoft services like Outlook, OneDrive, OneNote, Planner, and Office Graph, all accessed through a single endpoint with a single access token.
Source
Is there any reason to use the unified Graph API when I only need to browse AAD objects? Will the AAD specific graph.windows.net Graph API get deprecated?
There has been no announcement of Azure AD Graph API's deprecation and we (and others) use it in production every day.
If you can get what you want through Azure AD Graph API, I'd say use it. If you need something else from the Microsoft Graph API (like emails or contacts), use that one.