I want to learn Azure directory services, so I created a free Microsoft Azure account to play around with Azure, and then I created a new App registration at portal.azure.com. So I have this registered application in Azure with a Client ID, Tenant ID, and even a Client Secret, because I want to learn API permissions with this app.
Now in the Microsoft Graph Explorer, I want to try using API methods like Get Application and List Applications.
However, if I log in and run the API to list my applications (GET https://graph.microsoft.com/beta/applications), the response has an empty array of applications.
Also if I try to GET the specific app that I registered in AD, I get a 404: Resource Not Found found error.
What am I doing wrong? How can I use the Graph Explorer with my test Azure account so my registered application can be retrieved and edited with Microsoft Graph APIs?
More Details Below
When I run GET https://graph.microsoft.com/beta/applications in Microsoft Graph Explorer, I expect a list of my applications, including the one app I registered in Azure. Instead, here is the response:
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#applications",
"value": []
}
When I run GET https://graph.microsoft.com/beta/applications/{client-id}, with my registered app's client-id, I expect all the details of my registered app, but instead, the response is error 404:
{
"error": {
"code": "ResourceNotFound",
"message": "Resource not found.",
"innerError": {
"request-id": "*****",<--I commented this out
"date": "2019-05-28T20:17:11"
}
}
}
If this were a permissions issue, I would expect unauthorized errors instead of "resource not found". I've tried adding Microsoft Graph permissions to my registered App (Directory.Read.All, Directory.ReadWrite.All), but this hasn't helped.
This is nothing to do with Azure free account. If you login in Graph Explorer using outlook account, it will identify this account as a personal account(with tenant outlook.com). That's why you can not find the applications you created in your tenant.
It is recommended to create a new user in your tenant to do the tests.
Here are the steps.
1.Click Azure Active Directory->Users->New User. The username should be something like username#{your tenant name}(XXX.onmicrosoft.com)
2.After the creation, add the roles for this user.
Related
I'm trying to use "invoke an http request" action in power automate to query a log analytics workspace. I have access to perform this from azure portal. I referred this Microsoft article to get the URI. But when I try to execute the flow, I get the below error:
Complete error message:
{
"error": {
"message": "The provided authentication is not valid for this resource",
"code": "InvalidTokenError",
"correlationId": "45e0ff0c-01f1-4ea5-a11d-ec6ce2d71b8b",
"innererror": {
"code": "InvalidAuthenticationTokenTenant",
"message": "The access token is from the wrong issuer 'https://sts.windows.net/687f51c3-0c5d-4905-84f8-97c683a5b9d1/'. It must match one of the tenants 'https://sts.windows.net/2f4a9838-26b7-47ee-be60-ccc1fdec5953/,https://sts.windows.net/a6eb2ff5-3009-4bfc-b769-24a2f82c1913/' associated with this subscription. Please use any authority (URL) from 'https://login.windows.net/2f4a9838-26b7-47ee-be60-ccc1fdec5953,https://login.windows.net/a6eb2ff5-3009-4bfc-b769-24a2f82c1913' to get the token. Note, if the subscription is transferred to another tenant there is no impact to the services, but information about new tenant could take time to propagate (up to an hour). If you just transferred your subscription and see this error message, please try back later."
}
}
}
The analytics workspace that I'm trying to query is not under my AAD tenant. It is under another tenant/directory, which I have access from portal. How can I get the access token so that I can execute this query?
I have already tried the action "Run query and list results" in power automate, which gave the same error.
Any suggestions?
Please check below points:
Please check if you have multiple subscription .So while
requesting access token , it is the tenant which is not part of the
subscription that you might have selected. In such a case try to
change the settings and make your subscription map to the directory
which you want to use.
In some cases browser tries or attempts to get an access token from
already logged in tenant .So If its under same subscription, try to
check after clearing the cache
You can also put required tenant ID in the enviroment settings of
your particular app, using DefaultAzureCredential()
Or Configure the authority defining the tenantId
https://login.microsoftonline.com/{tenant-id} for multiple tenants
Signing in once to access to all the Azure Log Analytics data from
all tenant may not be feasible.It may require reauthentication .
Check this way to get
the accesss token for that particular tenant Request an
authorization token - Azure Monitor | Microsoft Docs and use the
token to call the log analytics workspace
References:
Query - Execute - REST API (Azure Log Analytics) | Microsoft Docs
azure log analytics - Valid authentication was not provided - Stack
Overflow
I am integrating Login with Azure AD for one of my clients on my website. I am only targeting one specific group in their organisation, and not everybody in the entire organisation.
This new feature has 2 requirements:
We need to create an account for people logging in via their email using our clients Azure AD.
We need to run a CRON job daily to check if anybody has been removed in their AD (due to them leaving the company), so we also need to remove their profile in our application.
For number 1, I think it's sufficient to call the /authorization, /token and /userinfo endpoints. Is this correct?
But for number 2, I am having issues to see how this is possible.
When browsing the graph explorer (https://developer.microsoft.com/en-us/graph/graph-explorer) I can find the following 2 API methods:
GET all users in the organization /users ---> But i am unsure whether this returns all the users in their AD, or only the ones applicable for my application?
GET direct members of a group with count /groups/<id</members ---> Is this the one I am looking for when they are assigned into a specific group?
I've also found this SO link : https://stackoverflow.com/a/64553305 which talks about saving the access token and refresh token. Is it possible if I save these two to fetch the userinfo at any point in time? This way I could possibly query all the created accounts each day and if one of them returns a status deleted, or empty I know the account no longer exists? Or is this not an option?
Thanks in advance!
UPDATE:
I noticed that my client granted me the User.Read and User.Read.All graph permissions.
But i'm not certain how to call this API? When calling this API in Postman :
https://graph.microsoft.com/v1.0/users/123-this-is-the-id
I am getting the following response:
{
"error": {
"code": "InvalidAuthenticationToken",
"message": "Access token is empty.",
"innerError": {
"date": "2021-10-07T12:59:05",
"request-id": "...",
"client-request-id": "..."
}
}
}
I am trying to use the Microsoft Graph API to configure an Azure B2C instance. Specifically, I need to create UserFlows and IdentityProviders. For this purpose, I have created an AppRegistration with IdentityProvider.ReadWrite.All and IdentityUserFlow.ReadWrite.All API application permissions for the Microsoft Graph. I am able to call the APIs for creating new user flows and identity providers without a problem, but I am unable to link flows to an identity provider. Whenever I use any of the linking API's, I get an error:
AADB2C (User Authorization: Access is denied)
As an example, I get this when trying to list registered identity providers for specific user flow, i.e.
GET https://graph.microsoft.com/beta/identity/b2cUserFlows/B2C_1_{flowId}/identityProviders
The response for this request is a 403 with
{
"error": {
"code": "AADB2C",
"message": "User Authorization: Access is denied.",
"innerError": ...
}
}
I am using the Beta API as described in the docs here: https://learn.microsoft.com/en-us/graph/api/b2cuserflows-list-identityproviders?view=graph-rest-beta&tabs=http. I get the samme error when trying to link a user flow with an identity provider as described in the documentation here: https://learn.microsoft.com/en-us/graph/api/b2cuserflows-update-identityprovider?view=graph-rest-beta&tabs=http
Any idea why I keep getting this authorization block?
Update: I have tried expanding the .IdentityProviders property on a userflow when reading it from the graph api. This does not give a 403, but the identity providers list, on the returned user flow, is empty even when providers have been manually added to the flow in the Azure Portal.
Please ensure to comply with this:
The work or school account needs to belong to one of the following
roles:
Global administrator External Identity User Flow administrator
I have a scenario, I need to write functional tests for my API(s). API uses Azure AD authentication. There are multiple roles in system and role of a user is decided on the basis of membership of different AD groups.
so for functional test I need different users with in different groups.
I created a service principals with contributor rights in subscription and added them in groups and granted following Microsoft graph Application type API permissions.
- Application.Read.All
- Directory.Read.All
Now I used these apis to complete my use case.
1- https://login.microsoftonline.com/{tenant-Id}/oauth2/token
to get the access token against service principal.
2- GET https://graph.microsoft.com/v1.0/me/memberOf
to get the list of user's groups. but i got following response with authentication token of service principal.
{
"error": {
"code": "Request_ResourceNotFound",
"message": "Resource 'xxxx471-bxxxa-45a2-b61b-18xxxxx42af88' does not exist or one of its queried reference-property objects are not present.",
"innerError": {
"request-id": "fxxxxc41-319e-xxxx-xxxx-360xxxx58077",
"date": "2020-04-13T11:41:01"
}
}
}
I also have tried this
3- https://graph.microsoft.com/v1.0/users/{princialId}/memberOf
and get the following response
"error": {
"code": "Request_ResourceNotFound",
"message": "Resource 'xxxxx-xxxx-xxxx-b61b-18421142af88' does not exist or one of its queried reference-property objects are not present.",
"innerError": {
"request-id": "fxxxxc41-319e-xxxx-xxxx-360xxxx58077",
"date": "2020-04-14T05:59:03"
}
}
}
I have used object id of app registered in azure AD. when i searched service principal using power shell using following command I found different Object_Id than which is written on AD app on azure portal
command : get-AzureADServicePrincipal
with this Object_Id I was able to get service principal's groups using beta services.
https://graph.microsoft.com/beta/servicePrincipals/{object ID}/memberOf
anybody can explain why i was not able to get the groups of service principal using v1.0 service.
Thanks
anybody can explain why i was not able to get the groups of service principal using v1.0 service.
Because the v1.0 version does not support this API GET /servicePrincipals/{id}/memberOf , it just could be availale in the Beta version currently.
You could check this doc - List servicePrincipal memberOf, select the Version with 1.0, then it will give a prompt message like below.
I have used object id of app registered in azure AD. when i searched service principal using power shell using following command I found different Object_Id than which is written on AD app on azure portal
The Object Id of the service principal is not the same with that of the App Registration, the one you got from the powershell is correct, also, you can find it in the portal in the Enterprise applications like below.
I agree that beta service was not part of V1.0 but according to V1 documentation
https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/memberOf
should work.
please visit
https://learn.microsoft.com/en-us/graph/api/user-list-memberof?view=graph-rest-1.0&tabs=http
Please find documetation image here
How do you get the authentication contact info from azure ad b2c with the microsoft graph, I am looking to retrieve the email address.
I checked the documentation on Microsoft Graph API and could find no mention of how to get the Authentication Contact Info besides using PowerShell (learn.microsoft.com/en-za/azure/active-directory/authentication/…)
Based on this article, there are still some gaps between the Microsoft Graph API and the older Azure AD Graph API, but seems neither will fully retrieve what's required.
As of now, the following with get the Alternate Email field only from the "Authentication contact info" section using the Azure AD Graph API;
Register the Application in Azure AD
In the Azure Active Directory instance;
Register a new application (client_id)
Grant "Read all users' full profiles" permissions to Windows Azure Active Directory
Create a private key (client_secret) for the application
Authentication Flow
Reference: Service to Service Calls Using Client Credentials
Retrieve an access token
Request
POST https://login.microsoftonline.com/<tenant id>/oauth2/token
Payload
{
"client_id": "<client_id>",
"client_secret": "<client_secret>",
"resource": "https://graph.windows.net",
"grant_type": "client_credentials"
}
User Authentication Contact Info
Reference: Basic operations on users
Get user
Request
GET https://graph.windows.net/<tenant_id>/users/<user_id>?api-version=1.6
Headers
{
"Authorization": "Bearer <access_token>"
}
Response
{
...
"otherMails": ["<Alternate Email>"],
...
}
As you mentioned it seems that there is no microsoft Graph API could get the authentication Contact Info Email.
But we could get that information with following API, I capture it with browser. It seems a litte hack.
Get https://main.iam.ad.ext.azure.com/api/UserDetails/{userId}
About how to get the access token, please refer to this blog.
Note: I don't find this API in the Azure official document. Please don't use it for product, you could use it for test.