Read custom attributes from AD using graph API - azure

I need clarification for below users graph api,
https://graph.microsoft.com/v1.0/users/
We have synced our on-premise AD with Azure active directory. In my on premise AD we have the custom attribute called “RollNo”. I would like to read that " RollNo” data from above users graph api.
Is this possible to read custom attribute from AD ?

I don't see the rollno in azure AD. But I've created in On-premise AD which is synced with azure AD. Do we have any workaround to get this value?

When configuring Azure AD Connect there is a step that allows you to specify additional attributes that you wish to be replicated to Azure AD.But the custom attributes. name would be changed.
For more detailed information, please refer to the official article: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-directory-extensions

Related

Configure Azure AD Connect Cloud Sync without Portal?

Is it possible to reproduce the steps to "Configure Azure AD Connect cloud sync" from the Azure portal, in another way using an API?
The steps are described at this link:
https://learn.microsoft.com/en-us/azure/active-directory/cloud-sync/tutorial-single-forest#configure-azure-ad-connect-cloud-sync
I would like to automate this process to have no user interaction. Is it possible with the Graph API? Any example?
Thank you Marilee Turscak - MSFT for providing the reference Link.
I don't understand this sentence: "You need to use this application
ID 1a4721b3-e57f-4451-ae87-ef078703ec94. The displayName is the AD
domain url, if used in the portal (for example, contoso.com), but it
may be named something else." What is the application id I should use?
And what is the display name? I get 401 or 403 errors. Is there an
additional step before this?
You have to use the same application ID as its the Application templateID by default which is used to provision entries from active directory to Azure active directory.
But You can use any Display name that you want and Please make sure to have the required permissions as shown below. You can perform the post operation with Graph explorer.
After you have done the above post operation you will get the service principal ID which can be used for further steps mentioned in the document provided by Marilee Turscak - MSFT.
Reference:
How to programmatically configure cloud sync using MS Graph API | Microsoft Docs

Azure AD B2C and organizational groups

Consider the following case, for my application:
I have a website
The website sits on top of an azure api and gets data from cosmos DB
The data from cosmos DB is specific for different organizations
Different organizations should be able to have an "admin" appointed by me
The organization "admin" should be able to add his colleagues under the same organization
The users within a particular organization should only be able to view the data specific to their organization
Considering the above use-case, I have thought about using Azure B2C because:
Everything is already inside azure
I don't want to do security myself
However, I am unsure, if it is actually possible to achieve this with azure B2C? I can't seem to find any similar use-cases in the AD documentation. Hence why I start to think, that I'm going in a wrong direction...?
Therefore, can Azure AD B2C offer, what I want to achieve? (do I need a tenant for each Organization)
In case, Azure AD does not offer support for my use-case, what would you then recommend me to do?
As a white-label service, Azure AD B2C cannot be used as a built-in security provider for other Azure services without writing custom code to translate whatever authorization model you maintain in Azure AD B2C into access patterns for CosmosDB or other Azure services.
CosmosDB does have it's own in-built notion of users and permissions which you might map in some way (using custom code) to Azure AD B2C users. https://learn.microsoft.com/en-us/azure/cosmos-db/secure-access-to-data#users
You could also use CosmosDB's integration with Azure AD (not B2C) for RBAC controls: https://learn.microsoft.com/en-us/azure/cosmos-db/role-based-access-control
Finally, Azure AD B2C does not provide any out-of-the-box administrative tooling for the kind of delegated user administration model you described. Again this would need to be a custom coded admin UI or you'd need to use a third-party solution such as Saviynt for delegated administration: https://learn.microsoft.com/en-us/azure/active-directory-b2c/partner-saviynt

API for creating directory in Azure AD

I want to create directory in azure ad using api, does any such api is supported by azure? If yes then please share the api.
As far as I am aware of, there is no API for creating Azure AD tenants.
The documentation never mentions any: https://learn.microsoft.com/en-us/azure/active-directory/develop/quickstart-create-new-tenant

Not able Add the B2B invitation in Azure new portal

Currently we are working on Azure SSO migration project and doing most of the task using old azure site. we have received a mail from the Microsoft via Client to use the new azure portal.
To provide the access for B2B, in old portal we straight uploaded the files with application id and the group id and that worked well.
But, in new portal when the did the same, the ids' are getting created in azure AD portal but they are not mapped in the groups that we have created for B2B invitation for the application.
Is there any approach is there. please help.
Regards,
Avisekh
The feature in the Azure Portal allows you to add individual requests by adding guest accounts, but if you need to invite multiple people or have any type of automation, you should:
Use PowerShell New-AzureADMSInvitation cmdlet
[or]
Use the Microsoft Graph API invitations
If you need to add users to groups, then you can also use the Dynamic Groups feature in Azure B2B (perhaps this is more similar to what you used to have), as well as Graph API Groups API or via PowerShell.

Azure AD "Description" field missing when sync'd using Azure AD Connect

We're using Azure AD Connect to sync our on-premises Active Directory to Azure AD. We have the free version that comes with the Office 365 business plans.
Azure AD Connect shows the Description field as being synchronized to Azure AD, yet, the field does not appear anywhere.
We're using a third-party service to read data from our user profiles to generate email signatures, but the service cannot read the data as it doesn't "exist" in Azure.
I even tried going into our Azure AD Connect configuration, enabled Directory extension attribute sync and added the Description field for user accounts...but it created a new "description" field with a weird name instead.
Is there something I'm missing ? Do we perhaps need to have Azure AD Premium ?
Thanks for your help people!
Based on the official documentation, the attribute for Description has been synced to Azure AD. You can verify it by open Synchronization Service Manager, and check the properties for the specific user by Metaverse Search.
However, if you need to retrieve the attribute values for specific user, you must use Azure AD Graph API. For your scenario, the third-party service may leverage Azure AD Graph API for retrieving user properties.
Then, if you check the Graph API reference, you can find that Description is not included in the list, which means you can't retrieve the Description attribute from Azure AD.
As a workaround, you can use Directory extension, but the attributes are prefixed with extension_{AppClientId}_. The AppClientId has the same value for all attributes in your Azure AD tenant.
Also, you can submit your requirements to the following website, which collects feedbacks for Azure AD from users.
https://feedback.azure.com/forums/169401-azure-active-directory?query=attribute

Resources