How to Find AppId of Schema Extention App in Azure AD - azure

I have tried to get custom attributes created in Active directory using Microsoft graph. I am able to get attributes by their names using this query in Microsoft Graph
https://graph.microsoft.com/v1.0/me?$select=Department
But I'm not able to get some attributes which are not their by default (which are customly created) using microsoft graph. For an example, if I put "employeeId", the same query returns
{"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(employeeId)/$entity"}
Interestingly, I can get the employeeId using Azure AD graph which is now old school. (below query)
https://graph.windows.net/me/employeeId
Above query returns me the following Jason
{
"odata.metadata": "https://graph.windows.net/myorganization/$metadata#Edm.String",
"value": "38XXX"}
After some googling, I've found that there are extension attributes which are created using Azure AD connect which will create a Schema Extension App in Azure and we can get them using
extension_{appID}_employeeId
I can't find any Schema Extension App in my Azure Portal and I've tried some Powershell commands too. Our organization don't use Azure B2C AD. What I need is
A way to find AppId of Schema Extension App in Azure
Or an alternative way to get those custom attributes

A way to find AppId of Schema Extension App in Azure
If you want to find the AppId of Schema Extension App, you could use the MS graph api below.
GET https://graph.microsoft.com/beta/applications?$filter=displayName eq 'Tenant Schema Extension App'
For more details about required permission etc, refer to this similar issue.

Eventually, I've found the Tenant Schema Extension AppID buy running below query in Microsoft Graph Explorer
Note : Use Beta for Graph API version
https://graph.microsoft.com/beta/me
Which returned me a lengthy Json with below output
"userPrincipalName": "example#abc.com",
"externalUserState": null,
"externalUserStateChangeDateTime": null,
"userType": "Member",
"extension_{appid}_extensionAttribute3": "XXX",
"extension_{appid}_extensionAttribute2": "XXX",
"extension_{appid}_extensionAttribute1": "XXX",
"extension_{appid}_employeeID": "XXXXXX",
Additionally, the below query returned the extension attributes even without the appid (you should use beta version)
https://graph.microsoft.com/beta/me?$select=UserPrincipalName,onPremisesExtensionAttributes
Which returned the below Json
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#users(userPrincipalName,onPremisesExtensionAttributes)/$entity",
"userPrincipalName": "xxxx#xxx.com",
"onPremisesExtensionAttributes": {
"extensionAttribute1": "XXX",
"extensionAttribute2": "XXX",
"extensionAttribute3": "XXX",
"extensionAttribute4": null,
"extensionAttribute5": null,
"extensionAttribute6": null,
"extensionAttribute7": null,
"extensionAttribute8": null,
"extensionAttribute9": null,
"extensionAttribute10": null,
"extensionAttribute11": null,
"extensionAttribute12": null,
"extensionAttribute13": null,
"extensionAttribute14": null,
"extensionAttribute15": null
}
}

Related

Add app extension attribute in user flow JWT Azure AD B2C

I am working in Azure AD B2C to add custom extensions per application. Theses extensions must be returned in the jwt when the login is requested by the application.
So I create the extension on the app using the graph api
POST https://graph.microsoft.com/v1.0/applications/{{appid}}/extensionProperties
{
"name": "name",
"dataType": "String",
"targetObjects": [
"User"
]
}
Then I associate a value for a specific user
PATCH https://graph.microsoft.com/v1.0/users/{{userid}}
{
"extension_{{appid(without dashes}}_name": "1234"
}
Now I go on the app manifest to add the optional claim.
"optionalClaims": {
"idToken": [
{
"name": "extension_{{appid(without dashes}}_name",
"source": "user",
"essential": true,
"additionalProperties": []
}
],
"accessToken": [
{
"name": "extension_{{appid(without dashes}}_name",
"source": "user",
"essential": true,
"additionalProperties": []
}
],
"saml2Token": []
},
Save but the claim never appear on the jwt token.
I also tried using the answer of this post but didn't work either.
The problem is you’ve used Optional claims setup, which works for AAD but not AAD B2C.
Follow this: https://learn.microsoft.com/en-us/azure/active-directory-b2c/user-flow-custom-attributes?pivots=b2c-user-flow
If you want to select your custom attribute through the Azure Portal - AAD B2C - User Attributes blade, and the attribute was created via Graph API, you have to recreate it in the Portal for it to reconcile.
You would also need to target the b2c-extensions-app AppId when defining the attribute with Graph API.
I tried to reproduce the same in my environment and got the claims successfully
As Jas Suri - MSFT commented, this will only work if you are adding optional claims to Azure AD application.
I created the extension attribute via Graph API like below:
I associated the above extension attribute to a specific user like below:
Please check whether that extension attribute is visible in optional claims UI or not and add like below:
When you check the manifest, it will be added automatically like below:
I generated the JWT token using auth-code flow via Postman like below:
After decoding the JWT token (ID-Token), I got the claims successfully like below:

How to get appRoleAssignedTo for Microsoft Azure Applications?

I am trying to get appRoleAssignedTo for my Azure Tenant, now suppose if I have 10 applications under that tenant I will have to make 10 different calls by passing the servicePrincipal Id for all the 10 applications.
GET /servicePrincipals/{id}/appRoleAssignedTo
Is there a way through which I can get all the appRoleAssignedTo under respective servicePrincipal using just one API call.
Alternatively Microsoft provides a delta call for servicePrincipal, is there a way that the delta returns me the servicePrincipal when appRoleAssignedTo has changed(basically connecting the appRolesAssignedTo to servicePrincipal)
P.S I have tried doing it using $select and $expand and it doesn't work.
https://learn.microsoft.com/en-us/graph/api/serviceprincipal-list-approleassignments?view=graph-rest-1.0&tabs=http
https://learn.microsoft.com/en-us/graph/api/serviceprincipal-delta?view=graph-rest-1.0&tabs=http
Please try with $expand=appRoleAssignedTo in Graph Explorer.
https://graph.microsoft.com/v1.0/servicePrincipals?$expand=appRoleAssignedTo
If you want to use both $select and $expand, the "id" is required.
https://graph.microsoft.com/v1.0/servicePrincipals?$select=id,displayName&$expand=appRoleAssignedTo
The response looks like:
{
"value": [
{
"id": "xxxxxx",
"displayName": "Managed Service",
"appRoleAssignedTo#odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('xxxxx')/appRoleAssignedTo",
"appRoleAssignedTo": []
},
....
]
}

Editing custom Azure B2C attributes using Microsoft Graph Explorer

I am trying to use the Microsoft Graph Explorer to update a custom attribute I created in B2C named GroupID.
First, I get the id of the user I want to edit using this query:
GET https://graph.microsoft.com/v1.0/{myResourceName}.onmicrosoft.com/users
This returns the following JSON:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#users",
"value": [
{
"displayName": "User Name",
"surname": "Name",
"givenName": "User",
"id": "ff46335221e1a365",
"userPrincipalName": "user#username.com",
"businessPhones": [],
"jobTitle": null,
"mail": null,
"mobilePhone": null,
"officeLocation": null,
"preferredLanguage": null
}
]
}
Now I'd like to add a value for GroupID for this user. The attribute itself does not appear in the above JSON, presumably because it does not yet have a value assigned.
I tried using this query:
PATCH https://graph.microsoft.com/v1.0/{myResourceName}.onmicrosoft.com/users/ff46335221e1a365
With request body:
{"GroupID": 1234}
But I get a 405 error:
The method or operation is not allowed.
Am I using the wrong query? I tried to follow the guide here.
UPDATE
Attached is a screenshot of the request. In this screenshot, I omitted the {myResourceName}.onmicrosoft.com from the URL. But I've tried both ways and still get the 405 error.
Please see this document:
Extension attributes in the Graph API are named by using the
convention extension_ApplicationClientID_attributename, where the
ApplicationClientID is the Application (client) ID of the
b2c-extensions-app application (found in App registrations > All
Applications in the Azure portal). Note that the Application (client)
ID as it's represented in the extension attribute name includes no
hyphens. For example:
"extension_831374b3bd5041bfaa54263ec9e050fc_loyaltyNumber": "212342"
So the real custom attribute name is extension_{ApplicationClientID}_GroupID.
Go to Azure AD -> App registrations to find the application id of the b2c-extensions-app application.
The {ApplicationClientID} is the application id without hyphens.
PATCH https://graph.microsoft.com/v1.0/users/ff46335221e1a365
{"extension_{ApplicationClientID}_GroupID": 1234}

B2C Custom Attributes not showing when created using Graph API directory schema API

Using the extension API documented here:
https://msdn.microsoft.com/en-us/library/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions
in conjuction with the B2C Graph Client sample:
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
I created a custom attribute via the AD Graph API for directory schema extensions using this API:
POST
https://graph.windows.net/contoso.onmicrosoft.com/applications/<applicationObjectId>/extensionProperties?api-version=1.6
{
name: "OrgRoleId",
dataType: "String",
targetObjects: [
"User"
]
}
(Note I changed the API version to 1.6).
The API created custom attributes appear using the B2CGraphClient sample and has the same data as those registered via the Azure portal for B2C.
However, these API created custom attributes don't appear in the Azure portal 'User attributes' blade for the tenant, while those custom attributes created via the Azure portal for the B2C tenant do.
Note that I can successfully read and write these extension values for users (via the Graph API). I just cannot put them into claims because they don't appear on the 'User attributes' blade nor the policy claims blade in the Azure portal, and therefore they are not added as claims to the token.
What I am missing/doing wrong?
Output from B2C.exe Get-extension-attribute <b2c-extensions-app objectId>. *_Test1 appears (portal created), while *_UserRoleId does not (API created):
{
"odata.metadata": "https://graph.windows.net/<tenant_id>/$metadata#directoryObjects/Microsoft.DirectoryServices.ExtensionProperty",
"value": [
{
"odata.type": "Microsoft.DirectoryServices.ExtensionProperty",
"objectType": "ExtensionProperty",
"objectId": "f58bc813-632c-486b-bff1-61695eeab691",
"deletionTimestamp": null,
"appDisplayName": "",
"name": "extension_<object_id>_Test1",
"dataType": "String",
"isSyncedFromOnPremises": false,
"targetObjects": [
"User"
]
},
{
"odata.type": "Microsoft.DirectoryServices.ExtensionProperty",
"objectType": "ExtensionProperty",
"objectId": "5e69b2d9-1ab0-463f-a231-5c188e92b4a1",
"deletionTimestamp": null,
"appDisplayName": "",
"name": "extension_<object_id>_UserRoleId",
"dataType": "String",
"isSyncedFromOnPremises": false,
"targetObjects": [
"User"
]
}
...
When you add an extension attribute through the portal, it is created in the directory and owned by the b2c-extensions-app application and it is also added to a tenant-wide policy. That is what allows you to use them in application policies as you create them.
When you create an extension attribute using Graph API, it is not added to the policy and usually created on an application other than b2c-extensions-app. You can use these properties directly in custom policies, but they will not appear in the portal and cannot be used in the policies created through the portal.
It is a best practice to just create the extension properties through the portal so they are available for all policies. This allows customers to mix and match custom policies with built-in b2c user flows.

Get all domains for a tenant through REST API

I want to know if there is a way to retrieve the registered domain(s) for a tenant through REST API for Sharepoint/Office365.
Consider this scenario;
I have a tenant named abc.pqr and url for the "my" site(OneDrive) is abc-my.sharepoint.com.
Now when I create a user for this tenant, the UI panel gives the option to select a domain for this account. Available options are;
1) #abc.pqr
2) #abc.onmicrosoft.com
Now, the problem is, if I have a user of this sort >>> testUser#abc.onmicrosoft.com, how do I findout the registered domain for this tenant? Which in my case is abc.pqr.
Is there a way to find this through REST API?
Sounds like what you want to know is the list of verified domains in your Azure Active Directory tenant. (Azure AD is the directory service behind Office 365 and other Microsoft online services.)
The Azure AD Graph API—AAD's REST API—can provide this for you. In your case, the GET request you would want to make is:
https://graph.windows.net/abc.onmicrosoft.com/tenantDetails
Note: you can use either the tenant ID or any verified domain of the tenant instead of abc.onmicrosoft.com. The tenant ID can be obtained from the tid claim in the access token.
The JSON response will include something like this:
"verifiedDomains": [
{
"capabilities": "None",
"default": true,
"id": "0007ABE0983098",
"initial": false,
"name": "abc.pqr",
"type": "Managed"
},
{
"capabilities": "Email, OfficeCommunicationsOnline",
"default": false,
"id": "0007ABE0983098",
"initial": true,
"name": "abc.onmicrosoft.com",
"type": "Managed"
}
]
(There's a useful Quickstart for the Azure AD Graph API that shows how to start playing around with AAD Graph API, and the GraphExplorer.)
If you're using .NET, there is a full sample at https://github.com/AzureADSamples/WebApp-GraphAPI-DotNet. (More samples for other languages and platforms at https://github.com/AzureADSamples.)

Resources