We are successfully using the Graph API with SharePoint Framework (SPFx) to get the current user's photo. BUT this only works for users within the organization.
For guest users this is not working. I have tried using the AAD Graph API, but it seems that also requires users within the organization.
The external/guest users have assigned O365 licenses.
According to your description, you want to get the Guest User's Photo.
Based on my test, we can get it if the user has modified his photo and logged in to Outlook. I have a user with the mail address onmicrosoft.com.
The simple code is like this:
await _serviceClient.Me.Photo.Request().GetAsync();
We can also see that some users do not support this action. For more detail, we can refer to this document.
I am using Azure Graph API Explorer. I want to query the apps list in a tenant. I am a user in tenant_x (where the user was originally created) as well as admin in tenant_y (created later with my user). I understand that when I log in I go directly to the origin tenant (so tenant_x), therefore Graph Explorer does not allow me to query tenant_y. So as admin of tenant_y I have added a new user in tenant_y. I log in now with that user, but still I am not able to query the applications that are in tenant_y. So how can I query apps in tenant_y? Is there a way? Thanks.
The API I am calling (with the new user logged in) to first retrieve all applications:
https://graph.microsoft.com/beta/applications
Response is:
{
"@odata.context": "https://graph.microsoft.com/beta/$metadata#applications",
"value": []
}
Of course I have apps in that tenant.
Based on our communication, you have used a personal account as guest of tenant_y to query the apps list in tenant_y.
Unfortunately, Microsoft Graph Explorer will not recognize your personal account as a guest user. It will still treat it as a personal account.
So it will query the apps list for the personal account rather than tenant_y.
So now you have two choices:
Create a new user in tenant_y by following add a new user and then use this new user to log into Microsoft Graph Explorer to query the apps list.
Implement Get access on behalf of a user and make sure that you call the {your tenant} endpoint rather than the common endpoint while requesting the access token. And you should use another tool (for example Postman) instead of Microsoft Graph Explorer.
Update:
You can modify the permissions in Microsoft Graph Explorer like this:
Click on the "modify permissions" under your username in Microsoft Graph Explorer and check the Directory.Read.All permission.
Today that's possible if you pass the tenant query string parameter like this:
https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=mydomainname.onmicrosoft.com
Note that you need to logout before going to this URL with the tenant query string. It'll ask you to login again. After login you can issue queries against the other tenant you have access to (not your home tenant where your account was originally created on).
If you get a 401 while running the specific query, make sure you grant the required permissions on "Modify permissions" tab and click the Consent button in each required permission. After that your query should return a 200 success result.
Graph Explorer today does not support signing in to the tenanted endpoint. A tenanted endpoint is used in the following format:
https://login.microsoftonline.com/{tenantId}/V2.0
Once your user account from tenant_x is made a guest user in tenant_y, to effectively query tenant_y using your guest user account, an app (like Graph Explorer) has to sign you in to the other tenant. Instead, Graph Explorer uses the /Common endpoint, which will always sign you in to your home tenant (tenant_x).
The only available workaround is to develop an application quickly, sign in to a tenant of your choice and run APIs in it.
Graph Explorer is a tool to help developers discover and learn about the Graph API, and thus might shy away from introducing too much complexity. But it does not hurt to ask for this feature at their GitHub repo.
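The answers above hinge on which tenant actually issued the token: a sign-in through /common lands in the home tenant, and the empty "value": [] from /applications then looks like "no apps" rather than "wrong tenant". The following is an added example, not code from the original thread or from Graph Explorer, showing the tenanted authority (assumed in the lowercase v2.0 form) and a claim check on the tid of the access token; the tenant ids and the unsigned sample token are constructed for offline use.

```python
import base64
import json

# Constructed tenant ids for the demonstration; real ids are GUIDs from the portal.
HOME_TENANT = "11111111-1111-1111-1111-111111111111"    # tenant_x, where the account was created
TARGET_TENANT = "22222222-2222-2222-2222-222222222222"  # tenant_y, where the account is a guest

def tenanted_authority(tenant):
    """Authority to request the token from so the sign-in lands in the chosen
    tenant; using /common instead always resolves to the account's home tenant."""
    return f"https://login.microsoftonline.com/{tenant}/v2.0"

def decode_jwt_payload(token):
    """Decode the payload of a compact JWT without verifying it. This only
    inspects claims; signature validation is a separate step done by the API."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))

def issued_for_tenant(token, expected_tenant):
    """True when the token's tid claim names the tenant you meant to query.
    An empty 'value': [] from /applications with a token whose tid is the home
    tenant means the sign-in went to the wrong tenant, not that there are no apps."""
    return decode_jwt_payload(token).get("tid") == expected_tenant

def make_sample_token(claims):
    """Build an unsigned token (alg=none, empty signature) for offline use only."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{b64({'alg': 'none', 'typ': 'JWT'})}.{b64(claims)}."

if __name__ == "__main__":
    token = make_sample_token({"tid": HOME_TENANT, "upn": "user@contoso.example"})
    print(tenanted_authority(TARGET_TENANT))
    print("token is for the target tenant:", issued_for_tenant(token, TARGET_TENANT))
```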
We have an E5 account for Office 365. We have an issue on SharePoint Online. My issue is that we have created one site collection, and in that site collection one page is going to be accessed by external users. We did all the settings and now we can send email to external users; programmatically we add the external user to a certain SharePoint group, and this group has access to the particular page.
The external user is getting the email too. Once the external user clicks on it, it takes them to our tenant, and if the external user's email is not a Microsoft account then he can log in successfully but cannot access the resources. I get the below error message:
Your sign-in was successful but does not meet the criteria to access this resource. For example, you might be signing in from a browser, app, or location that is restricted by your admin
How can I solve it?
You will need to edit the conditions on your policy to meet your requirement. You did not list what you currently have so it's hard to say what needs to be done to fix it. You can find your policies under Azure AD in the portal. This post outlines where those settings can be found.
https://blogs.technet.microsoft.com/skypehybridguy/2017/08/31/microsoft-teams-restrict-usage-with-azure-ad-conditional-access/
Our company has a Microsoft Azure account (Pay-As-You-Go).
We had a programmer that developed our web app. We gave him full access to our Azure account. So, he had access to everything.
We intend to hire another developer to make modifications to the web app, so he'll need access to the App Services and SQL Databases. Our intention is to just allow him access to those features.
We did our research and came across the documentation, Resources, roles, and access control in Application Insights. We followed it step by step, but there's an issue. Doc LINK
We tested the procedure by adding one of our IT staff's Microsoft account (personal Outlook.com account) and assigning him the Contributor role, and sent him an invite. He's not seeing the invite. We did the same for another staff, but it's the same problem.
Can we get some assistance please?
It was not working earlier. I tried with one Gmail ID. Now it is working perfectly fine and I am able to receive the invitation email.
To send an invitation, you need to go to Active Directory. Add the user's email as a guest under the Add user option (Add guest user).
I'm using the Graph API to pull down information about a specific user in my organization. This works great; however, one piece of information I need is the user's "Security Groups" from their Active Directory account.
I use the following URL to request the Graph API information for a given Active Directory objectID.
https://graph.windows.net/[domain]/users/[objectID]?api-version=1.5
This gives me a JSON result that contains the user's information such as their Department, jobTitle, userPrincipalName, etc.
How can I also request the user's Security Group memberships? Is this possible?
They are available on the memberOf navigation property. So you can make a call to this:
https://graph.windows.net/[domain]/users/[objectID]/memberOf?api-version=1.5
User entity documentation
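memberOf returns every directory object the user belongs to, not only security groups, and large memberships come back in pages. The following is an added example, not code from the original answer or from Microsoft, that builds the memberOf URL above, follows the paging link and keeps only security-enabled groups; it assumes AAD Graph returns odata.nextLink relative to the tenant root, and the two-page response is constructed for offline use.

```python
from urllib.parse import urlencode

AAD_GRAPH = "https://graph.windows.net"
API_VERSION = "1.5"  # the version used in the question

def member_of_url(domain, object_id):
    """Build the memberOf request URL given in the answer above."""
    return f"{AAD_GRAPH}/{domain}/users/{object_id}/memberOf?{urlencode({'api-version': API_VERSION})}"

def next_page_url(domain, body):
    """Absolute URL of the next page, or None on the last one. Assumption: AAD
    Graph returns 'odata.nextLink' relative to the tenant root and without the
    api-version parameter, so both are added; an absolute link passes through."""
    link = body.get("odata.nextLink")
    if not link:
        return None
    if link.startswith("http"):
        return link
    return f"{AAD_GRAPH}/{domain}/{link}{'&' if '?' in link else '?'}api-version={API_VERSION}"

def security_groups(domain, object_id, fetch_json):
    """Walk every memberOf page and keep only security groups. memberOf also
    returns directory roles and mail-enabled distribution groups, so filter on
    objectType and securityEnabled, not on displayName. fetch_json(url) -> dict
    is the caller's authenticated GET."""
    groups, url, seen = [], member_of_url(domain, object_id), set()
    while url and url not in seen:  # guard against a nextLink that loops
        seen.add(url)
        body = fetch_json(url)
        for obj in body.get("value", []):
            if obj.get("objectType") == "Group" and obj.get("securityEnabled") is True:
                groups.append((obj["objectId"], obj["displayName"]))
        url = next_page_url(domain, body)
    return groups

# Constructed two-page response for offline use; not data from a real tenant.
_PAGE2 = "directoryObjects/$/Microsoft.DirectoryServices.Group?$skiptoken=X'ABC'"
SAMPLE_PAGES = {
    member_of_url("contoso.example", "u-1"): {
        "value": [
            {"objectType": "Group", "objectId": "g-sec", "displayName": "SQL Admins", "securityEnabled": True},
            {"objectType": "Group", "objectId": "g-dl", "displayName": "All Staff", "securityEnabled": False, "mailEnabled": True},
            {"objectType": "Role", "objectId": "r-1", "displayName": "Company Administrator"},
        ],
        "odata.nextLink": _PAGE2,
    },
    f"{AAD_GRAPH}/contoso.example/{_PAGE2}&api-version=1.5": {
        "value": [{"objectType": "Group", "objectId": "g-sec2", "displayName": "VPN Users", "securityEnabled": True}],
    },
}
```

Calling security_groups("contoso.example", "u-1", SAMPLE_PAGES.__getitem__) walks both constructed pages and returns only the two security groups; against a real tenant, pass a function that performs the authenticated GET and returns the parsed JSON.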
I'm seeking a method of automatically provisioning an ‘active’ Yammer user account for a new O365 user account (and existing ones, as a once off), without requiring the user to ‘click the Yammer tile’ or otherwise login to Yammer.
The default process (as articulated in this post) is:
The Office 365 admin creates a user in Office 365 (or Azure AD).
The user logs on to Office 365 using the identity provider that is configured for the tenant.
The user clicks the Yammer tile in the app launcher to go to Yammer.
A new Yammer user is created for the Office 365 user.
The user's profile properties from Azure Active Directory are automatically populated in the user's Yammer profile.
We're building an employee app, which currently displays company news. We wish to add social functionality, leveraging the Yammer platform, via the REST API. We have developed a solution to impersonate existing users and like/comment on their behalf.
However, most employees are ‘unsophisticated’ blue-collar workers, and it is anticipated that they will not complete steps 2, 3 & 4 above to ‘create/activate’ their Yammer user account (the activation steps).
Methods considered or explored so far:
Using the REST API to create a new user – this creates a user in the ‘pending’ state, which remains pending until the activation steps are completed.
Using the Bulk Update Users to create new users from a CSV:
a) If a password is set, then a new ‘active’ user is successfully created (great!). However, that user account appears to be entirely disconnected from the corresponding O365 user account (meaning changes to user profile properties will not sync to/from Azure AD, passwords may be different, and users who are deleted/suspended in AAD will not sync to Yammer). These accounts are only linked if/when the activation steps are completed.
b) If a password is not set, then the new user is created in a ‘pending’ state, much the same as using the REST API.
Questions:
Is there any other way to create an 'active' user in Yammer, which is linked to the user’s O365 account?
Could a provider hosted app be used to impersonate a user and complete the activation steps on their behalf?
Not that it solves the problem, but does the REST API allow you to update a user’s state from 'pending' to 'active' (or create an 'active' user in the first place)?
Your steps about the default process are pretty accurate, but I would add that once a user is created in AD, users can simply go to Yammer.com (either on web or on iPhone/Android) and sign in through there. iPhone and Android use an Azure authentication library that will find the user's Office account.
Is there any other way to create an 'active' user in Yammer, which is linked to the user’s O365 account?
There isn't at this time.
Could a provider hosted app be used to impersonate a user and complete the activation steps on their behalf?
This isn't supported at this time.
Not that it solves the problem, but does the REST API allow you to update a user’s state from 'pending' to 'active' (or create an 'active' user in the first place)?
There is not an API for this.