We have lot of references in the web to fetch the all AAD users but i need to fetch all the users from an Azure subscription.
I have created an App in Azure active directory and added that App to the Subscription then used ClinetId and Client secret to create the AuthToken. Used the created auth token to hit the below REST API(an Azure resource management REST API)
https://management.azure.com/subscriptions/{my subscription id}/resourceGroups/{My resource group name}/providers/Microsoft.ApiManagement/service/{my Azure managment API Name}/users?api-version=2018-01-01
But this rest API is retrieving only one User, which is mine.
Here i want to retrieve all the users in a subscription.
Here is the MSDN url i used as reference.
Please can any one help me on this.
It is not because of the free sub.
Does your app have the permission to the Graph API (to read users)? If you try the same user via PS console and you get the same output then its not your code but permissions (Good read on PS https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-powershell-1.0/ff730967(v=technet.10) ).
On the graph api here https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api-quickstart
You can find the answer for this question in below thread.
Removing the user from Azure subscription programtically(C#)
Related
I am writing an web app where the user passes a bearer token acquired from login.microsoftonline.com. The app uses the token to connect to the Azure AD REST API at management.azure.com. The app successfully executes a GET https://management.azure.com/subscriptions?api-version=2016-09-01 request. The response is {"value":[]}, indicating no subscriptions. This looks correct to me, because of our specific corporate environment. When I login from the azure CLI, I must use az login --allow-no-subscriptions to avoid "no subscriptions found" error messages.
My challenge is that I want to get a list of AD groups from the REST API. The documentation indicates that the URL format is:
GET https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ApiManagement/service/{serviceName}/groups?api-version=2019-12-01
I do not see how to form a URL with no subscription ID. Is there a way to do so?
You could not list the Azure AD groups via Azure REST API(https://management.azure.com), Azure REST API is for Azure resources, the api Group - List By Service you provided is used to list the groups in API Management service, not AAD groups.
To list AAD groups, your option is to use Microsoft Graph - List groups(https://graph.microsoft.com, it is Recommended)
GET https://graph.microsoft.com/v1.0/groups
or Azure AD Graph - Get groups(https://graph.windows.net).
GET https://graph.windows.net/myorganization/groups?api-version=1.6
How can I fetch all users from my azure active directory ? I need some API for it.
You can use the Graph API list users
GET https://graph.microsoft.com/v1.0/users
Please try with below api:
Get https://vssps.dev.azure.com/{org name}/_apis/graph/users?subjectTypes=aad&api-version=5.1-preview.1
Note: Specify the subjectTypes as aad.
Then it will fetch all users which are members of organization, also located in the AAD tenant that connected with the azure devops organization.
This is the sample response of mine:
I need to get the Azure Subscriptions to which a Azure AD user is linked to.
I tried using the Microsoft Graph Api, but was not able to figure it out.
A GET call to https://management.azure.com/subscriptions?api-version=2014-04-01 should give you a list of subscription for user that got issue the token. You should be using Azure API not Graph.
I want to get the health and other resource details of a particular Azure Account or Subscription using these API's
https://learn.microsoft.com/en-us/rest/api/resourcehealth/availabilitystatuses/listbysubscriptionid
When i do TryIt on the web page it works, but If i want to do it using say PostMan or programatically, how do i generate the Authorization key, I have seen docs to create Authorization Key using "App Registrations", but i dont have any WebApp here, All i want to do is get the details of a particular account or subscription using Azure provided API calls and using any AD user with proper roles for authentication.
This link provides some details but then i dont have a clientid here, since i dont have any webapp
https://msdn.microsoft.com/en-gb/library/azure/dn645543.aspx
Please let me know if anyone has tried doing this.
Thanks
You have to register an app in Azure AD.
This does not need to be an actual "Web app".
You are registering a service principal (you can think of it as a service account).
After registering the app (with type Web App/API), generate a Key for it.
Write down the Application Id (Client Id) and the key (Client Secret).
Then give the service principal access through the Access Control (IAM) section on the subscription/resource group/resource where you want to give the app access to.
You can then follow the instructions here to generate the access token: https://msdn.microsoft.com/en-gb/library/azure/dn645543.aspx.
Remember to use https://management.azure.com/ as the resource since you are calling the ARM API.
I have registered a multi-tenant app in my Azure subscription. using this App, I want to create an OAuth flow for my client to be able to give me permissions to create an app in his active directory.
We are using OpenID connect flow to access the Azure AD graph API.
In spite of making our app multi-tenanted via the console, we are getting the following error when the client (xyz#outlook.com) tries to sign in:
User account 'xyz#outlook.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'bf5ca806-xxxx-xxxx-xxx-xxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account
I used the following endpoint to get an access token:
https://login.microsoftonline.com/common/oauth2/authorize?
client_id=xxxxxxxx-xxxx-xxxxx-xxxx-xxxxx
&response_mode=form_post
&response_type=code+id_token
&redirect_uri=http://localhost:8080
&prompt=admin_consent
&nonce=1234
&resource=https://graph.windows.net
Please help me to resolve this error
Unfortunately, you cannot use a guest user to login Azure AD Graph Explorer for now.
I came across the same issue as yours long time ago and I understand it's very important for customers. So, you can post your idea in this User Voice Page and the Azure Team will see it. I will also upvote for it.
But there are other solutions if you don't mind:
Solution 1: Try to use an internal account of that directory which upn ends with .onmicrosoft.com
Solution 2: Try to use other tools to get access token with a guest user(this account also need to be an admin of that directory), such as postman. Then you can use Postman to call Azure AD Graph API. You can refer to this blog to use Azure AD Graph API with Postman.
Hope this helps!