Error Calling the Graph API: Request_DataContractVersionMissing - azure

I'm trying to make a POST request to Azure AD GraphAPI to create a user in my AD B2C tenant, but I'm getting the following error
"Error Calling the Graph API:
{
"odata.error": {"code": "Request_DataContractVersionMissing",
"message": {"lang": "en",
"value": "The specified api-version is invalid. The value must exactly match a supported version"}
}
I do send the version, and based on the docs it is supported.
Version 1.6
This section lists the changes for Graph API version 1.6.
Graph API version 1.6 introduces the following feature changes:
Added support for Azure Active Directory B2C local account users. This involves new properties on the User entity and a new complex type
SignInName to support local account sign-in to Azure Active Directory
B2C tenants. For more information about Azure Active Directory B2C,
see the Azure Active Directory B2C documentation.
[Edit]
submitted json
{"accountEnabled":true,"signInNames":[{"type":"userName","value":"ausername"}],"creationType":"LocalAccount","displayName":"A display name","passwordProfile":{"password":"a password","forceChangePasswordNextLogin":true},"passwordPolicies":"policies","country":"MX","givenName":"Fstname","surename":"Lstname","department":"Dpt","jobTitle":"Title","mail":"mail#server.com","otherMails":[],"preferredLanguage":"es-MX"}
Any clue on why I'm getting the error?

There is something wrong with the api-version query parameter: Request_DataContractVersionMissing
Data contract version parameter is missing. Include api-version as a query parameter with all your requests.
Doesn't Work
https://graph.windows.net/ebenefitsdev.onmicrosoft.com/users?apiā€version=1.6
I get Request_DataContractVersionMissing error when submitting that.
Does Work
https://graph.windows.net/ebenefitsdev.onmicrosoft.com/users?api-version=1.6
The difference is the hyphen char. One is the 'normal' one I typed on my keyboard. The other is from here.
I suspect it is a copy paste problem (I've experienced these in the past).

I see one problem: signInNames not signInName
Documentation for user entity

For future readers, I ran into this issue with 2.0 of graph.windows.net, but it was not the hyphen. It seems this error is also shown if the client ID you used to get a resource token for graph.windows.net is not correct.

Related

Unable to get Sign Ins for Service Principal using Microsoft Graph API

I am trying to use List SignIns API to get a list of sign-ins for my Service Principal however the API is not returning any results when I try to filter the results by Service Principal id and/or Service Principal Application Id. If I remove the filter, I am able to get the data.
Essentially I am trying to get the data shown in Azure Portal as shown in the screenshot below.
I have tried both Graph Explorer as well as Microsoft.Graph SDK (C#) and in both places I am not getting any result back.
Things I tried:
In Graph Explorer, I tried the following request URL: https://graph.microsoft.com/1.0/auditLogs/signIns?$filter=id eq 'my-service-principal-id' and that did not give any results back.
I even tried https://graph.microsoft.com/beta/auditLogs/signIns?$filter=appId eq 'my-application-id' and still no results.
I tried with both beta and 1.0 version numbers and same results.
I checked the Azure Portal network request in browser and noticed that instead of using graph.microsoft.com, it is using graph.windows.net and is sending the following request:
https://graph.windows.net/tenant-id/activities/getSummarizedServicePrincipalSignIns(aggregationWindow='1d')?$filter=(createdDateTime ge 2021-04-21T13:03:32.608Z and createdDateTime lt 2021-04-28T13:03:32.608Z and (appId eq 'my-application-id' or contains(tolower(appDisplayName), 'my-application-id')))&$top=50&$orderby=createdDateTime desc&source=kds
I also read the documentation for List SignIns API and following caught my eye:
Retrieve the Azure AD user sign-ins for your tenant. Sign-ins that are
interactive in nature (where a username/password is passed as part of
auth token) and successful federated sign-ins are currently included
in the sign-in logs.
I am not sure if what I am trying to accomplish is even possible with Graph API considering I am not getting any results back and Azure Portal is not even using Graph API to get this data.
Any insights into this will be highly appreciated.
This is possible using the 'beta' endpoint - but at this point it only seems to include 'interactive' sign-ins by default. If you add a filter on signInEventTypes it can return other types too:
So for 'User sign-ins (non-interactive)':
https://graph.microsoft.com/beta/auditLogs/signIns?$filter=signInEventTypes/any(t: t eq 'nonInteractiveUser')
For 'Service principal sign-ins':
https://graph.microsoft.com/beta/auditLogs/signIns?$filter=signInEventTypes/any(t: t eq 'servicePrincipal')
For 'Managed identity sign-ins':
https://graph.microsoft.com/beta/auditLogs/signIns?$filter=signInEventTypes/any(t: t eq 'managedIdentity')
For all sign ins (let me know if there's a more concise way!
https://graph.microsoft.com/beta/auditLogs/signIns?$filter=signInEventTypes/any(t: t eq 'interactiveUser' or t eq 'nonInteractiveUser' or t eq 'servicePrincipal' or t eq 'managedIdentity')
https://learn.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-all-sign-ins#return-log-data-with-microsoft-graph
Beta API has ServicePrincipalId and ServicePrincipalName, you can filter based on these attributes. This link lists the supported Attributes in $filter. This API supports $filter, $skiptoken and $Top.How ever do note Beta API are subjected to change.
https://learn.microsoft.com/en-us/graph/api/signin-list?view=graph-rest-beta&tabs=http#attributes-supported-by-filter-parameter
Here's a blog about graph.windows.net and graph.microsoft.com
https://developer.microsoft.com/en-us/identity/blogs/microsoft-graph-or-azure-ad-graph/

Calling the azure tenants REST api doesn't provide the expected json data

When calling the latest (version 2020-01-01) azure tenants api (management.azure.com/tenants) I don't see the same properties in the response as I get when using the "Try it" feature on the "Tenants - List" page in the online Azure REST documentation.
The response that I get only contains the "id", "tenantId" and "tenantCategory" properties. So the cool stuff like countryCode, domains, displayName, etc. are missing. I was using an older api version before which only included the "id" and "tenantId" properties so I do see the additional "tenantCategory" property at least.
When calling the 2020-01-01 version of the subscriptions list API in my code I do get all the same properties that I see when I use the "Try it" feature.
Has anyone else experienced this issue or know what could be the cause?
Thanks in advance!
I tried with https://management.azure.com/tenants?api-version=2020-01-01 in Try it, it returned the properties. Try to use 2020-05-01, 2020-06-01 or 2020-07-01 versions. They all worked for me.
When using Postman to call the API:
So it turns out that if you request the token under user context and use that as bearer token in the authorization header of the API call you get all the properties in the response, i.e. the same properties as you see when using the "Try it" feature online. But in my app I'm requesting it under the application context and then the expected behaviour is to only return the "id", "tenantId" and "tenantCategory" properties. So the tenants api is a bit different than the others and it's supposed to be that way.

Azure B2C - Link IdentityProvider to UserFlow causes 403 using Graph API

I am trying to use the Microsoft Graph API to configure an Azure B2C instance. Specifically, I need to create UserFlows and IdentityProviders. For this purpose, I have created an AppRegistration with IdentityProvider.ReadWrite.All and IdentityUserFlow.ReadWrite.All API application permissions for the Microsoft Graph. I am able to call the APIs for creating new user flows and identity providers without a problem, but I am unable to link flows to an identity provider. Whenever I use any of the linking API's, I get an error:
AADB2C (User Authorization: Access is denied)
As an example, I get this when trying to list registered identity providers for specific user flow, i.e.
GET https://graph.microsoft.com/beta/identity/b2cUserFlows/B2C_1_{flowId}/identityProviders
The response for this request is a 403 with
{
"error": {
"code": "AADB2C",
"message": "User Authorization: Access is denied.",
"innerError": ...
}
}
I am using the Beta API as described in the docs here: https://learn.microsoft.com/en-us/graph/api/b2cuserflows-list-identityproviders?view=graph-rest-beta&tabs=http. I get the samme error when trying to link a user flow with an identity provider as described in the documentation here: https://learn.microsoft.com/en-us/graph/api/b2cuserflows-update-identityprovider?view=graph-rest-beta&tabs=http
Any idea why I keep getting this authorization block?
Update: I have tried expanding the .IdentityProviders property on a userflow when reading it from the graph api. This does not give a 403, but the identity providers list, on the returned user flow, is empty even when providers have been manually added to the flow in the Azure Portal.
Please ensure to comply with this:
The work or school account needs to belong to one of the following
roles:
Global administrator External Identity User Flow administrator

Error getting SAML Metadata for Azure AD B2C Policy - AADB2C90022

Setting up a custom policy in Azure AD B2C to connect to an ADFS Identity Provider. This requires a SAML metadata endpoint as specified in the documentation at the link below.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-custom-setup-adfs2016-idp#configure-an-adfs-relying-party-trust
The error being encountered is:
AADB2C90022: Unable to return metadata for the policy [my-policy] in tenant [my-tenant].onmicrosoft.com.
and is being encountered when I go to the endpoint:
https://login.microsoftonline.com/te/[my-tenant].onmicrosoft.com/[my-policy]/samlp/metadata?idptp=[my-technical-profile]
I have tried making the request from the b2clogin.com endpoint with the same result as above.
E.g. https://[my-tenant].b2clogin.com/te/[my-tenant].onmicrosoft.com/[my-policy]/samlp/metadata?idptp=[my-technical-profile]
I have also tried using my tenantId GUID in place of [my-tenant].onmicrosoft.com which resulted in the exact same result.
E.g. https://login.microsoftonline.com/te/[my-tenant-id]/[my-policy]/samlp/metadata?idptp=[my-technical-profile]
Re-visit the process by which you created the certificate, uploaded it to your 'Policy Keys' and referenced it in your custom policy files.
My scenario was similar, I had the same error and no output via Application Insights / Journey Recorder.
I had tried to avoid using 'makecert.exe' and instead used another SSC generation tool. This simply did not work, I think because the private key was not being incorporated in the certificate file.
This guide has been invaluable, see also this test facility

Azure B2C with Salesforce, missing "objectId"

I'm testing Azure B2C with Salesforce as IdP, and the login process works fine from Salesforce perspective (Salesforce Identity Provider Event Log show "success" for sing-on attempts), but redirection back to simple testing web application ends up to error page such as
/redirect.html#error=server_error&error_description=AADB2C90037%3a+An+error+occurred+while+processing+the+request.+Please+contact+administrator+of+the+site+you+are+trying+to+access.%0d%0aCorrelation+ID%3a+f0292157-ffad-472d-8119-3cd05518654c%0d%0aTimestamp%3a+2018-02-13+15%3a01%3a54Z%0d%0a
Looking at Application Insights, I see error:
A claim could not be found for lookup claim with id "objectId" defined in
technical profile with id "AAD-UserReadUsingObjectId" policy
"B2C_1A_SignUpOrSignInUsingSalesforce" of tenant "xyz.onmicrosoft.com".
I've followed the tutorial here and double checked lots of things, but not sure it this issue is due to invalid UserJourney or ClaimsProvider/TechnicalProfile. Or is it just that I'm missing respective user in Azure B2C that I have in Salesforce?
I don't at least see 'objectId' incoming in saml:Assertion:
<saml:Assertion xmlns:samlp=\""urn:oasis:names:tc:SAML:2.0:protocol\"" xmlns:xsi=\""http://www.w3.org/2001/XMLSchema-instance\"" ID=\""_b0b0193ce1e861e13ec39f9a991cb3501518533690616\"" Version=\""2.0\"" IssueInstant=\""2018-02-13T14:54:50.616Z\"" xmlns:saml=\""urn:oasis:names:tc:SAML:2.0:assertion\""><saml:Issuer Format=\""urn:oasis:names:tc:SAML:2.0:nameid-format:entity\"">https://XYZ.my.salesforce.com</saml:Issuer><saml:Subject><saml:NameID Format=\""urn:oasis:names:tc:SAML:2.0:nameid-format:transient\"">jussi.palo#XYZ.com</saml:NameID><saml:SubjectConfirmation Method=\""urn:oasis:names:tc:SAML:2.0:cm:bearer\""><saml:SubjectConfirmationData NotOnOrAfter=\""2018-02-13T14:59:50.616Z\"" Recipient=\""https://login.microsoftonline.com/te/XYZauthdev.onmicrosoft.com/B2C_1A_TrustFrameworkBase/samlp/sso/assertionconsumer\"" InResponseTo=\""_50a752dd-244c-4447-9ac9-6338e8bb692e\"" /></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore=\""2018-02-13T14:54:20.616Z\"" NotOnOrAfter=\""2018-02-13T14:59:50.616Z\""><saml:AudienceRestriction><saml:Audience>https://login.microsoftonline.com/te/XYZauthdev.onmicrosoft.com/B2C_1A_TrustFrameworkBase</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant=\""2018-02-13T14:54:50.616Z\""><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:unspecified</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name=\""userId\"" NameFormat=\""urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified\""><saml:AttributeValue xsi:type=\""xs:anyType\"">0050N0000060rpy</saml:AttributeValue></saml:Attribute><saml:Attribute Name=\""username\"" NameFormat=\""urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified\""><saml:AttributeValue xsi:type=\""xs:anyType\"">jussi.palo#XYZ.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name=\""email\"" NameFormat=\""urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified\""><saml:AttributeValue xsi:type=\""xs:anyType\"">jussi.palo#XYZ.com</saml:AttributeValue></saml:Attribute><saml:Attribute Name=\""is_portal_user\"" NameFormat=\""urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified\""><saml:AttributeValue xsi:type=\""xs:anyType\"">false</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>
For some reason, the User Journey Player isn't showing anything, so I'm thus far been stuck with Application Insights.
Looks like it was confusion on what Starter Pack policy files should be used with the Salesforce instructions. Turned out using "SocialAndLocalAccounts" policy files as a basis did the trick, so my UserJourney was not right at first.
I will leave the question here for anyone else running into similar error messages.

Resources