We're using Azure AD Connect to sync our on-premises Active Directory to Azure AD. We have the free version that comes with the Office 365 business plans.
Azure AD Connect shows the Description field as being synchronized to Azure AD, yet, the field does not appear anywhere.
We're using a third-party service to read data from our user profiles to generate email signatures, but the service cannot read the data as it doesn't "exist" in Azure.
I even tried going into our Azure AD Connect configuration, enabled Directory extension attribute sync and added the Description field for user accounts...but it created a new "description" field with a weird name instead.
Is there something I'm missing ? Do we perhaps need to have Azure AD Premium ?
Thanks for your help people!
Based on the official documentation, the attribute for Description has been synced to Azure AD. You can verify it by open Synchronization Service Manager, and check the properties for the specific user by Metaverse Search.
However, if you need to retrieve the attribute values for specific user, you must use Azure AD Graph API. For your scenario, the third-party service may leverage Azure AD Graph API for retrieving user properties.
Then, if you check the Graph API reference, you can find that Description is not included in the list, which means you can't retrieve the Description attribute from Azure AD.
As a workaround, you can use Directory extension, but the attributes are prefixed with extension_{AppClientId}_. The AppClientId has the same value for all attributes in your Azure AD tenant.
Also, you can submit your requirements to the following website, which collects feedbacks for Azure AD from users.
https://feedback.azure.com/forums/169401-azure-active-directory?query=attribute
Related
Is it possible to reproduce the steps to "Configure Azure AD Connect cloud sync" from the Azure portal, in another way using an API?
The steps are described at this link:
https://learn.microsoft.com/en-us/azure/active-directory/cloud-sync/tutorial-single-forest#configure-azure-ad-connect-cloud-sync
I would like to automate this process to have no user interaction. Is it possible with the Graph API? Any example?
Thank you Marilee Turscak - MSFT for providing the reference Link.
I don't understand this sentence: "You need to use this application
ID 1a4721b3-e57f-4451-ae87-ef078703ec94. The displayName is the AD
domain url, if used in the portal (for example, contoso.com), but it
may be named something else." What is the application id I should use?
And what is the display name? I get 401 or 403 errors. Is there an
additional step before this?
You have to use the same application ID as its the Application templateID by default which is used to provision entries from active directory to Azure active directory.
But You can use any Display name that you want and Please make sure to have the required permissions as shown below. You can perform the post operation with Graph explorer.
After you have done the above post operation you will get the service principal ID which can be used for further steps mentioned in the document provided by Marilee Turscak - MSFT.
Reference:
How to programmatically configure cloud sync using MS Graph API | Microsoft Docs
I need clarification for below users graph api,
https://graph.microsoft.com/v1.0/users/
We have synced our on-premise AD with Azure active directory. In my on premise AD we have the custom attribute called “RollNo”. I would like to read that " RollNo” data from above users graph api.
Is this possible to read custom attribute from AD ?
I don't see the rollno in azure AD. But I've created in On-premise AD which is synced with azure AD. Do we have any workaround to get this value?
When configuring Azure AD Connect there is a step that allows you to specify additional attributes that you wish to be replicated to Azure AD.But the custom attributes. name would be changed.
For more detailed information, please refer to the official article: https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-sync-feature-directory-extensions
Currently we are working on Azure SSO migration project and doing most of the task using old azure site. we have received a mail from the Microsoft via Client to use the new azure portal.
To provide the access for B2B, in old portal we straight uploaded the files with application id and the group id and that worked well.
But, in new portal when the did the same, the ids' are getting created in azure AD portal but they are not mapped in the groups that we have created for B2B invitation for the application.
Is there any approach is there. please help.
Regards,
Avisekh
The feature in the Azure Portal allows you to add individual requests by adding guest accounts, but if you need to invite multiple people or have any type of automation, you should:
Use PowerShell New-AzureADMSInvitation cmdlet
[or]
Use the Microsoft Graph API invitations
If you need to add users to groups, then you can also use the Dynamic Groups feature in Azure B2B (perhaps this is more similar to what you used to have), as well as Graph API Groups API or via PowerShell.
I'm working on an application that will allow users to authenticate to Azure Active Directory and then manage resources in their Azure account via Azure Resource Manager API calls.
I've found several walkthroughs on building such an app including this post. However, in the part that discusses authentication with Azure Active Directory, there's a step showing the need to manually retrieve the Azure Active Directory name from the Azure Portal.
The directory name is plugged into app settings (and ultimately authentication calls to the directory) as follows
http://login.microsoftonline.com/{directory_domain_name}/OAuth2/Authorize
Is there any way to programmatically retrieve {directory_domain_name} without requiring users to login and lookup the information in the Azure Portal?
The one answer to this question has a dead link and another pointing to the Graph API, which seems to still require the domain name.
For your particular scenario, look like you want to build an app that will be users from different Azure AD tenants. This scenario is best addressed by building a multi-tenant application.
To make your application multi-tenant, you'll need to go to the Azure Portal and in the Configure tab of your Azure AD application, set the "Application is Mult-Tenant" option to yes.
Once you do this, you can just call
http://login.microsoftonline.com/common/oauth/authorize
http://login.microsoftonline.com/common/oauth/token
And Azure AD will resolve the figure out which tenant to authenticate against based on the the credential that the user types in.
More information on multi-tenant applications:https://azure.microsoft.com/en-us/documentation/articles/guidance-multitenant-identity-authenticate/
Sample multi-tenant application: https://github.com/Azure-Samples/active-directory-dotnet-webapp-multitenant-openidconnect
Our company is considering using AAD B2C as the backing store for our SaaS user accounts. Our plan is use Resource Manager templates to deploy the Azure infrastructure (web, storage, sql, etc) for each client. AAD B2C will be part of that if this works out, but as of now there doesn't appear to be a way to include AAD B2C in resource manager templates.
My view of the intent of the B2C product is that it serves as a replacement for the auth and user store components of an app, and should therefore be considered infrastructure. Right now the hierarchy between AAD and resource groups in the new azure portal doesn't reflect that - resource groups (and their resources) appear 'under' an identity in an AAD account. But why is that? Is an AAD a parent to a resource group? I'm trying to understand how the two fit together.
If AAD B2C is really intended to serve this purpose when it leaves preview, it will need to support automation. After a quick search I can't even find code samples to provision a new directory, let alone do so using Resource Manager templates.
Am I looking at this all wrong?
Currently there is no way to automate the creation of an AAD B2C tenant like there is also no way to automate the creation of an AAD tenant.
After you created a tenant you can access it programmatically via the Graph API. You can read more about this in the documentation: https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-devquickstarts-graph-dotnet/.
The first paragraph of this documentation mentions the following:
Azure Active Directory (Azure AD) B2C tenants tend to be very large. This means that many common tenant management tasks need to be performed programmatically. A primary example is user management. You might need to migrate an existing user store to a B2C tenant. You may want to host user registration on your own page and create user accounts in Azure AD behind the scenes. These types of tasks require the ability to create, read, update, and delete user accounts. You can do these tasks by using the Azure AD Graph API.
Caution: at the point of writing this is still in preview so the API can change any time and you have no SLA.
For the latest status about which Azure services support ARM you can read this page: https://azure.microsoft.com/en-us/documentation/articles/resource-manager-supported-services/