I recently figured out that there are two Graph APIs available for Azure Active Directory. There is the unified graph.microsoft.com and the AAD-specific graph.windows.net:
Azure AD Graph API functionality is also available through Microsoft
Graph, a unified API that also includes APIs from other Microsoft
services like Outlook, OneDrive, OneNote, Planner, and Office Graph,
all accessed through a single endpoint with a single access token.
Source
Is there any reason to use the unified Graph API when I only need to browse AAD objects? Will the AAD-specific graph.windows.net Graph API get deprecated?
There has been no announcement of Azure AD Graph API's deprecation and we (and others) use it in production every day.
If you can get what you want through Azure AD Graph API, I'd say use it. If you need something else from the Microsoft Graph API (like emails or contacts), use that one.
Related
I want to read mails of users of a specific domain (tenant) using the Outlook API. However, I don't have privileges to register a new app in the Azure portal for that domain, and so am not able to use the Graph API. We cannot use the Outlook API without an OAuth app. In this case, is using IMAP/POP3 my only choice? How secure is it to use IMAP/POP3 to read mails when compared to the Azure AD Graph API? Please advise.
It depends on what you really want to achieve.
If you just want to read the messages, configuring your mailbox in Outlook or other email provider with IMAP/POP3 is a preference. You don't need to worry about its security, it has been in service for decades.
For Microsoft Graph API, to call Microsoft Graph, your app must acquire an access token from the Microsoft identity platform. See Authentication and authorization basics for Microsoft Graph to learn more details about it.
So the point is how you want to read your email.
If you are developing your own app, using Microsoft Graph API is certainly the best choice. You can test GET https://graph.microsoft.com/v1.0/me/messages to list your emails in Microsoft Graph Explorer without registering an app in Azure AD.
When I attempt to retrieve the sAMAccountName from Azure AD via Microsoft Graph and oAuth, the attribute is not returned.
I am trying to retrieve the onPremisesSamAccountName through oAuth from Microsoft Graph on my Azure AD tenant. My local domain syncs with Azure, and I have selected the sAMAccountName directory extension for syncing. However, when I make my GET request to the Graph REST URI, I get back the correct user object, but I don't get back the onPremisesSamAccountName.
Here is my request:
https://graph.windows.net/myorganization/users/user#domain.com?api_version=1.6
That request returns the user object with a truckload of properties. When I try the following (in the hopes of "$select"ing the field), Microsoft returns the metadata URL, which actually contains the onPremisesSamAccountName property definition.
https://graph.windows.net/myorganization/users/user#somain.com?api-version=1.6&$select=onPremisesSamAccountName
Am I not formatting my query correctly? In the Azure AD portal, I have the following API permissions specified:
You can use Microsoft Graph API to get onPremisesSamAccountName property. Here is the Microsoft Graph explorer.
https://graph.microsoft.com/v1.0/users/{userObjectId}?$select=onPremisesSamAccountName
By the way, the permissions you granted are Microsoft Graph API permissions, not Azure AD Graph API permissions. Azure AD Graph is different from Microsoft Graph. It is recommended to use the Microsoft Graph API.
I am looking for an API to pull all the users using a tenant ID or using the MS Graph APIs with an AADv1/AADv2 app.
I have both v1 and v2 apps to access MS Graph and can also use the O365 tenant ID.
Pick the appropriate SDK for MS Graph depending on your language / platform preference. The readme in the repo will help you get started, as will the IntelliSense provided by the SDK. You’re going to want to ensure that your app registration has appropriate access to the APIs you’re after.
From the Azure Active Directory v2.0 authentication libraries we can see lots of samples about how to use the libraries to connect to Active Directory. It seems all of them require creating an application at apps.dev.microsoft.com first, then using the Application ID and a new password to act as the clientID and clientSecret in a client or server middleware application.
This way, one user can use the application to login by oauth 2 or openid through the Azure Active Directory API. Also can get the personal information such as user profile correctly.
But, if I want to get all the users information in a tenant one time, is there an API can do?
But, if I want to get all the users information in a tenant one time,
is there an API can do?
You can use Microsoft Graph API - specifically List Users API.
https://graph.microsoft.com/v1.0/users
For a quick test, try using Microsoft Graph Explorer
Similarly you can list users with Azure AD Graph API as well, but it would be recommended to use Microsoft Graph API.
Read Microsoft Graph or Azure AD Graph and this SO Post (Only case to use Azure AD Graph API would be if you need something very specific that you aren't able to achieve with stable version of the newer Microsoft Graph API.)
Azure AD Graph API to list users (not recommended)
https://graph.windows.net/myorganization/users
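An added example, not part of the original answers: a single GET on the Microsoft Graph List Users endpoint returns only one page, so pulling every user means following `@odata.nextLink`, here combined with the `$select=onPremisesSamAccountName` query from the earlier answer. The `http_get` transport hook and the sample pages are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit

GRAPH_HOST = "graph.microsoft.com"
FIELDS = "id,userPrincipalName,onPremisesSamAccountName"
FIRST_URL = f"https://{GRAPH_HOST}/v1.0/users?$select={FIELDS}"


def list_all_users(http_get, token, max_pages=1000):
    """Collect every user by following @odata.nextLink until it is absent.

    http_get(url, headers) -> dict is an assumed transport hook that returns
    the decoded JSON body; token is a Microsoft Graph access token.
    """
    headers = {"Authorization": "Bearer " + token}
    url, users = FIRST_URL, []
    for _ in range(max_pages):
        body = http_get(url, headers)
        users.extend(body.get("value", []))
        url = body.get("@odata.nextLink")
        if not url:
            return users
        parts = urlsplit(url)
        # Never replay the bearer token to another host or over plain HTTP.
        if parts.scheme != "https" or parts.hostname != GRAPH_HOST:
            raise ValueError(f"refusing to follow nextLink: {url!r}")
    raise RuntimeError("paging did not terminate within max_pages")


# Constructed two-page reply standing in for the live service.
PAGE_2 = FIRST_URL + "&$skiptoken=CONSTRUCTED"
SAMPLE_PAGES = {
    FIRST_URL: {
        "value": [
            {"id": "1", "userPrincipalName": "alice@contoso.example",
             "onPremisesSamAccountName": "alice"},
            {"id": "2", "userPrincipalName": "bob@contoso.example",
             "onPremisesSamAccountName": "bob"},
        ],
        "@odata.nextLink": PAGE_2,
    },
    # Constructed cloud-only account: nothing synced, so the value is null.
    PAGE_2: {"value": [{"id": "3", "userPrincipalName": "carol@contoso.example",
                        "onPremisesSamAccountName": None}]},
}


def sample_get(url, headers):
    return SAMPLE_PAGES[url]
```

The host check on each `nextLink` keeps the bearer token from being sent anywhere except graph.microsoft.com.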
I have an application currently using the Azure AD Graph API. I would like to start migrating the app to Microsoft Graph. However, I would like to reuse the bearer tokens for hitting both the Azure AD Graph API and Microsoft Graph API.
How can I accomplish this? Currently it seems as if the apps must be registered in different portals for the different APIs respectively.
it seems as if the apps must be registered in different portals for the different APIs respectively
This is not consistent with my experience. I have registered my Application in Azure Active Directory.
Using the Azure portal, I am able to get permissions to both the Microsoft Graph Api and the Windows Azure Active Directory API.
I would like to reuse the bearer tokens for hitting both the Azure AD Graph API and Microsoft Graph API.
You cannot use the same token for both the Azure AD Graph API and Microsoft Graph API.
In my code, I receive an access token via the following call:
    AuthenticationResult result = await authContext.AcquireTokenByAuthorizationCodeAsync(
        authorizationCode,
        redirectUri,
        CreateClientCredential(),
        resourceString
    );
The resourceString parameter is either https://graph.windows.net/ for the AD Graph API, or https://graph.microsoft.com for the Microsoft Graph API.
They are distinct resources, so you must manage two tokens, applying the appropriate token for each API call.
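An added example, not code from the original answer: one way to manage the two tokens is a cache keyed by resource that picks the token from the request host and refuses to attach one to any other host. The `acquire` hook, the class name and the sample token values are assumptions constructed for illustration.

```python
import time
from urllib.parse import urlsplit

# Resource identifiers quoted in the answer above, keyed by API host.
RESOURCE_BY_HOST = {
    "graph.windows.net": "https://graph.windows.net/",
    "graph.microsoft.com": "https://graph.microsoft.com",
}


class ResourceTokenCache:
    """Keeps one access token per resource and picks it by request host."""

    def __init__(self, acquire, skew=300, clock=time.time):
        # acquire(resource) -> (token, expires_on_epoch) is an assumed hook
        # around whatever auth library the app already uses.
        self._acquire, self._skew, self._clock = acquire, skew, clock
        self._tokens = {}

    def token_for(self, url):
        parts = urlsplit(url)
        resource = RESOURCE_BY_HOST.get((parts.hostname or "").lower())
        if parts.scheme != "https" or resource is None:
            raise ValueError(f"no token is issued for {url!r}")
        cached = self._tokens.get(resource)
        # Re-acquire when missing or within `skew` seconds of expiry.
        if cached is None or cached[1] - self._skew <= self._clock():
            cached = self._tokens[resource] = self._acquire(resource)
        return cached[0]

    def headers_for(self, url):
        return {"Authorization": "Bearer " + self.token_for(url)}


def make_sample_acquire(clock, lifetime=3600):
    """Constructed stand-in for a token endpoint; records each request."""
    calls = []

    def acquire(resource):
        calls.append(resource)
        return f"constructed-token-{len(calls)}-for-{resource}", clock() + lifetime

    return acquire, calls
```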