In this link: https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/users-operations there is a field called mailNickname which adds an email alias for a user in Active Directory.
My organization uses this, so one user will have two mail IDs (code@company.com and alias@company.com).
How do I get the alias list of a user through an API from Azure Active Directory?
We have implemented a web app with Single Sign-On, and the above problem leads to the same user creating two different accounts that are not connected.
Any help is appreciated.
You are mixing up the user alias with the list of user e-mail addresses. The e-mail alias is a unique value which identifies the user's mailbox; it is not necessarily part of the user's e-mail address, although it usually is. It is the name used when the user accesses the mailbox with POP or IMAP.
The e-mail addresses that you call aliases are the collection of e-mail addresses stored in proxyAddresses: https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/entity-and-complex-type-reference#user-entity
You should not use e-mail as the property to identify a user, but userPrincipalName (UPN), as this is the value which is used to identify a user. The UPN is usually the same as the e-mail address, but again, it doesn't have to be.
A user's UPN, however, might also change. It can and it does happen, so if you want to store this information somewhere, obtain the user's objectId and store that instead of the UPN.
If you are implementing SSO based on Azure AD you should use a library like ADAL.NET; it handles all these operations for you: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-authentication-libraries
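As an added example (not code from the original answer), the following Python shows how a web app would consume the user entity the answer points at: it collects every SMTP address from proxyAddresses (plus mail and otherMails), treats the upper-case SMTP: entry as the primary, and keys the local account on objectId so a sign-in that arrives with the alias lands on the same record. The user entity is a constructed sample; the field shapes follow the entity reference linked above, and the local store is a plain dict standing in for the app's database.

```python
import json

# Constructed sample Azure AD Graph user entity (values are made up; the field
# shapes follow the user entity reference). proxyAddresses entries are 'TYPE:value'.
SAMPLE_USER_JSON = """
{
  "objectId": "3c4d3f1e-9a4b-4c2a-8f4e-1b2c3d4e5f60",
  "userPrincipalName": "code@company.com",
  "mail": "code@company.com",
  "mailNickname": "code",
  "proxyAddresses": [
    "SMTP:code@company.com",
    "smtp:alias@company.com",
    "X500:/o=ExchangeLabs/ou=Exchange Administrative Group/cn=Recipients/cn=code"
  ],
  "otherMails": []
}
"""


def load_sample_user():
    return json.loads(SAMPLE_USER_JSON)


def email_addresses(user):
    """Return (primary, sorted list of every SMTP address) for a user entity.

    Only SMTP entries of proxyAddresses are mail addresses; the entry whose
    prefix is upper-case 'SMTP' is the primary. mail and otherMails are folded
    in so the list is also complete for Microsoft-account users, whose mail is
    null and whose address lives only in otherMails.
    """
    primary = None
    addresses = set()
    for entry in user.get("proxyAddresses") or []:
        prefix, sep, value = entry.partition(":")
        if not sep or prefix.upper() != "SMTP":
            continue  # X500, SIP, etc. are not mail addresses
        addresses.add(value.lower())
        if prefix == "SMTP":
            primary = value.lower()
    mail = user.get("mail")
    if mail:
        addresses.add(mail.lower())
        primary = primary or mail.lower()
    for other in user.get("otherMails") or []:
        addresses.add(other.lower())
    return primary, sorted(addresses)


def resolve_account(store, user):
    """Find or create the local account for a directory user.

    The key is objectId, which survives UPN and address changes. Every known
    address is recorded so that a later sign-in presenting an alias maps onto
    the same account instead of creating a second one.
    """
    key = user["objectId"]
    primary, addresses = email_addresses(user)
    record = store.setdefault(key, {"objectId": key, "addresses": set()})
    record["upn"] = user.get("userPrincipalName")
    record["primary"] = primary
    record["addresses"].update(addresses)
    return record


def find_by_address(store, address):
    """Look up a local account by any of its mail addresses (case-insensitive)."""
    wanted = address.lower()
    for record in store.values():
        if wanted in record["addresses"]:
            return record
    return None


if __name__ == "__main__":
    user = load_sample_user()
    store = {}
    resolve_account(store, user)
    # Second sign-in presenting the alias as the mail address: same objectId,
    # so the same record is returned and no duplicate account is created.
    resolve_account(store, dict(user, mail="alias@company.com"))
    print(len(store), find_by_address(store, "ALIAS@company.com")["objectId"])
```

The check a practitioner wants here is the one the answer makes: nothing in the lookup path keys on the address the user typed, only on objectId; the addresses are kept purely so a legacy account created under an alias can be matched and merged.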
I want to get the user's email used for the Azure organization in the callback action of the SSO web login flow.
Could you please advise which property and which API permission I should request for it? I tried the upn, preferred_username, and email properties, but as I understand it they can differ from the actual email.
Tried multitenant and single-tenant approaches.
Keep in mind that the user logs in with their UPN, which is typically (but isn't necessarily) the same as their email address.
The email claim should contain the user's email address if the directory is looked after by admins. That's the one you're after.
More information on the default claim set can be found here.
More information on how the UPN might be populated, including the approach of using an Alternate ID can be found here.
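As an added example (not code from the answer above), this Python takes the decoded claims of an Azure AD id_token and derives the identity the app should store: the immutable tid + oid pair as the key, the login name from preferred_username or upn, and the contact address only from the email claim, which is left empty rather than guessed from the UPN when it is absent. It also checks that the tenant in the issuer matches the tid claim. The claim sets are constructed samples and are assumed to have been signature- and audience-validated already by the OpenID Connect library; the GUIDs are made up.

```python
import re
from urllib.parse import urlparse

GUID = re.compile(r"^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$")

# Constructed claim sets (assumption: already signature- and audience-validated).
# v2.0 issuer is https://login.microsoftonline.com/{tid}/v2.0, v1.0 is https://sts.windows.net/{tid}/.
WORK_ACCOUNT_V2 = {
    "iss": "https://login.microsoftonline.com/11111111-2222-3333-4444-555555555555/v2.0",
    "tid": "11111111-2222-3333-4444-555555555555",
    "oid": "3c4d3f1e-9a4b-4c2a-8f4e-1b2c3d4e5f60",
    "preferred_username": "jdoe@contoso.com",
    "email": "John.Doe@contoso.com",
}
WORK_ACCOUNT_V1_NO_EMAIL = {
    "iss": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
    "tid": "11111111-2222-3333-4444-555555555555",
    "oid": "3c4d3f1e-9a4b-4c2a-8f4e-1b2c3d4e5f60",
    "upn": "jdoe@contoso.com",
}
GUEST_MSA = {
    "iss": "https://sts.windows.net/11111111-2222-3333-4444-555555555555/",
    "tid": "11111111-2222-3333-4444-555555555555",
    "oid": "aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee",
    "upn": "testmail_hotmail.com#EXT#@contoso.com",
    "email": "testmail@hotmail.com",
}


def identity_from_claims(claims):
    """Derive a stable identity record from validated id_token claims.

    tid + oid is the immutable key; upn and preferred_username are login names
    that can change and need not be deliverable addresses, so the contact
    address comes from the email claim alone and is None when that is missing.
    """
    tid, oid = claims.get("tid"), claims.get("oid")
    if not (tid and oid and GUID.match(tid) and GUID.match(oid)):
        raise ValueError("tid/oid missing or malformed")
    # The tenant segment of iss must agree with tid (first path segment in both v1.0 and v2.0 issuers).
    issuer_tenant = urlparse(claims.get("iss", "")).path.strip("/").split("/")[0]
    if issuer_tenant.lower() != tid.lower():
        raise ValueError("issuer tenant does not match tid")
    email = claims.get("email")
    return {
        "key": f"{tid}:{oid}".lower(),
        "login": claims.get("preferred_username") or claims.get("upn"),
        "email": email.lower() if email else None,
    }


if __name__ == "__main__":
    for claims in (WORK_ACCOUNT_V2, WORK_ACCOUNT_V1_NO_EMAIL, GUEST_MSA):
        print(identity_from_claims(claims))
```

Note that the v1.0 and v2.0 samples for the same user yield the same key, while the work account without an email claim yields email None: that is the case where an app should ask the user to confirm an address rather than fall back to the UPN.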
When I try to add a user with a login that's a regular email address like john@gmail.com, I get the following message on the right:
'gmail.com' is not a verified domain name in this directory
I want them to be able to authenticate without a name like 'john@MyApp.onmicrosoft.com'. I read an answer that said this isn't possible, but I can see gmail and outlook email addresses that someone else added (they aren't around). They are members, not guests. How do you add users like that?
Add Guest User is the button you are looking for.
It allows you to add users with any email address.
I have 2 users in Azure AD
Microsoft Account user
Microsoft Azure Active Directory user
User 2 always works in Graph API calls, but user 1 does not.
https://graph.windows.net/tenantid/users/testmail@hotmail.com?api-version=2013-04-05
(Email actually is url encoded as testmail%40hotmail.com).
This gives the following error
{"odata.error":{"code":"Request_ResourceNotFound","message":{"lang":"en","value":"Resource 'testmail@hotmail.com' does not exist or one of its queried reference-property objects are not present."}}}
Does anyone know how to fix this?
Edited:
Things I figured out trying to fix this. I am using the userPrincipalName in the query above (..users/testmail@hotmail.com?..). For built-in domain accounts the userPrincipalName is testmail@domain.com (this works), but for a Microsoft account the userPrincipalName is testmail_hotmail.com#EXT#@domain.com. This was given in the all-users list (https://graph.windows.net/tenantid/users?api-version=2013-04-05). But even when I changed the query to '..users/testmail_hotmail.com#EXT#@domain.com?..', of course after URL encoding (testmail_hotmail.com%23EXT%23%40domain.com), it still does not work. objectId always works, though, for all accounts (..users/objectId?..).
Also tried otherMails. Maybe the API call is wrong, as otherMails is an array: "https://graph.windows.net/tenantId/Users?$filter=otherMails eq 'testmail%40hotmail.com'&api-version=2013-04-05"
So the question still remains. if only email is available for an MS account(not objectid) when making the call, how to get user details?
You are missing your domain in the URL you posted. It should be
https://graph.windows.net/[your Azure AD domain]/users
To get the email address for a user you need to add the object Id of the user in the request URL. So, for example, to get an Azure AD user it would be like this:
https://graph.windows.net/[your Azure AD domain]/users/[object ID of user]/mail
For users in the directory sourced from a Microsoft Account, the mail property is null. So, you will have to look in the otherMails property like this:
https://graph.windows.net/[your Azure AD domain]/users/[object ID of user]/otherMails
If you want to access the full user account using a user's UPN, you can do that for users sourced from Azure AD. For example, for a tenant domain contoso.com and a user with the UPN johndoe@contoso.com, the query would look like this:
https://graph.windows.net/contoso.com/users/johndoe@contoso.com
This doesn't work for users sourced from Microsoft Accounts. For these accounts, the UPN contains characters (#, . for example) that break the query. You can filter by the UPN, though, using the naming convention that is used for users sourced from Microsoft Accounts. Suppose you have a user whose email is jayhamlin@yahoo.com in your directory. The UPN would be something like jayhamlin_yahoo.com#EXT#@contoso.com. So you could use a filter and look for the first part of the UPN like this:
https://graph.windows.net/contoso.com/users?api-version=2013-11-08&$filter=startswith(userPrincipalName, 'jayhamlin_yahoo')
You can easily explore the Graph API and object properties for your directory using https://graphexplorer.cloudapp.net.
That filter can work, but you could also filter on otherMails. Your original query didn't work because otherMails is a multi-valued property, so you need to use "any":
https://graph.windows.net/tenantId/users?api-version=1.5&$filter=otherMails/any(x:startswith(x,'testmail@hotmail.com'))
When are you using this lookup? Is it once the user has signed in or for some people picking scenario?
Cheers,
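As an added example covering both answers above (the objectId/UPN key lookups and the startswith/any filters; this is not code from either answer), the Python below builds the Azure AD Graph URLs with correct percent-encoding and OData quoting, derives the #EXT# UPN for a Microsoft-account user from their email, and shows why a startswith filter needs an exact client-side match afterwards. The api-version value and the response data are assumptions: the version is a later one than the thread used, and the response is a constructed sample.

```python
from urllib.parse import quote

GRAPH = "https://graph.windows.net"
API_VERSION = "1.6"  # assumption: a later Azure AD Graph version; the thread used 2013-04-05 and 1.5


def odata_literal(value):
    """Quote a string for an OData $filter; an embedded single quote is doubled."""
    return "'" + value.replace("'", "''") + "'"


def users_url(tenant, key=None, query=None):
    """Build {GRAPH}/{tenant}/users[/{key}]?api-version=..[&query]."""
    url = f"{GRAPH}/{quote(tenant, safe='')}/users"
    if key is not None:
        url += "/" + quote(key, safe="")  # '#' -> %23, '@' -> %40
    url += f"?api-version={API_VERSION}"
    if query:
        url += "&" + query
    return url


def user_by_object_id(tenant, object_id):
    """Key lookup by objectId: works for every user regardless of source."""
    return users_url(tenant, key=object_id)


def user_by_upn(tenant, upn):
    """Key lookup by UPN: works for Azure AD-sourced users only. The #EXT# UPN of a
    Microsoft-account user is rejected even when encoded, so filter instead."""
    return users_url(tenant, key=upn)


def external_upn(email, tenant_domain):
    """Naming convention for a Microsoft-account user: local@host -> local_host#EXT#@tenant."""
    local, _, host = email.partition("@")
    return f"{local}_{host}#EXT#@{tenant_domain}"


def users_by_filter(tenant, expr):
    return users_url(tenant, query="$filter=" + quote(expr, safe=""))


def users_by_external_upn(tenant, email):
    """startswith on the local_host prefix of the #EXT# UPN (single-valued property)."""
    local, _, host = email.partition("@")
    return users_by_filter(tenant, f"startswith(userPrincipalName,{odata_literal(local + '_' + host)})")


def users_by_other_mail(tenant, email):
    """otherMails is multi-valued, so the lambda form any(x: ...) is required."""
    return users_by_filter(tenant, f"otherMails/any(x:startswith(x,{odata_literal(email)}))")


def exact_other_mail(users, email):
    """startswith over-matches (a@b.com also hits a@b.com.au); keep exact, case-insensitive hits."""
    wanted = email.lower()
    return [u for u in users if any(m.lower() == wanted for m in (u.get("otherMails") or []))]


# Constructed response to users_by_other_mail(..., "testmail@hotmail.com"); not real directory data.
SAMPLE_RESPONSE = {"value": [
    {"objectId": "0f0e0d0c-0b0a-4908-8706-050403020100",
     "userPrincipalName": "testmail_hotmail.com#EXT#@contoso.com",
     "mail": None, "otherMails": ["testmail@hotmail.com"]},
    {"objectId": "1f1e1d1c-1b1a-4918-8716-151413121110",
     "userPrincipalName": "testmail_hotmail.com.au#EXT#@contoso.com",
     "mail": None, "otherMails": ["testmail@hotmail.com.au"]},
]}


if __name__ == "__main__":
    print(user_by_upn("contoso.com", external_upn("testmail@hotmail.com", "contoso.com")))
    print(users_by_other_mail("contoso.com", "testmail@hotmail.com"))
    print([u["objectId"] for u in exact_other_mail(SAMPLE_RESPONSE["value"], "TestMail@hotmail.com")])
```

The point the second answer raises (when is the lookup made?) decides which of these to use: after sign-in the token already carries the objectId, so user_by_object_id is the right call; the filters are only for a people-picker style search where an address is all you have, and then the exact match on the returned otherMails is what keeps a similar address from being treated as the same person.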
Assume a new user registers today on my website with a Gmail ID, and an account gets created in OpenAM with the Gmail ID as the user name.
Let's say that in future the same user uses a Facebook account to log in to my website. Take for granted that I know the user registered on the website with Gmail earlier and that I know his/her Gmail ID precisely.
Is it possible to link both user credentials to the same OpenAM account without creating a new account?
What could be the other alternatives ?
I'm going to assume that when you say "Gmail-id" you mean email address. Google also has a concept of a numerical ID that would not be constructive in this case.
To set this up, you'd need two OAuth 2 modules, one for each of Google and Facebook, with appropriate scopes to be given the email address in the user profile, and you'd need to set up the account mapping to map the email address from each of Google and Facebook to the mail attribute; the attribute mapping would then have the same mapping (as well as other appropriate mappings to get the user's name, etc.).
This means that when the user returns to OpenAM an account with mail=[email from Google/Facebook] will be looked for, and if found, used. If not found, an account with that email address will be created, and would then be used in the future.
Obviously you will need to decide that you trust the email address provided by Facebook represents the identity you have from GMail, but it sounds like you're happy with that.
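As an added example (not OpenAM code, and not from the answer above), the following Python models the two mappings the answer describes: the account mapper says which provider attribute is used to look up an existing account (email to mail for both providers), and the attribute mapper says what is written when no account is found. The trust decision the answer leaves to you is made explicit as a set of providers allowed to assert mail; a profile from any other provider is refused rather than linked. The provider profiles, the datastore and the attribute names google-id and facebook-id are constructed for the example.

```python
# Constructed provider profiles as the OAuth2 modules would hand them over (not real responses).
GOOGLE_PROFILE = {"provider": "google", "sub": "110248495921238986420",
                  "email": "alice@gmail.com", "name": "Alice Example"}
FACEBOOK_PROFILE = {"provider": "facebook", "id": "1015200000000001",
                    "email": "Alice@gmail.com", "name": "Alice E."}

# Account mapper: provider attribute -> datastore attribute used to FIND an account.
ACCOUNT_MAPPER = {
    "google": {"email": "mail"},
    "facebook": {"email": "mail"},
}
# Attribute mapper: provider attribute -> datastore attribute written on CREATE
# (and filled in on link if the account does not have it yet).
# google-id / facebook-id are assumed attribute names for this example.
ATTRIBUTE_MAPPER = {
    "google": {"email": "mail", "name": "cn", "sub": "google-id"},
    "facebook": {"email": "mail", "name": "cn", "id": "facebook-id"},
}


class Datastore:
    """Stand-in for the OpenAM user datastore: a list of attribute dicts."""

    def __init__(self):
        self.entries = []

    def find(self, criteria):
        """Return the first entry matching every criterion, case-insensitively."""
        for entry in self.entries:
            if all(str(entry.get(k, "")).lower() == str(v).lower() for k, v in criteria.items()):
                return entry
        return None

    def create(self, attrs):
        entry = dict(attrs)
        self.entries.append(entry)
        return entry


def map_account(store, profile, trusted_providers):
    """Resolve a provider profile to one datastore account, creating it if absent.

    The lookup is whatever the account mapper says (here: mail). Linking on an
    address is only safe when the provider is trusted to have verified it, so
    untrusted providers are refused outright instead of being matched.
    """
    provider = profile["provider"]
    if provider not in trusted_providers:
        raise PermissionError(f"{provider} is not trusted to assert a mail address")
    criteria = {ds: profile[pa] for pa, ds in ACCOUNT_MAPPER[provider].items()}
    account = store.find(criteria)
    if account is None:
        account = store.create({ds: profile[pa]
                                for pa, ds in ATTRIBUTE_MAPPER[provider].items() if pa in profile})
    else:
        # Existing account: record this provider's identifier, never overwrite profile data.
        for pa, ds in ATTRIBUTE_MAPPER[provider].items():
            if ds not in account and pa in profile:
                account[ds] = profile[pa]
    return account


if __name__ == "__main__":
    store = Datastore()
    trusted = {"google", "facebook"}
    first = map_account(store, GOOGLE_PROFILE, trusted)
    second = map_account(store, FACEBOOK_PROFILE, trusted)
    print(first is second, len(store.entries), first)
```

The Facebook login differs only in the case of the address, which is why the datastore match is case-insensitive; it is linked to the Google-created account without a new entry, and the account keeps the display name the first provider supplied.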
Assuming email addresses are all different, so not from one or two single email suffixes.
I know there is UPN login, but I believe that to be with predefined UPN Suffixes, not 1000s of unique ones.
There is also ADFS type stuff.
Yes, you can use an email address as the login. Normally, on an intranet, you can use your Exchange email address associated with your AD user ID.
In extranet app scenarios you can use OpenID-based authentication or Windows Live ID.