I'm using Graph API's isMemberOf function to test whether a user is a member of a particular group. This works great for Office 365 groups, but always seems to return false for "Local Active Directory" groups. I'm assuming the local groups are being synced correctly as I can see them and their membership list using the Azure AD portal.
Is it possible to test for group membership of local active directory groups using the Graph API?
Related
Are nested groups inside azure active directory work in SharePoint online? so if we created a nested azure active directory group, can we add this nested group to SharePoint site permission?
In other words, let say we have 2 AD groups; Group-A & Group-B .. and we added Group-B inside Group-A .. then we added the nested group to a SharePoint site >> then will all users inside AD Group-A and AD Group-B get the permission on SharePoint? Thanks
• As per what you said, nested groups are a subset of the larger groups they are a part of, i.e., nested group members can be a part of multiple member groups and other nested groups of which they are originally a part of. And since you are talking of Azure AD groups, they are of two types, viz., Microsoft 365 and Security. I tried to give permission to groups created in Azure AD, both Microsoft 365 and Security groups to Sharepoint site through ‘Site Permissions’ option and was successful in adding the groups to the respective sites for Sharepoint access.
Also, these groups are nested as specified by me above and I didn’t encounter any such issue in accessing the Sharepoint site through them. Please find the screenshot below for reference: -
Of the above, ‘Test_group’ and ‘All Users’ are Security groups, so they cannot be added in the ‘Grant Permissions’ list or they won’t be invited whereas the other two groups are Microsoft 365 groups, so their users who have Office 365 license enabled will be invited and be able to grant the required permissions. Thus, nested Microsoft 365 Azure AD groups are only allowed for Sharepoint site permissions. For more information regarding the groups, please refer the below link for more details: -
https://learn.microsoft.com/en-us/microsoft-365/admin/create-groups/compare-groups?view=o365-worldwide
My goal is to get the Azure AD users who have been assigned the Classic Administrator role in an azure subscription.
I use the REST api's Classic Administrators - List to retrieve all classic admins but it returns an Email which is not unique enough and an ID called netId/puid which is not present on the user returned from the Graph API.
I followed the Azure Portal's network to see how it gets the users for AAD but it queries the Graph API with an internal API version '1.61-internal' that I can't use.
Does anyone know on a way to retrieve this information?
Thanks
There is not an exposed API to match netId/puid with users.
But you can get the puid from the access token.
Or you could use Microsoft 365 Powershell cmdlet Get-MsolUser -UserPrincipalName "{upn}" | fl to get the user and find the LiveId property.
Record the puid or LiveId above and the corresponding user information to your local configuration file and match them with the name property in response of Classic Administrators - List.
Then you can get the corresponding users who are classic Administrators.
It's just a workaround and there are many workloads. I don't think it is a good method but there is no other way.
https://developer.microsoft.com/en-us/graph/docs/concepts/webhooks#supported-resources states that Azure AD based resources are subject to a Per app and tenant combination: 7 total subscriptions
Calendars are assigned to users. Does this mean that they are "Azure AD based resources"?
I'm hoping to be able to have hundreds of subscriptions active for a single tenant.
Well since the line reads:
Certain limits apply to Azure AD based resources (users, groups) and may generate errors when exceeded:
I'd assume it only applies to users and groups which reside in Azure AD. Office 365 Calendars do not, MS Graph API gets them from the Outlook Calendars API.
And it's not too hard to test this, try creating 8 subscriptions :)
I'm trying to find out a way to create a User (work account) with specified DirectoryRole in Azure Active Directory Graph API using one Azure AD Graph API call.
I can make two separate calls (one to create the user and one to assign the DirectoryRole) but is it possible to include the role in the POST user payload and assign the role in the same call?
Apparently as of today, the Azure AD Graph REST Api is not able to create a user with a non-default directory role in one call
So we should make 2 separate calls To create a user and a second call to make the user a member of the Directory Role.
I didn't find any documentation around this, but had a chat with someone from AD team and he informed me of this.
I created some AD user in Azure Management Portal, too and would like to assign some roles to these users. My user has role "Global Administrator". There are only roles available that do not fit to my business requirements. So I would like to know whether there is already a solution how to add new roles because Graph Api or azure ad powershell seems not to support this feature.
Thx for the support
Azure AD doesn't yet allow creating custom "app roles". You can however create security groups and add users to those groups. The application that needs to check for these roles for authorization can check for the signed in user's group membership (transitively using this graph API: http://msdn.microsoft.com/en-us/library/azure/dn424889.aspx) for the group that represents the role(s).
App roles is on our radar - however you shouldn't block on it.
Hope this helps.
Now this is supported and in your app you can
[Authorize(Roles = "Admin, Observer, Writer, Approver")]
In this example of Microsoft you can see how to do it https://github.com/AzureADSamples/WebApp-RoleClaims-DotNet
You can red more about this feature in http://blogs.msdn.com/b/aadgraphteam/archive/2014/12/12/announcing-the-new-version-of-graph-api-api-version-1-5.aspx