Really straitghforward question: Is it possible to create one or more groups in a group in Windows Azure AD?
The use case: Everytime a new group is created on Outlook Office 365, a group is created at the Windows Azure AD. So far so good. However, the scenario presented to me is that my application could pontentially create hundreds of groups. So in order to make things clean, I thought of create a main group with several sub groups (like directory and sub directories), but I don't seem to find any obvious option to accomplish that.
May I kindly ask for guidance on this, if it's possible or not? If it's possible, how could it be done? If not, is there any intention to implement something alike?
Many thanks in advance.
Groups can be member of Groups by calling:
POST https://graph.windows.net/myorganization/groups/{object_id}/$links/members?api-version
With the request body containing a URL to your DirectoryObject (in your case, it would be a Group)
{
"url": "https://graph.windows.net/myorganization/directoryObjects/3eb6055a-baeb-44d4-a1ea-2fee86d8891b"
}
Here are the docs: Azure AD Graph API Docs
Related
As you can see my question above, I was wondering if it is possible to retrieve the assigned groups of an Azure Active Directory (AAD) based user via Microsoft GraphAPI.
My situation is, that I have an ASP.NET MVC project with Microsoft Azure enabled. My goal is, that an Azure user can login on my website with it's Azure account.
The idea is, that an azure user is an admin or an user (depending on the azure groups) and depending of this role group, the user can view more or less of my webpage.
For example:
When Peter logs in with his azure account on my webpage, he should only be able to see:
Add new Document
Edit Document
Remove Document
because he is only assigned as "User" in Azure Active Directory.
But when Sabrina logs in with her azure account on my webpage, then she should be able to do the same as Peter, but she also can see:
Manage Products
Add new customer
etc.
because she is been assigned as an admin in Azure Active Directory.
My problem is, that I did not find out how I retrieve the assigned group of an user with Microsoft GraphAPI. The part, which user can see or not after I got the roles is not a big deal.
I already tried this API call:
https://graph.microsoft.com/v1.0/me/
But it seems, that the response of this call does not include the actual assigned group of that user.
Do you think it is possible to retrieve the assigned group of an azure user? Is this even possible? Or do I have to do something else to retrieve these information?
I hope you understand my point and I am also looking forward for any response. Thanks in advance!
Add /memberOf to the URL to receive the groups a user is member of.
https://graph.microsoft.com/v1.0/me/memberOf
Here's a link to the specific graph api - https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups
Take a look at this sample application on Github. It does something very similar with a task tracker application, where different users are able to perform different actions based on the group they belong to -
https://github.com/Azure-Samples/active-directory-dotnet-webapp-groupclaims/blob/master/README.md
Also, in cases where a user is a member of too many groups, you get back an overage indicator and have to make a separate call to get all groups. Read about “hasgroups” and “groups:src1” claims here - https://learn.microsoft.com/en-us/azure/active-directory/develop/v1-id-and-access-tokens
According to your system architecture, if some user has too many joined groups, the API https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_getmembergroups will return too many groups.
But if the groups with permissions in your system are not too much, you can use this API: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_checkmembergroups to check if the current user is the member of specified groups.
It is not good idea to use this API: https://graph.microsoft.com/v1.0/me/memberOf. Because it returns only the groups that the user is a direct member of, but security group can be member of security group.
Basically, I just want to use Microsoft Graph to get a list of active directory users and their email addresses.
Ideally, I could get all the admin users for a certain subscription.
How do I do that? I couldn't find any good examples online.
Assuming you have the correct access to a tenant, and an authenticated token granting you access to the Microsoft Graph, you can use the following REST API calls to get the data you are looking for:
List Users - Documentation
GET https://graph.microsoft.com/v1.0/users
List Admins (via directory roles) - Documentation
This is a multi-step process. First you must find the directory role for the Company Administrator, which will always have the roleTemplateId of 62e90394-69f5-4237-9190-012177145e10. This should not be confused by the actual directory role id, which will be different per directory.
GET https://graph.microsoft.com/v1.0/directoryRoles
Then you want to list the users who are a part of that directory role:
GET https://graph.microsoft.com/v1.0/directoryRoles/<id>/members
If you really need to get started from scratch, I recommend you look at this PowerShell sample I made which simplifies authentication, and allows you to make queries to resource endpoints like the Microsoft Graph.
https://github.com/shawntabrizi/Microsoft-Authentication-with-PowerShell-and-MSAL
I'm new to azure active directory and I'm trying to implement a group based access mechanism in my mvc5 (C#) app. I have the Azure side sorted, my users are assigned to groups but I want to be able to determine which group they are in to control access to areas within the web app. (similar to roles based access)
so I need something like this
if (User.IsInGroup("Admin") || User.IsIngroup("Creator"))
{
//do something here
}
there are only 2 groups so I don't really need roles. I've looked at a few options using the graph api and they seem like massive overkill for what I'm trying to achieve. Whats the best way to implement this ? Do I need to implement the graph API ? Id appreciate any advice
You could enable Group Claims in Azure AD app, that will makes it simple to enable access management using AD groups. To enable your application to receive group claims :
1.In your application page, click on "Manifest" to open the inline manifest editor.
2.Edit the manifest by locating the "groupMembershipClaims" setting, and setting its value to "All" (or to "SecurityGroup" if you are not interested in Distribution Lists).
3.Save the manifest.
Then when user login , you will get the groups information in token ,but it will return the object id of group(that is unique identity, group name could be changed).Please click here and here for more details , also see the new groups claim sample published in the Azure AD samples github repo: https://github.com/AzureADSamples/WebApp-GroupClaims-DotNet
Please let me know if it helps .
Not sure if this belongs here or on Serverfault.
I have a Sharepoint installation and several Active directory domains. In each domain, I have some Security groups.
I need to create Sharepoint groups that contain those Active Directory groups, but I need to inlude the actual users instead of just the security group. (So in I have Group G1 with Users U1 and U2, my Sharepoint group needs to contain U1 and U2 instead of G1).
Before I build something like this myself (which is rather straight-forward with a Timer Job and some Management forms), I just wonder if something like this is already built in to Sharepoint 2007? Or if they are existing solutions?
Googling brought only results about the normal AD<>SP Profile import, which works fine, but nothing about Security Groups.
This definitely isn't built into SharePoint. It may be available in a third party solution, however my guess is it would be an uncommon requirement so unlikely.
I would probably develop the solution myself. It shouldn't take long.
I would write a timer job for this (if you want to keep the AD groups and SP groups in sync).
Make sure all your groups are in 1 OU (to make for an asy stsrting point for an LDAP query), then iterate through all the security group objects with Directory Services in the TimerJob execute method. Then, iterate through all user objects in the group and add them to the corresponding SP group, remove users that are removed from the AD group from the SP group too.
I have to import a lot of old data into SharePoint. In this data, I need to create a lot of users who are no longer in AD. Does anyone have any idea how to do that?
Cheers
The options I can come up with:
Recreate the users in Active Directory and disable the accounts
Attribute the files to a generic account
Tie into a SQL database for user accounts in addition to Active Directory
On a sidenote, I've seen it to be a best practice to never delete users from Active Directory due to issues like these. Instead, just disable the accounts and move them to an out of the way OU.
I don't think this is possible as you are really trying to create orphaned users. Better just revert these users to the System Account - that is what I did when I last migrated a SharePoint 2003 farm to MOSS 2007.
You can use CSVDE to import a comma separated file, or dsadd command to add each user. See this link for details.