Graph API to find out users deleted on AAD - azure-active-directory

I have an AAD group in which I added 5 users. On running delta link (https://learn.microsoft.com/en-us/graph/delta-query-groups#deltalink-response), I see the response showing 5 users. I deleted these 5 users from AAD (Note that I deleted users from Azure Active Directory). And these users were automatically removed from the AAD group that they belonged to. On running the delta link, I see no response:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups",
"@odata.deltaLink": "",
"value": []
}
My assumption was that the delta link would show these removed users. If that's not the case, is there a Graph API that returns users removed from an AAD group because they are no longer present in AAD?
I saw this doc: https://learn.microsoft.com/en-us/graph/api/directory-deleteditems-list?view=graph-rest-1.0&tabs=http
On running this https://graph.microsoft.com/v1.0/directory/deletedItems/microsoft.graph.user?$count=true
I see all the users that were deleted from AAD.
Is there a way to get users removed from an AAD group because they are no longer present in AAD?

I tried to reproduce the same in my environment and got the below results:
I created one Azure AD group and added 5 users to it like below:
Now, when I ran the delta query on groups, I got the results successfully as below:
GET https://graph.microsoft.com/v1.0/groups/delta?$select=displayName,description,members
Response:
I deleted those 5 users, and they are automatically removed from the group like below:
UPDATE
Now, when I ran the below query including filter, I got those 5 removed users in that group with reason as deleted as below:
GET https://graph.microsoft.com/beta/groups/delta/?$filter=id eq 'group_id'&$select=id,displayName,members
Response:
I too got the delta link in the response like below:
But when I ran that delta link, I'm getting empty results same as you like below:
So, instead of running delta link, just execute the normal query like below to get the results:
GET https://graph.microsoft.com/beta/groups/delta/?$filter=id eq 'group_id'&$select=id,displayName,members
Otherwise, instead of deleting the users directly from Azure AD, remove the users from the group first and run the query.
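To make concrete what a groups/delta page carries once members drop out, here is an added Python example (not from the question or either answer) that parses one delta response and separates added members, members carrying the @removed annotation together with its reason, removed groups, and the link to follow next. The response body is a constructed sample with placeholder ids and tokens, not a capture from a real tenant.

```python
import json

# Constructed sample of a groups/delta page (placeholder ids and token, not a real tenant).
SAMPLE_DELTA_RESPONSE = json.dumps({
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups",
    "@odata.deltaLink": "https://graph.microsoft.com/v1.0/groups/delta?$deltatoken=PLACEHOLDER",
    "value": [
        {
            "id": "group-id-placeholder",
            "displayName": "Example Group",
            "members@delta": [
                {"@odata.type": "#microsoft.graph.user", "id": "user-1"},
                {"@odata.type": "#microsoft.graph.user", "id": "user-2",
                 "@removed": {"reason": "deleted"}},
                {"@odata.type": "#microsoft.graph.user", "id": "user-3",
                 "@removed": {"reason": "changed"}},
            ],
        },
        {"id": "group-gone", "@removed": {"reason": "deleted"}},
    ],
})


def parse_group_delta(body: str) -> dict:
    """Split one delta page into per-group member changes plus the link to call next.

    Returns {"added": {group_id: [member_id]},
             "removed": {group_id: [(member_id, reason)]},
             "removed_groups": [group_id], "next": url, "is_delta_link": bool}
    """
    page = json.loads(body)
    result = {"added": {}, "removed": {}, "removed_groups": [],
              "next": None, "is_delta_link": False}
    for group in page.get("value", []):
        gid = group["id"]
        if "@removed" in group:  # the group itself is gone; it carries no member list
            result["removed_groups"].append(gid)
            continue
        for member in group.get("members@delta", []):
            removed = member.get("@removed")
            if removed:  # reason is reported exactly as Graph returned it
                result["removed"].setdefault(gid, []).append((member["id"], removed.get("reason")))
            else:
                result["added"].setdefault(gid, []).append(member["id"])
    # A page carries either @odata.nextLink (more pages in this round) or
    # @odata.deltaLink (round complete; store it and reuse it on the next poll).
    if "@odata.nextLink" in page:
        result["next"] = page["@odata.nextLink"]
    elif "@odata.deltaLink" in page:
        result["next"] = page["@odata.deltaLink"]
        result["is_delta_link"] = True
    return result
```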

Once the user is removed from AAD the user is also removed from all groups and it's not possible to find out in which group/groups the user was in.
Try to remove users from group before deleting them from AAD.

Related

How can I get my Keycloak Database updated with Groups coming from AD?

We are connecting our Keycloak server to AD and it’s configured so changes in AD get stored in Keycloak’s Database. The final goal is to have our Application’s DB synchronised and we are succeeding so far, except for the User Group Memberships.
Here is what we have tried so far:
A Group Mapper has been created, connecting it to AD. We have tried with the 3 available modes: LDAP_ONLY, READ_ONLY and IMPORT with no success in any case.
When we add or remove a Group from a user in AD (with no other change) and in User Federation we sync for “changed users”, Group changes are not detected at all (Sync of users finished successfully.0 users added, 0 users updated, 0 users removed, 0 users failed.).
We have created a custom Event Listener. When syncing, no normal Event is dispatched. An Admin Event is dispatched, but no info about the User nor about the Group comes with the Event (only info about the Realm).
A custom implementation of LDAPStorageMapper has been done. None of the methods are executed when syncing and only Group changes were done in AD (I would expect at least syncDataFromFederationProviderToKeycloak to be executed).
Keycloak Tables USER_GROUP_MEMBERSHIP and FED_USER_GROUP_MEMBERSHIP are empty. Even after trying with the aforementioned Modes LDAP_ONLY, READ_ONLY and IMPORT.
When going to User Details in Keycloak, tab Groups:
With mode LDAP_ONLY no sync is needed. The Groups show up there updated before syncing.
With mode IMPORT, no Group is shown, neither before nor after syncing.
With mode READ_ONLY, Groups are shown, but for them to be updated a "changed users" sync needs to be done.
When getting the user from Keycloak's REST API attribute modifyTimestamp stays unchanged, even after trying all previous steps.
All we need is to find out which users were changed since last sync so we can update their Groups. Any tip on that? Am I missing any table, event, configuration… for that?
Any help is greatly appreciated.

New Salesforce custom profile not available in user provisioning via Azure AD

We use Azure AD user provisioning, to create and manage users in Salesforce. In itself this is working correctly. But... we have created a new (custom) profile in Salesforce (which Azure AD refers to as role) and this new profile is not being loaded into Azure AD. When creating a new user, we see our old custom profiles, but not the new one.
We started looking in the provisioning logs and saw a lot of "failed" entries. The first part of these logs reads like this:
The name, id, and claim properties of an app role in Azure AD must be
unique. We are unable to update an app role as one or more properties
are not unique. This is most commonly caused by having non-unique role
names in the directory from which roles are being imported.
And then a bunch of non-unique profiles/roles are listed. These are all standard profiles, such as Standard User and System Administrator. They appear twice in the list.
Going back to the screen where we add users, sure enough, these double entries are there as well. Each duplicate being an inactive choice. And: some old custom profiles are shown, also inactive. But not the new one.
This has worked before, as we see the old custom profiles listed. But somewhere/somehow double entries have been added and now we are stuck.
What is the solution? I have no idea on how to remove those duplicate entries from Azure AD. In Salesforce, there are no duplicate profiles. And even if I could remove the duplicate entries from Azure AD, maybe they would be added again on the first provisioning run.

Map groups to roles in Keycloak when using OIDC - Roles are not appending based on new Groups

I mapped AD groups to roles using Mappers. When I log in with a test user (with ADGroup1, ADGroup2),
in Keycloak the logged-in user's mapper roles (role1, role2) are assigned correctly.
When I remove a user from an AD group (-ADGroup2) in Azure, it deletes the role (-role2) in Keycloak after logging in again.
I tried to add the AD group (ADGroup2) back again. It was not appending the role again; I see only role1.
Mapper is configured as below:
ADGroup1 ==> test_client.role1
ADGroup2 ==> test_client.role2
If I delete both AD groups, user roles are also deleted in Keycloak. only appending is the problem.
Thank you for posting your query. This seems like a user data sync delay. Could you please try setting "Sync Mode Override" to "force"? This would update user data at each user login. Ref: https://github.com/keycloak/keycloak-documentation/blob/main/server_admin/topics/identity-broker/mappers.adoc
Thanks

Issue with accessing reports in Microsoft Graph API - Please double-check the tenant ID and try again

When using the Graph Explorer I am able to get results from some of the APIs. However, I am not able to get results when requesting reports.
For Example, this works perfectly fine;
https://graph.microsoft.com/v1.0/users
However, calling the below report related request results in an error "We do not recognize this tenant ID ... Please double-check the tenant ID and try again." I am facing this issue for any such call for reports.
https://graph.microsoft.com/v1.0/reports/getOffice365ActiveUserDetail(period='D90')
Is there some issue with App Registration which is causing this? The error message for checking the TenantID is totally misleading as the token is same in both the cases and I am not doing anything different between the two calls. Would appreciate any guidance.
Try checking these:
1. Try the request after giving it some time, approximately 48 hours, as it might take a little time for the tenant ID to propagate across all the instances and reflect in the Microsoft Graph API.
2. Check if you have given a valid tenant ID.
3. Check the tenant expiration (as admin account).
4. Else check if the required permissions are set. The Reports.Read.All permission is needed to call this API. Refer to Microsoft Graph permissions. Please add the Delegated permission / the Application permission and test it again. See Microsoft Graph v1.0 | Microsoft Docs.
5. If that's done already, check if admin consent is provided. (The Reports.Read.All permission allows an app to read all service usage reports without a signed-in user. Make sure to check if you granted the permission by clicking Grant Permissions from the admin account.) See reports-permissions.
References:
Similar thread
concept-reporting-api
Update:
This error may occur when the usage report is not ready, because if the tenant is new, it might take some time (up to 48 hours) for the report service to pick it up and start generating reports.
You must be able to test it manually from the O365 Admin Portal: portal.office.com -> Admin Tab -> Show all -> Reports -> Usage.
Otherwise, you may contact support to raise a request.

Adding Redmine user fails (email already in use), but no user uses that email

I should note, this user had existed in the past, left, and then came back to be reactivated.
I inherited this Redmine system in the interim, so I don't know all of its details (read: quirks).
===
When attempting to create the user name.last@student.email.edu, Redmine fails the user add, saying "The email is already in use."
However, a search of Redmine users shows no such user, and I can find no such email.
When searching in Redmine for both MY username and my email, both come up, so I think I'm doing the search correctly.
Redmine users are validated against a Samba Active Directory domain (not locally).
The user account seems to be fine in Samba Active Directory.
One user can have multiple e-mail addresses; the best way to resolve that situation is to search for that user via the Ruby console or with an SQL database query tool.
Console approach:
To activate the Ruby console, on your Redmine server navigate via terminal (or cmd on Windows) to the Redmine install folder and type rails console; you might need to add RAILS_ENV=production if required.
EmailAddress.find_by(address: "my@address.com")
Replace my@address.com with the address you are looking for, or
That would return a result like:
#<EmailAddress id: 3, user_id: 1, address: "my#address.com"...
Then in the following query you can get the exact user by using the user_id from the previous query:
User.find_by(id: id_from_previous_query)
Just replace id_from_previous_query with the proper id returned by the previous query.
Database approach:
E-mail addresses are located in the email_addresses database table.
Below is SQL code that you can run if you installed Redmine with MySQL/MariaDB;
just replace %search% with the email or part of the email that you are searching for:
select login,firstname,lastname,address from users left join email_addresses on users.id=email_addresses.user_id where email_addresses.address like '%search%'
I have also created a feature proposal based upon your inquiry, here: https://www.redmine.org/issues/31043