Microsoft Graph Api - Create a Domain in a healthy state - active-directory

How does one get a domain into a healthy state using the Microsoft Graph Api?
Domains that are created and verified using the Graph Api always show with an exclamation mark and "Incomplete Setup" in the Office 365 management portal.
The steps performed via the Graph API are as follows:
1. Create a domain in the tenancy using the Graph API: POST /domains
2. Get the domain TXT records from the Graph API: GET /domains/{domainName}/verificationDnsRecords
3. Add the TXT records to the DNS zone on cPanel (external)
4. Verify the domain using the Graph API: POST /domains/{domainName}/verify
5. Set services: PATCH /domains/{domainName}
However, after performing all of the above steps, the domain still shows as being in an incomplete state. The only way to get it to the Healthy state is by using the portal.
Including step 5 or leaving it out doesn't make any difference at all.
How does one get a domain into a Healthy state using the Graph Api?
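The five steps above as one function, added here as an example (it is not code from the question, from Microsoft, or from any Graph SDK). The HTTP transport is injected as a callable so the flow runs offline against a constructed fake; in real use the callable would send each request with a Microsoft Graph access token that has the domain write permission. The record values, domain name and response bodies in the fake are made up. What the read-back at the end shows is the point of the thread: Graph exposes isVerified and supportedServices, and nothing that corresponds to the portal's "Incomplete setup" flag.

```python
"""Added example: drive POST /domains, GET verificationDnsRecords,
POST verify and PATCH supportedServices through one function, with the
transport injected so the flow can be exercised offline."""
from typing import Any, Callable, Dict, List, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
# call(method, url, json_body) -> (status_code, parsed_json_or_None)
GraphCall = Callable[[str, str, Optional[dict]], Tuple[int, Optional[dict]]]


def provision_domain(call: GraphCall, domain: str,
                     services: Tuple[str, ...] = ("Email", "OfficeCommunicationsOnline")) -> Dict[str, Any]:
    """Create, read the TXT challenge, verify, and set services for `domain`.

    Returns what Graph reported at each step and raises RuntimeError on the
    first failed step, so a background job never continues past a failed
    verification as if it had succeeded.
    """
    report: Dict[str, Any] = {"domain": domain}

    # Step 1: create the domain object in the tenant.
    status, body = call("POST", f"{GRAPH}/domains", {"id": domain})
    if status not in (200, 201):
        raise RuntimeError(f"create failed: {status} {body}")

    # Step 2: read the TXT record the tenant expects to find in public DNS.
    status, body = call("GET", f"{GRAPH}/domains/{domain}/verificationDnsRecords", None)
    if status != 200 or not body:
        raise RuntimeError(f"verificationDnsRecords failed: {status} {body}")
    txt: List[dict] = [r for r in body.get("value", []) if r.get("recordType") == "Txt"]
    if not txt:
        raise RuntimeError("no TXT verification record returned")
    report["txt_record"] = {k: txt[0].get(k) for k in ("label", "text", "ttl")}

    # Step 3 happens outside Graph: publish that TXT record at the DNS host
    # (cPanel in the question). Graph has no API for the external zone.

    # Step 4: ask the tenant to look the record up and mark the domain verified.
    status, body = call("POST", f"{GRAPH}/domains/{domain}/verify", {})
    if status != 200 or not body or not body.get("isVerified"):
        raise RuntimeError(f"verify failed: {status} {body}")

    # Step 5: declare the workloads the domain is for. As the question notes,
    # this does not change the portal's health flag either way.
    status, body = call("PATCH", f"{GRAPH}/domains/{domain}", {"supportedServices": list(services)})
    if status not in (200, 204):
        raise RuntimeError(f"patch failed: {status} {body}")

    # Re-read the domain: these are the only state fields Graph exposes.
    status, body = call("GET", f"{GRAPH}/domains/{domain}", None)
    if status != 200 or not body:
        raise RuntimeError(f"read-back failed: {status} {body}")
    report["isVerified"] = body.get("isVerified")
    report["supportedServices"] = body.get("supportedServices", [])
    return report


def make_fake_graph(verify_succeeds: bool = True) -> GraphCall:
    """Constructed offline stand-in for the Graph transport. Response shapes
    follow the public domain resource; every value here is made up."""
    state: Dict[str, Any] = {"verified": False, "services": []}

    def call(method: str, url: str, body: Optional[dict]) -> Tuple[int, Optional[dict]]:
        path = url[len(GRAPH):]
        if method == "POST" and path == "/domains":
            return 201, {"id": body["id"], "isVerified": False}
        if method == "GET" and path.endswith("/verificationDnsRecords"):
            return 200, {"value": [{"recordType": "Txt", "label": "example.test",
                                    "text": "MS=ms00000000", "ttl": 3600}]}
        if method == "POST" and path.endswith("/verify"):
            if not verify_succeeds:
                return 400, {"error": {"message": "TXT record not found"}}
            state["verified"] = True
            return 200, {"id": "example.test", "isVerified": True}
        if method == "PATCH" and path.startswith("/domains/"):
            state["services"] = list(body["supportedServices"])
            return 204, None
        if method == "GET" and path.startswith("/domains/"):
            return 200, {"id": "example.test", "isVerified": state["verified"],
                         "supportedServices": state["services"]}
        return 404, {"error": {"message": "not found"}}

    return call


if __name__ == "__main__":
    print(provision_domain(make_fake_graph(), "example.test"))
```

Failing the job on the first non-success status matters more than it looks: a verify call that returns an error while the job carries on to the PATCH would leave a domain that is neither verified nor flagged, which is exactly the state that only the portal can then repair.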
I'm afraid that it's not supported to get a domain into a Healthy state using the Microsoft Graph API.
As you know, we cannot update DNS settings via the Microsoft Graph API.
Although we can verify the domain, the domain status which is visible in the portal is not exposed in the Microsoft Graph domain properties.
And the O365 admin portal is calling another kind of API, https://admin.microsoft.com/admin/api/Domains, which is not exposed to update the domain data.
Has this changed?



What's the correct Microsoft Graph API endpoint for promoting a subdomain to root in Azure AD? It exists in Azure AD Graph API, but that's deprecated

Background:
I want to add a subdomain to Azure AD so that users can have it as a UPN suffix. The parent domain is federated, but I don't want the child domain to be federated. The child domain inherits the authentication type of the parent, unless you use this one Azure Active Directory Graph API method to promote the subdomain to root. Then it can have its own authentication type and settings applied.
Problem:
What's the correct Microsoft Graph API endpoint for promoting a subdomain to root? It exists in Azure AD Graph API, but that's deprecated:
https://learn.microsoft.com/en-us/azure/active-directory/enterprise-users/domains-verify-custom-subdomain
Use Microsoft Graph API to make this a root domain
Use the following command to promote the subdomain:
POST https://graph.windows.net/{tenant_id}/domains/child.mydomain.com/promote?api-version=1.6
If I fill in {tenant_id} and fill in the subdomain I want to promote into Microsoft Graph Explorer, it fails with this:
"Your access token has expired. Please renew it before submitting the request."
I think that's because it's an Azure Active Directory Graph API call (graph.windows.net) instead of a Microsoft Graph API call, so the tokens have different audiences.
It sounds like the conversion process is this:
https://graph.windows.net/{tenant_id}/{resource}?{version}
https://graph.microsoft.com/{version}/{resource}
So I tried to run it like this:
https://graph.microsoft.com/v1.0/domains/child.mydomain.com/promote
But that fails with:
BadRequest
Resource not found for the segment 'promote'.
I did try to create an Application Registration in Azure and give it permission to Azure Active Directory Graph, but it's locked. It sounds like Microsoft is locking out new registrations to avoid people creating new Application that target it. It displays this warning message:
Azure Active Directory Graph will be deprecated in June 2022. We recommend using Microsoft Graph APIs for your application. If you are currently using Azure Active Directory Graph, please migrate to Microsoft Graph.
I have tested in my environment.
Use Microsoft Graph API to make this a root domain. Use the following command to promote the subdomain: POST https://graph.windows.net/{tenant_id}/domains/child.mydomain.com/promote?api-version=1.6
I tried this and I got the same error:
"Your access token has expired. Please renew it before submitting the request."
This is because we are trying to call the Azure AD Graph API using a Microsoft Graph API access token.
Currently, there is no API request to promote the subdomain to root using Microsoft Graph API.
I tried the below request to promote the subdomain to root:
PATCH https://graph.microsoft.com/v1.0/domains/child.mydomain.com
Body:
{
  "isRoot": true
}
But I got the below error:
So currently, we cannot promote the subdomain to root using Microsoft Graph API.
I used Azure AD Graph API and I am able to promote the subdomain to root in Azure AD.
I logged into Azure AD Graph Explorer
I ran the below request:
POST https://graph.windows.net/{tenant_id}/domains/child.mydomain.com/promote?api-version=1.6

Skype For Business Online supported by Azure AD 2.0?

I developed an app which has integration with Microsoft Graph API and uses Azure 2.0 API for authentication.
From Microsoft Graph I can get users.
Now I want to see presence information for each user and therefore I need to use Skype for Business Online.
I send a request to:
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root
And a user href is:
https://webdir0f.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user
Then I got an access token for https://webdir0f.online.lync.com from:
https://login.microsoftonline.com/<mytenant>/oauth2/v2.0/token
And the token has no "roles" claim, which is strange.
Then https://webdir0f.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user returns 500.
Is there a way to use Azure 2.0 to get access to Skype For Business Online?
Is there a way I can get presence information without a signed in user in Skype For Business Online?
UPD:
I was able to get access token for scope https://webdir0f.online.lync.com/Contacts.ReadWrite using client secret.
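Two symptoms in the threads above have the same cause on the client side: the "Your access token has expired" reply from graph.windows.net in the subdomain question came from presenting a token minted for the Microsoft Graph audience to the Azure AD Graph endpoint, and the token here carries no "roles" claim because nothing granted the app an application permission for that resource. The helper below is an added example (not code from either post or from Microsoft): it reads the payload of the token a client is about to send and reports whether the audience names the target host and which permission model the token carries. It does not verify the signature, so it is a diagnostic for token selection only; the resource server remains the party that validates the token. The two GUIDs in the table are the well-known application IDs of Microsoft Graph and Azure AD Graph; the sample tokens are constructed with an empty signature.

```python
"""Added example: inspect a JWT's aud / roles / scp claims to explain why a
resource rejected it. No signature verification: diagnosis only."""
import base64
import json
from typing import Any, Dict
from urllib.parse import urlparse

# Well-known application IDs that appear as a bare GUID in the aud claim.
KNOWN_RESOURCE_APP_IDS = {
    "00000003-0000-0000-c000-000000000000": "graph.microsoft.com",  # Microsoft Graph
    "00000002-0000-0000-c000-000000000000": "graph.windows.net",    # Azure AD Graph (legacy)
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def jwt_claims(token: str) -> Dict[str, Any]:
    """Payload claims of a compact JWT. The signature is NOT checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def diagnose_token(token: str, target_url: str) -> Dict[str, Any]:
    """Does `token` name the host of `target_url` as its audience, and does it
    carry application permissions (roles), delegated ones (scp), or neither?"""
    claims = jwt_claims(token)
    aud = str(claims.get("aud", ""))
    if "://" in aud:
        aud_host = urlparse(aud).netloc.lower()          # URI-style audience
    else:
        aud_host = KNOWN_RESOURCE_APP_IDS.get(aud, aud).lower()  # GUID-style audience
    target_host = urlparse(target_url).netloc.lower()
    if "roles" in claims:
        grant, perms = "application", list(claims["roles"])
    elif claims.get("scp"):
        grant, perms = "delegated", str(claims["scp"]).split()
    else:
        grant, perms = "none", []          # the situation in the Skype question
    return {"aud": aud, "audience_matches_target": aud_host == target_host,
            "grant": grant, "permissions": perms}


def make_unsigned_test_token(claims: Dict[str, Any]) -> str:
    """Constructed sample token (alg none, empty signature) for offline use."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


if __name__ == "__main__":
    sample = make_unsigned_test_token({"aud": "https://graph.microsoft.com",
                                       "scp": "Domain.ReadWrite.All"})
    print(diagnose_token(sample, "https://graph.windows.net/contoso/domains/x/promote"))
```

A mismatch in audience_matches_target means a new token must be requested for the other resource (a different scope or resource parameter), not a refreshed one; a grant of "none" means the token is valid for the audience but authorizes nothing, which is what the autodiscover 500 in the question looks like from the client side.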
Small correction: what you're using here isn't "Azure 2.0" but rather Azure Active Directory's "App v2" or, more commonly, the "v2 Endpoint".
The v2 Endpoint has several well-known limitations and not all APIs and features are supported. The Skype and Skype for Business APIs both lack support for the v2 Endpoint.
In general, unless it's a recently released API or it is surfaced by Microsoft Graph, then it will only work with tokens issued by the v1 Endpoint.
I managed to get access to Skype For Business using Azure 2.0 application. Just followed the guidelines.
During autodiscovery you need to set the scope to the next user or redirect URI like this: https://webdir0f.online.lync.com/Contacts.ReadWrite.
Then Azure 2.0 realizes it's a Skype For Business URI and scope and works properly.
Though the Skype For Business API is still old and very hard to use.
And I haven't found a way to get presence information for all other company users from the SfB API.
Looks like it makes sense to wait until the Trusted Application API works.
Also, trying to get an Application token doesn't work.

How can i sync users calendars using MS Graph api and Azure

I'm building a service where each user has a calendar. I want to sync users' 365 calendar events into their calendar; the tricky part seems to be that this should be done repeatedly by a background job on the server, to keep them in sync.
I feel like I've read a bible of documentation from Microsoft, but have still gotten nowhere. I eventually stumbled upon this article https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds which allows a server to query the Graph API on behalf of users. This is exactly what I want.
Having created an Azure account and Active Directory service, I found that only users within the tenant can use this, which makes it rather useless, requiring users to be added manually from the Azure panel.
AADSTS50020: User account 'm@****.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'c0193dea-5145-430a-9c90-325f1229a1fc' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
So I'm back at square one, how can I achieve what I described?
I'm not looking for a code implementation, merely a description of how to navigate the monstrosity of Microsoft.
Thank you
Update: According to Marc's link, I tried to flick the multi-tenant option and change the endpoint to use common instead of the tenant ID. Sadly I'm still getting the same error.
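The shape of the background job the question describes, as an added example (not code from the question, the answers, or Microsoft): the client-credentials token request from the article the question links, and a per-user sync pass that uses Graph's delta query on the calendar view so each run fetches only what changed. Choosing delta query is my assumption; the thread does not prescribe a sync mechanism. The Graph transport is injected as a callable so the loop runs offline against the constructed fake, and the tenant, client ID, secret, user ID, event IDs and skiptoken/deltatoken values are all made up.

```python
"""Added example: app-only token request plus a delta-query sync pass for one
user's calendar, with the transport injected for offline execution."""
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"


def client_credentials_request(tenant: str, client_id: str, client_secret: str) -> Tuple[str, str]:
    """URL and form body of the v2 token request for an app-only Graph token.

    There is no signed-in user in this grant, so 'common' cannot stand in for
    the tenant: the job keeps one token per tenant whose admin consented.
    """
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    form = urlencode({"grant_type": "client_credentials", "client_id": client_id,
                      "client_secret": client_secret,
                      "scope": "https://graph.microsoft.com/.default"})
    return url, form


def sync_user_calendar(get_json: Callable[[str], dict], user_id: str,
                       delta_links: Dict[str, str], window: Tuple[str, str]) -> List[dict]:
    """One sync pass for one user: follow nextLink pages, then keep the deltaLink.

    `delta_links` is the per-user state the job persists between runs. On the
    first pass it is empty and the full calendar view for `window` is read;
    afterwards only changes come back. Entries carrying '@removed' are deletions.
    """
    start, end = window
    url = delta_links.get(user_id) or (
        f"{GRAPH}/users/{user_id}/calendarView/delta?"
        + urlencode({"startDateTime": start, "endDateTime": end}))
    changes: List[dict] = []
    while True:
        page = get_json(url)
        changes.extend(page.get("value", []))
        if "@odata.nextLink" in page:                      # more pages in this pass
            url = page["@odata.nextLink"]
            continue
        delta_links[user_id] = page["@odata.deltaLink"]    # resume point for the next run
        return changes


def make_fake_graph() -> Callable[[str], dict]:
    """Constructed three-page delta conversation: two pages on the first pass,
    then a single deletion on the second pass."""
    first = (f"{GRAPH}/users/u1/calendarView/delta?"
             + urlencode({"startDateTime": "2023-01-01T00:00:00Z",
                          "endDateTime": "2023-02-01T00:00:00Z"}))
    page2 = f"{GRAPH}/users/u1/calendarView/delta?$skiptoken=constructed-1"
    delta = f"{GRAPH}/users/u1/calendarView/delta?$deltatoken=constructed-2"
    responses = {
        first: {"value": [{"id": "e1", "subject": "Standup"}], "@odata.nextLink": page2},
        page2: {"value": [{"id": "e2", "subject": "Review"}], "@odata.deltaLink": delta},
        delta: {"value": [{"id": "e1", "@removed": {"reason": "deleted"}}], "@odata.deltaLink": delta},
    }
    return lambda url: responses[url]


if __name__ == "__main__":
    state: Dict[str, str] = {}
    window = ("2023-01-01T00:00:00Z", "2023-02-01T00:00:00Z")
    print(sync_user_calendar(make_fake_graph(), "u1", state, window))   # e1, e2
    print(sync_user_calendar(make_fake_graph(), "u1", state, window))   # e1 removed
```

The deltaLink is the only thing the job has to persist per user; losing it just costs one full re-read of the window. The client secret in the token request is the credential that grants calendar access across every user in a consenting tenant, so it belongs in a secret store, not in the job's configuration file.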
You cannot sign in to AAD with a non-AAD account using the v1 Endpoint. If you want to use a consumer Microsoft Account (@outlook.com, @hotmail.com, @live.com) then you need to use the Converged Auth model provided by the v2 Endpoint.
I have a walkthrough for the v2 Endpoint that you might find helpful: Microsoft v2 Endpoint Primer. It is similar to the v1 Endpoint, but you'll need to register via https://apps.dev.microsoft.com rather than the Azure Portal. Also, v2 apps use Scopes instead of Resources and are multi-tenant out of the box.
This is too broad a question for Stack Overflow. That said, you're incorrect about Azure AD. It is absolutely not limited to a single tenant. You do, however, need to register it as a multi-tenant application:
How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern

Authentication from mobile devices with OpenID Connect / Azure AD not working with Microsoft Graph API

I have a website that uses OpenID Connect authentication/ADAL to authenticate users with an Azure AD. The application also uses the Microsoft Graph API to retrieve user data from the AD.
Authentication has been working well from all kinds of devices ever since it was implemented a couple of months ago.
But a few weeks ago (on August 23rd, to be exact), authentication from mobile devices stopped working all of a sudden, although no changes were made in the code or (to my knowledge) in the company infrastructure.
In the AuthorizationCodeReceived event handler of my ConfigureAuth method, I acquire an authentication result in this manner:
var authenticationContext = new AuthenticationContext(settings.Authority);
var authenticationResult = authenticationContext.AcquireTokenByAuthorizationCode(context.Code, new Uri(settings.RedirectUri), new ClientCredential(settings.ClientId, settings.ClientSecret), resource);
where resource is the Microsoft Graph API URL.
However, ever since August 23rd, the AcquireTokenByAuthorizationCode call throws an AdalServiceException with the message:
AADSTS50097: Device authentication is required.
If I omit the resource parameter in my AcquireTokenByAuthorizationCode call or change it to "https://graph.windows.net", for example, authentication from mobile devices works like a charm. But then I obviously cannot access the MS Graph API.
Is there a way to solve this so that I can access the MS Graph API and have users log on with mobile devices?
Sriram's answer is correct.
The company administrator has enabled a conditional access policy for Exchange Online, which at present applies to Microsoft Graph as well. We are aware that this affects applications that use Microsoft Graph for artifacts other than mail/calendar, and are working on decoupling them. The change should roll out in the next few months. Please check with your company administrator whether the policy can be relaxed. If that is not feasible, contact our support channel to request exclusion of Microsoft Graph from policy enforcement.
