Unable to update Azure AD user property from SharePoint using #pnp/graph - active-directory

I have created a SharePoint Framework web part using React. After that, I integrated #pnp/graph under that SPFx application. Also, I have given an API access permission request to my SPFx app.
I have fetched all users from the Azure AD group. Now, I need to update the currently logged-in user property under Azure AD. Below is my code snippet,
import { graph } from "#pnp/graph";
public async UpdateCurrentUserProperties(companyName) {
return await graph.me.update({
companyName: companyName
});
}
Below is the reference link,
https://pnp.github.io/pnpjs/graph/users/#update-current-user
I am facing the below error while updating the currently logged-in user profile properties under Azure AD.
Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration
Can anyone help me with the same?

The error "Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration" usually occurs if you are trying to update the users which synced from on-premises to Azure AD.
You have to update these users on on-premises environment and then sync it to Azure.
To resolve the error, Try changing it on On-prem server and then sync it to Azure AD.
Please check if your organization uses a hybrid environment and those users are synced from AD, you have to manage them from on-premises Exchange.
Check whether you have given required API permissions.
You can refer this similar case that can give you some pointer.
For more in detail, please find below links:
azure - Set-AzureADuser failing - Stack Overflow
Unable to update the specified properties for on-premises mastered Directory Sync objects - Microsoft Q&A

Related

Can we use Graph API delegated permission for Azure Data Factory?

I am trying to get "/groups" endpoint of Microsoft Graph API in my tenants via Azure Data Factory. I have given "Delegated permission" for my service principal. To my knowledge, when there is no user to act on behalf of, we should use "Application permission".
However, organization requirement does not allow me to use Application permission.
Therefore, when I try to execute my pipeline, I get "insufficient privileges to complete the operation."
Can this be the reason because ADF does not allow to use delegated permissions as there is no user to act on behalf of?
I tried to reproduce the same in my environment to get groups endpoint using graph api from ADF
And got same error:
Insufficient privileges to complete the operation
Make sure you have Microsoft graph permissions to query groups and users.
The user here do not has Data Factory contributor role .
Or make sure you ADF has proper access to the resources .So give it contributor role
And if your are using storage account to store the rest response, make sure user , app or group has Storage blob data contributor role.
Reference:
Copy and transform data from and to a REST endpoint - Azure Data Factory & Azure Synapse | Microsoft Learn

Add user properties to Azure Active Directory for SCIM provisioning (HiBob)

I'm trying to setup a user lifecycle flow that will allow me to create an Azure Active Directory user (Member, not Guest) when an employee is created in our HRIS tool (HiBob). There is a pre-existing integration which is enabled and allows us to get basic information (name, location, etc.).
In the HRIS system we also store some more unique data that I would like to be added to the users AAD profile (maybe an emergency contact for example) that we can then use to provision other applications (like Slack).
My issue is trying to create these custom property fields. I have read about Azure B2C as well as directory schema, custom security extensions and using MS Graph. None of these seem to be totally relevant to my situation.
FYI we are fully cloud, so Azure AD Connect is also not an option.
To store custom data in Azure AD objects such as users you can leverage Azure AD Directory Extensions in tandem with Azure AD Provisioning trough SCIM.

How should I store employee data with Azure AD?

I am setting up a new company and we are using Azure AD. We are remote-first and cloud-only. We do not and will not have an on-premises Active Directory controller.
How is it recommended to store employee data such as birthday, hire date, and social security number? It is unclear how to extend the schema. When I try to fetch a birth date using the Graph API, I get "Error message: This operation target is not yet supported.". When I extend the schema using "External Identities -> Custom User Attributes", I don't see a way to edit those inside the Azure AD portal.
My administrative interface is a Java application built using the Microsoft Graph API. It works fine for the standard fields (e.g., displayName, givenName, surname, etc.).
I am currently integrated with a PostgreSQL database in Azure using the authentication that works against the Azure AD API. That works fine and I can put employee metadata there, but is is not clear if I should.
We can store the employee data like birthday and hire date in azure AD through couple of ways.
One way is to use azure ad connect (if you have on premise active directory) and the other way is using schema extensions. You need to use Microsoft Graph API to work with azure ad schema extension, there is no direct option to extend the schema from azure portal.
Please follow the steps in this doc to Create schemaExtension
Schema extensions are supported for following resource types.
1.contact
2.device
3.event on a user or Microsoft 365 group calendar
4.post of a Microsoft 365 group
5.group
6.message
7.organization
8.user user resource type
Here is the reference article written by #Toni PohI, About Azure AD schema extension Working with Azure AD schema extensions and Microsoft Graph
Using AAD Connect you can flow an extension attribute from AD to the MV attribute employeeHireDate which will export successfully to AAD.
Make sure your extension attribute uses Generalized-Time syntax. These dates are strings in the format "YYYYMMDDhhmmss.0Z".
Then create an inbound sync rule to populate employeeHireDate
This will flow to AAD. This was completed with AAD Connect Version: 2.1.16.0

I'm trying to create scim integration. In Azure databricks email attribute is missing

I would like to test my scim integration with Azure Active Directory.
I created provisioning in DataBricks, but the list of attributes is missing email.
How do I add it?
Update after the answer was accepted: I was trying to use DataBricks in order to test my SCIM implementation for Azure. The right way is to create an app, edit mappings according to the needs and submit the app to the Azure AD.
Your question is unclear. How are you trying to provision from Azure AD to Databricks? You should be adding the Databricks Enterprise App from the gallery (see documentation for exact steps). The gallery app has the mappings preconfigured in a way tailored to Databricks - specifically, it's set to not attempt updates on userName or email attributes as both are immutable in the Databricks system.

On-Premises User Profile Update Using Microsoft Graph API

we have a screen in our application that is used to update Azure AD users through Graph API. If users are created using Azure Portal or Graph API, I'm able to updated user profile using this screen.
But if the user is Created/Sync using AD Connect(e.g in case of O365 Users) while updating these Users Microsoft Graph returns following error:
Unable to update the specified properties for on-premises mastered Directory Sync objects or objects currently undergoing migration
I have following queries:
Is it possible to update a user through Graph API that is created from on-premises to Azure AD?
Is there any settings on azure portal or Ad connect that allow user to be
updated through Graph API?
Also How to tell the difference between if a user is created on-premises or on Azure AD through Microsoft Graph API. Any attribute in Microsoft.Graph.User Class?
To answer your questions:
No this isn't possible because of the way they are synced. If Microsoft would allow changes on both sides, it would have to implement some kind of duplicate change resolution system. So they just blocked changing properties except for some cloud only properties like licenses.
No there isn't because of the above reason
Yes there is, but it's kinda hacky.
To see if a Graph user is created through the sync you should request the User.Read.All scope for your application and then do a request to the Get user endpoint with the select all properties querystring ?$select=*.
The synced users should have the OnPremisesSamAccountName property amongh others that don't appear on a non-synced user.
Once you found out the user is an on-premise user, your application could do an update straight to your AD with the System.DirectoryServices.AccountManagement api.

Resources