How to find Site Owners in SharePoint Online via SharePoint REST API/Graph API - azure-active-directory

I'm trying to find all users that are permitted to access a site in SharePoint Online.
I can do that via the SharePoint REST API using the following request:
https://<tenant>.sharepoint.com/sites/<site>/_api/web/RoleAssignments?$expand=Member/Users,RoleDefinitionBindings
The response contains some hidden technical accounts, users that have been granted permissions explicitly, and the default SharePoint site groups for members and owners.
The SharePoint site member group is presented with the following LoginName:
c:0o.c|federateddirectoryclaimprovider|<UUID>
Where <UUID> is the id of an Azure group. I can then resolve its members using the Graph API. However, there is a user missing here that is listed in the SharePoint UI as an owner of the site.
The SharePoint site owner group, however, is presented with the following LoginName:
c:0o.c|federateddirectoryclaimprovider|<UUID>_o
Where <UUID> is the exact same id as before. So I can't resolve its members using the Graph API as the UUID gives me the member group and the UUID including the suffix is an invalid group identifier.
Furthermore, the SharePoint REST API seems to treat this owner group (as well as the member group) like a user rather than a group, so I couldn't find a way to resolve its members using this API either.
So how can I resolve the actual users that are owners of a site?
Thank you very much!

Isn't it as simple as that?
https://<tenant>.sharepoint.com/sites/<site>/_api/site/owner

The solution is described here: https://learn.microsoft.com/en-us/sharepoint/modern-experience-sharing-permissions#team-site-permissions-and-office-365-groups
When you add owners or members to the Microsoft 365 group, they're given access to the SharePoint site along with the other group-connected services. Group owners become site owners, and group members become site members.
Which means you can retrieve the site owners with the following request:
https://graph.microsoft.com/v1.0/groups/<UUID>/owners
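As an added example (not code from the question or either answer), the following Python helper applies what the two answers describe: it walks the LoginName values returned by the SharePoint REST RoleAssignments call, recognises the `federateddirectoryclaimprovider` claims, strips the `_o` suffix to recover the Microsoft 365 group id, and maps the member and owner variants to the Graph `/members` and `/owners` endpoints so every principal can be resolved for an access review. The sample response is constructed; the user-claim prefix `i:0#.f|membership|` and the app-only LoginName are assumptions about the shape of real data, not values taken from the page.

```python
import json
import re

# Constructed sample: a trimmed RoleAssignments response in the shape the
# question describes (not captured from a real tenant).
SAMPLE_ROLE_ASSIGNMENTS = json.dumps({
    "value": [
        {
            "Member": {"LoginName": "i:0#.f|membership|alice@contoso.example",
                       "Title": "Alice Example"},
            "RoleDefinitionBindings": [{"Name": "Full Control"}],
        },
        {
            "Member": {"LoginName": "c:0o.c|federateddirectoryclaimprovider|"
                                    "11111111-2222-3333-4444-555555555555",
                       "Title": "Team Site Members"},
            "RoleDefinitionBindings": [{"Name": "Edit"}],
        },
        {
            "Member": {"LoginName": "c:0o.c|federateddirectoryclaimprovider|"
                                    "11111111-2222-3333-4444-555555555555_o",
                       "Title": "Team Site Owners"},
            "RoleDefinitionBindings": [{"Name": "Full Control"}],
        },
        {
            # Assumed app-only principal, included only to show the 'unresolved' path.
            "Member": {"LoginName": "i:0i.t|00000003-0000-0ff1-ce00-000000000000|app@sharepoint",
                       "Title": "SharePoint App Only"},
            "RoleDefinitionBindings": [{"Name": "Full Control"}],
        },
    ]
})

# Group-connected site groups: <UUID> = members, <UUID>_o = owners of the M365 group.
CLAIM_RE = re.compile(
    r"^c:0o\.c\|federateddirectoryclaimprovider\|"
    r"(?P<group_id>[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12})"
    r"(?P<suffix>_o)?$",
    re.IGNORECASE,
)


def parse_group_claim(login_name):
    """Return (group_id, relation) for a group-connected site group LoginName.

    relation is 'owners' when the '_o' suffix is present, 'members' otherwise.
    Returns None for any LoginName that is not such a claim.
    """
    m = CLAIM_RE.match(login_name)
    if not m:
        return None
    relation = "owners" if m.group("suffix") else "members"
    return m.group("group_id").lower(), relation


def graph_url_for(login_name):
    """Graph v1.0 URL that lists the people behind a site group claim, or None."""
    parsed = parse_group_claim(login_name)
    if parsed is None:
        return None
    group_id, relation = parsed
    return f"https://graph.microsoft.com/v1.0/groups/{group_id}/{relation}"


def triage_role_assignments(raw_json):
    """Split a RoleAssignments response into three buckets for an access review:
    'direct' (explicit user grants), 'graph_lookups' (site groups that must be
    expanded via Graph) and 'unresolved' (anything else, e.g. app-only principals)."""
    result = {"direct": [], "graph_lookups": [], "unresolved": []}
    for assignment in json.loads(raw_json)["value"]:
        member = assignment["Member"]
        login = member["LoginName"]
        roles = [b["Name"] for b in assignment.get("RoleDefinitionBindings", [])]
        if login.startswith("i:0#.f|membership|"):  # assumed SPO user-claim prefix
            result["direct"].append({"login": login.split("|")[-1], "roles": roles})
            continue
        url = graph_url_for(login)
        if url:
            result["graph_lookups"].append({"title": member["Title"], "url": url, "roles": roles})
        else:
            result["unresolved"].append({"login": login, "roles": roles})
    return result


if __name__ == "__main__":
    for bucket, entries in triage_role_assignments(SAMPLE_ROLE_ASSIGNMENTS).items():
        print(bucket)
        for entry in entries:
            print("  ", entry)
```

The point for an audit is that the REST response alone understates who can reach the site: the explicit grants are complete, but the two group claims each stand for an entire Microsoft 365 group whose owners and members have to be fetched from Graph separately, and the owner claim is only distinguishable from the member claim by the `_o` suffix.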

Related

Adding custom claim to id token based on group ownership existence on Azure AD

I have an (external to Azure) application to integrate with AzureAD through OIDC. The requirement is to add a custom claim to id_token with a list of groups where the user is an owner in AD.
For example if the user is in the owner of group with id = "123abc", I need to add the following custom claim to id_token.
"ownedGroups": ["123abc"]
If this is not possible, is there at least an option to add something like this:
"hasOwnedGroups": true
I could not find any relevant example for this in the docs. Can you share an example of doing this? If this is not possible in exactly the same way, I'd like to know the alternative solution for putting information about ownership in the id token.
Azure AD does not support Groups as source for custom claims or claims mappings. You can however create directory extensions, update them with any data you want and get them in the token as optional claims.

How to dynamic add users to AccessPackages in AzureAD under entitlement management?

You've got this great new feature in Azure AD under Entitlement management: Access Packages.
Packages including groups and what more for specific users and roles.
https://learn.microsoft.com/en-us/azure/active-directory/governance/entitlement-management-access-package-create
The issue I'm struggling with, is how can I add users by dynamic group without them having to request access first?
I feel like I'm overseeing something, but as it looks now you can only add a Dynamic Group & the users in the group can request access to the AccessPackages.
Has anyone else dealt with this already?
Please check the references and see if the below can be worked around in your case.
According to Create a new access package in entitlement management - Azure AD | Microsoft Docs:
If you want to bypass access requests and allow administrators to directly assign specific users to this access package, click None (administrator direct assignments only) in the request section to create a policy where users need not request access. For this, group selection is not there. Users won't have to request the access package.
But if you need to select a specific dynamic group for the policy:
You can create an access package with dynamic groups selected.
You can create a policy separately for the users of the dynamic group with require approval disabled and requests disabled.
Then, during assignment, requests are bypassed and approved even if the policy has request approval.
Even if require approval and requests are enabled in the first step, you can set a separate policy by setting bypass approval to yes.
Note: The dynamic group is to be given the owner role for access packages.
Reference: active-directory-entitlement-management-request-policy | (github)

Get preferred_username with microsoft graph API

I'm trying to get the preferred username of a user via the Graph API for Microsoft Office / Azure
If a user logs in via an enterprise application with an id_token I get the preferred_username claim.
This has the user's actual email address.
If I try to look up the user separately by ID, I can't find any way to get that username.
Seems related to Sign-in to Azure Active Directory using email as an alternate login ID (preview).
The user in question is using a GitHub linked account, it likely has an ugly UPN that I would prefer not to be seen anywhere. Instead I would like to use their preferred_username.
Example "ugly" UPN:
***_gmail.com#EXT##***gmail.onmicrosoft.com
To my knowledge, the preferred_username value isn't exposed by Graph in either v1.0 or Beta.
One potential workaround is to use the otherMails property. This is an array, so this may contain multiple entries for a given user. That said, any otherMails entry is likely to be less 'ugly'.
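As an added example (not code from the question or the answer), here is a Python helper that implements the fallback order the answer suggests: use the `preferred_username` claim when a token is available, otherwise the first `otherMails` entry from Graph, and only then fall back to the UPN. It also shows, as an assumption of this example rather than a documented API, a heuristic that turns a B2B guest UPN of the form `user_domain.tld#EXT#@tenant.onmicrosoft.com` back into `user@domain.tld` for display only. The claims and Graph objects are constructed.

```python
import re

# A guest UPN encodes the original address with '@' replaced by '_' and the
# '#EXT#' marker before the tenant domain. This regex is an assumption of the
# example; it is not taken from any Microsoft API documentation.
EXT_UPN_RE = re.compile(r"^(?P<mangled>.+)#EXT#@(?P<tenant>[^@]+)$", re.IGNORECASE)


def demangle_external_upn(upn):
    """Heuristically recover the original email from a '#EXT#' guest UPN.

    DNS labels cannot contain '_', so splitting on the LAST '_' is unambiguous
    even when the original local part itself contained underscores.
    Returns None if the UPN is not in the '#EXT#' form. Display use only: the
    recovered value is not verified and must never drive authorization.
    """
    m = EXT_UPN_RE.match(upn)
    if not m:
        return None
    mangled = m.group("mangled")
    if "_" not in mangled:
        return None
    local, domain = mangled.rsplit("_", 1)
    return f"{local}@{domain}"


def display_identity(token_claims, graph_user):
    """Pick the friendliest identifier and report which source it came from.

    token_claims: decoded claims of an ID token the app has already validated
                  (may be empty when the user was looked up by id only).
    graph_user:   a Graph user object (subset of fields is enough).
    """
    if token_claims and token_claims.get("preferred_username"):
        return token_claims["preferred_username"], "preferred_username"
    other_mails = graph_user.get("otherMails") or []
    if other_mails:
        # otherMails is an array; the first entry is an arbitrary but stable choice.
        return other_mails[0], "otherMails"
    upn = graph_user.get("userPrincipalName", "")
    recovered = demangle_external_upn(upn)
    if recovered:
        return recovered, "demangled_upn"
    return upn, "userPrincipalName"


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [
        ({"preferred_username": "john.doe@gmail.example"}, {}),
        ({}, {"otherMails": ["jd@example.org"],
              "userPrincipalName": "jd_example.org#EXT#@contoso.onmicrosoft.com"}),
        ({}, {"otherMails": [],
              "userPrincipalName": "john_doe_gmail.example#EXT#@contoso.onmicrosoft.com"}),
        ({}, {"userPrincipalName": "alice@contoso.example"}),
    ]
    for claims, user in samples:
        print(display_identity(claims, user))
```

Because `preferred_username` is a display claim that Azure AD documents as mutable and not to be used for authorization, this helper is deliberately limited to choosing what to show; identity decisions should still key on `oid` (and `tid`) from the validated token.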

Reliably identifying a Teams guest user

I have a Microsoft Teams tab app and I'm using SSO for authentication. My users are both native and guests. My requirement is to show different screens depending on the type of incoming user (native/guest), so I have to identify the user type first. To ensure security, I first obtain the id token for the incoming user and then validate it first before identifying the user type. Is there any reliable way to identify the incoming user type with just the id token? I don't trust the info in tab context.
If you don't want to use the Microsoft Graph API, you could add all the guest users to a security group and include the groups claim in your token as instructed here. You just need to modify the "groupMembershipClaims" field in the application manifest:
"groupMembershipClaims": "SecurityGroup"
Then the ID token will contain the IDs of the groups that the user belongs to, like below:
{
"groups": ["1ce9c55a-9826-4e32-871c-a8488144bb32"]
}
You can also Add app roles in your application and receive them in the token.
You can use the Microsoft Graph API (beta) Get user:
https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}
If the id token contains the objectId of the user, just put the objectId as the parameter of this API. In the response, we can find an attribute userType. The value of this attribute could be Member or Guest.
If the id token doesn't contain the objectId of the user but only the email, we can also put it as the parameter in the Graph API, but if the email belongs to a guest user, the API will not return response data. So I asked you in the comments whether it contains the objectId.
By the way, the attribute userType only exists in the beta version of the Microsoft Graph API and not in the v1.0 version. So if you're not comfortable with the beta version, I suggest using the Azure AD Graph API (Get user) instead of the Microsoft Graph API.
Hope it helps~
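As an added example (not code from the question or either answer), the following Python module combines the two approaches above into a single classification routine: it reads the `groups` claim from an ID token the app has already validated, falls back to a Graph `userType` lookup by `oid` when the token cannot answer, and treats the group-overage case (where Azure AD omits `groups` and emits `_claim_names`/`_claim_sources` instead) as "unknown" rather than silently assuming a member. The guest group id is the one shown in the answer's sample token; the other claims, the `fake_fetch_user` directory stub and the overage endpoint string are constructed.

```python
# Group id from the answer's sample token, used here as the "all guests" security group.
GUEST_GROUP_ID = "1ce9c55a-9826-4e32-871c-a8488144bb32"

# Constructed sample claim sets. All are assumed to come from tokens whose
# signature, issuer, audience and expiry were already checked.
GUEST_TOKEN_CLAIMS = {"oid": "aaaaaaaa-0000-0000-0000-000000000001",
                      "groups": [GUEST_GROUP_ID]}
MEMBER_TOKEN_CLAIMS = {"oid": "aaaaaaaa-0000-0000-0000-000000000002",
                       "groups": ["99999999-0000-0000-0000-000000000009"]}
# Overage: when a user is in too many groups, 'groups' is omitted and the token
# carries _claim_names/_claim_sources pointing at a directory endpoint instead.
OVERAGE_TOKEN_CLAIMS = {"oid": "aaaaaaaa-0000-0000-0000-000000000003",
                        "_claim_names": {"groups": "src1"},
                        "_claim_sources": {"src1": {"endpoint": "https://example.invalid/placeholder"}}}

# Constructed stand-in for 'GET /users/{id}' responses (hypothetical directory).
FAKE_DIRECTORY = {
    "aaaaaaaa-0000-0000-0000-000000000003": {"userType": "Guest", "displayName": "Overage Guest"},
    "aaaaaaaa-0000-0000-0000-000000000002": {"userType": "Member", "displayName": "Staff User"},
}


def fake_fetch_user(object_id):
    """Offline replacement for a Graph user lookup; returns {} for unknown ids."""
    return FAKE_DIRECTORY.get(object_id, {})


def classify_user_from_token(claims, guest_group_id):
    """Classify from the groups claim alone. Returns 'guest', 'member' or 'unknown'.

    'member' here means "not in the guest group", so it is only as reliable as
    the process that keeps every guest inside that group.
    """
    groups = claims.get("groups")
    if groups is not None:
        return "guest" if guest_group_id in groups else "member"
    # Either overage or the groups claim was never configured: do not guess.
    return "unknown"


def classify_from_graph_user(user):
    """Classify a Graph user object by its userType attribute."""
    user_type = user.get("userType")
    if user_type == "Guest":
        return "guest"
    if user_type == "Member":
        return "member"
    return "unknown"


def resolve_user_type(claims, guest_group_id, fetch_user):
    """Token-first classification with a Graph fallback.

    fetch_user is injected (callable(object_id) -> Graph user dict) so the
    logic can be exercised offline. An email-only token gets 'unknown': as the
    answer notes, looking a guest up by email does not return data.
    """
    verdict = classify_user_from_token(claims, guest_group_id)
    if verdict != "unknown":
        return verdict
    oid = claims.get("oid")
    if not oid:
        return "unknown"
    return classify_from_graph_user(fetch_user(oid))


if __name__ == "__main__":
    for label, claims in [("guest", GUEST_TOKEN_CLAIMS), ("member", MEMBER_TOKEN_CLAIMS),
                          ("overage", OVERAGE_TOKEN_CLAIMS), ("email-only", {"email": "x@example.invalid"})]:
        print(label, "->", resolve_user_type(claims, GUEST_GROUP_ID, fake_fetch_user))
```

Returning "unknown" instead of defaulting to "member" is the important design choice: a missing `groups` claim is exactly what an overage token or a misconfigured manifest looks like, and failing open there would show guests the member screens.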

Unable to get user company information on microsoft graph API

I'm having a problem with the Microsoft Graph API... Currently I have a web application that has an OpenID integration with Microsoft/Azure using the common v2 endpoint.
We are trying to get the signed in user company name and job information. The official docs say that we need to make a request to the MS Graph API.
We are testing it on Microsoft Graph Explorer, but it doesn't seem to work.
We've selected the 'User.Read' as a permission in our app, then tried these endpoints:
https://graph.microsoft.com/v1.0/me/
https://graph.microsoft.com/v1.0/me?$select=companyName,jobTitle
https://graph.microsoft.com/v1.0/users/?$select=companyName,jobTitle
In the MS official doc (https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference) in the User/Remarks section, it clearly says that
"On reads, only a limited number of properties are returned by default. To read properties that are not in the default set, use $select"
Is this doc outdated?
I've tried to reach MS support for developers, but they answered saying that I should ask this on Stack Overflow...
So probably there is no official support for developers?
Is it really possible to get the company name and job title from a MS account?
Thanks in advance!
edit. Update question with MS graph explorer screenshots
edit.2. Update screenshot with proper encoding.
Also, it's a MS account not an Azure account, since our web app accepts both of them on the common v2 endpoint.
Update
My goal was trying to get the Work Info section from a MSA account.
The documentation is correct, by default we only return a subset of user properties:
id
userPrincipalName
displayName
givenName
surname
jobTitle
mail
mobilePhone
businessPhones
officeLocation
preferredLanguage
If you want a different set of properties, you can request them using the $select query parameter. The queries you provided in your question should work fine. For example, when I execute https://graph.microsoft.com/v1.0/me?$select=companyName in Graph Explorer (after logging in with my credentials) I get the following:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(companyName)/$entity",
"companyName": "MICROSOFT"
}
Update Regarding MSA
When using Microsoft Graph against a Microsoft Account (MSA) there are several differences in what properties get surfaced. As an MSA is by definition a personal/individual account, organizational properties such as Job Title and Office Location are simply not applicable.