Is there a way in Graph API where advance query able to search group of users based on Email id and User Principal Name.
We are using filter parameter with "in" clause to search users
https://graph.microsoft.com:443/v1.0/users?$count=true&$filter=userPrincipalName in ('abc#xyz.com','pqr#xyz.com','guest#external#xyz.com)
Above URL works charm. But we see Mail instead of userPrincipalName, we are decided to query based on Mail or UserPrincipalName property. Is there any support for graph api to search against Mail and UPN property in single call. I tried with signInNames or otherMails or issuerAssignedId but they are not supported. Any better way for querying both UPN and Mail
• You can use the ‘OR’ in advanced query filter parameter to search for multiple users’ based on ‘UPN’ and ‘mail’ in a single query call as below: -
‘ https://graph.microsoft.com/v1.0/users?$count=true&$filter=mail in ('lobo#def.com') or userPrincipalName in ('abc#xyz.com') ‘
The above query will give the details of the users based on UPN as well as mail attribute and fetch the same data from Azure AD related to the users. It will fetch all the general information that is available in Azure AD.
Please find the below link for more details on using the OR operator: -
https://learn.microsoft.com/en-us/graph/query-parameters#filter-parameter
Related
I have an (external to Azure) application to integrate with AzureAD through OIDC. The requirement is to add a custom claim to id_token with a list of groups where the user is an owner in AD.
For example if the user is in the owner of group with id = "123abc", I need to add the following custom claim to id_token.
"ownedGroups": ["123abc"]
If this is not possible is there at least option to add sth like this
"hasOwnedGroups": true
I could not find any relevant example for this in docs. Can you share an example for doing this? If this is not possible in the exactly same way, I 'd like to know the alternative solution for putting information about ownership in id token.
Azure AD does not support Groups as source for custom claims or claims mappings. You can however create directory extensions, update them with any data you want and get them in the token as optional claims.
I am integrating AzureAD with a SCIM endpoint. So far integration seems to work: AzureAD sends "POST" requests to create users, then later it queries/updates users using their 'id'.
Reminder from SCIM standard (RFC 7643): The 'id' is
A unique identifier for a SCIM resource as defined by the service provider
My SCIM endpoint generates this unique ID upon user first creation. It sends this ID to AzureAD in the reply, as required by the standard. I know that AzureAD stores the ID somewhere, because it uses it in subsequent requests.
My question: where is this ID stored in AzureAD? I need to read it, so I can forward it somewhere else. Using Graph Explorer I tried a lot of properties:
https://graph.microsoft.com/v1.0/me?$select=id,userPrincipalName,extensions,employeeId,externalUserState,identities,externalId
But none of them work. They are empty or do not contain the SCIM id.
Does anyone know if the property is publicly available?
Azure AD Provisioning has an internal data store that is not exposed via any external/customer-facing APIs where this is stored. If the service is evaluating an object that it does not know the SCIM ID value for it will try to locate that using a filtered GET such as GET /Users?filter=userName eq "user#domain.com", but once it has located that object the service will store internally a record stating that object X in Azure AD with objectId value of 123 is matched to object Y in with ID value of 456.
To specifically answer your end goal of "I need to find this value in Azure AD and forward it somewhere else" - this is not possible.
It is not like you think that AAD will save the user id from SCIM.
You can use Provision on demand to understand how it works.
Simple steps:
Click on "Provision on demand" in SCIM enterprise app.
Then select an AAD user and click on "Provision".
After it is executed successfully, you will be able to see the following:
Import user is retrieving User from Azure Active Directory.
Determine if user is in scope is determining if User in scope by evaluating against each scoping filter.
Match user between source and target system is retrieving User from SCIM and matching it with the AAD User in step 1. This is the point that you didn't know before. AAD will Get User by query in this step.
GET /Users?filter=userName eq "{userName}"
Then the user id from SCIM will be returned (As above screenshot shows).
Perform action updates User in SCIM using the id from step 3.
So AAD doesn't store the id from SCIM. It queries the user in SCIM firstly to get the id and then use this id to send update request to SCIM endpoint.
I have a Microsoft Teams tab app and I'm using SSO for authentication. My users are both native and guests. My requirement is to show different screens depending on the type of incoming user (native/guest), so I have to identify the user type first. To ensure security, I first obtain the id token for the incoming user and then validate it first before identifying the user type. Is there any reliable way to identify the incoming user type with just the id token? I don't trust the info in tab context.
If you don't want to use Microsoft Graph API, you could add all the guest user into a security Group and include Groups claim in your token as instructed here. You just need to modify the "groupMembershipClaims" field in application manifest:
"groupMembershipClaims": "SecurityGroup"
Then the ID token will contain the Ids of the groups that the use belongs to like below :
{
"groups": ["1ce9c55a-9826-4e32-871c-a8488144bb32"]
}
You can also Add app roles in your application and receive them in the token.
You can use microsoft graph api(beta) get user.
https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}
If the id token contains objectId of the user, just put the objectId as the parameter of this api. In the response, we can find an attribute userType. The value of this attribute could be Member or Guest.
If the id token doesn't contain objectId of the user, just contains email. We can also put it as the parameter in the graph api, but if the email is a guest user, the api will not get response data. So I asked you if it contains objectId in the comments.
By the way, the attribute userType just exists in the beta version of microsoft graph api but not exist in the v1.0 version microsoft graph api. So if you're not comfortable with beta version, I suggest to use Azure AD graph api(get user) instead of Microsoft graph api.
Hope it helps~
I have large AAD Dynamic group that I need to search and query membership for (100K+ member group) and search for users by name. This group is generated based on a custom attribute on the user in AAD.
I am trying to figure out if I can get this information out the MS Graph or if I need to move these calls to the AAD Graph ?
I've checked the users for extensions and schema data but there doesn't seem to be anything there.
Are custom attributes not replicated in MS Graph?
The problem I am trying to solve is:
I have a people picker that I want to return results that satisfy membership of a this group. The problem is MS Graph doesn't support OData queries of the members of a group on their displayName. Since the group is driving by the custom attribute I was hoping to take a short cut and include that in my query
You may need to get the custom attribute with AAD Graph instead of MS Graph, seems the MS Graph will not return the custom attribute.
Sample of AAD Graph:
GET https://graph.windows.net/{tenant}/users/{objectId}
returns:
{
"odata.metadata": "https://graph.windows.net/{tenant}/$metadata#directoryObjects/Microsoft.DirectoryServices.User/#Element",
"odata.type": "Microsoft.DirectoryServices.User",
"objectType": "User",
...
"extension_917ef9adff534c858b0a683b6e6ec0f3_CreatedTime": 1518602039
}
Here are two posts related to this issue, see : How to get/set custom Azure Active Directory B2C user attributes in ASP.NET MVC? and How to read Azure B2C Custom Attributes with Graph API (works OK with Azure AD Graph)
I'm trying to set up an external active directory GAL on zimbra 8.8.7; My current working filter is
(&(|(displayName=*%s*)(cn=*%s*)(sn=*%s*)(givenName=*%s*)(mail=*%s*))(|(&(objectCategory=person)(objectClass=user)(!(homeMDB=*))(!(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=user)(|(homeMDB=*)(msExchHomeServerName=*)))(&(objectCategory=person)(objectClass=contact))(objectCategory=publicFolder)(objectCategory=msExchDynamicDistributionList)))
autocomplete filter is
(|(cn=%s*)(sn=%s*)(gn=%s*)(mail=%s*))
LDAP search base
dc=sub,dc=domain,dc=com
search and autocomplete returns all AD users, including admin accounts. What is a correct way to exclude administrators group from ldap search?
the accounts I need to exclude are in OU "Admins" and are members of couple of groups like Buildin "Administrators" and users "Domain Admins", "Enterprise admins", etc
I've tried adding (&(objectCategory=group)(!cn=Admin) but it doesn't seem to be valid.
Decided to post my workaround that is already in production. Couldn't make exclusion rule to work and another task required the real employees group to be created on AD anyway, so ended up adding all people accounts to group Staff and domain GAL search looks like this:
LDAP filter: (&(objectCategory=Person)(sAMAccountName=*)(memberOf=cn=Staff,ou=Groups,dc=dc1,dc=domainname,dc=com))
Autocomplete filter: (|(cn=%s*)(sn=%s*)(gn=%s*)(mail=%s*))
LDAP search base: dc=dc1,dc=domainname,dc=com