I can connect to our legacy company DOMAIN and query Active Directory. This has been my way to get the membership of groups.
We've added Office 365 and I cannot find the new groups added via Office 365 Groups (i.e., Teams, etc.) in Active Directory.
Is this a thing I should be able to do as an end user? And if so, how?
My preference (and what I've been using) is to query via Power Query
(i.e., Excel -> Data -> Get & Transform -> Get Data -> From Other Sources -> From Active Directory)
• As an end user, you have the default permission to view the groups and their members in an Azure AD tenant, so you can use the Microsoft Graph API explorer to view the groups and their related details in that console.
• Here is the link to access the Microsoft Graph Explorer - https://developer.microsoft.com/en-us/graph/graph-explorer. You will have to log in with your credentials in it and enter the below query with the ‘GET’ parameter set to get the list of all groups available in your tenant.
‘GET https://graph.microsoft.com/v1.0/groups’ – Please find the below screenshot for more details.
• Please find the below links for more information:
https://learn.microsoft.com/en-us/graph/api/group-list?view=graph-rest-1.0&tabs=http
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions
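The `GET /v1.0/groups` response is paged and mixes Microsoft 365 groups (the ones Teams creates, marked by `"Unified"` in `groupTypes`) with groups synced from on-premises AD (`onPremisesSyncEnabled` set). The sketch below is an added example, not part of the answer above; it walks the pages and sorts groups by kind. The `fetch` callable, the category labels and the sample pages are constructed for illustration so the code runs without a tenant.

```python
from typing import Callable, Iterator

GROUPS_URL = "https://graph.microsoft.com/v1.0/groups"

def iter_collection(fetch: Callable[[str], dict], url: str) -> Iterator[dict]:
    """Yield every item of a Graph collection, following @odata.nextLink."""
    seen = set()
    while url:
        if url in seen:  # a server bug or bad mock must not loop forever
            raise RuntimeError(f"paging loop at {url}")
        seen.add(url)
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def classify(group: dict) -> str:
    """Label a group by origin and type (labels are this example's own)."""
    if group.get("onPremisesSyncEnabled"):
        return "synced-from-ad"
    if "Unified" in (group.get("groupTypes") or []):
        return "microsoft-365"
    return "cloud-security" if group.get("securityEnabled") else "cloud-distribution"

def groups_by_kind(fetch: Callable[[str], dict], url: str = GROUPS_URL) -> dict:
    """Map each category to the display names of the groups in it."""
    out: dict = {}
    for group in iter_collection(fetch, url):
        out.setdefault(classify(group), []).append(group["displayName"])
    return out

# Constructed sample: two pages shaped like a Graph group list response.
NEXT_URL = GROUPS_URL + "?$skiptoken=CONSTRUCTED"
SAMPLE_PAGES = {
    GROUPS_URL: {"@odata.nextLink": NEXT_URL, "value": [
        {"id": "g1", "displayName": "Finance Team", "groupTypes": ["Unified"],
         "securityEnabled": False, "onPremisesSyncEnabled": None},
        {"id": "g2", "displayName": "Legacy-Finance", "groupTypes": [],
         "securityEnabled": True, "onPremisesSyncEnabled": True},
    ]},
    NEXT_URL: {"value": [
        {"id": "g3", "displayName": "Cloud-Admins", "groupTypes": [],
         "securityEnabled": True, "onPremisesSyncEnabled": None},
    ]},
}

def sample_fetch(url: str) -> dict:
    return SAMPLE_PAGES[url]

if __name__ == "__main__":
    print(groups_by_kind(sample_fetch))
```

Against a real tenant, `fetch` would be an authenticated HTTP GET that returns the parsed JSON body.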
Related
Can anybody help me with this, I'm stuck and reading didn't get me anywhere :(
My question is related to Azure Active Directory Group and SQL DW. I want to give database read access to an Azure Active Directory Group (AAD group). I took these steps for that:
I made two groups in AAD as Azure AnalytcisDW Admin Users and Azure AnalytcisDW Database Users, each with a bunch of users.
Then, I went to Azure Portal, selected my SQL DW and added Azure AnalytcisDW Admin Users group as Active Directory Admin (image below).
Then, I checked in SSMS and saw Azure AnalytcisDW Admin Users group is under master=>Security=>Users (see image below).
Now I want to give Azure AnalytcisDW Database Users group the (database) read permission (using SSMS or anything). I couldn't figure out how. I read a bunch of stuff for it and couldn't find my way through, such as:
Grant Access to SQL Server Table to AD user
Adding Users to Azure SQL Databases
I was able to do the same by using the below commands, where db_users (same as your Azure AnalytcisDW Database Users) is the Active Directory group, and I have used an ID from db_admin (same as your Azure AnalytcisDW Admin Users) to connect to Synapse.
Ref doc : RoleAssign, AADGroupUser
I am using the Microsoft Graph Explorer to query the list of users. The account I am using for this query is an admin account that is a member of multiple directories.
How can I control which directory to query using the Microsoft Graph API?
First, sign out of the Graph Explorer if you are already logged in, then hit https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=xxxxx (xxxxx is the tenant id) or https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=tenantname.onmicrosoft.com, log in to the account again, then you can list the users in the tenant you specify.
Do AAD Group objects have an onPremisesDomainName property, similar to that in User objects? I did not find it in the doc.
Just wondering why there isn't a parity with User objects.
The onPremisesDomainName contains the on-premises domainFQDN, also called dnsDomainName, synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect.
The domainFQDN and DnsDomainName have been added for Group objects as of version 1.1.553.0. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history
There are a number of similar threads worth checking out.
Find Domain Name in Active Directory
Get domain\username from microsoft graph
When I use:
string graphRequest = $"{graphResourceUri}/me/memberOf?api-version=1.6";
I get an empty array because my logged in user isn't a member of any Azure Groups (I'm assuming).
What I want is to get the list of Windows Domain Active Directory groups this user is a member of. Is there no way to retrieve this? I don't care about Azure groups.
I found out that it was because we didn't sync any groups between our Active Directory and Azure, we only synced users. After syncing the necessary AD group now it shows up when I query the user's group member within Azure.
I am using differential query (Azure AD Graph API) to detect changes in Azure AD from the last sync. I am getting all users, group memberships, manager changes. The only missing information is Directory Role assignment (e.g., Billing administrator, SharePoint administrator, etc.).
How can I detect a change in roles of any user?
API - https://graph.windows.net/{org}/directoryObjects?api-version=1.5&deltaLink=xxxxxttttxxxxxxxx
First, if you have enabled those Directory Roles, you can use AAD Graph API operations on directory roles to list members of those roles.
GET https://graph.windows.net/myorganization/directoryRoles/{object_id}/$links/members?api-version=1.6
But this API can also list service principals which are assigned this role.
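Since the differential query in the question does not report role assignments, one way to detect them is to store the member list of each directory role at every sync and diff it against the previous run. This is an added example, not code from the thread; the `url` entry shape in the sample responses, the GUIDs and the use of role names as dictionary keys are assumptions constructed for illustration.

```python
import re

# Assumed link shape: .../directoryObjects/<guid>/Microsoft.DirectoryServices.<Type>
LINK_RE = re.compile(
    r"/directoryObjects/(?P<id>[0-9a-fA-F-]{36})"
    r"/Microsoft\.DirectoryServices\.(?P<kind>\w+)$"
)

def parse_members(links_response: dict) -> set:
    """Turn one role's member-links response into {(object_id, object_type)}."""
    members = set()
    for entry in links_response.get("value", []):
        match = LINK_RE.search(entry.get("url", ""))
        if not match:
            # Fail loudly: silently skipping a member would hide an assignment.
            raise ValueError(f"unrecognised member link: {entry!r}")
        members.add((match["id"].lower(), match["kind"]))
    return members

def snapshot(responses_by_role: dict) -> dict:
    """Build {role: member set} from the per-role responses of one sync."""
    return {role: parse_members(resp) for role, resp in responses_by_role.items()}

def diff_roles(previous: dict, current: dict) -> list:
    """List (action, role, object_id, object_type) changes between two snapshots."""
    changes = []
    for role in sorted(set(previous) | set(current)):
        old, new = previous.get(role, set()), current.get(role, set())
        changes += [("added", role, oid, kind) for oid, kind in sorted(new - old)]
        changes += [("removed", role, oid, kind) for oid, kind in sorted(old - new)]
    return changes

# Constructed sample data: two syncs, with made-up object ids.
BASE = "https://graph.windows.net/myorganization/directoryObjects/"
USER_A = "11111111-1111-1111-1111-111111111111"
APP_B = "22222222-2222-2222-2222-222222222222"
USER_C = "33333333-3333-3333-3333-333333333333"

def link(oid: str, kind: str) -> dict:
    return {"url": f"{BASE}{oid}/Microsoft.DirectoryServices.{kind}"}

PREVIOUS = snapshot({
    "Billing administrator": {"value": [link(USER_A, "User")]},
    "SharePoint administrator": {"value": [link(USER_C, "User")]},
})
CURRENT = snapshot({
    "Billing administrator": {"value": [link(USER_A, "User"),
                                        link(APP_B, "ServicePrincipal")]},
    "SharePoint administrator": {"value": []},
})

if __name__ == "__main__":
    for change in diff_roles(PREVIOUS, CURRENT):
        print(change)
```

Keeping the object type in each record matters because, as noted above, a role's member list can contain service principals as well as users.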