Ms Teams OnlineMeeting anonymous user joining authentication - azure-active-directory

An online meeting event is created using the MS Graph API with attendees outside the organization who are not part of Azure AD either. The meeting invite is sent to the attendees' mail IDs automatically. So is there any way to authenticate whether a user entering the lobby as a guest is one of the attendees added while creating the event?
The use case is scheduling virtual interviews, so basically the attendee will not be part of the organization or Azure AD.

Now the MS Graph API cannot determine whether the guest or anonymous user is an attendee.
But we can identify it by other method.
The login behavior of attendees is as follows: when you are logged in to the attendee's account, you will see a login interface that is different from that of anonymous users. If you are not logged in to the attendee's account, you can first enter an anonymous name and then click sign in to log in to the account. The meeting will then recognize you as an attendee, not an anonymous user.
You can require the interviewees to sign in with the email id you invited. In this way you can determine whether this user has joined this meeting as an attendee or not.

Related

Inviting a consumer to Azure AD B2C with custom in-app attributes

Inviting a consumer user to Azure AD B2C has been covered by other Stack Overflow questions & answers, and AFAIK requires the use of custom policies that entail a signed JWT being created and used during invite redemption.
What I'm trying to figure out: In our application, we have differently permissioned user groups and different organisations managed by internal RBAC logic. We identify & authorize users based on their oid claim in the access token that's returned to msal-react/msal-browser and used to authenticate against our backend's API.
In Microsoft Graph, a user can be invited and the API will respond with the created user's oid. However, this is the wrong type of user and not appropriate for B2C scenarios.
With the custom policy route not creating the user object in AAD B2C at the time of invite, and therefore without knowing the user's oid at the time of inviting them to the application, what might be the best way to configure their in-app profile and have them identifiable to the application itself upon first login?
My thought at the moment is to have the application store the emails of users that are invited who have not yet redeemed/signed-in. We can configure the emails claim to be returned upon login, which is checked against the invited emails store when an oid claim is returned that isn't present in the database. This can then trigger a function to update the user's internal id with the oid in their first login's claim.
If this is inadvisable or if there's a better way, I'd be very grateful to hear it.
It would work, or you could just pre-create the user up front via the MS Graph API. Then you have an email and objectId available.
You could also put an extension attribute on the account indicating whether the user has redeemed their invite. That would allow you to monitor who has redeemed, and also be a way to provide a different experience depending on if the user has redeemed or not redeemed the link.
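The reconciliation the question sketches (match a first sign-in's `emails` claim against a store of invited addresses, then bind the returned `oid` to the prepared profile) as an added, self-contained example; it is not code from the question or the answer. The in-memory `UserStore` and the `claims` dicts are constructed stand-ins for the application's database and for an already validated token.

```python
"""Reconcile a first-time B2C sign-in against an invited-email store.

Added example, not code from the question or answer. `UserStore` is a
constructed stand-in for the application's database; the claims dicts
passed in stand for an ID/access token that has already been validated.
"""
from dataclasses import dataclass, field


@dataclass
class UserStore:
    # oid -> internal profile, populated once a user has signed in
    by_oid: dict = field(default_factory=dict)
    # normalised invited e-mail -> profile prepared at invite time;
    # an entry still being here doubles as "invite not yet redeemed"
    pending_invites: dict = field(default_factory=dict)


def _normalise(email: str) -> str:
    # Case-insensitive comparison so "Alice@Example.com" redeems "alice@example.com"
    return email.strip().lower()


def invite(store: UserStore, email: str, org: str, role: str) -> None:
    """Record the in-app profile for an address before the user exists in B2C."""
    store.pending_invites[_normalise(email)] = {"org": org, "role": role}


def resolve_login(store: UserStore, claims: dict):
    """Return the caller's internal profile, or None if the caller is unknown.

    `oid` is the stable identifier used for authorisation from then on;
    `emails` is the B2C claim, which is a list because an account can
    carry several addresses. It is only consulted on the very first login.
    """
    oid = claims.get("oid")
    if not oid:
        return None
    profile = store.by_oid.get(oid)
    if profile is not None:
        return profile  # returning user: the oid is already bound

    # First login: require exactly one pending invite among the token's emails.
    matches = [
        _normalise(e)
        for e in claims.get("emails", [])
        if _normalise(e) in store.pending_invites
    ]
    if len(matches) != 1:
        return None  # unknown or ambiguous caller: treat as unauthorised

    prepared = store.pending_invites.pop(matches[0])  # marks the invite redeemed
    profile = {**prepared, "oid": oid, "email": matches[0]}
    store.by_oid[oid] = profile
    return profile
```

Once the `oid` is bound, later logins never consult the `emails` claim again, so a later change of address on the account cannot hijack an existing profile; an address that matches no pending invite yields no profile at all.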

Getting user role in Team or channel

I have a Microsoft Teams group tab and I'd like to implement a permission system in which users can do different things in the tab depending on their role in the team (or channel). The context I get from the Teams JavaScript API cannot be trusted, so I have to check group/team/channel role through the MS Graph API.
The only way I've found to check whether a user is an owner or only a member of a team is to call /teams/{groupId}/channels/{channelId}/members. In the response I can see which roles users have, and so I can find out if the current user has owner privileges.
The problem is that this endpoint requires admin consent (I guess because it displays data of other users). I'd like to avoid having to ask for admin consent, however. Is there another way of finding out about the role of a user in a team without admin consent? (As private channels behave differently in Teams, this would be the same as finding out about the role in a channel)
I know that I can get whether a user is in a group through the optional group claims that are added to the ID token, but this doesn't include the role inside the group/team/channel.
To read a user's role in a channel currently requires admin consent; the permission needed is ChannelMember.Read.All, see the list conversation member documentation here. Admin consent is also required to get a member of a team or list members in a team. For your particular use case, I would recommend asking your admin to grant these permissions.
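The server-side role check the question describes, as an added example that is not code from the question or the answer: it walks the `/teams/{groupId}/channels/{channelId}/members` collection (following `@odata.nextLink` pages) and decides owner versus member from the `roles` array, so the decision never rests on the client-controlled Teams context. `fetch_json` is an assumed caller-supplied callable that performs the authenticated GET; the sample pages are constructed to mirror the shape of a conversationMember collection.

```python
"""Decide a user's role in a Teams channel from Graph data, not client context.

Added example, not from the question or answer. `fetch_json(url)` is an
assumed callable that performs an authenticated GET against Graph and
returns the decoded JSON body; SAMPLE_PAGES is a constructed stand-in.
"""
GRAPH = "https://graph.microsoft.com/v1.0"


def iter_members(fetch_json, team_id, channel_id):
    """Yield every conversationMember of the channel, following paging links."""
    url = f"{GRAPH}/teams/{team_id}/channels/{channel_id}/members"
    while url:
        page = fetch_json(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")  # None on the last page


def channel_role(fetch_json, team_id, channel_id, user_id):
    """Return "owner", "member", or None when the user is not in the channel.

    `user_id` must come from a validated token (e.g. the oid claim), not
    from anything the Teams client sent, since that can be forged.
    """
    for member in iter_members(fetch_json, team_id, channel_id):
        if member.get("userId") == user_id:
            return "owner" if "owner" in member.get("roles", []) else "member"
    return None


# Constructed sample: two pages, as Graph returns for a large channel.
SAMPLE_PAGES = {
    f"{GRAPH}/teams/team-1/channels/chan-1/members": {
        "value": [{"userId": "u-owner", "roles": ["owner"], "displayName": "Owner"}],
        "@odata.nextLink": f"{GRAPH}/teams/team-1/channels/chan-1/members?$skiptoken=p2",
    },
    f"{GRAPH}/teams/team-1/channels/chan-1/members?$skiptoken=p2": {
        "value": [{"userId": "u-member", "roles": [], "displayName": "Member"}],
    },
}


def sample_fetch(url):
    """Offline stand-in for the authenticated GET."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    for uid in ("u-owner", "u-member", "u-stranger"):
        print(uid, channel_role(sample_fetch, "team-1", "chan-1", uid))
```

A user who is not present in the collection gets `None` rather than a default of "member", so the tab denies by default and only grants on positive evidence from Graph.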

Invitation API has no user group option to add the invited user to

On Azure AD B2B, when we are inviting a user to use the application, we have the possibility to add the invited user to a group. From what I see here: https://learn.microsoft.com/pl-pl/azure/active-directory/b2b/customize-invitation-api the invitation API does not have such a possibility. Is there anything we could do to send the invitation from our application and add the invited user to a concrete group during the process?
The invitation API does not have such a possibility. You need two steps to achieve this. You can integrate them into one behavior.
1. Send the invitation.
2. Get the user id from step 1, then add the invited user to a group.

O365 - Unable to get Guest user email in SPPagecontextinfo

We have leveraged B2B to add 8 domains into one domain. Upon completion of adding other domain users as guest users, they are able to access the SharePoint site successfully. But the logged-in user information like login name, email address & user ID is empty in the SP page context info.
I have tried a scenario like adding my organization account to the client tenant and verified it. I'm able to get the context info about login name, email address & user ID.
Let me know if anyone has faced a similar issue & any configurations to be made at the source Azure AD/new Azure AD?

Any API for MS Graph/AAD to add users to tenant as guests, without invite email?

Is there any API, that allows the ability in app context or app+user context, to directly guest a user into a tenant without going through the invitation/redemption workflow?
I see this, https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/resources/invitation, it shows how to suppress the email but it still forces a manual redemption process.
And it looks like the graph API only has "Create User", no "Add Guest". User does have a field userType that could be "Guest", but it seems like this API is geared toward creating new users, so my hunch is this wouldn't work.
Requirement:
User User1 is trying to invite users from Tenant-B to Tenant-A. The requirement is that there should not be any manual redemption process and redemption should happen automatically.
Solution:
Add the user User1 to Tenant-B as a member user (UserType == Member). Now User1 can invite any user from Tenant-B to Tenant-A without forcing manual redemption.
In the invite API set sendInvitationMessage = false to avoid sending the invitation email.
https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/resources/invitation
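The two-step flow from the invitation-API answer above (create the invitation, then add the returned user id to a group) combined with the `sendInvitationMessage = false` setting from this answer, as one added example; it is not code from either answer. `post_json(url, body)` is an assumed caller-supplied callable that carries the bearer token and returns the decoded response; `FakeGraph` is a constructed stand-in so the flow runs offline. The endpoints, field names and the `$ref` member-add shape are the Graph v1.0 ones.

```python
"""Invite a guest without the invitation e-mail, then add the guest to a group.

Added example, not code from either answer. `post_json(url, body)` is an
assumed callable that performs an authenticated POST and returns the decoded
JSON; `FakeGraph` is a constructed stand-in used to run the flow offline.
The app needs User.Invite.All for step 1 and GroupMember.ReadWrite.All for
step 2 (or broader permissions that include them).
"""
GRAPH = "https://graph.microsoft.com/v1.0"


def invitation_body(email, redirect_url, send_mail=False):
    """Build the POST /invitations body; send_mail=False suppresses the e-mail."""
    return {
        "invitedUserEmailAddress": email,
        "inviteRedirectUrl": redirect_url,
        "sendInvitationMessage": send_mail,
    }


def invite_and_add_to_group(post_json, email, redirect_url, group_id):
    """Return the new guest's object id after both Graph calls succeed."""
    # Step 1: create the invitation. The response carries the guest user object
    # that Graph created in the tenant, so its id is known immediately.
    inv = post_json(f"{GRAPH}/invitations", invitation_body(email, redirect_url))
    user_id = inv["invitedUser"]["id"]

    # Step 2: add that directory object to the group by reference.
    post_json(
        f"{GRAPH}/groups/{group_id}/members/$ref",
        {"@odata.id": f"{GRAPH}/directoryObjects/{user_id}"},
    )
    return user_id


class FakeGraph:
    """Constructed stand-in that records calls and answers like Graph would."""

    GUEST_ID = "00000000-0000-0000-0000-000000000042"  # placeholder object id

    def __init__(self):
        self.calls = []

    def post_json(self, url, body):
        self.calls.append((url, body))
        if url.endswith("/invitations"):
            return {
                "invitedUser": {"id": self.GUEST_ID},
                "inviteRedeemUrl": "https://example.invalid/redeem",
            }
        return {}  # POST .../members/$ref returns 204 No Content


if __name__ == "__main__":
    fake = FakeGraph()
    uid = invite_and_add_to_group(
        fake.post_json, "guest@example.com", "https://app.example.invalid", "grp-1"
    )
    print("invited", uid, "with", len(fake.calls), "Graph calls")
```

Because step 2 only runs after step 1 has returned an id, a failed invitation never leaves a dangling group reference; if step 2 fails, the guest exists but is not yet in the group, which the caller can retry idempotently.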
