How can be added custom attribute for user in Azure AD B2B using API?
A found a way for External Identities but I'm looking for custom attributes regardless of user type.
For example, I want to have the attribute "FavoriteColor" for every user (member or guest)
How can I achieve that?
You can use Microsoft Graph API Create extensionProperty.
Specify the targetObjects as "User".
An example (you can use any of your app registrations for {object id of the app registration}):
Post https://graph.microsoft.com/v1.0/applications/{object id of the app registration}/extensionProperties
{"name":"customAttribute","dataType":"string","targetObjects":["User"]}
It will generate an extension property named extension_{client id of the app registration without "-"}_customAttribute.
Then you can update the extension property for the member or guest user:
Patch https://graph.microsoft.com/v1.0/users/{user id}
{"extension_{client id of the Azure AD application without "-"}_customAttribute":"value"}
Use Microsoft Graph Explorer to have a quick test.
Microsoft Graph auth overview and Microsoft Graph SDK for your reference.
Related
I have an (external to Azure) application to integrate with AzureAD through OIDC. The requirement is to add a custom claim to id_token with a list of groups where the user is an owner in AD.
For example if the user is in the owner of group with id = "123abc", I need to add the following custom claim to id_token.
"ownedGroups": ["123abc"]
If this is not possible is there at least option to add sth like this
"hasOwnedGroups": true
I could not find any relevant example for this in docs. Can you share an example for doing this? If this is not possible in the exactly same way, I 'd like to know the alternative solution for putting information about ownership in id token.
Azure AD does not support Groups as source for custom claims or claims mappings. You can however create directory extensions, update them with any data you want and get them in the token as optional claims.
I have an issue with accessing user data with microsoft graph api.
Context : I have a web app with a calendar inside for my users. I would like to give the user the possibility to synchronise this calendar with their microsoft calendar. I did the same thing with google calendars and it works well.
Problem : I registered an app on azure and setup my code with the correct access to login and get a token from the graph api.
It kinda works but i can only log in with the address i used to create my app on azure.
So lets say my admin address on azure is test#azure.com , then i can log in and access the data i want . But if i try with another address like for example test#customer.com, then it fails and display this message :
I keep looking for a way but the Microsoft graph documentation doesn't seem to talk about this problem.
I tried to add the account as an external user, like the message says (and maybe i did it wrong i'm not really sure of this part) but then i can log in but the data i can access doesn't match the data on the account i tried with, as if adding the user as an external user created a "new" user in my organisation.
What I want : I would like to be able to access the data of any user that try to log in with a microsoft email (if they accept the permissions of course).
It's my first time using the graph api so maybe i'm missing something simple...
Thanks
Based on the So thread reference:
When a user authenticates against your tenant, you only have access to the data controlled by your tenant. In other words, if test1#outlook.com authenticates against yourtenant.onmicrosoft.com tenant, you don't gain access to their outlook.com email.
Reason you're able to see the outlook.com email from Graph Explorer is that Graph Explorer is authenticating against their outlook.com account.
In other way, Graph Explorer is authenticating test1#outlook.com against the outlook.com tenant, not yourtenant.onmicrosoft.com.
When a user authenticates against a given tenant, that token only provides access to data within that single tenant. Microsoft Graph does not allow you to cross tenant boundaries.
Thanks Hong for the comment, you may also set your app registration to "multitenant + personal accounts"
So Reference: MS Graph External User 401 Unathorized
I have large AAD Dynamic group that I need to search and query membership for (100K+ member group) and search for users by name. This group is generated based on a custom attribute on the user in AAD.
I am trying to figure out if I can get this information out the MS Graph or if I need to move these calls to the AAD Graph ?
I've checked the users for extensions and schema data but there doesn't seem to be anything there.
Are custom attributes not replicated in MS Graph?
The problem I am trying to solve is:
I have a people picker that I want to return results that satisfy membership of a this group. The problem is MS Graph doesn't support OData queries of the members of a group on their displayName. Since the group is driving by the custom attribute I was hoping to take a short cut and include that in my query
You may need to get the custom attribute with AAD Graph instead of MS Graph, seems the MS Graph will not return the custom attribute.
Sample of AAD Graph:
GET https://graph.windows.net/{tenant}/users/{objectId}
returns:
{
"odata.metadata": "https://graph.windows.net/{tenant}/$metadata#directoryObjects/Microsoft.DirectoryServices.User/#Element",
"odata.type": "Microsoft.DirectoryServices.User",
"objectType": "User",
...
"extension_917ef9adff534c858b0a683b6e6ec0f3_CreatedTime": 1518602039
}
Here are two posts related to this issue, see : How to get/set custom Azure Active Directory B2C user attributes in ASP.NET MVC? and How to read Azure B2C Custom Attributes with Graph API (works OK with Azure AD Graph)
I am working with School Data Sync(SDS) and Azure Active Directory with Microsoft Graph API with a custom Web App that is being developed.
I require read and write to the SDS objects (class, school etc) created by a SDS sync profile.
Reading https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/educationroot_list_schools
and related documentation - I can potentially achieve the above.
Yet the required permissions (
EduRoster.Read.All, EduRoster.ReadWrite.All
)
are not available to be set in the Active Directory Portal (using application > Settings > Required Permissions > Microsoft Graph)
How can I perhaps set the required permissions, perhaps by some other means or through the portal, for my app?
The documentation you posted is right. The documentation shows Permissions's Name directly. Acutally, if you use v2 endpoint application in Microsoft App Registration Portal to choose permissions, you will see these permissions directly.
For this case, the permissions you saw in the Azure portal is the permission's Display String.
For Example:
Application permissions: EduRoster.ReadWrite.All 's Display string is Read and write the organization's roster.
So, you can add these permissions for your scenario:
You can see details about Microsoft Graph Permissions Reference in this documentation.
As per the guidelines specified in the Microsoft Azure Docs, I have configured a custom attribute to sync with Azure AD.
When viewing the Tenant Schema Extension App in the Microsoft Graph Explorer
using /beta/applications/Blocked_Tenant_Schema_Extension App_Id/extensionProperties, I can see the extension property has been registered.
The problem is I can't work out how to view this in the Microsoft Graph for a user.
I have tried using Extensions for a user, but can't see it against that.
I have also tried using Directory Object in the Microsoft Graph https://graph.microsoft.com/beta/directoryObjects/Blocked-User-Id?$select=id,extension_Blocked-App-ID_otherTelephone
If you get the user and $select the extension, it should be returned.
E.g.:
https://graph.microsoft.com/v1.0/users/user#company.com?$select=id,extension_b569610d09e44cddbadeb9beaaaaaaaa_ApiRoles
One important thing to note is that the property has the app's id without dashes.