Get preferred_username with microsoft graph API - azure-active-directory

I'm trying to get the preferred username of a user via the Graph API for Microsoft Office / Azure
If a user logs in via an enterprise application with an id_token I get the preferred_username claim.
This has the user's actual email address.
If I try to look up the user separately by ID, I can't find any way to get that username.
Seems related to Sign-in to Azure Active Directory using email as an alternate login ID (preview).
The user in question is using a GitHub linked account, it likely has an ugly UPN that I would prefer not to be seen anywhere. Instead I would like to use their preferred_username.
Example "ugly" UPN":
***_gmail.com#EXT##***gmail.onmicrosoft.com

To my knowledge, the preferred_username value isn't exposed by Graph in either v1.0 or Beta.
One potential workaround is to use the otherMails property. This is an array, so this may contain multiple entries for a given user. That said, any otherMails entry is likely to be less 'ugly'.

Related

Microsoft Graph external user access

I have an issue with accessing user data with microsoft graph api.
Context : I have a web app with a calendar inside for my users. I would like to give the user the possibility to synchronise this calendar with their microsoft calendar. I did the same thing with google calendars and it works well.
Problem : I registered an app on azure and setup my code with the correct access to login and get a token from the graph api.
It kinda works but i can only log in with the address i used to create my app on azure.
So lets say my admin address on azure is test#azure.com , then i can log in and access the data i want . But if i try with another address like for example test#customer.com, then it fails and display this message :
I keep looking for a way but the Microsoft graph documentation doesn't seem to talk about this problem.
I tried to add the account as an external user, like the message says (and maybe i did it wrong i'm not really sure of this part) but then i can log in but the data i can access doesn't match the data on the account i tried with, as if adding the user as an external user created a "new" user in my organisation.
What I want : I would like to be able to access the data of any user that try to log in with a microsoft email (if they accept the permissions of course).
It's my first time using the graph api so maybe i'm missing something simple...
Thanks
Based on the So thread reference:
When a user authenticates against your tenant, you only have access to the data controlled by your tenant. In other words, if test1#outlook.com authenticates against yourtenant.onmicrosoft.com tenant, you don't gain access to their outlook.com email.
Reason you're able to see the outlook.com email from Graph Explorer is that Graph Explorer is authenticating against their outlook.com account.
In other way, Graph Explorer is authenticating test1#outlook.com against the outlook.com tenant, not yourtenant.onmicrosoft.com.
When a user authenticates against a given tenant, that token only provides access to data within that single tenant. Microsoft Graph does not allow you to cross tenant boundaries.
Thanks Hong for the comment, you may also set your app registration to "multitenant + personal accounts"
So Reference: MS Graph External User 401 Unathorized

Get object identifier of Microsoft account from shared tenant (9188040d-6c67-4c5b-b112-36a304b66dad)

Is there a way to get value of "objectIdentifier" claim for Microsoft account?
Case: I have an app with one form field, email (need's to be Microsoft account). When this email is entered, server (back end) need's to find out value of object identifier (user ID) in common tenant for all Microsoft accounts (section "tid").
Normally, if this was normal tenant in Azure Active Directory I would create Azure AD app and generated client secret for accessing Graph API, directory endpoint. Unfortunately, this is "special" tenant and I don't know is there any API I can call (as application) to get id of user (best option would be GetUserIdByEmail(email)).
I understand this is weird case but life is hard :)
Asking user to login and then retrieving value from token is not an option!
There is no API that I'm aware of where you could query for MS personal accounts' info without logging a user in.
If you think about it, it would be quite an easy source of building a user list for attacks :)
You will need to log them in to get their id, I don't think you can know it in advance.

Restricting Microsoft Graph (or Azure AD Graph) read permissions

Further to the question raised here
Get all user properties from microsoft graph
Yes, I can obtain full user profile data using the graph query but from the perspective of the tenant, can I restrict the graph query to only be able to access the basic profile data?
Azure AD graph has delegated permissions for user.readBasic.all which restricts this. We have a 3rd party app that accesses the Azure directory to retrieve basic data to set up accounts in its user directory and we need to restrict this to the basic data due to the security risk. We cannot rely on the 3rd party just doing the right thing all the time.
So I need a way to set the app to allow app permissions (not delegated as the read occurs every 4 hours without human involvement) for user.readBasic.all.
If you want restrict the returned field from the "user.readBasic.all", the best way is you implement a custom handler(API/Service and so on). No directly official channel to do this now. (user.readBasic allows the app to read the full profile of the signed-in user, because after the user sign-in it means he has authorized the APP to get his information.)
You can check the blog for graph permission for here: https://blogs.msdn.microsoft.com/aaddevsup/2018/05/21/finding-the-correct-permissions-for-a-microsoft-or-azure-active-directory-graph-call/
And for the detail of the "user.readBasic.all" you have pointed from official link(https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference#user-permissions) Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions and photo. Also allows the app to read the full profile of the signed-in user.

Delegate and impersonate as a user with admin/app credentials

One thing I do currently in an enterprise app is logon to a single admin email account that has delegation over other users and using delegation, we are able to manipulate email/calendar/contacts of users.
I'm looking to use the Microsoft Graph API and I have managed to use admin delegation and gain access to various resources, however last modified (on Onedrive/Sharepoint) is showing the app instead of an individual user.
I understand I can use Oauth and logon as individual users, capture a token and then do what I need under the context of that user, but, I need to do this server side where tasks run. Is there anyway to use admin approved delegation/impersonation from the app so that the users don't have to signin?
e.g. standard that works:
https://graph.microsoft.com/v1.0/sites/my-site.office.com/drive/root:/file.txt:/content
Looking to add a user tag, but this doesn't work:
https://graph.microsoft.com/v1.0/user/{id-of-user}/sites/my-site.office.com/drive/root:/file.txt:/content`
After searching for ages, the closest I have read seems to be in here however, I was wondering if there was a standard way of doing this - I haven't been able to get the JWT part of this working (and not sure if this is even the correct thing I am looking for).

Get domain\username from microsoft graph

We have an application where we store users login name in the format domain\username. We authenticate via windows and then get additional info from our database by matching the domain\username we get from the user to our database.
Now they want to move to the cloud. We authenticate users via apps in Azure AD. However, the user identifier we get back is first.last#domain.com.
I have fiddled around with https://graph.microsoft.com/v1.0/users/email and the select command to try and get the 'old' name. Howev,er I have not yet found out how to get it.
The reason they move to the cloud is that they are merging two ADs. So some users will be DomainA and some DomainB, but in the same tenant. So my first thought was to try and convert the mail to the other format. However, the two different ADs have different naming standards. One has DOMAINA\fila (two first letters from the first name and two first letters from the last name) and the other one has DOMAINB\firlas. Also it feels really ugly to try and solve it that way.
Is it possible to fetch the users loginname formatted as domain\username via Microsoft Graph?
Using the beta edition of Graph, you can obtain the user's domain and username from the onPremisesDomainName and onPremisesSamAccountName properties:
/beta/users?$select=userPrincipalName,onPremisesDomainName,onPremisesSamAccountName
The domain is stored as a FQDN so you'll need to do some translation. For example, domainName.ad.contoso.com might translate to domainName\).
This will give you a workaround so you can match up users with your internal databases. It is however only a temporary solution. Long-term, you really want to migrate to using the userPrincipalName. This is the primary user identifier and guaranteed to be unique within a given tenant.
Azure AD is a little different than the legacy Active Directory. Certain concepts from legacy AD such as Organizational Units (OUs), Group Policy Objects (GPOs), Kerberos Authentication, Lightweight Directory Access Protocol (LDAP), Domain trusts between multiple domains, and several others simply do not exist in the cloud.

Resources