List users for a different Active Directory using Microsoft Graph - azure-active-directory

I am using the Microsoft Graph Explorer to query the list of users. The account I am using for this query is an admin account that is a member of multiple directories.
How can I control which directory to query using the Microsoft Graph API?

First, sign out of the Graph Explorer if you are already logged in, then open https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=xxxxx (xxxxx is the tenant ID) or https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=tenantname.onmicrosoft.com, log in with the account again, and then you can list the users in the tenant you specified.

Related

How to query Azure Active Directory as an end user

I can connect to our legacy company DOMAIN and query Active Directory. This has been my way to get the membership of groups.
We've added Office 365 and I cannot find the new groups added via Office 365 Groups (ie, Teams, etc) in Active Directory.
Is this a thing I should be able to do as an end user? And if so, how?
My preference (and what I've been using) is to query via Power Query
(i.e. Excel -> Data -> Get & Transform -> Get Data -> From Other Sources -> From Active Directory).
• As an end user, you have the default permission to view the groups and their members in an Azure AD tenant, so you can use the Microsoft Graph Explorer to view the groups and their related details in that console.
• Here is the link to access the Microsoft Graph Explorer - https://developer.microsoft.com/en-us/graph/graph-explorer. You will have to log in with your credentials and enter the query below with the method set to ‘GET’ to get the list of all groups available in your tenant.
‘GET https://graph.microsoft.com/v1.0/groups’ – Please find the below screenshot for more details.
• Please find the below links for more information:
https://learn.microsoft.com/en-us/graph/api/group-list?view=graph-rest-1.0&tabs=http
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions

Microsoft Graph API getting groups

I am using the Microsoft Graph API to access groups in Azure Active Directory. I have created two groups in AAD, one named OIC and the other named testing.
When I test using the Microsoft Graph Explorer, the URL that I use is
GET https://graph.microsoft.com/v1.0/groups
Response:
{
"@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups",
"value": []
}
Why do I get an empty value for groups even though I have groups in AAD?
I have logged in as admin user.
It seems that you have created groups in a tenant which is not your home tenant.
It means credentials are only owned by a single tenant. The tenant is discovered by Graph Explorer based on domain. You cannot use Graph Explorer to query tenants your account is a guest on, it can only query the tenant that owns the account. It retrieves data from the tenant you (or your app) authenticated against. It cannot query across multiple tenants.
The only way to use those creds with another tenant would be to force the OAuth URI to use that tenant's ID instead of common. This isn't supported by Explorer. You'd have to download the source and re-engineer the auth process.
Reference SO thread: https://stackoverflow.com/questions/53341544/how-can-i-change-default-tenant-in-microsoft-graph-explorer#:~:text=If%20you%20want%20to%20sign,use%20tenant%20query%20string%20parameter.&text=A%20simple%20url%20to%20go,or%20tenantId%2C%20both%20work).

Microsoft Graph - Can't get users Windows AD groups

When I use:
string graphRequest = $"{graphResourceUri}/me/memberOf?api-version=1.6";
I get an empty array because my logged-in user isn't a member of any Azure groups (I'm assuming).
What I want is to get the list of Windows Domain Active Directory groups this user is a member of. Is there no way to retrieve this? I don't care about Azure groups.
I found out that it was because we didn't sync any groups between our Active Directory and Azure; we only synced users. After syncing the necessary AD group, it now shows up when I query the user's group membership within Azure.

Azure AD Differential query - Detect change in Directory role assignment for a user

I am using differential query (Azure AD Graph API) to detect changes in Azure AD since the last sync. I am getting all users, group memberships and manager changes. The only missing information is directory role assignment (e.g. Billing administrator, SharePoint administrator, etc.).
How can I detect a change in roles of any user?
API - https://graph.windows.net/{org}/directoryObjects?api-version=1.5&deltaLink=xxxxxttttxxxxxxxx
First, if you have enabled those Directory Roles, you can use AAD Graph API operations on directory roles to list members of those roles.
GET https://graph.windows.net/myorganization/directoryRoles/{object_id}/$links/members?api-version=1.6
But this API also lists service principals that are assigned this role.
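Because the members list mixes users and service principals, a practical way to answer "did a user's role change?" is to snapshot role members on each sync, keep only user objects, and diff consecutive snapshots. The script below is an added example, not code from the question or answer above; it assumes the caller has already fetched the members of each role, and it assumes the Microsoft Graph `GET /directoryRoles/{id}/members` response shape (objects carrying an `@odata.type`), which differs from the Azure AD Graph `$links/members` form quoted in the answer. The sample snapshots are constructed.

```python
"""Added example: detect directory-role assignment changes for users by
diffing two snapshots of role membership and ignoring service principals.
Not from the original thread; response shape and sample data are assumed."""
import json

USER_TYPE = "#microsoft.graph.user"

# Constructed sample snapshots in the Microsoft Graph
# GET /directoryRoles/{id}/members response shape (assumption).
SNAPSHOT_BEFORE = json.loads("""{
  "value": [
    {"@odata.type": "#microsoft.graph.user", "id": "u-1",
     "userPrincipalName": "alice@contoso.onmicrosoft.com"},
    {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-1",
     "displayName": "Billing Automation"}
  ]
}""")

SNAPSHOT_AFTER = json.loads("""{
  "value": [
    {"@odata.type": "#microsoft.graph.user", "id": "u-2",
     "userPrincipalName": "bob@contoso.onmicrosoft.com"},
    {"@odata.type": "#microsoft.graph.servicePrincipal", "id": "sp-1",
     "displayName": "Billing Automation"}
  ]
}""")


def user_members(members_response: dict) -> dict:
    """Map object id -> userPrincipalName for user members only.
    Service principals (and any other directory object type) are dropped."""
    return {
        m["id"]: m["userPrincipalName"]
        for m in members_response.get("value", [])
        if m.get("@odata.type") == USER_TYPE
    }


def diff_role_snapshots(before: dict, after: dict) -> list:
    """Compare {role_name: members_response} snapshots from two syncs.
    Returns sorted (role, "added"|"removed", upn) tuples for user members
    whose assignment changed; roles missing from one side count as empty."""
    changes = []
    for role in sorted(set(before) | set(after)):
        old = user_members(before.get(role, {}))
        new = user_members(after.get(role, {}))
        for oid in sorted(set(new) - set(old), key=lambda k: new[k]):
            changes.append((role, "added", new[oid]))
        for oid in sorted(set(old) - set(new), key=lambda k: old[k]):
            changes.append((role, "removed", old[oid]))
    return changes


if __name__ == "__main__":
    for role, action, upn in diff_role_snapshots(
        {"Billing Administrator": SNAPSHOT_BEFORE},
        {"Billing Administrator": SNAPSHOT_AFTER},
    ):
        print(f"{role}: {action} {upn}")
```

Persist the previous sync's snapshot (for example as JSON keyed by role name) and feed it in as `before` on the next run; the diff is what the delta query does not give you for role membership.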

Microsoft Graph Azure AD User Out Of Sync

When I log onto the Microsoft Graph Explorer with my Microsoft account and run the following query https://graph.microsoft.com/v1.0/users/ I get the correct user returned.
On Azure AD (using the same login) I created an application with a key, and when I sign in through C# using Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredentials with a token for resource https://graph.microsoft.com and run the same query, I get a completely different user. They are out of sync and I'm baffled.
Any ideas? Should I create a new Azure account as I've had the Azure account from day 1 and I'm only doing this now to test for a client request.
Don't create a new Azure account. When you are using Graph Explorer, are you signed in with a user from your Azure AD tenant? If not, Graph Explorer will default to use a demo tenant for your queries.
Also (if you have more than one tenant) you need to make sure that you select the correct tenant as part of the token acquisition (from https://login.microsoftonline.com/{tenantId | tenantDomain}). If you want the results to match between Graph Explorer and your app, the tenant the signed-in user belongs to (for the Graph Explorer case) and the tenant used by your app need to be the same.
UPDATE based on comment below:
I think I know what's going on here. In graph explorer, you are signing in with your personal account - and it's showing you profile data of that personal account, including the unique ID for this account in the Microsoft Account system. In this case you aren't signing into an Azure AD tenant at all. Microsoft Graph supports access from both personal and commercial accounts.
Now, additionally, I'm guessing when you signed up for an Azure subscription, you used this personal account. When you do that, it creates an Azure AD tenant, and creates a guest user in that tenant that is (linked to) your personal account - this account is also configured as an admin account. This mechanism allows you to sign in with your personal account (authenticated by the Microsoft Account system) into an Azure AD tenant, because the personal account maps to this guest user in your tenant. In your application, you are getting an app token to your Azure AD tenant. When you query the tenant for users, you don't see any user with the same id or email address as you did with graph explorer. However if you actually look at the userPrincipalName, you'll see it should be a mangled form of the original email address of your personal account. This indicates that this Azure AD user account in your tenant is a guest/external user (similar to a foreign principal).
Hope this helps,
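The two answers above that mention pinning the OAuth authority to a tenant ID instead of `common`, and matching the tenant your app acquires its token from, come down to the same thing: build the token endpoint from an explicit tenant, and confirm the token you got back was issued by that tenant before querying Graph. The script below is an added example, not code from the question, the answers, or Microsoft; the environment variable names and the `make_unsigned_jwt` helper (which only builds a constructed, unsigned token for local checks) are assumptions. It also flags guest users by the `#EXT#` marker that Azure AD puts in an external user's userPrincipalName, which is the "mangled" UPN the last answer describes.

```python
"""Added example: acquire an app-only token against one specific tenant,
check the token's tid claim, and page through that tenant's users.
Not from the original thread; env var names and helpers are assumptions."""
import base64
import json
import os
import sys
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"
# Aliases that let the login service choose a tenant for you; they are why
# two sign-ins with the same credentials can land in different directories.
MULTI_TENANT_ALIASES = {"common", "organizations", "consumers"}


def token_endpoint(tenant: str) -> str:
    """Return the v2.0 token endpoint pinned to one tenant ID or domain."""
    tenant = tenant.strip().lower()
    if not tenant or tenant in MULTI_TENANT_ALIASES:
        raise ValueError(f"tenant must be a tenant ID or domain, not {tenant!r}")
    return f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"


def jwt_claims(token: str) -> dict:
    """Decode a JWT payload WITHOUT verifying the signature. This is only a
    local sanity check of which tenant (tid) issued the token; Graph itself
    validates the signature when the token is presented."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def token_issued_for(token: str, expected_tenant_id: str) -> bool:
    """True when the token's tid claim names the directory we meant to query."""
    return jwt_claims(token).get("tid", "").lower() == expected_tenant_id.lower()


def is_guest_upn(upn: str) -> bool:
    """Guest (external) users get a mangled UPN containing '#EXT#', e.g.
    'alice_example.com#EXT#@contoso.onmicrosoft.com'."""
    return "#EXT#" in upn


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed, unsigned JWT for local tests only (assumed helper)."""
    def seg(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{seg({'alg': 'none'})}.{seg(claims)}."


def get_app_token(tenant: str, client_id: str, client_secret: str) -> str:
    """Client-credentials grant against the tenant-specific endpoint."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    with urllib.request.urlopen(token_endpoint(tenant), data=body) as resp:
        return json.load(resp)["access_token"]


def list_users(token: str) -> list:
    """Page through /users, following @odata.nextLink until exhausted."""
    url = f"{GRAPH}/users?$select=id,userPrincipalName,userType"
    users = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        users.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return users


if __name__ == "__main__":
    tenant = os.environ["TENANT_ID"]  # assumed: the directory you intend to query
    token = get_app_token(tenant, os.environ["CLIENT_ID"], os.environ["CLIENT_SECRET"])
    if not token_issued_for(token, tenant):
        sys.exit("token was issued for a different tenant than requested")
    for u in list_users(token):
        kind = "guest" if is_guest_upn(u["userPrincipalName"]) else u.get("userType", "?")
        print(u["id"], u["userPrincipalName"], kind)
```

Running it with `TENANT_ID` set to the tenant's GUID makes the `tid` check meaningful; with a domain name the endpoint is still pinned, but compare against the GUID shown in the portal if you want the claim check to pass.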