Assign the claimsMappingPolicy to a servicePrincipal giving error? - azure-active-directory

I have followed the Stack Overflow link below (the answer provided by Allen Wu)
How to add a custom claim and retrieve the same as part of access_token, when the scope is not Graph API in Azure AD?
to add a custom claim to the access token. But I am getting an error when I try to
assign the claimsMappingPolicy to a servicePrincipal.
I opened Microsoft Graph and executed a POST call like so:
https://graph.microsoft.com/v1.0/servicePrincipals/8b6e2827-b3fa-467b-940d-324c301ca606/claimsMappingPolicies/$ref
with the request body
{
"@odata.id":"https://graph.microsoft.com/v1.0/policies/claimsMappingPolicies/fce7f260-9598-426d-b8c2-7e589b25415b"
}
but I am getting a 409 response code with the following response preview:
{
"error": {
"code": "Request_MultipleObjectsWithSameKeyValue",
"message": "Request contains property changes that would result in property-uniqueness violation(s). Please retry your request with corrected values.",
"innerError": {
"date": "2020-10-18T06:32:23",
"request-id": "ae69cb4f-716d-4d56-a123-572c76ace2e0",
"client-request-id": "29b0130e-8b7a-d09d-1188-2856c99dad8e"
}
}
}

It means the servicePrincipal has been assigned a claimsMappingPolicy.
If you assign another claimsMappingPolicy to it, you will get the 409 Conflict error.
You need to list the assigned claimsMappingPolicy first and then remove it.
Then you can assign the new claimsMappingPolicy to the servicePrincipal.
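The list, remove, assign sequence the answer describes, as an added example that is not part of the original question or answer. It assumes a transport callable `send(method, url, body)` returning `(status, json)` that wraps an authenticated HTTP client; the `FakeGraph` class is a constructed in-memory stand-in so the block runs offline. The service principal and policy ids in the usage are the ones from the question; the id `FakeGraph` starts out with is made up.

```python
"""Replace the claimsMappingPolicy assigned to a service principal.

A service principal holds at most one claimsMappingPolicy, so a second POST to
.../claimsMappingPolicies/$ref fails with 409
Request_MultipleObjectsWithSameKeyValue. The fix is: list the current
assignment, DELETE it via .../{policyId}/$ref, then POST the new one.
`send(method, url, body) -> (status, json)` is an assumed transport.
"""

GRAPH = "https://graph.microsoft.com/v1.0"


def replace_claims_mapping_policy(send, sp_id, policy_id):
    """Make `policy_id` the only claimsMappingPolicy on `sp_id`.

    Returns the list of policy ids that were removed. Any unexpected status
    raises, so a half-applied change is never silently ignored.
    """
    base = f"{GRAPH}/servicePrincipals/{sp_id}/claimsMappingPolicies"

    # 1. List what is currently assigned (zero or one policy).
    status, body = send("GET", base, None)
    if status != 200:
        raise RuntimeError(f"list failed: {status} {body}")
    current = [p["id"] for p in body.get("value", [])]

    if current == [policy_id]:
        return []  # already in the desired state

    # 2. Remove each existing assignment through the $ref endpoint.
    removed = []
    for old in current:
        status, body = send("DELETE", f"{base}/{old}/$ref", None)
        if status != 204:
            raise RuntimeError(f"remove {old} failed: {status} {body}")
        removed.append(old)

    # 3. Assign the new policy. The key is "@odata.id" (a "#" here is a typo).
    ref = {"@odata.id": f"{GRAPH}/policies/claimsMappingPolicies/{policy_id}"}
    status, body = send("POST", f"{base}/$ref", ref)
    if status != 204:
        raise RuntimeError(f"assign {policy_id} failed: {status} {body}")
    return removed


class FakeGraph:
    """Constructed stand-in for the three Graph calls above (not real Graph)."""

    def __init__(self, assigned=None):
        self.assigned = list(assigned or [])
        self.calls = []

    def __call__(self, method, url, body):
        self.calls.append((method, url, body))
        if method == "GET":
            return 200, {"value": [{"id": p} for p in self.assigned]}
        if method == "DELETE":
            pid = url.rsplit("/", 2)[-2]  # .../{pid}/$ref
            if pid not in self.assigned:
                return 404, {"error": {"code": "Request_ResourceNotFound"}}
            self.assigned.remove(pid)
            return 204, None
        if method == "POST":
            if self.assigned:  # the uniqueness violation from the question
                return 409, {"error": {"code": "Request_MultipleObjectsWithSameKeyValue"}}
            self.assigned.append(body["@odata.id"].rsplit("/", 1)[-1])
            return 204, None
        return 405, None


if __name__ == "__main__":
    sp = "8b6e2827-b3fa-467b-940d-324c301ca606"
    new = "fce7f260-9598-426d-b8c2-7e589b25415b"
    graph = FakeGraph(assigned=["00000000-0000-0000-0000-000000000001"])  # made-up old policy
    print("removed:", replace_claims_mapping_policy(graph, sp, new))
    print("now assigned:", graph.assigned)
```

Against the real service, `send` needs a bearer token carrying Policy.ReadWrite.ApplicationConfiguration and Application.ReadWrite.All. A principal holding those can change which claims appear in tokens issued for an application, so treat that credential as highly privileged and keep it out of general-purpose automation.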

Related

Microsoft Graph API - Create Contact doesn't work

I am attempting to use the Create Contacts endpoint of the Microsoft Graph API (doc is here: https://learn.microsoft.com/en-us/graph/api/user-post-contacts?view=graph-rest-1.0&tabs=http) to register a new contact for my user. I created the body as described in the API documentation but am getting the error below:
{
"error": {
"code": "Request_BadRequest",
"message": "A value without a type name was found and no expected type is available. When the model is specified, each value in the payload must have a type which can be either specified in the payload, explicitly by the caller or implicitly inferred from the parent value.",
"innerError": {
"request-id": "daf78520-50e6-444b-97a2-779762b3e6ed",
"date": "2020-01-23T14:20:18"
}
}
}
Requests used:
1. POST https://graph.microsoft.com/v1.0/{{tenant_id}}/contacts;
2. POST https://graph.microsoft.com/v1.0/me/contacts;
Request body example:
{
"givenName": "Yulia",
"surname": "Lukianenko",
"emailAddresses": [
{
"address": "yulia@lukianenko.onmicrosoft.com",
"name": "Yulia Lukianenko"
}
],
"businessPhones": [
"+1 732 555 0102"
]
}
Has anybody run into this kind of issue? How did you resolve it?
Thank you in advance for your help!
The POST request is incorrect here.
It should be:
https://graph.microsoft.com/v1.0/me/contacts
Also, you need to make sure the "Contacts.ReadWrite" permission is granted to the app registered in AAD.
P.S.: I used the same JSON as in your example in Graph Explorer and the contact was created successfully.

Graph API (Http Status : 412 Precondition Failed - ErrorIrresolvableConflict)

I am using Microsoft Graph to create Calendar Events using Application Credentials where the organizer's email id will be used:
https://graph.microsoft.com/v1.0/users/<organizer_email_id>/calendar/events
Before the Create Event, I am issuing a PATCH to update the organizer's displayName, givenName and surname:
PATCH https://graph.microsoft.com/v1.0/users/{id}
I see the Event gets created, but it is sending the mail with the old name and throwing the following error:
HTTP status code: 412 Precondition Failed.
{
"error": {
"code": "ErrorIrresolvableConflict",
"message": "The send or update operation could not be performed because the change key passed in the request does not match the current change key for the item.",
"innerError": {
"request-id": "a36e60a4-0a18-4574-9f7f-75f6c1cce8b4",
"date": "2020-01-05T14:22:54"
}
}
}
It looks like the Event is reaching before the PATCH request is committed. I don't want to put any delay between the two calls, but the only option is, before creating the event, to fire a GET request to confirm that the name changed. Is there any other workaround, or does Microsoft need to fix the bug if there is one?
It seems to be an old known issue of Exchange.
Usually such issues need to be confirmed by Microsoft engineers.
I believe the most effective way now is to contact the support team and attach your request-id for investigation.

How to update the users birthday

I want to update the birthday of a user using the patch request.
Updating other properties works as expected but the moment the birthday property is included, the following error returned:
The request is currently not supported on the targeted entity set
I already tried to update the user to be sure the permissions are fine.
Application permissions are used.
This PATCH request to /v1.0/users/{id} works:
{
"givenName": "Fridas"
}
Passing this request body, however:
{
"givenName":"Fridas",
"birthday" : "2014-01-01T00:00:00Z"
}
throws an error:
{
"error":
{
"code":"BadRequest",
"message":"The request is currently not supported on the targeted entity set",
"innerError":
{
"request-id":"5f0d36d1-0bff-437b-9dc8-5579a7ec6e72",
"date":"2019-08-13T15:27:40"
}
}
}
When I update the birthday separately, I get a 500 error. Print screens below. Updating the user id works fine, birthday does not.
Same user id is used in the request.
I'm not sure why this happens, but a workaround, albeit an annoying one, is to update birthday separately from other attributes.
E.g.
PATCH https://graph.microsoft.com/v1.0/users/userid
{
"birthday" : "2014-01-01T00:00:00Z"
}
Here is a screenshot from MS Graph Explorer:
In fact, this is a limitation of the current system.
User is a composite type. Under the covers, some properties in user are mastered by different services, and we currently don't support updates across multiple services.
"birthday" is not mastered by Azure AD, so we can't update it together with other properties mastered by Azure AD in the same call.
It is strongly recommended that you update this property separately. I can update it from my side. So you need a backend engineer to track this request for you.
This seems to affect more than birthday.
Skills[] and Responsibilities[] also return 500 Internal Server Error when using a PATCH request via the REST API with:
{"skills": ["TESTING", "ANOTHER SKILL"]}
The same happens via the GraphServiceClient, except the result is:
Failed to call the Web Api: InternalServerError
Content: {
"error": {"code": "-1, Microsoft.Office.Server.Directory.DirectoryObjectUnauthorizedAccessException",
"message": "Attempted to perform an unauthorized operation.",
"innerError": {
"request-id": "1c2ccc54-0a0c-468f-a18c-6bdfbad4077d",
"date": "2019-08-28T13:23:55"
}}}
These requests work on the Graph Explorer page, but not via calls to the API.
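The workaround from the answers above (send birthday, and by the later comment skills and responsibilities, in their own PATCH calls), as an added example that is not code from the question or any answer. The set of non-Azure-AD-mastered properties is an assumption limited to what this thread reports; `send(method, url, body) -> (status, json)` is an assumed transport and the user id is a placeholder.

```python
"""Split a user PATCH into per-service requests.

Graph rejects a PATCH that mixes properties mastered by Azure AD with ones
mastered by another service ("The request is currently not supported on the
targeted entity set"), and a mixed body via the SDK surfaces as a 500. The
thread names birthday, skills and responsibilities as such properties;
NON_AAD_MASTERED is an assumption limited to those three.
"""

GRAPH = "https://graph.microsoft.com/v1.0"
NON_AAD_MASTERED = frozenset({"birthday", "skills", "responsibilities"})


def plan_user_patch(user_id, changes):
    """Return the ordered list of (url, body) PATCH calls needed for `changes`.

    Azure AD-mastered properties travel together in one request; every
    property in NON_AAD_MASTERED gets its own request, so no single call
    spans two services.
    """
    url = f"{GRAPH}/users/{user_id}"
    aad = {k: v for k, v in changes.items() if k not in NON_AAD_MASTERED}
    other = {k: v for k, v in changes.items() if k in NON_AAD_MASTERED}

    plan = []
    if aad:
        plan.append((url, aad))
    for key in sorted(other):  # deterministic order, one property per call
        plan.append((url, {key: other[key]}))
    return plan


def apply_plan(send, plan):
    """Send each PATCH in order and stop at the first failure.

    Returns [(body, status), ...] for the calls that were made, so a partial
    update is visible to the caller instead of being masked.
    """
    results = []
    for url, body in plan:
        status, _payload = send("PATCH", url, body)
        results.append((body, status))
        if status not in (200, 204):
            break
    return results


if __name__ == "__main__":
    changes = {"givenName": "Fridas", "birthday": "2014-01-01T00:00:00Z",
               "skills": ["TESTING", "ANOTHER SKILL"]}
    for url, body in plan_user_patch("userid", changes):  # "userid" is a placeholder
        print("PATCH", url, body)
```

A successful user PATCH returns 204 with no body, which is why `apply_plan` accepts 204 as well as 200.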

Filter groupType works on groups but not on memberOf

I can get all unified groups from Azure Active Directory quite easily, especially because it is explicitly mentioned in the documentation:
GET https://graph.microsoft.com/v1.0/groups?filter=groupTypes/any(c:c+eq+'Unified')
And you can get all groups a user belongs to with this query:
GET https://graph.microsoft.com/v1.0/users/{user-id}/memberOf
Now let's combine those two queries to get all unified groups a user belongs to:
GET https://graph.microsoft.com/v1.0/users/{user-id}/memberOf?filter=groupTypes/any(c:c+eq+'Unified')
and you'll get back:
HTTP Status Code 400
{
"error": {
"code": "BadRequest",
"message": "Filter not supported.",
"innerError": {
"request-id": "{request-id}",
"date": "2018-07-06T07:29:52"
}
}
}
Okay, so groups supports lambda queries, so let's expand on that and enhance the filter to also filter on members:
GET https://graph.microsoft.com/v1.0/groups?$filter=groupTypes/any(c:c+eq+'Unified') and members/any(u:u/id+eq+'{user-id}')
But this returns
HTTP Status Code 400
{
"error": {
"code": "Request_UnsupportedQuery",
"message": "Unsupported Query.",
"innerError": {
"request-id": "{request-id}",
"date": "2018-07-06T07:41:47"
}
}
}
So, why isn't any of this supported (also not in beta)?
Please try using the below query to get all unified groups a user belongs to -
GET https://graph.microsoft.com/v1.0/Users/{user-id}/memberOf/$/microsoft.graph.group?$filter=groupTypes/any(c:c+eq+'Unified')
So, why isn't any of this supported (also not in beta)?
$filter is not supported by the List memberOf REST API. We can get that information from the List memberOf REST API document:
"This method supports the OData Query Parameters to help customize the response. $filter is not supported."
From the List Group REST API, we know that there are no properties related to user.
So trying to filter on members is not supported.
As SaurabhSharma-MSFT mentioned, you can use the following way to do that.
GET https://graph.microsoft.com/v1.0/Users/{user-id}/memberOf/$/microsoft.graph.group?$filter=groupTypes/any(c:c+eq+'Unified')
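Because memberOf itself refuses $filter, a client that cannot use the cast in the answers above has to filter on its own side. This added example (not code from the question or either answer) walks the paged memberOf response, skips non-group directoryObjects and keeps groups whose groupTypes contains Unified, which is what the server-side filter expresses. It assumes a `fetch(url)` callable returning the decoded JSON page; `PAGES` and `fake_fetch` are a constructed two-page response with made-up ids.

```python
"""Collect a user's Unified (Microsoft 365) groups from memberOf, client-side.

memberOf returns mixed directoryObjects (groups, directory roles,
administrative units) and pages with @odata.nextLink, so the client must
follow the links and check @odata.type before reading group-only properties.
`fetch(url) -> dict` is an assumed transport (an authenticated GET).
"""

GRAPH = "https://graph.microsoft.com/v1.0"


def iter_member_of(fetch, user_id):
    """Yield every directoryObject the user is a direct member of, all pages."""
    url = f"{GRAPH}/users/{user_id}/memberOf"
    while url:
        page = fetch(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")  # absent on the last page


def unified_groups(fetch, user_id):
    """Return ids of Unified groups the user belongs to.

    Equivalent to $filter=groupTypes/any(c:c eq 'Unified') on the group cast,
    done locally because memberOf answers "Filter not supported".
    """
    ids = []
    for obj in iter_member_of(fetch, user_id):
        if obj.get("@odata.type") != "#microsoft.graph.group":
            continue  # directoryRole, administrativeUnit, ... have no groupTypes
        if "Unified" in obj.get("groupTypes", []):
            ids.append(obj["id"])
    return ids


# Constructed sample response: two pages, one of each object kind (ids made up).
USER = "user-1"
PAGES = {
    f"{GRAPH}/users/{USER}/memberOf": {
        "value": [
            {"@odata.type": "#microsoft.graph.group", "id": "g-unified-1",
             "groupTypes": ["Unified"]},
            {"@odata.type": "#microsoft.graph.group", "id": "g-security-1",
             "groupTypes": [], "securityEnabled": True},
            {"@odata.type": "#microsoft.graph.directoryRole", "id": "role-1",
             "displayName": "Directory Readers"},
        ],
        "@odata.nextLink": f"{GRAPH}/users/{USER}/memberOf?$skiptoken=page2",
    },
    f"{GRAPH}/users/{USER}/memberOf?$skiptoken=page2": {
        "value": [
            {"@odata.type": "#microsoft.graph.group", "id": "g-unified-2",
             "groupTypes": ["Unified", "DynamicMembership"]},
        ],
    },
}


def fake_fetch(url):
    """Offline stand-in for the authenticated GET."""
    return PAGES[url]


if __name__ == "__main__":
    print(unified_groups(fake_fetch, USER))
```

memberOf lists direct memberships only; if nested group membership matters (for example when the result feeds an authorization decision), walk transitiveMemberOf with the same loop instead.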

"Resource not found for the segment" using Graph subscription beta

I'm using Microsoft Graph to get calendar events with application permission. It works perfectly. Now I'm trying to set up a subscription to listen to event changes; however, the normal v1.0 does not support this. Beta, at least in the description, says it works.
From the page: https://graph.microsoft.io/en-us/docs/api-reference/beta/api/subscription_post_subscriptions
"Note: the /beta endpoint allows Application permissions as a preview feature for most resources."
So I tried this with the URL:
https://graph.microsoft.com/beta/subscriptions
Sending in a JSON object like this:
{
"changeType":"created,updated,deleted",
"notificationUrl":"https%3A%2F%2FXXX.com%2Fo365.php",
"resource":"%2Fusers%2Fooom%40xxx.com%2Fevents",
"clientState":"1486588355561",
"expirationDateTime":"2018-11-20T18:23:45.9356913Z"
}
Doing this I get the result:
{
"error": {
"code": "BadRequest",
"message": "Resource not found for the segment '/users/room@xxx.com/events'.",
"innerError": {
"request-id": "d9ca58b1-ee1f-4072-81d5-0f1a25dcdd45",
"date": "2017-02-08T21:26:51"
}
}
}
I have tried all kinds of combinations in the resource but can't get it to work.
Does anybody have an idea on how to do this?
The values of JSON properties don't need to be URL-encoded. The resource also doesn't need a '/' in front of "users" (although this isn't what is causing your issue).
Try changing your JSON to:
{
"changeType":"created,updated,deleted",
"notificationUrl":"https://myurl.com/o365.php",
"resource":"users/person@myemail.com/events",
"clientState":"1486588355561",
"expirationDateTime":"2018-11-20T18:23:45.9356913Z"
}
Feel free to respond back if this doesn't address the issue.
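The corrected payload from the answer, built programmatically, as an added example that is not code from the question or the answer. It decodes percent-encoded input such as the question's and strips the leading slash, generates a random clientState instead of a timestamp, and checks that clientState on incoming notifications, since Graph echoes it in every notification and anything arriving without it did not come from your subscription. The hostnames and mailbox are made up.

```python
"""Build a Graph change-notification subscription and verify notifications.

JSON values are sent as-is (no percent-encoding) and the resource path has no
leading slash. clientState is a secret: Graph returns it inside each item of
the notification body, so the webhook compares it before acting on anything.
"""
import hmac
import json
import secrets
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote


def build_subscription(notification_url, resource, minutes=60, client_state=None):
    """Return (payload, client_state) for POST /beta/subscriptions.

    Percent-encoded input (as in the question) is decoded rather than
    rejected. `client_state` is normally left None so a fresh random secret
    is generated; pass one only to reuse a stored value.
    """
    notification_url = unquote(notification_url)
    resource = unquote(resource).lstrip("/")
    if not notification_url.startswith("https://"):
        raise ValueError("notificationUrl must be https")
    client_state = client_state or secrets.token_urlsafe(32)
    expires = datetime.now(timezone.utc) + timedelta(minutes=minutes)
    payload = {
        "changeType": "created,updated,deleted",
        "notificationUrl": notification_url,
        "resource": resource,
        "clientState": client_state,
        "expirationDateTime": expires.strftime("%Y-%m-%dT%H:%M:%S.%fZ"),
    }
    return payload, client_state


def authentic_notifications(body, expected_client_state):
    """Return only the notification items whose clientState matches.

    `body` is the webhook request body (str, bytes or already-decoded dict).
    Constant-time comparison on bytes so an attacker probing the endpoint
    learns nothing from timing, and non-ASCII junk cannot raise TypeError.
    """
    data = json.loads(body) if isinstance(body, (str, bytes)) else body
    expected = expected_client_state.encode()
    good = []
    for item in data.get("value", []):
        got = str(item.get("clientState", "")).encode()
        if hmac.compare_digest(got, expected):
            good.append(item)
    return good


if __name__ == "__main__":
    payload, state = build_subscription("https%3A%2F%2FXXX.com%2Fo365.php",
                                        "%2Fusers%2Fperson%40example.com%2Fevents")
    print(json.dumps(payload, indent=1))
    # Constructed notification: one genuine item, one with a bad clientState.
    notif = {"value": [{"subscriptionId": "s1", "clientState": state},
                       {"subscriptionId": "s1", "clientState": "guess"}]}
    print(len(authentic_notifications(notif, state)), "authentic item(s)")
```

Before Graph creates the subscription it also POSTs to the notificationUrl with a validationToken query parameter and expects that token echoed back as text/plain; the handler has to do that in addition to the clientState check above.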
