How to delete gmail guest account using MS Graph API - azure-active-directory

We are trying to remove a guest user from AD using the Graph API. For that we use the following, as described in the documentation:
https://graph.microsoft.com/v1.0/users/{userPrincipalName}
If the user is a user with an AD domain, that works correctly, but for an external user with a GMAIL account, for instance, the userPrincipalName is formatted as in the sample below:
e.g. serge.cal_gmail.com#EXT#@xxxx.onmicrosoft.com
When I try to get the ID of that user by first fetching its id using:
https://graph.microsoft.com/v1.0/users/serge.cal_gmail.com#EXT#@xxxx.onmicrosoft.com
It returns an error as below :
{ "error": { "code": "Request_ResourceNotFound", "message": "Resource 'serge.cal_gmail.com' does not exist or one of its queried reference-property objects are not present.", "innerError": { "request-id": "da8bdcda-6304-4c3c-93b2-6454433dcba2", "date": "2020-05-15T14:51:46" } } }
Updated :
Based on your comment, as a test I have encoded the userPrincipal manually and tested it in POSTMAN; that returns the correct user details.
But the issue is that, as I do not know in advance the user ID that will be generated, I am using the userPrincipal name of the user to fetch the user ID. In an Azure AD account, the userPrincipal is most of the time the email address; this is what I use in the API call to get the user info.
Now for cases of a GUEST account which is not based on an external AD, the problem is that the only way I have to fetch the user is by the userPrincipal of the guest account, and when I check my user AD profile, my GUEST userPrincipal info is the email address, as seen in the picture below:
So by using this information, the API returns the resource not found error, and this is because if I fetch the user by its ID (which I do not know, except by going into the AD manually, which is not the goal) I get the user principal formed as below:
So in the Azure AD screen the real userPrincipal form of a GUEST user is hidden in a way.
So how can I fetch it correctly?
1 - use the API normally as for any other user, by using the email
2 - then catch the error message
3 - in case of error, reformat the userPrincipal using the weird syntax?
Or does the API offer the possibility to fetch guest accounts, so that from the guest response list of users I then search for the email address of the user I need and get its ID?
Thanks for the advice,
regards

You need to encode the userPrincipalName and then put it in the Graph API call (I tested it in Graph Explorer). You can go to this page and input the userPrincipalName to encode it, then copy the result into your Graph API call; the encoded userPrincipalName will be as below:
xxxxxx.com%23EXT%23%40xxxxx.onmicrosoft.com
Hope it helps~
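The following is an added example (not code from the question or the answer) showing why the unencoded guest UPN fails and how to build the encoded request; it also goes one step further with a lookup by mail address, which the question asks about. The email, tenant domain and the `mail` filter are assumptions for illustration.

```python
from urllib.parse import quote, urlsplit

GRAPH = "https://graph.microsoft.com/v1.0"


def external_upn(email: str, tenant: str) -> str:
    """Build the userPrincipalName Azure AD gives an invited guest, following the
    sample in the question: '@' in the invitee's email becomes '_' and
    '#EXT#@<tenant>' is appended (tenant is assumed to be the tenant domain)."""
    local, _, domain = email.partition("@")
    return f"{local}_{domain}#EXT#@{tenant}"


def path_seen_by_server(url: str) -> str:
    """Everything after an unencoded '#' is a URL fragment and is never sent,
    so Graph only sees '/users/serge.cal_gmail.com' and reports it as missing."""
    return urlsplit(url).path


def user_url(upn: str) -> str:
    """Percent-encode the whole UPN (safe='' also encodes '@' and '#') so the
    request reaches Graph as one path segment: ...%23EXT%23%40..."""
    return f"{GRAPH}/users/{quote(upn, safe='')}"


def users_by_mail_url(email: str) -> str:
    """Alternative that needs no UPN guessing: filter users on the 'mail'
    property. OData string literals are single-quoted and an embedded quote is
    escaped by doubling it, so an address supplied by a caller cannot break out
    of the literal and change the filter."""
    literal = "'" + email.replace("'", "''") + "'"
    return f"{GRAPH}/users?$filter=" + quote(f"mail eq {literal}", safe="'")


if __name__ == "__main__":
    # Constructed sample values, not a real tenant or user.
    upn = external_upn("serge.cal@gmail.com", "xxxx.onmicrosoft.com")
    print("raw path reaching server:", path_seen_by_server(f"{GRAPH}/users/{upn}"))
    print("encoded request:        ", user_url(upn))
    print("filter by mail:         ", users_by_mail_url("serge.cal@gmail.com"))
```

The same encoded URL works for DELETE as for GET, so the delete call from the question needs no other change.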

Related

insights/shared returns 403 while insights/used returns a successful response

I use Graph Explorer to test it.
API: GET /users/{userPrincipalName}/insights/shared, returns 403.
API: GET /users/{userPrincipalName}/insights/used, returns 200 and the used documents.
Both APIs require the same permissions:
Sites.Read.All, Sites.ReadWrite.All
Can anyone help with it?
If you call GET /users/{id | userPrincipalName}/insights/shared, please make sure you have the Sites.Read.All or Sites.ReadWrite.All application permissions (don't forget to grant admin consent for this permission), because no user is logged in at the /users endpoint. Then you need to use the client credential flow to get the access token.
Update:
When you use Graph Explorer to test, because you need to log in as a user, you actually use the token obtained by the userName/Password flow. According to the document: Only the user can make requests using the user's id or principal name.
When you log in as a user, you can only use the id or principal name of the logged-in user. You cannot use the id of other users; otherwise, a 403 error will be reported. But when you use other tools such as Postman for testing, because you do not log in as a user but use the application as the service principal to make the request, you can get the list of shared documents from other users.
Summarized in one sentence: As long as you are logged in as a user, you can only get the list of shared documents of the logged-in user. If you want to get the list of shared documents from other users, don't log in as a user.
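An added example (not from the question or the answer) that builds the two token requests the answer contrasts and then tells, from a token's claims, whether a call to another user's insights/shared can succeed; the tenant, client id and the sample claims are constructed, and the rule that delegated tokens carry `scp` while app-only tokens carry `roles` is a Microsoft identity platform convention assumed here.

```python
import base64
import json
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH_SCOPE = "https://graph.microsoft.com/.default"
INSIGHTS_APP_PERMS = {"Sites.Read.All", "Sites.ReadWrite.All"}


def token_request(tenant, client_id, client_secret, username=None, password=None):
    """(url, form body) for the v2.0 token endpoint: the client credential flow
    (app-only token) when no username is given, otherwise the username/password
    flow, which behaves like a user login."""
    body = {"client_id": client_id, "client_secret": client_secret, "scope": GRAPH_SCOPE}
    if username is None:
        body["grant_type"] = "client_credentials"
    else:
        body.update(grant_type="password", username=username, password=password)
    return TOKEN_ENDPOINT.format(tenant=tenant), urlencode(body)


def jwt_claims(token):
    """Decode the JWT payload for inspection only: the signature is NOT verified,
    so never use this to make an authorization decision."""
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def token_kind(claims):
    """Delegated (user) tokens carry 'scp'; app-only tokens carry 'roles'."""
    return "delegated" if "scp" in claims else "application" if "roles" in claims else "unknown"


def explain_insights_access(token, target_user):
    """Predict GET /users/{target_user}/insights/shared for this token; for a
    delegated token the target is compared with the caller's own oid/upn claims."""
    claims = jwt_claims(token)
    kind = token_kind(claims)
    if kind == "application":
        if set(claims.get("roles", [])) & INSIGHTS_APP_PERMS:
            return True, "app-only token with Sites.Read.All/Sites.ReadWrite.All"
        return False, "app-only token lacks Sites.Read.All/Sites.ReadWrite.All (grant admin consent)"
    if kind == "delegated":
        own = target_user in (claims.get("oid"), claims.get("upn"))
        return own, "delegated token: only the signed-in user's own insights are readable (403 otherwise)"
    return False, "token has neither scp nor roles"


def sample_token(claims):
    """Constructed, unsigned JWT so the functions above run offline; header and
    signature are placeholders, not output of any real issuer."""
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.placeholder-signature"
```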

user does not exist in the tenant directory error when calling Microsoft Graph API

I'm trying to call the Microsoft Graph API. I have followed the instructions in the Microsoft documents as below:
1- app registration in the Azure portal
Supported account types: all Microsoft account users
2- calling 'https://login.microsoftonline.com/',tenant_id,'/oauth2/v2.0/authorize' with these parameters:
client_id <- #Application Id - on the azure app overview page
client_secret <-# the secret key for my app from azure portal
scope <- 'https://graph.microsoft.com/.default'
grant_type <- 'password'
username <- 'XXX@outlook.com'
password <- # the user password
tenant_id <-# tenant id for my app from azure portal
but it gives this error:
AADSTS50034: The user account {EmailHidden} does not exist in the <tenant_ID> directory. To sign into this application, the account must be added to the directory.
I have registered my app with the same account that I passed through the API.
I want to call my todo list from the Graph.
Based on @MdFaridUddinKiron's response I added some more explanation:
I think something in my domain in Azure is wrong; these are some screenshots of it:
1- it shows "common" for endpoints; what should I use, "common" or my tenant?
2- my app authentication tab has some differences; is it important?
3- My domain overview page looks like this:
4- the user is added in my active directory
5- user application page:
6- user assigned role:
I tested the Microsoft Graph API successfully with the same user in Graph Explorer; I am getting confused about how the authentication flow must be.
I just want to call my own todo tasks.
As per your comment, please follow the detailed steps:
Make sure the email you are trying to get a token with exists in the Azure AD
user list, which is shown below in detail.
https://login.microsoftonline.com/YourTenant.onmicrosoft.com/oauth2/v2.0/token
client_id:b603c7be_Client_id_e61f925
scope:https://graph.microsoft.com/.default
client_secret:NpmwO/KDJ_client_secret:NpmwO_W0kWf1SbnL
username:tenentUser.onmicrosoft.com
password:YourUserPassword
grant_type:password
See the screenshot:
I am getting the token as expected
Step 1 to Step 4 (screenshots)
Filter your user from your Azure Active Directory user list as shown below.
Note:
The requested token user must be a tenant user, for example YourUser@Yourtenant.onmicrosoft.com
The user password you are using in the token request must be correct.
Make sure your user belongs to the Azure portal on your tenant
Your Client Id belongs to that tenant
The application secret is valid and not expired.
Update:
What should I use? "common" or my tenant?
It depends; if you have many tenants, in that case you can use common.
For example, users need not remember a specific tenant; they would automatically be redirected to the specific tenant as per the credentials they have given.
For more information you could refer to the official document.
Feel free to share if you are still having problems.

Error 403 on access to AD User from Azure Logic App

I want to manage my AD users with an Azure Logic App, and I have some trouble when I try to "get user" using the "get user" connector of Azure Active Directory.
"error": {
"code": "ErrorInsufficientPermissionsInAccessToken",
"message": "Exception of type 'Microsoft.Fast.Profile.Core.Exception.ProfileAccessDeniedException' was thrown.",
To "get user", I create a specific AD user (a Guest) with the Global administrator role (so the user can create/update AD users). After that I put the Active Directory connector "get user" and sign in with this user.
Did I miss something?
Reason Of Your Error:
You are trying with a personal account with guest privilege; in that case you need to set the Object ID. I have tested and reproduced it. See the screenshot below:
Resolution Of Error:
Switch your connection like below:
Use Tenant User Email:
You could try the following way with tenant user credentials like exampleUser@tenant.onmicrosoft.com instead of example@outlook.com or example@domain.com:
Point To Remember:
A guest user has no privilege to perform this operation, but with the Object ID it can be done.
The user must be a tenant-specific user, for example
exampleUser@tenant.onmicrosoft.com
For more details you could take a look here

Adding users with roles into app registration

I can see you can create app registrations with the Graph API, but is it possible to add users and roles to an app registration?
If you want to assign a user to that application, in one of the specified app roles, you'll need to set the appRoleAssignment on the user. If using the Azure AD Graph API, you could use the REST API below:
https://graph.windows.net/{tenant-id}/users/{username}/appRoleAssignments?api-version={api-version}
Content-Type: application/json
Authorization: Bearer {token}
{
"id": "RoleID",
"principalId": "UserObjectID",
"principalType": "User",
"resourceId": "servicePrincipalID"
}
id: This is the Id of the Role you are assigning. These Ids can be found in the application's manifest, or you could use the API below to get the specific roles defined for your application (appRoles claim):
https://graph.windows.net/{tenant}/applications/{ObjectIDOfApplication}?api-version=1.6
principalId: This is the Object Id of the user you are assigning the role to.
principalType: If you are assigning this role to a user then this is set to the string User.
resourceId: Service principal Id of the application. To get the service principal id, you could use the API below (objectId claim):
https://graph.windows.net/{tenant}/servicePrincipals?api-version=1.6&$filter=appId eq 'appid'
Application role assignments are available in the Microsoft Graph beta endpoint: see Update appRoleAssignment
To give you an idea of what you could do to add app role assignments to a user, I suggest you look at the Configure.ps1 PowerShell script of the active-directory-dotnet-webapp-roleclaims sample on GitHub, which creates test users of a given role and updates the application registration. This is in PowerShell, but you should be able to adapt it to use MS Graph.
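An added example (not code from the answers or from the sample mentioned) that builds the appRoleAssignment body from the answer after checking the role against the application's appRoles manifest, so a disabled role, a role reserved for applications, or an appId passed where an objectId belongs is caught before the request is sent. The manifest excerpt and all GUIDs are constructed placeholders, and the Microsoft Graph body shape (`appRoleId` instead of `id`) is an assumption taken from the Graph schema, not from the answer.

```python
import re

GUID = re.compile(r"^[0-9a-f]{8}-([0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

# Constructed excerpt of an application manifest (not a real app); placeholder ids.
APP_MANIFEST = {"appRoles": [
    {"id": "11111111-1111-4111-8111-111111111111", "value": "Admin",
     "isEnabled": True, "allowedMemberTypes": ["User"]},
    {"id": "22222222-2222-4222-8222-222222222222", "value": "Reader",
     "isEnabled": False, "allowedMemberTypes": ["User"]},
    {"id": "33333333-3333-4333-8333-333333333333", "value": "Daemon",
     "isEnabled": True, "allowedMemberTypes": ["Application"]},
]}


def find_app_role(manifest, value):
    """Look up an appRole by its 'value'. Disabled roles and roles not open to
    users are rejected here rather than becoming a silent bad assignment."""
    for role in manifest["appRoles"]:
        if role["value"] == value:
            if not role.get("isEnabled", False):
                raise ValueError(f"app role {value!r} is disabled")
            if "User" not in role.get("allowedMemberTypes", []):
                raise ValueError(f"app role {value!r} cannot be assigned to a user")
            return role
    raise KeyError(f"no app role with value {value!r}")


def aad_graph_assignment(manifest, role_value, user_object_id, service_principal_id):
    """Body for the Azure AD Graph request in the answer
    (POST /users/{username}/appRoleAssignments). resourceId must be the service
    principal's objectId (a GUID), never the application's client id string."""
    for name, val in (("principalId", user_object_id), ("resourceId", service_principal_id)):
        if not GUID.match(val):
            raise ValueError(f"{name} must be an object id GUID, got {val!r}")
    role = find_app_role(manifest, role_value)
    return {"id": role["id"], "principalId": user_object_id,
            "principalType": "User", "resourceId": service_principal_id}


def ms_graph_assignment(manifest, role_value, user_object_id, service_principal_id):
    """Same assignment in the Microsoft Graph appRoleAssignment shape, where the
    role id property is named appRoleId (assumed from the Graph schema)."""
    body = aad_graph_assignment(manifest, role_value, user_object_id, service_principal_id)
    return {"appRoleId": body["id"], "principalId": body["principalId"],
            "resourceId": body["resourceId"]}
```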

Retrieve a logged in Google Glass User's email address?

We are attempting to provide the ability for a Glass user to request that an email be sent to them from a Timeline Card. In the notify callback Servlet, we are attempting the following to retrieve a user's email address:
String userId = notification.getUserToken();
Credential credential = AuthUtil.getCredential(userId);
Mirror mirrorClient = MirrorClient.getMirror(credential);
Contact contact = MirrorClient.getContact(credential, userId);
We do not get a result back when retrieving an email from the UserInfo object of an authenticated user. Our application has the following scopes available to the application server:
"https://www.googleapis.com/auth/glass.timeline"
"https://www.googleapis.com/auth/glass.location"
"https://www.googleapis.com/auth/userinfo.profile"
"https://www.googleapis.com/auth/userinfo.email"
"https://www.googleapis.com/auth/contacts"
Are we allowed to retrieve the authenticated user's email address? Is there a permission I am missing, or is there another means by which to request that data?
The getContact call you are making doesn't have anything to do with the user's email address. You can read up on what Contact refers to here:
https://developers.google.com/glass/contacts
To get the user's email address, I've successfully used the same auth token used to authorize the Glass mirror API app with the added scope you mention to call this URL:
https://www.googleapis.com/userinfo/email?alt=json
This method seems to stop working after the initial authorization at some point, so be sure to do it when the user first authorizes the app and save off the email.
Although I've also just gotten the email from AppEngine's UserService before as well, which is easier if you happen to be running on AppEngine:
https://developers.google.com/appengine/docs/java/javadoc/com/google/appengine/api/users/UserService
So the question boils down to "Why am I not getting contact info for this userID that I am sending to the Google Mirror service?"
The Mirror service only provides contact information for Contacts that your Glassware has added. See https://developers.google.com/glass/contacts for more about Contacts in Glass and how to add Contacts. Unless you have already added a Mirror Contact with this userId, you won't get anything back.
The Mirror service does not provide direct access to the information from userinfo.info or userinfo.email. You will need to get it out using the OAuth2 libraries first if you want to add them as a Contact for Glass.