Get information about invitation of B2B user in Microsoft Graph - azure-active-directory

I'm trying to create an application in which I need to know whether a user invited to Azure Active Directory has accepted the invitation or not. I'm using the Microsoft Graph SDK for C# to get information about users from AAD, but I cannot find information about invitation status in the resulting user object. In particular, I want to get this piece of information from Azure:
Is there any way to get this info from C# using Microsoft Graph SDK or with direct graph query?

It seems the Microsoft Graph API (v1.0) "get user" operation doesn't have a field that shows whether the guest accepted the invitation. I checked the documentation of user properties and didn't find any property which matches "accept invitation". But I found there is a property externalUserState in the Microsoft Graph API (beta version) which can meet your requirements. If you don't mind the stability, you can use the beta version of the Microsoft Graph API. If you will use this API in a production environment, I suggest you use the Azure AD Graph API. Please refer to the steps below:
As a workaround, we can use the Azure AD Graph API instead of the Microsoft Graph API. I found there is a property UserState in the response of the Azure AD Graph API. If we want to request this Azure AD Graph API, we need to add the required permissions first.
Don't forget to grant admin consent and then request the access token. Please note that when requesting the access token for Azure AD Graph, we need to change the scope from https://graph.microsoft.com/.default to https://graph.windows.net/.default.
Then use the access token to request the Azure AD graph api.
https://graph.windows.net/<tenant id>/users/<object id>?api-version=1.6
Get the response of the API and we can find there is a property userState in it. If the guest has accepted, this property will be "Accepted"; if the guest hasn't accepted, this property will be "PendingAcceptance".
Hope it helps~
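As an added example (not code from the original post or the answer above), here is a C# console program that does the lookup the answer describes: it acquires an app-only token with MSAL via the client credentials flow and reads the guest's externalUserState from the Microsoft Graph beta endpoint. Assumptions: the Microsoft.Identity.Client and System.Text.Json packages, an app registration with the User.Read.All application permission and admin consent, and placeholder tenant id, client id, secret and user id.

```csharp
// Added example, not code from the original post. Assumes the Microsoft.Identity.Client
// (MSAL) package, an app registration with the User.Read.All application permission plus
// admin consent, and the placeholder ids/secret below.
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

class GuestInvitationCheck
{
    const string TenantId = "<tenant id>";         // placeholder
    const string ClientId = "<client id>";         // placeholder
    const string ClientSecret = "<client secret>"; // placeholder: load from a secret store, never hard-code

    static async Task Main(string[] args)
    {
        string userId = args.Length > 0 ? args[0] : "<object id or UPN of the guest>"; // placeholder
        // Client credentials flow: app-only token, no signed-in user required.
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();
        AuthenticationResult auth = await app
            .AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" })
            .ExecuteAsync();
        using var http = new HttpClient();
        http.DefaultRequestHeaders.Authorization =
            new AuthenticationHeaderValue("Bearer", auth.AccessToken);
        // externalUserState is only exposed on the beta endpoint; $select limits what comes back.
        string url = $"https://graph.microsoft.com/beta/users/{Uri.EscapeDataString(userId)}"
                   + "?$select=id,userType,externalUserState,externalUserStateChangeDateTime";
        using HttpResponseMessage resp = await http.GetAsync(url);
        resp.EnsureSuccessStatusCode();
        using JsonDocument doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        // The property is null for members and for guests that were not invited through B2B.
        string state = doc.RootElement.TryGetProperty("externalUserState", out JsonElement s)
                       && s.ValueKind == JsonValueKind.String ? s.GetString() : null;
        Console.WriteLine(state switch
        {
            "Accepted" => "Guest has redeemed the invitation.",
            "PendingAcceptance" => "Invitation sent but not yet redeemed.",
            _ => "No invitation state (member account or not invited via B2B)."
        });
    }
}
```

The same program works against the Azure AD Graph URL shown in the answer if you switch the scope to https://graph.windows.net/.default and read the userState property instead.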

Related

Can I use my personal (local) account to authenticate into Azure B2C React MSAL app?

I'm trying to use React and Azure B2C to sign up a local account (using personal emails).
I'm able to sign up and log in using user flows; however, I cannot get active account information from the MS Graph API.
GET https://graph.microsoft.com/v1.0/me 401 (Unauthorized)
Yes, Azure AD B2C supports authentication for personal accounts.
1. Microsoft Graph supports optional query parameters that you can use to specify and control the amount of data returned in a response. The support for the exact query parameters varies from one API operation to another, and depending on the API, can differ between the v1.0 and beta endpoints.
Use query parameters to customize responses - Microsoft Graph | Microsoft Docs
Try with GET https://graph.microsoft.com/beta/me/
You can use $select to control the properties returned.
Ex: /me?$select=displayName,jobTitle
2. Do make sure to give the required claims marked in application claims.
If you want to acquire a token for all the static scopes of a v1.0 application, append ".default" to the app ID URI of the API: app ID/.default
Calling the /me endpoint requires a signed-in user and therefore a delegated permission. Application permissions are not supported when using the /me endpoint.
The article says:
Users cannot obtain tokens for Microsoft APIs (e.g. MS Graph API) using delegated permissions. Applications can obtain tokens for Microsoft APIs using application permissions (user management scenarios).
Reference:
microsoft-graph-operations#user-flow-authentication-methods-beta

Auto-create user/drive using delegated permissions and Microsoft Graph

I am using the acquireUserCode, acquireTokenWithDeviceCode flow found in adal-node library to authenticate my application and user. This process works successfully and I am then able to make MS Graph calls with the returned token. Where I am stuck is using the /users/{id}/drive endpoint. The docs state:
If a user's OneDrive is not provisioned but the user has a license to use OneDrive, this request will automatically provision the user's drive, when using delegated authentication.
My understanding is that the device code is a form of delegated permissions but the drive is not being created. Instead I get a 404 response. The user is properly licensed. In testing I have granted all graph delegated permissions to the application registration and "granted" them through the UI. Any pointers where in the chain I should be looking if this scenario is supported? Thanks!

Lookup user information in Microsoft Graph from a console app

I want to look up people's names and email addresses using their ADID/SAMAccountName/UPN from a console app running with its own credentials and not under my account.
How would I do this with Microsoft Graph?
I was following up on https://github.com/Azure-Samples/active-directory-dotnet-daemon-v2 but that seems to require admin access. (BTW, is there an easy way to figure out the admin on my company's graph?)
I did look up LDAP querying, but domain limitations limit the search scope, and I would rather do this via Microsoft Graph.
Accessing Microsoft Graph without user credentials (i.e. using the OAuth client credentials flow) requires Admin Consent for your application. Typically this consent would be handled by your IT department.

Microsoft Graph Explorer consent screen is giving wrong scopes

When I try to log in for the first time with a new user via Active Directory to graphexplorer.windowsazure.net, I get the following scopes:
In my apps.dev.microsoft.com registration I have the following permissions:
Why am I getting only these two scopes in the access token?
Apps registered via the Application Registration Portal use the Azure AD v2 endpoint which supports incremental consent.
This means that while your app registration determines which scopes can be requested, you still need to specify specific scopes when you make the authorize request. Also, you should avoid requesting all scopes up front, and instead incrementally request scopes as needed in the context of specific operations. So start out with your authorize request as you have it, with no extra scopes, but when you need to send an email on behalf of the user, issue another authorize request like so:
GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.send
&state=12345
For more info on scopes in the v2.0 endpoint check out the Scopes, permissions, and consent in the Azure Active Directory v2.0 endpoint document.
For an example of an app that incrementally requests scopes, check out this Integrate Microsoft identity and the Microsoft Graph into a web application using OpenID Connect sample.
Also note that there are 2 different Graph APIs:
Azure AD Graph (endpoint: graph.windows.net, explorer: https://graphexplorer.azurewebsites.net/)
Microsoft Graph (endpoint: graph.microsoft.com, explorer: https://developer.microsoft.com/en-us/graph/graph-explorer)
From https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api:
We strongly recommend that you use Microsoft Graph instead of Azure AD Graph API to access Azure Active Directory resources. Our development efforts are now concentrated on Microsoft Graph and no further enhancements are planned for Azure AD Graph API. There are a very limited number of scenarios for which Azure AD Graph API might still be appropriate; for more information, see the Microsoft Graph or the Azure AD Graph blog post in the Office Dev Center.
I'm not quite sure where that screen shot is coming from, but the URL you're going to is incorrect. The correct URL for Graph Explorer is https://developer.microsoft.com/en-us/graph/graph-explorer.

Azure Active Directory Premium MFA Attributes via Graph API?

How do I programmatically control the attributes that are attached to an AAD Premium user, related to MFA? Using the Graph API (C#, using the SDK), what calls can be made to make a user MFA or not, CRUD on phone numbers, etc.?
Thanks.
As far as I know, there is no API to get the MFA attributes through the Graph REST API, since there is no related attribute in the user entity.
However, we can use the Azure Multi-Factor Authentication SDK to build multi-factor authentication into custom apps. For more detail about this, you can refer here.
These attributes are now available in the Microsoft Graph Beta API. See the documentation at Azure AD authentication methods API overview.