How to get user OID from SUB and application in Azure AD - azure-active-directory

I am trying to retrieve the Azure AD user given a subject id (sub) in an Azure AD registered application. I know the application and the sub, but I cannot find a way to retrieve the oid or upn for the actual user using this information.
Digging around I cannot find anything on retrieving User based on sub and application id in the docs:
https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0
When reading about the id token it is suggested that sub + tid + oid should be used for synchronizing across services. And looking at sub more specifically says:
The principal about which the token asserts information, such as the user of an app. This value is immutable and cannot be reassigned or reused. It can be used to perform authorization checks safely, such as when the token is used to access a resource, and can be used as a key in database tables. Because the subject is always present in the tokens that Azure AD issues, we recommend using this value in a general-purpose authorization system. The subject is, however, a pairwise identifier - it is unique to a particular application ID. Therefore, if a single user signs into two different apps using two different client IDs, those apps will receive two different values for the subject claim.
https://learn.microsoft.com/sv-se/azure/active-directory/develop/id-tokens
https://learn.microsoft.com/sv-se/azure/active-directory/develop/access-tokens
I also had a look around SO and only found this related answer but it seems to go from OID to SUB:
Getting User's Token Subject Identifier (sub) From Within Azure AD
Can I query the Graph API using application identifier and subject identifier to find the object identifier or upn?
If it is not possible using the Graph API. Is there any way at all to backtrack which Azure AD user has a given subject id for an application?

By design sub is unique for each user per application. So the same user visiting two applications will have a different sub. This is to ensure that applications that don't have the profile scope are not able to map the users profile outside its own data.
There isn't a way to obtain the oid from the sub for this very reason.

Related

Where does AzureAD store the "id" attribute returned by a SCIM endpoint?

I am integrating AzureAD with a SCIM endpoint. So far integration seems to work: AzureAD sends "POST" requests to create users, then later it queries/updates users using their 'id'.
Reminder from SCIM standard (RFC 7643): The 'id' is
A unique identifier for a SCIM resource as defined by the service provider
My SCIM endpoint generates this unique ID upon user first creation. It sends this ID to AzureAD in the reply, as required by the standard. I know that AzureAD stores the ID somewhere, because it uses it in subsequent requests.
My question: where is this ID stored in AzureAD? I need to read it, so I can forward it somewhere else. Using Graph Explorer I tried a lot of properties:
https://graph.microsoft.com/v1.0/me?$select=id,userPrincipalName,extensions,employeeId,externalUserState,identities,externalId
But none of them work. They are empty or do not contain the SCIM id.
Does anyone know if the property is publicly available?
Azure AD Provisioning has an internal data store that is not exposed via any external/customer-facing APIs where this is stored. If the service is evaluating an object that it does not know the SCIM ID value for it will try to locate that using a filtered GET such as GET /Users?filter=userName eq "user#domain.com", but once it has located that object the service will store internally a record stating that object X in Azure AD with objectId value of 123 is matched to object Y in with ID value of 456.
To specifically answer your end goal of "I need to find this value in Azure AD and forward it somewhere else" - this is not possible.
It is not like you think that AAD will save the user id from SCIM.
You can use Provision on demand to understand how it works.
Simple steps:
Click on "Provision on demand" in SCIM enterprise app.
Then select an AAD user and click on "Provision".
After it is executed successfully, you will be able to see the following:
Import user is retrieving User from Azure Active Directory.
Determine if user is in scope is determining if User in scope by evaluating against each scoping filter.
Match user between source and target system is retrieving User from SCIM and matching it with the AAD User in step 1. This is the point that you didn't know before. AAD will Get User by query in this step.
GET /Users?filter=userName eq "{userName}"
Then the user id from SCIM will be returned (As above screenshot shows).
Perform action updates User in SCIM using the id from step 3.
So AAD doesn't store the id from SCIM. It queries the user in SCIM firstly to get the id and then use this id to send update request to SCIM endpoint.

Azure Ad convert sub/NameIdentifier to objectidentifier

I have an application that has stored the openid subject/NameIdentifier to identify users. Now a featurerequest was made that requires retrieving a user from the Microsoft Graph api while the user isn't logged in. Which requires the objectidentifier to find the user. Is there someway to convert the nameidentifier to the objectidentifier without requiring the users to login.
Can I retrieve the nameidentifier with the graph Api
You can't use Nameidentifier to fetch the user information from the Tenant level using GarphApi which is unique only to the application level.
The ID/UPN is the unique across the Tenant which can be used to fetch user information.
The converstion of Sub/Nameidentifier to oid/UPN is not possible as these two are different unique id generated by azure.
In this document you can find more information about sub/oid here

Get object identifier of Microsoft account from shared tenant (9188040d-6c67-4c5b-b112-36a304b66dad)

Is there a way to get value of "objectIdentifier" claim for Microsoft account?
Case: I have an app with one form field, email (need's to be Microsoft account). When this email is entered, server (back end) need's to find out value of object identifier (user ID) in common tenant for all Microsoft accounts (section "tid").
Normally, if this was normal tenant in Azure Active Directory I would create Azure AD app and generated client secret for accessing Graph API, directory endpoint. Unfortunately, this is "special" tenant and I don't know is there any API I can call (as application) to get id of user (best option would be GetUserIdByEmail(email)).
I understand this is weird case but life is hard :)
Asking user to login and then retrieving value from token is not an option!
There is no API that I'm aware of where you could query for MS personal accounts' info without logging a user in.
If you think about it, it would be quite an easy source of building a user list for attacks :)
You will need to log them in to get their id, I don't think you can know it in advance.

Can Azure change a users OID?

we are going to be storing users information in Cosmos. Storing their information against their email address is not an option. Instead, we are looking at storing against OID.
Can Azure change a users OID?
Short Answer: No. oid claim or ObjectId property is immutable as well as Unique, so it should never change as well as uniquely identify the relevant directory object.
Special note only about oid claim for user object.. if a single user exists in multiple tenants, the user will contain a different object ID in each tenant - they are considered different accounts, even though the user logs into each account with the same credentials.
Here are a few reference links for this part:
1. oid claim for User - Azure AD Token Reference
Service principal entity reference in Azure AD Graph API
Service principal entity reference in the beta version for Microsoft Graph API

Authentication Process Get Azure AD group the user is a member of and do logic

Is there a way to get the Group the User is member of so we can process the authentication, or even throw exception so the token will not be created.
The reason we need groups is that we can not create OU in Azure AD whereas we could before in LDAP. We retrieved the distinguished name and therefore had very rich information about said user.
Lastly, we do see that you could create an OU on-premises but read that Graph API would not recognize it or could not retrieve it.
We are attempting to do logic within the SecurityTokenValidated stage of Authentication process and we break the process whenever we try to use:
string UPN = context.AuthenticationTicket.Identity.FindFirst(ClaimTypes.Name).Value
Is this because we are using MSAL?
The best approach for you to take here is to make use of the group claims capability of Azure AD. (And for get OUs. OUs are not represented in Azure AD at all.)
Dushyant Gill's blog post on this is relatively old, but still very much relevant: http://www.dushyantgill.com/blog/2014/12/10/authorization-cloud-applications-using-ad-groups/. In short, the process is:
Enable group claims for your application by setting the groupMembershipClaims property in your application. After setting this, when a user signs in to your application, the list of groups they are a member of will be included in the token (if the number of groups is smaller than the limit).
Update your application's authorization code to make use of the group membership claims (if present).
Update your application to query the Azure AD Graph API if the groups membership claim is not present (i.e. if the "overage" claim is present). This happens only when the user is a member of more than 150-250 groups. (Use the _claim_name and _claim_sources claims as indications that the Graph API needs to be called directly.)
As described in the documentation for Azure AD Graph API permissions, in order for your application to call the getMemberGroups method, the app must have the "Read all groups" permission (Groups.Read.All). This permission requires admin consent, but once consent has been granted, the request can be made using the signed-in user's access token.

Resources