we are going to be storing users information in Cosmos. Storing their information against their email address is not an option. Instead, we are looking at storing against OID.
Can Azure change a users OID?
Short Answer: No. oid claim or ObjectId property is immutable as well as Unique, so it should never change as well as uniquely identify the relevant directory object.
Special note only about oid claim for user object.. if a single user exists in multiple tenants, the user will contain a different object ID in each tenant - they are considered different accounts, even though the user logs into each account with the same credentials.
Here are a few reference links for this part:
1. oid claim for User - Azure AD Token Reference
Service principal entity reference in Azure AD Graph API
Service principal entity reference in the beta version for Microsoft Graph API
Related
Inviting a consumer user to Azure AD B2C has been covered by other Stack Overflow questions & answers, and AFAIK requires the use of custom policies that entail a signed JWT being created and used during invite redemption.
What I'm trying to figure out: In our application, we have differently permissioned user groups and different organisations managed by internal RBAC logic. We identify & authorize users based on their oid claim in the access token that's returned to msal-react/msal-browser and used to authenticate against our backend's API.
In Microsoft Graph, a user can be invited and the API will respond with the created user's oid. However, this is the wrong type of user and not appropriate for B2C scenarios.
With the custom policy route not creating the user object in AAD B2C at the time of invite, and therefore without knowing the user's oid at the time of inviting them to the application, what might be the best way to configure their in-app profile and have them identifiable to the application itself upon first login?
My thought at the moment is to have the application store the emails of users that are invited who have not yet redeemed/signed-in. We can configure the emails claim to be returned upon login, which is checked against the invited emails store when an oid claim is returned that isn't present in the database. This can then trigger a function to update the user's internal id with the oid in their first login's claim.
If this is inadvisable or if there's a better way, I'd be very grateful to hear it.
It would work, or just pre create the user up front via MS Graph API. Then you have an email and objectId available.
You could also put an extension attribute on the account indicating whether the user has redeemed their invite. That would allow you to monitor who has redeemed, and also be a way to provide a different experience depending on if the user has redeemed or not redeemed the link.
I am integrating AzureAD with a SCIM endpoint. So far integration seems to work: AzureAD sends "POST" requests to create users, then later it queries/updates users using their 'id'.
Reminder from SCIM standard (RFC 7643): The 'id' is
A unique identifier for a SCIM resource as defined by the service provider
My SCIM endpoint generates this unique ID upon user first creation. It sends this ID to AzureAD in the reply, as required by the standard. I know that AzureAD stores the ID somewhere, because it uses it in subsequent requests.
My question: where is this ID stored in AzureAD? I need to read it, so I can forward it somewhere else. Using Graph Explorer I tried a lot of properties:
https://graph.microsoft.com/v1.0/me?$select=id,userPrincipalName,extensions,employeeId,externalUserState,identities,externalId
But none of them work. They are empty or do not contain the SCIM id.
Does anyone know if the property is publicly available?
Azure AD Provisioning has an internal data store that is not exposed via any external/customer-facing APIs where this is stored. If the service is evaluating an object that it does not know the SCIM ID value for it will try to locate that using a filtered GET such as GET /Users?filter=userName eq "user#domain.com", but once it has located that object the service will store internally a record stating that object X in Azure AD with objectId value of 123 is matched to object Y in with ID value of 456.
To specifically answer your end goal of "I need to find this value in Azure AD and forward it somewhere else" - this is not possible.
It is not like you think that AAD will save the user id from SCIM.
You can use Provision on demand to understand how it works.
Simple steps:
Click on "Provision on demand" in SCIM enterprise app.
Then select an AAD user and click on "Provision".
After it is executed successfully, you will be able to see the following:
Import user is retrieving User from Azure Active Directory.
Determine if user is in scope is determining if User in scope by evaluating against each scoping filter.
Match user between source and target system is retrieving User from SCIM and matching it with the AAD User in step 1. This is the point that you didn't know before. AAD will Get User by query in this step.
GET /Users?filter=userName eq "{userName}"
Then the user id from SCIM will be returned (As above screenshot shows).
Perform action updates User in SCIM using the id from step 3.
So AAD doesn't store the id from SCIM. It queries the user in SCIM firstly to get the id and then use this id to send update request to SCIM endpoint.
I was not able to find any info on this. Can a user from any AAD domain have the same Object Id as a user from any other domain. Or are these unique across all domains in Azure?
EDIT: Is there a validation process in Azure that checks if a GUID has already been used for the same type of object, such as a RID Master in Windows AD..
Yes, all of the users in Azure has an unique object id no matter where the user comes from because the object id is GUID format, GUID is Globally Unique Identifier, it will generate an unique GUID for each user when add a user to Azure AD.
By the way, there could be two same object id(guid), but it's a very small probability(very very small, for example if you have 100,000,000 users in all of your AAD domains, the probability of exist two same object id is about 1/3.4×10^30, so we can ignore that).
I have an application that has stored the openid subject/NameIdentifier to identify users. Now a featurerequest was made that requires retrieving a user from the Microsoft Graph api while the user isn't logged in. Which requires the objectidentifier to find the user. Is there someway to convert the nameidentifier to the objectidentifier without requiring the users to login.
Can I retrieve the nameidentifier with the graph Api
You can't use Nameidentifier to fetch the user information from the Tenant level using GarphApi which is unique only to the application level.
The ID/UPN is the unique across the Tenant which can be used to fetch user information.
The converstion of Sub/Nameidentifier to oid/UPN is not possible as these two are different unique id generated by azure.
In this document you can find more information about sub/oid here
Is there a way to get value of "objectIdentifier" claim for Microsoft account?
Case: I have an app with one form field, email (need's to be Microsoft account). When this email is entered, server (back end) need's to find out value of object identifier (user ID) in common tenant for all Microsoft accounts (section "tid").
Normally, if this was normal tenant in Azure Active Directory I would create Azure AD app and generated client secret for accessing Graph API, directory endpoint. Unfortunately, this is "special" tenant and I don't know is there any API I can call (as application) to get id of user (best option would be GetUserIdByEmail(email)).
I understand this is weird case but life is hard :)
Asking user to login and then retrieving value from token is not an option!
There is no API that I'm aware of where you could query for MS personal accounts' info without logging a user in.
If you think about it, it would be quite an easy source of building a user list for attacks :)
You will need to log them in to get their id, I don't think you can know it in advance.