Custom Attributes/Properties in AAD .. Finding them in MS Graph - azure-active-directory

I have a large AAD dynamic group that I need to search and query membership for (a 100K+ member group) and search for users by name. This group is generated based on a custom attribute on the user in AAD.
I am trying to figure out if I can get this information out of the MS Graph or if I need to move these calls to the AAD Graph?
I've checked the users for extensions and schema data but there doesn't seem to be anything there.
Are custom attributes not replicated in MS Graph?
The problem I am trying to solve is:
I have a people picker that I want to return results that satisfy membership of this group. The problem is MS Graph doesn't support OData queries of the members of a group on their displayName. Since the group is driven by the custom attribute I was hoping to take a shortcut and include that in my query.

You may need to get the custom attribute with AAD Graph instead of MS Graph; it seems MS Graph will not return the custom attribute.
Sample of AAD Graph:
GET https://graph.windows.net/{tenant}/users/{objectId}
returns:
{
  "odata.metadata": "https://graph.windows.net/{tenant}/$metadata#directoryObjects/Microsoft.DirectoryServices.User/#Element",
  "odata.type": "Microsoft.DirectoryServices.User",
  "objectType": "User",
  ...
  "extension_917ef9adff534c858b0a683b6e6ec0f3_CreatedTime": 1518602039
}
Here are two posts related to this issue, see: How to get/set custom Azure Active Directory B2C user attributes in ASP.NET MVC? and How to read Azure B2C Custom Attributes with Graph API (works OK with Azure AD Graph)

Related

Adding custom claim to id token based on group ownership existence on Azure AD

I have an (external to Azure) application to integrate with AzureAD through OIDC. The requirement is to add a custom claim to the id_token with a list of groups where the user is an owner in AD.
For example, if the user is the owner of the group with id = "123abc", I need to add the following custom claim to the id_token.
"ownedGroups": ["123abc"]
If this is not possible, is there at least an option to add something like this?
"hasOwnedGroups": true
I could not find any relevant example for this in the docs. Can you share an example for doing this? If this is not possible in exactly the same way, I'd like to know the alternative solution for putting information about ownership in the id token.
Azure AD does not support Groups as source for custom claims or claims mappings. You can however create directory extensions, update them with any data you want and get them in the token as optional claims.

How to find Site Owners in SharePoint Online via SharePoint REST API/Graph API

I'm trying to find all users that are permitted to access a site in SharePoint Online.
I can do that via the SharePoint REST API using the following request:
https://<tenant>.sharepoint.com/sites/<site>/_api/web/RoleAssignments?$expand=Member/Users,RoleDefinitionBindings
The response contains some hidden technical accounts, users that have been granted permissions explicitly, and the default SharePoint site groups for members and owners.
The SharePoint site member group is presented with the following LoginName:
c:0o.c|federateddirectoryclaimprovider|<UUID>
Where <UUID> is the id of an Azure group. I can then resolve its members using the Graph API. However, there is a user missing here that is listed in the SharePoint UI as an owner of the site.
The SharePoint site owner group, however, is presented with the following LoginName:
c:0o.c|federateddirectoryclaimprovider|<UUID>_o
Where <UUID> is the exact same id as before. So I can't resolve its members using the Graph API as the UUID gives me the member group and the UUID including the suffix is an invalid group identifier.
Furthermore, the SharePoint REST API seems to treat this owner group (as well as the member group) like a user rather than a group, so I couldn't find a way to resolve its members using this API either.
So how can I resolve the actual users that are owners of a site?
Thank you very much!
Isn't it as simple as that?
https://<tenant>.sharepoint.com/sites/<site>/_api/site/owner
The solution is described here: https://learn.microsoft.com/en-us/sharepoint/modern-experience-sharing-permissions#team-site-permissions-and-office-365-groups
When you add owners or members to the Microsoft 365 group, they're given access to the SharePoint site along with the other group-connected services. Group owners become site owners, and group members become site members.
Which means you can retrieve the site owners with the following request:
https://graph.microsoft.com/v1.0/groups/<UUID>/owners
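The LoginName parsing described in the question and the Graph endpoint from the answer, as an added Python example that is not part of either post: it validates the UUID before splicing it into a Graph URL, and picks /owners for the `_o` suffix and /members otherwise. The sample LoginNames in the comments are constructed.

```python
import re

# Prefix SharePoint uses for group claims backed by an Azure AD group.
CLAIM_PREFIX = "c:0o.c|federateddirectoryclaimprovider|"
_UUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)


def parse_group_login_name(login_name: str):
    """Split a group-claim LoginName into (group id, is_owner_group).

    Returns None when the value is not a federated-directory group claim,
    e.g. a user claim such as the constructed 'i:0#.f|membership|a@b.example'.
    """
    if not login_name.startswith(CLAIM_PREFIX):
        return None
    ident = login_name[len(CLAIM_PREFIX):]
    is_owners = ident.endswith("_o")        # "<UUID>_o" denotes the owners group
    if is_owners:
        ident = ident[:-2]
    if not _UUID_RE.match(ident):           # never trust the suffix-stripped value
        return None
    return ident.lower(), is_owners


def graph_url_for_login_name(login_name: str):
    """Graph endpoint that lists the users behind a SharePoint group claim."""
    parsed = parse_group_login_name(login_name)
    if parsed is None:
        return None
    group_id, is_owners = parsed
    relation = "owners" if is_owners else "members"
    return f"https://graph.microsoft.com/v1.0/groups/{group_id}/{relation}"
```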

How to add custom attributes for Azure AD B2B user

How can a custom attribute be added for a user in Azure AD B2B using the API?
I found a way for External Identities but I'm looking for custom attributes regardless of user type.
For example, I want to have the attribute "FavoriteColor" for every user (member or guest).
How can I achieve that?
You can use Microsoft Graph API Create extensionProperty.
Specify the targetObjects as "User".
An example (you can use any of your app registrations for {object id of the app registration}):
POST https://graph.microsoft.com/v1.0/applications/{object id of the app registration}/extensionProperties
{"name":"customAttribute","dataType":"string","targetObjects":["User"]}
It will generate an extension property named extension_{client id of the app registration without "-"}_customAttribute.
Then you can update the extension property for the member or guest user:
PATCH https://graph.microsoft.com/v1.0/users/{user id}
{"extension_{client id of the Azure AD application without "-"}_customAttribute":"value"}
Use Microsoft Graph Explorer to have a quick test.
Microsoft Graph auth overview and Microsoft Graph SDK for your reference.

Microsoft Graph AD Users or people API to search all users?

I'm trying to build functionality into my app for 'admins' to assign users from their AD group to certain groups that are further assigned to app-specific roles. Basically a simple management component.
Adding the user with the oid to a group is easy, the problem I'm facing is finding the actual user.
Currently, the only option I'm seeing is making multiple api requests to v1.0/users (999 items max) and grouping them all in memory and then provide a simple search function to narrow it down.
I have also used the v1.0/me/people endpoint to search for users but this does not reveal all users from the AD group, just relevant users they deal with, so not too useful.
Is there any other api endpoint I could tap into to do a search ONLY on members of the same active directory?
Using the startsWith filter on multiple properties is probably the closest we can get to user search in MS Graph at the moment:
https://graph.microsoft.com/v1.0/users?$filter=startswith(displayName,'sarah') or startswith(givenName,'sarah') or startswith(surname,'sarah') or startswith(mail,'sarah') or startswith(userPrincipalName,'sarah')
Ended up switching to the old AD Graph API and implementing a query on the endpoint as follows:
https://graph.windows.net/{ tenant ID }/users?api-version=1.6&$select=mail,displayName,objectId,givenName,surname&$filter=startswith(givenName,'SEARCH TERM') or startswith(surname,'SEARCH TERM')
If the function receives a single param, it will search for that parameter in both givenName and surname, but you could configure this to search across any other supported fields.
You could also ditch the $select= completely to get the whole data. I didn't want the clutter though and those keys are enough for me.
Instead of going with startswith, you may get a better experience using the search keyword:
https://learn.microsoft.com/en-us/graph/api/user-list?view=graph-rest-1.0&tabs=http#example-6-use-search-to-get-users-with-display-names-that-contain-the-letters-wa-including-a-count-of-returned-objects
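As an added example (not code from any of the posts above), here is Python that builds the pieces the answers in this thread and in the B2B thread describe: the extension_{client id without dashes}_{name} property name and the PATCH body, the startswith() filter over several properties, and a combined $filter that also matches a directory-extension value, which is the shortcut the original question hoped for. Single quotes in the search term are doubled, as OData requires, so a people-picker term cannot break out of the filter. The client ID is taken from the extension name shown on this page, the attribute names are constructed, and that Graph accepts `eq` on a directory extension in $filter is an assumption.

```python
import re
from urllib.parse import urlencode

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"
# Properties the startswith() fallback in the thread searches.
SEARCH_FIELDS = ("displayName", "givenName", "surname", "mail", "userPrincipalName")
_GUID_RE = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
# Conservative local check for the attribute name; not Graph's exact rule.
_ATTR_RE = re.compile(r"^[A-Za-z0-9]{1,64}$")

def extension_property_name(client_id: str, name: str) -> str:
    """Return the name Graph generates for a directory extension:
    extension_{client id without dashes}_{name}."""
    if not _GUID_RE.match(client_id):
        raise ValueError("client_id must be a GUID")
    if not _ATTR_RE.match(name):
        raise ValueError("attribute name must be alphanumeric")
    return f"extension_{client_id.replace('-', '').lower()}_{name}"

def extension_patch_body(client_id: str, name: str, value: str) -> dict:
    """Body for PATCH /users/{id} that sets the extension value."""
    return {extension_property_name(client_id, name): value}

def odata_string_literal(value: str) -> str:
    """Quote a string for $filter; OData escapes a single quote by doubling it.
    Without this, a term such as O'Brien would break or alter the filter."""
    return "'" + value.replace("'", "''") + "'"

def user_search_filter(term: str, fields=SEARCH_FIELDS) -> str:
    """startswith() over several properties, as in the workaround above."""
    term = term.strip()
    if not term:
        raise ValueError("empty search term")
    lit = odata_string_literal(term)
    return " or ".join(f"startswith({f},{lit})" for f in fields)

def users_search_url(term: str, extension: tuple = None,
                     select=("id", "displayName", "mail")) -> str:
    """Full users URL; `extension` is an optional (client_id, name, value)
    triple that narrows the result to users carrying that attribute value."""
    clauses = [f"({user_search_filter(term)})"]
    if extension is not None:
        client_id, name, value = extension
        clauses.append(f"{extension_property_name(client_id, name)} eq "
                       f"{odata_string_literal(value)}")
    params = {"$filter": " and ".join(clauses), "$select": ",".join(select)}
    return f"{GRAPH_USERS}?{urlencode(params)}"
```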

Fetch custom attribute from Active Directory into CRM

I have a custom attribute EmployeeNumber in AD. While creating CRM users, when I write the UserName, e.g. Imran.Ahmed, it automatically fetches some information from AD and fills the form with that information, i.e. first name, last name, phone number etc. Now I have added one more field in CRM to store the Employee number in CRM. But CRM is not fetching it from AD.
How can I get the information of the custom attribute EmployeeNumber from AD to the CRM form? I have been searching on the internet and found some links that are saying that we have to write a plugin or call Javascript from the CRM form, but is there any way through which I can automatically get the information from AD?
I am not aware of any AD side configurations to sync extra columns into the CRM system user record, or how to add more data to pull in the platform service when you tab out of the username. I'm sure you are not gonna get that information/control over that integration from the Product team.
You can try this codeplex solution by reverse engineering/extending it to achieve the requirement. Or some Graph API calls to achieve it in some timely jobs.
We have our internal HR system to read/sync such data using SSIS + Kingswaysoft connector into CRM.