Hey I would like to retrieve the Initials of a user in the graph explorer. I synchronized thies field with AD Connect zu Azure AD but in the documentation i dont see any property like that: https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0
I know the attribute is on Azure AD but how can i retrieve it with the Graph API?
Thanks & best regards
In the AAD, it doesn't define this property Initials, it is a user's attribute in AD not in AAD.
In AD, you could use powershell to get a user's Initials by this:
Get-ADUser "YourUser" -Properties Initials
In MS graph exploerer, I tried Get Https://https://graph.microsoft.com/v1.0/users?$select=Initials for all the user (included synced users from AD), and then the return value is null for all the user.
The return:
Related
I know how to get the tenant id of Azure AD. But i have registred an APP in Azure AD using microsoft graph powershell and i want to obtain tenant id of this registred app using microsoft graph powershell. I tried to get it using the variable i used to create the app registration:
$APP = New-MgApplication -displayName $AppName `
-RequiredResourceAccess #{ ResourceAppId = $GraphResourceId; ResourceAccess = #($resourceAccess) } `
-SignInAudience $SignInAudience `
-PublicClient #{ RedirectUris = $URL }
If i use the variable $App and try to get a property called tenantid, there is nth called like this. $App | Select * did not show any tenantid aswell.
Anyone know how to read the tenantid of this registred azure app using microsoft graph powershell?
Graph API doesn't provide any information about tenant for registered application, so you cannot get tenant id directly.
The registered application is created under the same tenant that the user or application is signed in to.
You can read organization data
Import-Module Microsoft.Graph.Identity.DirectoryManagement
$org = Get-MgOrganization
$org.id is the tenant ID.
Documentation:
Organization
You can get the tenant id, by following below commands , ref doc - https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-how-to-find-tenant#find-tenant-id-with-powershell
Connect-AzAccount
Get-AzTenant
To list all To the tenants for your account, you can use:
GET https://management.azure.com/tenants?api-version=2020-01-01
ref doc - https://docs.microsoft.com/en-us/rest/api/resources/tenants/list
If you want to see the tenant ID associated with an app registration, you can do so through the portal under Azure Active Directory > App Registrations > the app registration > Overview. I don't believe it's possible to get this data via Powershell since Powershell requires both Tenant ID and Application ID to query the application information.
See the doc more info - https://learn.microsoft.com/en-us/partner-center/find-ids-and-domain-names
Hope this helps
Thanks
Is there a way in Graph API where advance query able to search group of users based on Email id and User Principal Name.
We are using filter parameter with "in" clause to search users
https://graph.microsoft.com:443/v1.0/users?$count=true&$filter=userPrincipalName in ('abc#xyz.com','pqr#xyz.com','guest#external#xyz.com)
Above URL works charm. But we see Mail instead of userPrincipalName, we are decided to query based on Mail or UserPrincipalName property. Is there any support for graph api to search against Mail and UPN property in single call. I tried with signInNames or otherMails or issuerAssignedId but they are not supported. Any better way for querying both UPN and Mail
• You can use the ‘OR’ in advanced query filter parameter to search for multiple users’ based on ‘UPN’ and ‘mail’ in a single query call as below: -
‘ https://graph.microsoft.com/v1.0/users?$count=true&$filter=mail in ('lobo#def.com') or userPrincipalName in ('abc#xyz.com') ‘
The above query will give the details of the users based on UPN as well as mail attribute and fetch the same data from Azure AD related to the users. It will fetch all the general information that is available in Azure AD.
Please find the below link for more details on using the OR operator: -
https://learn.microsoft.com/en-us/graph/query-parameters#filter-parameter
How can be added custom attribute for user in Azure AD B2B using API?
A found a way for External Identities but I'm looking for custom attributes regardless of user type.
For example, I want to have the attribute "FavoriteColor" for every user (member or guest)
How can I achieve that?
You can use Microsoft Graph API Create extensionProperty.
Specify the targetObjects as "User".
An example (you can use any of your app registrations for {object id of the app registration}):
Post https://graph.microsoft.com/v1.0/applications/{object id of the app registration}/extensionProperties
{"name":"customAttribute","dataType":"string","targetObjects":["User"]}
It will generate an extension property named extension_{client id of the app registration without "-"}_customAttribute.
Then you can update the extension property for the member or guest user:
Patch https://graph.microsoft.com/v1.0/users/{user id}
{"extension_{client id of the Azure AD application without "-"}_customAttribute":"value"}
Use Microsoft Graph Explorer to have a quick test.
Microsoft Graph auth overview and Microsoft Graph SDK for your reference.
I have a Microsoft Teams tab app and I'm using SSO for authentication. My users are both native and guests. My requirement is to show different screens depending on the type of incoming user (native/guest), so I have to identify the user type first. To ensure security, I first obtain the id token for the incoming user and then validate it first before identifying the user type. Is there any reliable way to identify the incoming user type with just the id token? I don't trust the info in tab context.
If you don't want to use Microsoft Graph API, you could add all the guest user into a security Group and include Groups claim in your token as instructed here. You just need to modify the "groupMembershipClaims" field in application manifest:
"groupMembershipClaims": "SecurityGroup"
Then the ID token will contain the Ids of the groups that the use belongs to like below :
{
"groups": ["1ce9c55a-9826-4e32-871c-a8488144bb32"]
}
You can also Add app roles in your application and receive them in the token.
You can use microsoft graph api(beta) get user.
https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}
If the id token contains objectId of the user, just put the objectId as the parameter of this api. In the response, we can find an attribute userType. The value of this attribute could be Member or Guest.
If the id token doesn't contain objectId of the user, just contains email. We can also put it as the parameter in the graph api, but if the email is a guest user, the api will not get response data. So I asked you if it contains objectId in the comments.
By the way, the attribute userType just exists in the beta version of microsoft graph api but not exist in the v1.0 version microsoft graph api. So if you're not comfortable with beta version, I suggest to use Azure AD graph api(get user) instead of Microsoft graph api.
Hope it helps~
Is there a way to get value of "objectIdentifier" claim for Microsoft account?
Case: I have an app with one form field, email (need's to be Microsoft account). When this email is entered, server (back end) need's to find out value of object identifier (user ID) in common tenant for all Microsoft accounts (section "tid").
Normally, if this was normal tenant in Azure Active Directory I would create Azure AD app and generated client secret for accessing Graph API, directory endpoint. Unfortunately, this is "special" tenant and I don't know is there any API I can call (as application) to get id of user (best option would be GetUserIdByEmail(email)).
I understand this is weird case but life is hard :)
Asking user to login and then retrieving value from token is not an option!
There is no API that I'm aware of where you could query for MS personal accounts' info without logging a user in.
If you think about it, it would be quite an easy source of building a user list for attacks :)
You will need to log them in to get their id, I don't think you can know it in advance.