Query API for login activity events - azure-active-directory

Is it possible to query the Microsoft Graph API using an application to collect audit log information for events such as logon/logoff, user creations/deletions, group membership changes, etc.? I have been looking through the Graph API reference and it does not seem straightforward to me.
Or should we be continuing to use the Azure AD Graph API? We are trying to get data from Office 365 AAD and Azure Government AAD. We are already pulling data from the Office 365 Management API, which has an Active Directory feed, but I'm not sure that will include everything we are looking for.

You can use the Azure AD Audit Log API provided by Microsoft Graph to access the audit and sign-in logs to track user sign-in activities. However, this API is currently in beta, so take care with where and how you use it.
In order to work with user accounts, you can use the User APIs, which provide the capability to create, update, and delete users.
For Group management, take a look at Working with groups in Microsoft Graph.
Also, I would suggest looking through the Get access tokens to call Microsoft Graph documentation for acquiring access tokens in order to call Microsoft Graph APIs, and refer to the GitHub repo for various Graph samples.
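As an added illustration of the sign-in log part of the answer above (this is example code written for this page, not code from the answer or from Microsoft's samples), the following pages through the Graph sign-in log and counts failed sign-ins per account and source IP, which is the kind of feed a SIEM rule for repeated failures would consume. It assumes the caller already holds an app-only bearer token carrying the AuditLog.Read.All application permission, uses the documented auditLogs/signIns endpoint and signIn property names, and takes a `transport` hook so it can run offline against the constructed sample pages at the bottom. The answer names the beta endpoint; the same path also ships under v1.0, which is what the constant below uses.

```python
"""Added example, not from the original answer: page through Microsoft Graph
sign-in logs and count failed sign-ins per (account, source IP).

Assumptions: the caller already holds an app-only bearer token granted the
AuditLog.Read.All application permission; endpoint and property names are
those of the Graph signIn resource (auditLogs/signIns, createdDateTime,
userPrincipalName, ipAddress, status.errorCode).  The `transport` parameter
is a hook so the code can run offline against the constructed pages below.
"""
import json
import urllib.request
from collections import Counter
from typing import Callable, Iterator, List, Tuple
from urllib.parse import quote, urlencode

GRAPH = "https://graph.microsoft.com/v1.0"   # answer names beta; signIns also exists in v1.0
Transport = Callable[[str, str], dict]


def http_get_json(url: str, token: str) -> dict:
    """Real transport: one authenticated GET, JSON body returned as a dict."""
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {token}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def signins_url(since_iso: str, page_size: int = 50) -> str:
    """Server-side $filter on createdDateTime; $top bounds the page size."""
    params = {"$filter": f"createdDateTime ge {since_iso}", "$top": page_size}
    return f"{GRAPH}/auditLogs/signIns?" + urlencode(params, quote_via=quote)


def iter_graph(url: str, token: str, transport: Transport = http_get_json) -> Iterator[dict]:
    """Follow @odata.nextLink until the collection is exhausted.  Graph hands
    back partial pages; reading only the first page silently truncates the log."""
    while url:
        page = transport(url, token)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")


def failed_signins_since(since_iso: str, token: str,
                         transport: Transport = http_get_json) -> Counter:
    """Count events whose status.errorCode is non-zero, keyed by (UPN, IP)."""
    hits: Counter = Counter()
    for ev in iter_graph(signins_url(since_iso), token, transport):
        if ev.get("status", {}).get("errorCode", 0) != 0:
            hits[(ev.get("userPrincipalName"), ev.get("ipAddress"))] += 1
    return hits


def flag_bursts(hits: Counter, threshold: int = 3) -> List[Tuple[str, str]]:
    """Pairs at or above the threshold, most frequent first: a cheap indicator
    of repeated bad credentials against one account from one source."""
    return [pair for pair, n in hits.most_common() if n >= threshold]


# --- constructed sample pages (offline demo; not real tenant data) ----------
def _ev(when, upn, ip, code):
    # 50126 = invalid credentials, 50053 = account locked (documented AADSTS codes)
    return {"createdDateTime": when, "userPrincipalName": upn, "ipAddress": ip,
            "appDisplayName": "Office 365 Exchange Online", "status": {"errorCode": code}}


SINCE = "2024-01-01T00:00:00Z"
PAGE2 = f"{GRAPH}/auditLogs/signIns?$skiptoken=constructed-page-2"
SAMPLE_PAGES = {
    signins_url(SINCE): {
        "value": [_ev("2024-01-01T01:00:00Z", "alice@contoso.example", "203.0.113.10", 0),
                  _ev("2024-01-01T01:05:00Z", "bob@contoso.example", "198.51.100.7", 50126)],
        "@odata.nextLink": PAGE2},
    PAGE2: {
        "value": [_ev("2024-01-01T01:05:30Z", "bob@contoso.example", "198.51.100.7", 50126),
                  _ev("2024-01-01T01:06:00Z", "bob@contoso.example", "198.51.100.7", 50126),
                  _ev("2024-01-01T02:00:00Z", "carol@contoso.example", "192.0.2.44", 50053)]},
}


def sample_transport(url: str, token: str) -> dict:
    """Offline stand-in for http_get_json keyed on the exact request URL."""
    return SAMPLE_PAGES[url]


if __name__ == "__main__":
    counts = failed_signins_since(SINCE, "dummy-token", transport=sample_transport)
    for pair in flag_bursts(counts):
        print("repeated failures:", pair, counts[pair])
```

Swap `sample_transport` for the default `http_get_json` and a real token to run it against a tenant; the only thing that changes is the transport, the paging and counting logic stay the same.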

Related

Possible to use Data Factory to extract all Azure Active Directory users?

Microsoft has the tutorial showing how to use Data Factory to extract Office 365 data, but that seems to only extract Outlook email information?
Is there a way to use Data Factory (and a tutorial, hopefully) to connect to Azure AD and extract all the Active Directory users? Microsoft Graph API has the commands to do that, but I wasn't clear if that was the only way or if Data Factory can connect to it directly (like the O365 connector it has).
Microsoft has the tutorial showing how to use Data Factory to extract Office 365 data, but that seems to only extract Outlook email information?
According to the Microsoft documentation, it is not only email information; there is much other information such as address book contacts, calendar events, user information, mailbox settings, and so on.
So you can get user information which contains aboutMe, companyName, etc. when you choose BasicDataSet_v0.User_v1 in the dataset. (For all the properties you can get, please refer to this documentation.)
By the way, your tenant admin needs to opt in to Microsoft Graph data connect if you do this. And there is no AAD connector.
Hope this can help you.
I used Azure Logic Apps and went through Azure AD group (get members), then used the Office 365 Connector to Get Manager; there is also another option, get direct reports. If you are using Logic Apps, please make sure to turn pagination on so you get all users.
This is where I started, but once I got going I was able to figure it out myself:
https://eax360.com/query-azure-active-directory-using-graph-api-logic-apps/

If I have multiple Office 365 subscriptions in my Azure AD, for which subscription Microsoft Graph API will return results for

In our Azure Active Directory, we have 3 different Office 365 subscriptions, each with some 20-odd users. And my license is part of one of those subscriptions. I've created an application under "App registrations" and given it Microsoft Graph API permissions. When I call any Graph API, it returns only the data for the subscription that I am part of. How does the API determine this, since there is no email account related info in the API requests? I would assume an app in the Azure AD can access all the subscriptions in the same tenant. Is there a way to fetch data across all the Office 365 subscriptions?
As per your response on what you meant by subscription, you should have no issue accessing user data through regular Graph calls; for example, if you call the https://graph.microsoft.com/v1.0/users endpoint you should see all 60-ish users.
Make sure your app API permissions are correct. It sounds like under API permissions of your application registration, you may have given it delegated permissions instead of application permissions. If you are using delegated permissions, then you have to make sure that your user has the correct role assignment in Azure AD. Otherwise, just switch to application permissions.
If you have them set correctly, then as Allen Wu stated, please specify an example Graph endpoint you are trying to get information from and maybe a screenshot of the API permissions page of your app registration.

Need to update contacts on user's Microsoft Outlook, do they really need to have an Active Directory?

Every documentation or tutorial I follow on how to programmatically access Outlook's API seems to point to the same pattern:
Application redirects user to Azure so he can authorize (OAuth) the app access to his account's data.
Every time Azure Active Directory is mentioned as a cloud-based credential/access manager.
I'm having a hard time understanding why exactly AD is even needed. And even if it is, does that mean that should a company desire to integrate an application with the employees' calendars, for example, they would need to have an AD just for authentication purposes? Does this make sense if I want to publish an application on Azure for any kind of customer?
Every Office 365 customer has an Azure AD for authentication. If you want to get at users' contacts in O365, you have to authenticate using Azure AD.
If you want to get at contacts in Outlook.com, Microsoft provides the same authentication flow for Microsoft Accounts (MSA) that Outlook.com uses.
This means you can use the same authentication flow and call the Microsoft Graph to get contacts no matter if they are an Office 365 user or an Outlook.com user. Your app does the same auth flow and makes the same calls.

How can I sync users' calendars using MS Graph API and Azure

I'm building a service where each user has a calendar. I want to sync users' 365 calendar events into their calendar; the tricky part seems to be that this should be done repeatedly by a background job on the server, to keep them in sync.
I feel like I've read a bible of documentation from Microsoft, but still gotten nowhere. I eventually stumbled upon this article, https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds, which allows a server to query the Graph API on behalf of users. This is exactly what I want.
Having created an Azure account and Active Directory service, I found that only users within the tenant can use this, which makes it rather useless, requiring users to be added manually from the Azure panel.
AADSTS50020: User account 'm#****.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'c0193dea-5145-430a-9c90-325f1229a1fc' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
So I'm back at square one, how can I achieve what I described?
I'm not looking for a code implementation, merely a description of how to navigate the monstrosity of Microsoft.
Thank you
Update: According to Marc's link, I tried to flick the multi-tenant option and change the endpoint to use common instead of the tenant ID. Sadly, I'm still getting the same error.
You cannot sign in to AAD with a non-AAD account using the v1 Endpoint. If you want to use a consumer Microsoft Account (#outlook.com, #hotmail.com, #live.com) then you need to use the Converged Auth model provided by the v2 Endpoint.
I have a walkthrough for the v2 Endpoint that you might find helpful: Microsoft v2 Endpoint Primer. It is similar to the v1 Endpoint but you'll need to register via https://apps.dev.microsoft.com rather than the Azure Portal. Also, v2 apps use Scopes instead of Resources and are multi-tenant out of the box.
This is too broad a question for Stack Overflow. That said, you're incorrect about Azure AD. It is absolutely not limited to a single tenant. You do, however, need to register it as a multi-tenant application:
How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern
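Two threads above hinge on the same distinction: the earlier one where an app saw only part of the directory because the registration had delegated rather than application permissions, and this one where a background job needs to call Graph with the client-credentials grant linked in the question. The following is example code added for this page (not from any of the answers, nor from Microsoft's samples): it builds the v2.0 client-credentials token request exactly as that protocol page describes, and then decodes a token's claims to tell an app-only token (a `roles` claim) from a delegated one (an `scp` claim). TENANT_ID, CLIENT_ID and CLIENT_SECRET are placeholders; the token at the bottom is constructed for the offline demo, is unsigned, and Graph would reject it. Decoding a token client-side is purely a diagnostic for a permissions mix-up; the resource (Graph) is what verifies the signature.

```python
"""Added example, not from the original answers: build the v2.0 client-credentials
token request a background job uses, and inspect the returned access token to
tell application permissions (`roles` claim) from delegated ones (`scp` claim).

Assumptions: the v2.0 token endpoint and the `.default` scope are as documented
on the client-credentials protocol page linked in the question; TENANT_ID,
CLIENT_ID and CLIENT_SECRET are placeholders.  The sample token built by
make_demo_token is constructed for the offline demo and carries no real
signature.  Azure Government tenants use a different authority and Graph host;
the constants here are the commercial cloud ones.
"""
import base64
import json
import urllib.request
from typing import Tuple
from urllib.parse import urlencode

AUTHORITY = "https://login.microsoftonline.com"
GRAPH_DEFAULT_SCOPE = "https://graph.microsoft.com/.default"


def client_credentials_request(tenant: str, client_id: str, client_secret: str) -> Tuple[str, bytes]:
    """Return (url, form-encoded body) for the client-credentials grant.
    There is no signed-in user in this grant, so the authority must name the
    tenant (GUID or verified domain); the /common and /consumers authorities
    used for interactive user sign-in do not apply here."""
    if tenant in ("common", "consumers"):
        raise ValueError("client credentials needs a tenant ID or domain, not /" + tenant)
    url = f"{AUTHORITY}/{tenant}/oauth2/v2.0/token"
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_DEFAULT_SCOPE,          # every application permission consented on the registration
        "grant_type": "client_credentials",
    }).encode()
    return url, body


def fetch_token(tenant: str, client_id: str, client_secret: str) -> dict:
    """Real call; returns the JSON containing access_token and expires_in."""
    url, body = client_credentials_request(tenant, client_id, client_secret)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def token_claims(jwt: str) -> dict:
    """Payload of a JWT without verifying it (diagnostic use only; Graph verifies)."""
    _header, payload, _signature = jwt.split(".")
    return json.loads(_b64url_decode(payload))


def permission_model(claims: dict) -> str:
    """Graph authorises app-only calls from `roles` and delegated calls from
    `scp`.  A token with neither means consent was never granted: listing a
    permission on the registration does not by itself put it in the token."""
    if claims.get("roles"):
        return "application"
    if claims.get("scp"):
        return "delegated"
    return "none"


# --- constructed sample (offline demo) --------------------------------------
def make_demo_token(claims: dict) -> str:
    """JWT-shaped string with a dummy signature segment; for the decoder demo only."""
    def enc(obj) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT'})}.{enc(claims)}.constructed-signature"


if __name__ == "__main__":
    url, body = client_credentials_request("TENANT_ID_PLACEHOLDER", "CLIENT_ID", "CLIENT_SECRET")
    print(url, body.decode())
    app_only = make_demo_token({"aud": "https://graph.microsoft.com", "roles": ["AuditLog.Read.All"]})
    delegated = make_demo_token({"aud": "https://graph.microsoft.com", "scp": "User.Read Mail.Read"})
    print(permission_model(token_claims(app_only)), permission_model(token_claims(delegated)))
```

If a real token from `fetch_token` decodes to `none`, the fix is on the registration side (grant admin consent for the application permissions), not in the code; if it decodes to `delegated`, the app is running as a user and will only see what that user's role allows, which is the symptom described in the earlier thread.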

Replicate data from Azure-Active-Directory to sql database

Maybe I can find the solution deep inside the developer documentation found here, but not on the surface, so I hope someone can answer the following question.
We replicate data from on-premises Active Directory to our database to store users, groups and units, and to configure feature and role permissions for our applications. As we can't (at least not starting from scratch) authorize all features by calling the Azure Active Directory API, I'd like to know if it is possible to replicate the needed objects from Azure AD like I can do from AD.
If yes, and if someone has a link to any reference, you will make my day while I continue to seek this information.
Thanks.
Yes, we are able to replicate the data from Azure AD through the Azure AD Graph REST API. However, Azure AD is different from on-premises Active Directory. For example, there are no organizational units.
You can check the exposed objects in Azure Active Directory via the link below:
Entity and complex type reference | Graph API reference
And to get started with the Azure AD Graph REST API, you can refer to Azure Active Directory Graph API. Also, since Microsoft is working on Microsoft Graph, if there is no such object in the Azure AD Graph REST API, you may also check the Microsoft Graph REST API.
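As an added example of the replication the answer describes (written for this page; not the answer's own code and not a Microsoft sample), the following keeps a local SQL table of users in step with the directory using the Microsoft Graph delta query, which the answer points to as the successor of Azure AD Graph. `/users/delta` returns the whole set on the first call and ends with a deltaLink; calling that link later returns only objects that changed, with deleted ones carrying an `@removed` marker, so a scheduled job can apply deletions as well as updates without re-reading the directory. It assumes an app-only token with User.Read.All, stores the state in SQLite, and takes a `transport` hook so it runs offline against the constructed pages below; groups sync the same way via `/groups/delta` (not shown).

```python
"""Added example, not from the original answer: keep a local SQL copy of Azure
AD users in sync using the Microsoft Graph delta query.

Assumptions: the caller holds an app-only token with User.Read.All; endpoint
and markers (/users/delta, @odata.nextLink, @odata.deltaLink, @removed) are
those documented for Graph delta queries.  The `transport` hook lets the code
run offline against the constructed pages at the bottom.
"""
import json
import sqlite3
import urllib.request
from typing import Callable, Tuple
from urllib.parse import quote, urlencode

GRAPH = "https://graph.microsoft.com/v1.0"
SELECT = "id,displayName,userPrincipalName,accountEnabled"
Transport = Callable[[str, str], dict]


def http_get_json(url: str, token: str) -> dict:
    """Real transport: one authenticated GET against Microsoft Graph."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def initial_delta_url() -> str:
    """First-round URL; later rounds use the deltaLink Graph handed back."""
    return f"{GRAPH}/users/delta?" + urlencode({"$select": SELECT}, quote_via=quote)


def init_db(conn: sqlite3.Connection) -> None:
    conn.executescript("""
        CREATE TABLE IF NOT EXISTS users (
            id TEXT PRIMARY KEY, upn TEXT, display_name TEXT, account_enabled INTEGER);
        CREATE TABLE IF NOT EXISTS sync_state (resource TEXT PRIMARY KEY, delta_link TEXT);
    """)


def sync_users(conn: sqlite3.Connection, token: str,
               transport: Transport = http_get_json) -> Tuple[int, int]:
    """Apply one delta round; returns (upserted, removed).  Rows and the new
    deltaLink are committed together, so a failure mid-round persists neither
    and the next run simply replays the same round."""
    row = conn.execute("SELECT delta_link FROM sync_state WHERE resource='users'").fetchone()
    url = row[0] if row else initial_delta_url()
    upserted = removed = 0
    while url:
        page = transport(url, token)
        for obj in page.get("value", []):
            if "@removed" in obj:                      # deleted, or moved out of the query's scope
                conn.execute("DELETE FROM users WHERE id=?", (obj["id"],))
                removed += 1
            else:
                conn.execute("INSERT OR REPLACE INTO users VALUES (?,?,?,?)",
                             (obj["id"], obj.get("userPrincipalName"), obj.get("displayName"),
                              int(bool(obj.get("accountEnabled")))))
                upserted += 1
        if "@odata.deltaLink" in page:                 # last page of the round: remember the cursor
            conn.execute("INSERT OR REPLACE INTO sync_state VALUES ('users', ?)",
                         (page["@odata.deltaLink"],))
            url = None
        else:
            url = page.get("@odata.nextLink")
    conn.commit()
    return upserted, removed


# --- constructed sample pages (offline demo; not real tenant data) ----------
def _u(uid, name, upn, enabled=True):
    return {"id": uid, "displayName": name, "userPrincipalName": upn, "accountEnabled": enabled}


P2 = f"{GRAPH}/users/delta?$skiptoken=constructed-2"
D1 = f"{GRAPH}/users/delta?$deltatoken=constructed-round-1"
D2 = f"{GRAPH}/users/delta?$deltatoken=constructed-round-2"
SAMPLE_PAGES = {
    initial_delta_url(): {"value": [_u("u1", "Alice", "alice@contoso.example"),
                                    _u("u2", "Bob", "bob@contoso.example")],
                          "@odata.nextLink": P2},
    P2: {"value": [_u("u3", "Carol", "carol@contoso.example", enabled=False)],
         "@odata.deltaLink": D1},
    # second round, some time later: Alice renamed, Bob deleted
    D1: {"value": [_u("u1", "Alice Smith", "alice@contoso.example"),
                   {"id": "u2", "@removed": {"reason": "deleted"}}],
         "@odata.deltaLink": D2},
}


def sample_transport(url: str, token: str) -> dict:
    return SAMPLE_PAGES[url]


def demo() -> tuple:
    """Two sync rounds against the constructed pages; returns counts and final rows."""
    conn = sqlite3.connect(":memory:")
    init_db(conn)
    first = sync_users(conn, "dummy", sample_transport)    # (3, 0): full load
    second = sync_users(conn, "dummy", sample_transport)   # (1, 1): one update, one deletion
    rows = conn.execute("SELECT id, display_name, account_enabled FROM users ORDER BY id").fetchall()
    return first, second, rows


if __name__ == "__main__":
    print(demo())
```

The deltaLink is the only state the job has to keep; losing it just costs a full reload on the next run. Because the local table is the thing your application authorises against, the removal branch matters as much as the upsert: a deleted or disabled directory account that lingers locally keeps whatever permissions it had.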
