Microsoft Graph - Can't get users Windows AD groups - azure-active-directory

When I use:
string graphRequest = $"{graphResourceUri}/me/memberOf?api-version=1.6";
I get an empty array because my logged in user isn't a member of any Azure Groups (I'm assuming).
What I want is to get the list of Windows Domain Active Directory groups this user is a member of. Is there no way to retrieve this? I don't care about Azure groups.

I found out that it was because we didn't sync any groups between our Active Directory and Azure, we only synced users. After syncing the necessary AD group now it shows up when I query the user's group member within Azure.

Related

How to query Azure Active Directory as an end user

I can connect to our legacy company DOMAIN and query Active Directory. This has been my way to get the membership of groups.
We've added Office 365 and I cannot find the new groups added via Office 365 Groups (ie, Teams, etc) in Active Directory.
Is this a thing I should be able to do as an end user? And it so, how?
My preference (and what I've been using) is to Query via Power Query
(IE Excel->Data->Get&Transform->Get Data->From Other Sources->From Active Directory)
• As an end user, you have the default permission to view the groups and their members in an Azure AD tenant, so you can use the Microsoft Graph Explorer to view the groups and their related details in that console.
• Here is the link to access the Microsoft Graph Explorer - https://developer.microsoft.com/en-us/graph/graph-explorer. You will have to log in with your credentials and enter the below query with the method set to GET to get the list of all groups available in your tenant.
GET https://graph.microsoft.com/v1.0/groups – Please find the below screenshot for more details.
• Please find the below links for more information: -
https://learn.microsoft.com/en-us/graph/api/group-list?view=graph-rest-1.0&tabs=http
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/users-default-permissions

List users for a different Active Directory using Microsoft Graph

I am using the Microsoft Graph Explorer to query the list of users. The account I am using for this query is an admin account that is a member of multiple directories.
How can I control which directory to query using the Microsoft Graph API?
First, sign out of the Graph Explorer if you are already logged in, then hit https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=xxxxx (xxxxx is the tenant id) or https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=tenantname.onmicrosoft.com, log in with the account again, and then you can list the users in the tenant you specify.

onPremisesDomainName for AAD group object?

Do AAD Group objects have onPremisesDomainName property, similar to that in User objects. I did not find it in the doc
Just wondering why there isn't a parity with User objects.
The onPremisesDomainName contains the on-premises domainFQDN, also called dnsDomainName, synchronized from the on-premises directory. The property is only populated for customers who are synchronizing their on-premises directory to Azure Active Directory via Azure AD Connect.
The domainFQDN and DnsDomainName have been added for Group objects as of version 1.1.553.0. https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-version-history
There are a number of similar threads worth checking out.
Find Domain Name in Active Directory
Get domain\username from microsoft graph

Origin of user SID for Azure AD Joined device

On a Windows 10 Azure AD Joined device the local Administrators group includes:
AzureAD\Admin (S-1-12-1-38678509…)
S-1-12-1-3346315821-114…
S-1-12-1-445845933-119…
Note that in this example the device was joined to Azure AD via Settings after already being set up with a local admin account.
That list would include the Azure AD user that performed the join and I assume the Azure AD global administrator role and Azure AD device administrator role. (based on info here https://learn.microsoft.com/en-us/azure/active-directory/devices/assign-local-admin)
It seems that the SIDs are being generated by Azure AD and are pushed (along with other bits of info) to the client in an ID token (based on info here https://jairocadena.com/2016/02/01/azure-ad-join-what-happens-behind-the-scenes/comment-page-1/#comment-3506)
However I can't find any tools that show a SID associated with an Azure AD entity. Does Azure AD in fact generate these SIDs and if so, is there any way to expose them to verify which SIDs match an entity?
I found an answer to this old question, and I think there are still people who can benefit from the answer. Before getting to the truth I tried to convert those SIDs to AAD usernames, only to discover there are no SIDs for AAD-only (cloud-only) users.
https://www.petervanderwoude.nl/post/managing-local-administrators-via-windows-10-mdm/
Every Azure AD joined device contains two SIDs (one representing the Global administrator role and one representing the Device administrator role) that are by default part of the local administrators.
AAD Joined device Administrator group
The SID of the Azure AD user is S-1-12-1- followed by the unsigned integer representation (4 parts) of the Azure AD Object ID.
https://kb.policypak.com/kb/article/862-how-do-i-get-azure-ad-sids-and-use-them-with-item-level-targeting/
If you want to get the user SID on the device, you could run the below command:
wmic useraccount get name,sid
It will return the local user list:
To get the SID for the current logged in domain user, you could run the command:
whoami /user
The return looks like this:
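The answer above states the encoding (S-1-12-1- followed by the four unsigned 32-bit words of the object ID) but gives no way to check it. The following script is an added example, not code from the thread or from the linked articles: it converts an Azure AD object ID to its device SID and back, and sorts a local Administrators membership list into Azure AD principals (with the object ID to look up in Graph) and everything else. The only assumption is that the four sub-authorities are the little-endian 32-bit words of the GUID in .NET byte order (Guid.ToByteArray), which Python exposes as UUID.bytes_le; the object ID and machine SIDs in the sample are constructed, not real tenant values.

```python
"""Map Azure AD object IDs to the S-1-12-1-... SIDs shown on an Azure AD joined
device, and back. Added example; assumes the SID sub-authorities are the four
little-endian 32-bit words of the GUID in .NET byte order (UUID.bytes_le)."""
import re
import struct
import uuid

AAD_SID_PREFIX = "S-1-12-1-"
_AAD_SID_RE = re.compile(r"^S-1-12-1-(\d+)-(\d+)-(\d+)-(\d+)$")


def guid_to_sid(object_id: str) -> str:
    """Return the Windows SID for an Azure AD object ID (user, group or role)."""
    words = struct.unpack("<IIII", uuid.UUID(object_id).bytes_le)
    return AAD_SID_PREFIX + "-".join(str(w) for w in words)


def sid_to_guid(sid: str) -> str:
    """Inverse of guid_to_sid. Raises ValueError for SIDs Azure AD did not issue."""
    m = _AAD_SID_RE.match(sid.strip())
    if not m:
        raise ValueError(f"not an Azure AD issued SID: {sid!r}")
    words = [int(g) for g in m.groups()]
    if any(w > 0xFFFFFFFF for w in words):
        raise ValueError(f"sub-authority out of 32-bit range: {sid!r}")
    return str(uuid.UUID(bytes_le=struct.pack("<IIII", *words)))


def classify_local_admins(sids):
    """Split a local Administrators membership list into Azure AD principals
    (mapped to the object ID to query in Graph) and local/domain SIDs."""
    cloud, other = {}, []
    for sid in sids:
        try:
            cloud[sid] = sid_to_guid(sid)
        except ValueError:
            other.append(sid)
    return cloud, other


if __name__ == "__main__":
    # Constructed sample: a made-up Azure AD object ID, the built-in Administrator
    # (RID 500) of a made-up machine SID, and a made-up domain group SID.
    sample_object_id = "12345678-9abc-def0-1234-56789abcdef0"
    admins = [
        guid_to_sid(sample_object_id),
        "S-1-5-21-1004336348-1177238915-682003330-500",
        "S-1-5-21-1004336348-1177238915-682003330-512",
    ]
    cloud, other = classify_local_admins(admins)
    for sid, oid in cloud.items():
        print(f"{sid}  ->  Azure AD object {oid}")
    for sid in other:
        print(f"{sid}  ->  not issued by Azure AD")
```

Feed classify_local_admins the SIDs from `net localgroup Administrators`, `wmic useraccount get name,sid` or `whoami /user`; each object ID it returns can then be resolved with GET https://graph.microsoft.com/v1.0/directoryObjects/{id} to see whether it is a user, a group or a directory role.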

Azure AD Differential query - Detect change in Directory role assignment for a user

I am using differential query (AzureAD graph API) to detect changes in Azure AD from the last sync. I am getting all users, group memberships, manager changes. Only missing information is Directory Role assignment (e.g Billing administrator, SharePoint administrator etc).
How can I detect a change in roles of any user?
API - https://graph.windows.net/{org}/directoryObjects?api-version=1.5&deltaLink=xxxxxttttxxxxxxxx
First, if you have enabled those Directory Roles, you can use AAD Graph API operations on directory roles to list members of those roles.
GET https://graph.windows.net/myorganization/directoryRoles/{object_id}/$links/members?api-version=1.6
But this API will also list service principals that have been assigned the role.
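Since the answer points at listing role members rather than at a delta feed, the change detection itself has to be done by comparing two pulls. The script below is an added example, not code from the thread: it parses the member links of each role, keeps only users (dropping the service principals the same call returns, as noted above) and reports who was added to or removed from each role between two snapshots. The snapshots are constructed to mimic the shape of a $links/members response (a "value" array whose "url" entries end in .../directoryObjects/<objectId>/Microsoft.DirectoryServices.<Type>); the role names and object IDs are made up.

```python
"""Diff two pulls of
GET https://graph.windows.net/myorganization/directoryRoles/{object_id}/$links/members?api-version=1.6
to detect directory-role assignment changes for users. Added example; the response
shape is assumed from the $links format and the sample data is constructed."""
import re

_LINK_RE = re.compile(
    r"/directoryObjects/([0-9a-fA-F-]{36})/Microsoft\.DirectoryServices\.(\w+)$"
)


def members_of_type(links_response: dict, object_type: str = "User") -> set:
    """Extract object IDs of one type (User, Group, ServicePrincipal) from a
    $links/members response; other types are ignored."""
    ids = set()
    for link in links_response.get("value", []):
        m = _LINK_RE.search(link.get("url", ""))
        if m and m.group(2) == object_type:
            ids.add(m.group(1).lower())
    return ids


def diff_role_members(previous: dict, current: dict, object_type: str = "User"):
    """Compare two {role_name: $links response} snapshots.
    Returns {role_name: (added_ids, removed_ids)} for roles whose members changed."""
    changes = {}
    for role in set(previous) | set(current):
        before = members_of_type(previous.get(role, {}), object_type)
        after = members_of_type(current.get(role, {}), object_type)
        added, removed = after - before, before - after
        if added or removed:
            changes[role] = (added, removed)
    return changes


# Constructed sample snapshots (not real tenant data).
BASE = "https://graph.windows.net/myorganization/directoryObjects/"
USER_A = "11111111-1111-1111-1111-111111111111"
USER_B = "22222222-2222-2222-2222-222222222222"
USER_C = "33333333-3333-3333-3333-333333333333"
SP_X = "aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa"

SNAPSHOT_T0 = {
    "Billing Administrator": {"value": [
        {"url": BASE + USER_A + "/Microsoft.DirectoryServices.User"},
        {"url": BASE + SP_X + "/Microsoft.DirectoryServices.ServicePrincipal"},
    ]},
    "SharePoint Administrator": {"value": [
        {"url": BASE + USER_B + "/Microsoft.DirectoryServices.User"},
    ]},
}
SNAPSHOT_T1 = {
    # USER_A removed, USER_C added; the service principal is still there but ignored.
    "Billing Administrator": {"value": [
        {"url": BASE + SP_X + "/Microsoft.DirectoryServices.ServicePrincipal"},
        {"url": BASE + USER_C + "/Microsoft.DirectoryServices.User"},
    ]},
    "SharePoint Administrator": {"value": [
        {"url": BASE + USER_B + "/Microsoft.DirectoryServices.User"},
    ]},
}

if __name__ == "__main__":
    for role, (added, removed) in diff_role_members(SNAPSHOT_T0, SNAPSHOT_T1).items():
        print(f"{role}: added {sorted(added)} removed {sorted(removed)}")
```

In a real sync, fetch each role's members at every run, persist the snapshot, and call diff_role_members against the previous one; pass object_type="ServicePrincipal" to track application role assignments separately instead of mixing them with users.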
