Get users with respect to a specific Azure directory in Graph Explorer

I have two directories in a single login of Azure.
When I hit the Graph Explorer API to get the users, it automatically goes to the default AD.
https://graph.microsoft.com/v1.0/users
I want to switch the directory and then get the users.
I just found this documentation where an app needs to be registered and you provide the directory name as the tenant.
Please help.

The document you found is for the registered app to communicate with Azure AD. It's not for Graph Explorer.
As far as I know, it's not possible to switch directory in Graph Explorer. I tested both Microsoft Graph and Azure AD Graph. I can only get users from the Default Directory.
My suggestion is that you log in to Graph Explorer with another account which has another default directory.
You can also give feedback on Microsoft Graph in this UserVoice forum.
Hope this helps!

This information came from: https://stackoverflow.com/questions/60931681/how-to-query-another-azure-active-directory-tenant-from-graph-explorer
Today that's possible if you pass the tenant query string parameter like this:
https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=mydomainname.onmicrosoft.com
Note that you need to log out before going to this URL with the tenant query string. It'll ask you to log in again. After login you can issue queries against the other tenant you have access to (not your home tenant, where your account was originally created).
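As an added example (not code from the question or the answers above), the following Python builds the Graph Explorer URL with the `tenant` query string the answer describes and then shows the check a practitioner would do afterwards: read the `tid` (tenant id) and `iss` claims out of the access token to confirm the session really is bound to the intended directory rather than the home tenant. The token in the sample is a constructed, unsigned stand-in; the tenant id in it is made up.

```python
"""Confirm which directory a Microsoft Graph session is bound to.

Added example, not from the original post. It builds the Graph Explorer URL
with the tenant query string and reads the tenant-identifying claims out of
an access token. The token used below is constructed and unsigned; real
tokens are signed, and the claims read here are for inspection only.
"""
import base64
import json
from urllib.parse import urlencode

GRAPH_EXPLORER = "https://developer.microsoft.com/en-us/graph/graph-explorer"


def graph_explorer_url(tenant: str) -> str:
    """Return the Graph Explorer URL that signs in against a specific tenant."""
    return f"{GRAPH_EXPLORER}?{urlencode({'tenant': tenant})}"


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def token_tenant(token: str) -> dict:
    """Return the tenant-identifying claims of a JWT *without* verifying it.

    Use this only to answer "which directory did I get a token for?";
    never make an authorisation decision on unverified claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected three dot-separated parts)")
    claims = json.loads(_b64url_decode(parts[1]))
    return {"tid": claims.get("tid"), "iss": claims.get("iss"), "aud": claims.get("aud")}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sample_token(tid: str) -> str:
    """Build a constructed, unsigned token for the demo (the signature is a placeholder)."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({
        "aud": "https://graph.microsoft.com",
        "iss": f"https://sts.windows.net/{tid}/",
        "tid": tid,
    }).encode())
    return f"{header}.{payload}.placeholder-signature"


if __name__ == "__main__":
    # Constructed tenant id, not a real directory.
    sample_tid = "00000000-1111-2222-3333-444444444444"
    print(graph_explorer_url("mydomainname.onmicrosoft.com"))
    print(token_tenant(make_sample_token(sample_tid)))
```

If the `tid` printed after signing in through the tenant-specific URL is still your home tenant's id, the sign-in did not switch directories and the earlier session needs to be logged out first, as the answer notes.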

Related

Is it possible to call Ms Graph API from an Azure AD B2C app using local accounts?

I have created an App under Azure B2C tenant.
The app is using a custom sign-in/sign-up policy to log in to local users.
However, my app has an admin view, where I would want the logged-in users to be able to create accounts for whoever needs access within the app. I have seen that this is possible using the Azure Ms Graph API.
However, I keep getting an InvalidAuthenticationToken Error, when I try to call Ms Graph API.
error:
code: "InvalidAuthenticationToken"
innerError: {date: "2021-08-11T14:25:09", request-id: "8a49ae82-a669-4bb4-af6e-b698e095dadc", client-request-id: "8a49ae82-a669-4bb4-af6e-b698e095dadc"}
message: "Invalid x5t claim."
I couldn't find any solution online. Is this even possible? And if there's a way around it, how can I do it?
Thank you!
It would help if you went into more detail on your use case.
You have a B2C local account and you want to create users in AAD or in B2C?
If in B2C, yes you can do this as per this article.
If in AAD, see here.
Make sure that your application has the correct permissions.

Graph API azure directory authorization error

I have a graph API app and want it to be accessible to every user for authorizing.
The app is made to be a multi-tenant application that should be available to everyone (see screenshot).
When a user who is not added to the Azure Active Directory tries to grant permissions to the app, they get this error saying "the user is not added to the azure active directory, and the user needs to be added as a tenant to the app".
I am using this link for oauth access https://login.microsoftonline.com/DIRECTORY_ID/oauth2/v2.0/authorize?client_id=CLIENT_ID2&response_type=code&redirect_uri=http://localhost:3000/auth/callback&response_mode=query&scope=offline_access Channel.Create Channel.ReadBasic.All ChannelMessage.Send Team.ReadBasic.All Group.ReadWrite.All&state=12345
error message from graph app
You are using a tenant-specific endpoint, which will not support personal accounts. You need to use the common endpoint (login.microsoftonline.com/common/oauth2/v2.0/).
Based on the URL you have shared, you can use the example syntax below:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=CLIENT_ID2&response_type=code&redirect_uri=http://localhost:3000/auth/callback&response_mode=query&scope=offline_access
Also, please refer to a similar question here.
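The authorize URL in the question has two weaknesses besides the tenant-specific authority the answer points out: the space-separated scope list is not percent-encoded, and `state=12345` is a fixed value, so the callback cannot tell a genuine redirect from one an attacker induced (login-CSRF). The Python below is an added example, not code from the question, the answer or Microsoft, and `CLIENT_ID` plus the `localhost:3000` redirect URI are placeholders taken from the question. It builds the URL against `common` (or `organizations`, `consumers`, or a tenant id, all documented authority segments of the v2.0 endpoint), encodes the scopes, generates a random `state`, and validates the callback.

```python
"""Build and validate a Microsoft identity platform (v2.0) authorization request.

Added example; not from the original question or answer. Shows the common vs
tenant-specific authority, percent-encoded scopes, and an unguessable state
value checked on the callback. CLIENT_ID and the redirect URI are placeholders.
"""
import secrets
from urllib.parse import parse_qs, quote, urlencode, urlparse

AUTHORITY_HOST = "https://login.microsoftonline.com"

# Who may sign in, by authority segment (documented values of the v2.0 endpoint).
AUTHORITIES = {
    "common": "work/school accounts in any tenant plus personal Microsoft accounts",
    "organizations": "work/school accounts in any tenant only",
    "consumers": "personal Microsoft accounts only",
}


def authority(tenant: str) -> str:
    """Return the v2.0 authority for common/organizations/consumers or a tenant id/domain."""
    return f"{AUTHORITY_HOST}/{tenant}/oauth2/v2.0"


def new_state() -> str:
    """Return a random, single-use state value; store it server-side, bound to the session."""
    return secrets.token_urlsafe(32)


def build_authorize_url(tenant: str, client_id: str, redirect_uri: str,
                        scopes: list[str], state: str) -> str:
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "response_mode": "query",
        "scope": " ".join(scopes),   # space-delimited; encoded as %20 below
        "state": state,
    }
    return f"{authority(tenant)}/authorize?{urlencode(params, quote_via=quote)}"


def check_callback(callback_url: str, expected_state: str) -> str:
    """Validate the redirect back from the authority and return the authorization code."""
    query = parse_qs(urlparse(callback_url).query)
    if "error" in query:
        description = query.get("error_description", [""])[0]
        raise RuntimeError(f"{query['error'][0]}: {description}")
    returned_state = query.get("state", [""])[0]
    # Constant-time compare; a mismatch means the response was not started by this session.
    if not secrets.compare_digest(returned_state, expected_state):
        raise ValueError("state mismatch: possible login-CSRF, discard this response")
    return query["code"][0]


if __name__ == "__main__":
    state = new_state()
    url = build_authorize_url("common", "CLIENT_ID", "http://localhost:3000/auth/callback",
                              ["offline_access", "Channel.Create", "Team.ReadBasic.All"], state)
    print(url)
    # Constructed callback, as the browser would deliver it on success.
    code = check_callback(f"http://localhost:3000/auth/callback?code=AUTHCODE&state={state}", state)
    print("authorization code:", code)
```

The `redirect_uri` must match one registered on the app exactly, so keep it as a configured constant rather than deriving it from the incoming request.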

Need to update contacts on user's Microsoft Outlook, do they really need to have an Active Directory?

Every documentation or tutorial I follow on how to programmatically access Outlook's API seems to point to the same pattern:
Application redirects user to Azure so he can authorize (OAuth) the app access to his account's data.
Every time Azure Active Directory is mentioned as a cloud-based credential/access manager.
I'm having a hard time understanding why exactly AD is even needed. And even if it is, does that mean that should a company desire to integrate an application with the employees' calendars, for example, they would need to have an AD just for authentication purposes? Does this make sense if I want to publish an application on Azure for any kind of customer?
Every Office 365 customer has an Azure AD for authentication. If you want to get at users' contacts in O365 you have to authenticate using Azure AD.
If you want to get at contacts in Outlook.com, Microsoft provides the same authentication flow for Microsoft Accounts (MSA) that Outlook.com uses.
This means you can use the same authentication flow and call the Microsoft Graph to get contacts no matter if they are an Office 365 user or an Outlook.com user. Your app does the same auth flow and makes the same calls.

How do I grant consent to SharePoint Delegated Permissions in a Word Online Add-in using Azure Active Directory V2?

I originally posted the following on github: https://github.com/OfficeDev/office-js/issues/323, but they suggested I post on stack overflow.
I have an Azure Active Directory v2 application which lists some SharePoint delegated permissions:
I have a Word Online Add-in that uses the V2 app. I tried adding the SharePoint permissions as scopes in the Office Manifest, such as
<Scope>AllSites.Read</Scope>
However, I get the following message after attempting to grant consent inside Word Online:
Is this error expected? Ultimately I wanted to enable single sign on in Office (Similar to https://learn.microsoft.com/en-us/office/dev/add-ins/develop/sso-in-office-add-ins but for CSOM, not Graph). I was able to get this to work for Graph permissions.
First, let me clarify that the SSO API is still in preview. In production, you should be using the Dialog API to log the user in, but it does not provide SSO.
Now coming to the in-preview SSO API - Have you tried any of the SharePoint scopes owned by Graph? Adding that to the manifest should work. Currently, we do not support any other scope other than Graph. But there is no reason why the same token can be used to access SharePoint provided you use Graph scopes.

How can I sync users' calendars using the MS Graph API and Azure?

I'm building a service where each user has a calendar. I want to sync users' 365 calendar events into their calendar; the tricky part seems to be that this should be done repeatedly by a background job on the server, to keep them in sync.
I feel like I've read a bible of documentation from Microsoft, but still gotten nowhere. I eventually stumbled upon this article https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds which allows a server to query the graph api, on behalf of users. This is exactly what I want.
Having created an Azure account and an Active Directory service, I found that only users within the tenant can use this, which makes it rather useless, requiring users to be added manually from the Azure panel.
AADSTS50020: User account 'm#****.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'c0193dea-5145-430a-9c90-325f1229a1fc' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
So I'm back at square one, how can I achieve what I described?
I'm not looking for a code implementation, merely a description of how to navigate the monstrosity of Microsoft.
Thank you
Update: According to Marc's link, I tried to flick the multi-tenant option and change the endpoint to use common instead of the tenant id. Sadly I'm still getting the same error.
You cannot sign in to AAD with a non-AAD account using the v1 Endpoint. If you want to use a consumer Microsoft Account (#outlook.com, #hotmail.com, #live.com) then you need to use the Converged Auth model provided by the v2 Endpoint.
I have a walkthrough for the v2 Endpoint that you might find helpful: Microsoft v2 Endpoint Primer. It is similar to the v1 Endpoint but you'll need to register via https://apps.dev.microsoft.com rather than the Azure Portal. Also, v2 apps use Scopes instead of Resources and are multi-tenant out of the box.
This is too broad a question for Stack Overflow. That said, you're incorrect about Azure AD. It is absolutely not limited to a single tenant. You do however need to register it as a multi-tenant application:
How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern
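The asker wanted a description of how a server-side job keeps calendars in sync using the client credentials flow from the linked article. The Python below is an added example, not the asker's code and not taken from the linked articles, and it goes a step beyond the thread: it pairs the app-only token request with Microsoft Graph's delta query for the calendar view, which is the mechanism for repeatable incremental sync. App-only tokens are issued per tenant even for a multi-tenant registration, so the token request targets the tenant that consented, never `common`. The Graph HTTP calls are replaced by a `fetch` callable and the responses, user id, tenant name and date range are constructed so the sample runs offline; the `$skiptoken`/`$deltatoken` URL shapes are stand-ins for whatever opaque links the service returns.

```python
"""Background calendar sync against Microsoft Graph, outlined in code.

Added example (not from the thread). (1) Build the app-only (client
credentials) token request for one consenting tenant. (2) Run one delta
round per background job: follow @odata.nextLink until a page carries
@odata.deltaLink, persist that link, and resume from it next run. Deleted
events arrive as entries with an `@removed` marker. The HTTP layer is a
`fetch` callable so the demo runs offline on constructed responses.
"""
from typing import Callable
from urllib.parse import urlencode

GRAPH = "https://graph.microsoft.com/v1.0"


def client_credentials_request(tenant: str, client_id: str, client_secret: str) -> tuple[str, str]:
    """Return (token_url, form_body) for an app-only token scoped to Graph.

    `tenant` must be a tenant id or domain: with no signed-in user there is
    nothing to resolve `common` against, so it is rejected up front.
    """
    if tenant in ("common", "organizations", "consumers"):
        raise ValueError("client credentials need a tenant-specific authority")
    token_url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    body = urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": "https://graph.microsoft.com/.default",   # app permissions granted by admin consent
    })
    return token_url, body


def delta_start_url(user_id: str, start: str, end: str) -> str:
    """Initial delta URL for a user's calendar view (app-only code addresses /users/{id}, not /me)."""
    q = urlencode({"startDateTime": start, "endDateTime": end})
    return f"{GRAPH}/users/{user_id}/calendarView/delta?{q}"


def sync_events(fetch: Callable[[str], dict], url: str, store: dict) -> str:
    """Apply one delta round to `store` (event id -> event) and return the deltaLink to resume from."""
    while True:
        page = fetch(url)
        for item in page.get("value", []):
            if "@removed" in item:
                store.pop(item["id"], None)   # deleted in the mailbox since last round
            else:
                store[item["id"]] = item       # created or updated
        if "@odata.nextLink" in page:
            url = page["@odata.nextLink"]     # more pages in this round
            continue
        return page["@odata.deltaLink"]       # round complete; persist for the next job run


# ---- constructed offline responses standing in for Graph (not real data) ----
FAKE_USER = "user-0001"
FIRST = delta_start_url(FAKE_USER, "2024-01-01T00:00:00Z", "2024-01-31T00:00:00Z")
PAGE2 = f"{GRAPH}/users/{FAKE_USER}/calendarView/delta?$skiptoken=page2"
DELTA1 = f"{GRAPH}/users/{FAKE_USER}/calendarView/delta?$deltatoken=round1"
DELTA2 = f"{GRAPH}/users/{FAKE_USER}/calendarView/delta?$deltatoken=round2"

FAKE_RESPONSES = {
    FIRST: {"value": [{"id": "ev1", "subject": "Standup"}], "@odata.nextLink": PAGE2},
    PAGE2: {"value": [{"id": "ev2", "subject": "Review"}], "@odata.deltaLink": DELTA1},
    # Next background run: ev1 was changed, ev2 was deleted.
    DELTA1: {"value": [{"id": "ev1", "subject": "Standup (moved)"},
                       {"id": "ev2", "@removed": {"reason": "deleted"}}],
             "@odata.deltaLink": DELTA2},
}


def fake_fetch(url: str) -> dict:
    return FAKE_RESPONSES[url]


def demo() -> tuple[dict, str]:
    """Initial full sync followed by one incremental run; returns (store, next deltaLink)."""
    store: dict = {}
    link = sync_events(fake_fetch, FIRST, store)
    link = sync_events(fake_fetch, link, store)
    return store, link


if __name__ == "__main__":
    print(client_credentials_request("contoso.onmicrosoft.com", "APP_ID", "SECRET"))
    print(demo())
```

In a real job the `fetch` callable sends the bearer token from the client-credentials response, and the deltaLink is stored per user so each run only pulls what changed.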