How to determine a tenant's invitation policies? - azure-active-directory

How could I use AAD Graph API to determine whether guest invitations are allowed for a tenant? Specifically I'm looking for information about how to attain the settings listed here: https://learn.microsoft.com/en-us/azure/active-directory/active-directory-b2b-delegate-invitations#control-who-can-invite.

AFAIK, both Azure AD Graph and Microsoft Graph don't support this feature at present. If you want this feature in the future, you can submit the feedback from Feedback for Azure Active Directory or Feedback for Microsoft Graph.

Related

enable/disable multi factor auth for the user via API

I am looking for an Office365 API which enables me to edit the "multi factor authentication" flag for a particular user.
Currently I can do this via logging in to the Azure portal (see attached image for what I am looking for).
Currently this is not available via api. I found a vote in azure feedback https://feedback.azure.com/forums/34192--general-feedback/suggestions/32683693-add-mfa-status-to-user-entity-info-returned-by-gra
If MFA authentication needs to be enforced, maybe an alternative would be to have a conditional access policy requiring MFA for a group of users (e.g. the baseline MFA for admins) and check that the user is a member of that group using Graph API.

Get information about invitation of B2B user in Microsoft Graph

I'm trying to create an application in which I need to know whether user invited to Azure Active Directory accepted an invitation or not. I'm using microsoft graph SDK for C# to get information about users from AAD but I cannot find information about invitation status in the resulting user object. In particular, I want to get this piece of information from Azure:
Is there any way to get this info from C# using Microsoft Graph SDK or with direct graph query?
It seems the Microsoft Graph API (v1.0) for getting a user doesn't have a field to show if the guest accepted the invitation. I checked the document of user properties and didn't find any property which matches "accept invitation". But I found there is a property externalUserState in the Microsoft Graph API (beta version) which can meet your requirements. If you don't mind the stability, you can use the beta version of the Microsoft Graph API. If you will use this API in a production environment, I suggest you use the Azure AD Graph API. Please refer to the steps below:
As a workaround, we can use Azure AD graph api instead of microsoft graph api. I found there is a property UserState in the response of Azure AD graph api. If we want to request this Azure AD graph api, we need to add the required permissions first.
Don't forget to grant admin consent and then request the access token. Please note that when requesting the access token for Azure AD Graph, we need to change the scope from https://graph.microsoft.com/.default to https://graph.windows.net/.default.
Then use the access token to request the Azure AD graph api.
https://graph.windows.net/<tenant id>/users/<object id>?api-version=1.6
Get the response of the api and we can find there is a property userState in it. If the guest has accepted, this property will be "Accepted", if the guest hasn't accepted, this property will be "PendingAcceptance".
Hope it helps~
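The request and the userState check described in the answer above, as an added example that is not part of the original answer or any Microsoft SDK. It assumes the v2.0 token endpoint for the client-credentials flow; the tenant id, object id, client credentials and JSON responses are constructed placeholders.

```python
"""Build the Azure AD Graph request from the answer and classify a guest's
invitation state. Sample responses below are constructed, not real tenant data."""
import json
from urllib.parse import urlencode

# Azure AD Graph resource; its scope differs from https://graph.microsoft.com
AAD_GRAPH_RESOURCE = "https://graph.windows.net"


def token_request(tenant_id: str, client_id: str, client_secret: str) -> dict:
    """Client-credentials token request (assumes the /oauth2/v2.0/token endpoint).
    The scope must be graph.windows.net/.default, not graph.microsoft.com/.default,
    otherwise Azure AD Graph rejects the token."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{AAD_GRAPH_RESOURCE}/.default",
    }
    return {"url": url, "body": urlencode(body)}


def user_url(tenant_id: str, object_id: str) -> str:
    """Azure AD Graph user resource with api-version 1.6, as in the answer."""
    return f"{AAD_GRAPH_RESOURCE}/{tenant_id}/users/{object_id}?api-version=1.6"


def invitation_state(user_json: str) -> str:
    """Map a user object to an invitation state. Accepts both the Azure AD Graph
    property (userState) and the Microsoft Graph beta property (externalUserState).
    Members carry neither; an absent or unexpected value is never treated as accepted."""
    user = json.loads(user_json)
    if user.get("userType") != "Guest":
        return "not-a-guest"
    state = user.get("userState") or user.get("externalUserState")
    if state == "Accepted":
        return "accepted"
    if state == "PendingAcceptance":
        return "pending"
    return "unknown"


# Constructed sample responses (placeholder object ids).
PENDING_GUEST = json.dumps({"objectId": "00000000-0000-0000-0000-000000000001",
                            "userType": "Guest", "userState": "PendingAcceptance"})
ACCEPTED_GUEST = json.dumps({"objectId": "00000000-0000-0000-0000-000000000002",
                             "userType": "Guest", "externalUserState": "Accepted"})
MEMBER = json.dumps({"objectId": "00000000-0000-0000-0000-000000000003",
                     "userType": "Member"})

if __name__ == "__main__":
    for label, doc in (("pending", PENDING_GUEST), ("accepted", ACCEPTED_GUEST), ("member", MEMBER)):
        print(label, "->", invitation_state(doc))
```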

Does CloudFoundry UAA support graph endpoints for group claim information?

We use CloudFoundry UAA for our applications authentication system. We use Microsoft Azure AD as the Identity Provider.
We've run across an issue where users with over 150 AD groups stop getting their groups passed in the SAML token due to Microsoft having a 150 AD group limitation in Azure (we're also ensuring we only send SecurityGroups in the claims info). Microsoft converts the group claims to a graph endpoint in the SAML token if a user has over 150 AD groups. Microsoft's term for this is "overage claim". Our UAA does not appear to know how to handle graph endpoints or "overage claims".
Does UAA support SAML graph endpoints for group claims information? We use this to auto map users from their AD groups to our UAA groups and it's critical to get this working. For now we manually add our UAA groups to our users Shadow profiles as a workaround.
I cannot find information on if UAA supports this and how to enable it.
As of the date of this response UAA does not support graph endpoints. Pivotal has now entered the feature into their tracker. No ETA on delivery.
For a workaround solution you can use AD roles. As noted on this guide:
https://joonasw.net/view/using-groups-vs-using-app-roles-in-azure-ad-apps
tracker reference:
https://www.pivotaltracker.com/n/projects/997278/stories/168080479
Git issue:
https://github.com/cloudfoundry/uaa/issues/1082

Query API for login activity events

Is it possible to query the Microsoft Graph API using an application to collect audit log information for events such as logon/logoff, user creations/deletions, group membership changes, etc.? I have been looking through the Graph API reference and it does not seem straightforward to me.
Or should we be continuing to use the Azure AD Graph API? We are trying to get data from Office 365 AAD and Azure Government AAD. We are already pulling data from the Office 365 Management API which has an Active Directory feed but not sure that will include everything we are looking for.
You can use Azure AD Audit Log API provided by Microsoft Graph to access the audit and sign-in logs to track user sign-in activities. However, this API is currently in Beta so take care with where and how you use it.
In order to work with user accounts, you can use the User APIs, which provide the capability to create, update, and delete users.
For Group management, take a look at Working with groups in Microsoft Graph.
Also, I would suggest looking through the Get access tokens to call Microsoft Graph documentation for acquiring access tokens in order to call Microsoft Graph APIs, and refer to the GitHub repo for various Graph samples.

Azure Active Directory Premium MFA Attributes via Graph API?

How to programmatically control the attributes that are attached to an AAD Premium user, related to MFA? Using the Graph API (C#, using the SDK), what calls can be made to make a user MFA or not, CRUD on phone numbers, etc.?
Thanks.
As far as I know, there is no such API through which we can get the MFA attributes via the Graph REST API, since there is no related attribute in the user entity.
However, we can use the Azure Multi-Factor Authentication SDK to build multi-factor authentication into custom apps. For more detail about this, you can refer here.
These attributes are now available in the Microsoft Graph Beta API. See the documentation at Azure AD authentication methods API overview.