Replicate data from Azure Active Directory to SQL database - azure-active-directory

Maybe I can find the solution deep inside the developer documentation found here, but not on the surface, so I hope someone can answer the following question.
We replicate data from on-premises Active Directory to our database to store users, groups and units, and to configure feature and role permissions for our applications. As we can't (at least not starting from scratch) authorize all features by calling the Azure Active Directory API, I would like to know if it is possible to replicate the needed objects from Azure AD like I can do from AD?
If yes, and someone has a link to any reference, you will make my day while I continue to seek this information.
Thanks.

Yes, we are able to replicate the data from Azure AD through the Azure AD Graph REST API. However, Azure AD is different from on-premises Active Directory. For example, there are no organizational units.
You can check the exposed objects in Azure Active Directory via the link below:
Entity and complex type reference | Graph API reference
And to get started with the Azure AD Graph REST API, you can refer to Azure Active Directory Graph API. Also, since Microsoft is working on Microsoft Graph, if there is no such object in the Azure AD Graph REST API, you may also check the Microsoft Graph REST API.

Related

Possible to use Data Factory to extract all Azure Active Directory users?

Microsoft has the tutorial showing how to use Data Factory to extract Office 365 data, but that seems to only extract Outlook email information?
Is there a way to use Data Factory (and a tutorial hopefully) to connect to Azure AD and extract all the Active Directory users? Microsoft Graph API has the commands to do that, but I wasn't clear if that was the only way or if Data Factory can connect to it directly (like the O365 connector it has)?
Microsoft has the tutorial showing how to use Data Factory to extract Office 365 data, but that seems to only extract Outlook email information?
According to the Microsoft documentation, it is not only email information; there is much other information such as address book contacts, calendar events, user information, mailbox settings, and so on.
So you can get user information, which contains aboutMe, companyName, etc., when you choose BasicDataSet_v0.User_v1 in the dataset. (For all properties you can get, please refer to this documentation.)
By the way, your tenant admin needs to opt in to Microsoft Graph Data Connect if you do this. And there is no AAD connector.
Hope this can help you.
I used Azure Logic Apps and went through the Azure AD group (Get members), then used the Office 365 connector to Get Manager; there is also another option, Get direct reports. If you are using Logic Apps, please make sure to turn pagination on so you get all users.
This is where I started, but once I got going I was able to figure it out myself:
https://eax360.com/query-azure-active-directory-using-graph-api-logic-apps/

Azure Architecture pipeline for App which scan websites?

I have crawlers running on VMs in Azure. After the work is finished, the crawled data needs to be distributed to users across the internet depending on their access level. What I need help with:
1. How to onboard users? My idea was to use Azure AD.
2. How to organize the pipeline from the crawlers to end users, given that some access rules and data filters need to be applied before use. What is the most effective way? My idea was to use Azure Functions and then Azure SignalR so my clients (desktop, mobile) can get data very fast. Would all that be organized as a Logic App?
Please help. I am just starting my programming experience, so sorry if my question is naive.
How to onboard users?
Azure AD would be a good choice for you. With Azure AD, it will be convenient to manage the users.
How to organize pipeline from the crawlers to end users but some access rules and data filters need to be applied before using.
Based on the description you provided, you will expose the crawled data as a REST API, right? If so, you can integrate your API with Azure AD, then you can control user access as you need. You can add app roles in your application and assign users and groups to roles, then different users will have different roles to access your API.
Reference:
How to: Add app roles in your application and receive them in the token
Integrating with Azure Active Directory

Automate user provisioning and de-provisioning to SaaS applications with Azure Active Directory

First of all, I'm absolutely new to Azure, so if my questions sound uneducated, that's the reason.
I'm looking for a guide or, better, an understanding of how much effort is involved to provide automated user provisioning and de-provisioning as a SaaS provider as per here.
At the moment, my SaaS is not listed in the Azure Active Directory application gallery; instead, my clients enable SSO (Single Sign-On) by configuring single sign-on to applications that are not in the Azure Active Directory application gallery as per here.
In an ideal scenario, my clients will continue configuring single sign-on to applications that are not in the Azure Active Directory application gallery. That being said, after they successfully configure the integration, it should enable automated user provisioning and de-provisioning with my SaaS.
Right, where do I start? :)
You have two options: SCIM 2.0, or Microsoft Graph. You can use one or the other individually, or both together.
Option 1: SCIM 2.0
Start here: Using System for Cross-Domain Identity Management (SCIM) to automatically provision users and groups from Azure Active Directory to applications
Azure AD natively supports SCIM 2.0, a standardized way of exchanging identity information that could also work with other SCIM-compatible systems.
One advantage is that there's a chance you can re-use this work for a different identity source system. Another is that the Azure AD provisioning service will take care of filtering and only sending you the users and groups the customer has assigned to the app.
A disadvantage is that you will be more constrained to the schema and protocol of SCIM 2.0, as compared to what you could get with native integration with Microsoft Graph.
Option 2: Microsoft Graph
Start here: Use delta query to track changes in Microsoft Graph data
The Microsoft Graph API has two change-tracking features which your app can make use of to sync changes to users and groups: change notifications (you get a ping every time something changes) and delta query (you retrieve all changes since the last time you checked).
The advantage here is you have much greater control over the sync process and options, and you'll have the option to provide very rich integrations (if relevant) with Office 365 and other Microsoft cloud services.
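The replication asked about in the first question above and the delta query described in Option 2 come together in a sync loop: page through a delta response, apply adds, updates and removals to a local table, and keep the returned deltaLink for the next run. This is an added example, not code from any of the posts; the Graph responses are constructed stand-ins for GET /users/delta and the `users` table schema is an assumption.

```python
import sqlite3

# Constructed stand-ins for Microsoft Graph GET /users/delta responses (no network
# call is made). Page 1 links onward via @odata.nextLink; the last page carries
# @odata.deltaLink, which the client stores and calls next time to get only changes.
BASE = "https://graph.microsoft.com/v1.0/users/delta"
INITIAL_PAGES = {
    BASE: {"value": [{"id": "u1", "displayName": "Alice", "mail": "alice@contoso.example"},
                     {"id": "u2", "displayName": "Bob", "mail": "bob@contoso.example"}],
           "@odata.nextLink": BASE + "?$skiptoken=page2"},
    BASE + "?$skiptoken=page2": {"value": [{"id": "u3", "displayName": "Carol", "mail": None}],
                                 "@odata.deltaLink": BASE + "?$deltatoken=t1"},
}
# Second round: Bob renamed, Carol deleted. Delta pages carry only the changed
# properties, and removals arrive as the id plus an @removed marker.
DELTA_PAGES = {
    BASE + "?$deltatoken=t1": {"value": [{"id": "u2", "displayName": "Robert"},
                                         {"id": "u3", "@removed": {"reason": "deleted"}}],
                               "@odata.deltaLink": BASE + "?$deltatoken=t2"},
}
COLUMNS = ("displayName", "mail")  # assumed local schema, besides the id primary key

def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id TEXT PRIMARY KEY, displayName TEXT, mail TEXT)")
    return conn

def sync_users(conn, pages, url):
    """Walk every page from `url`, apply adds/updates/removals, return the new deltaLink."""
    while True:
        page = pages[url]  # stand-in for an authenticated GET carrying a bearer token
        for obj in page["value"]:
            if "@removed" in obj:
                conn.execute("DELETE FROM users WHERE id = ?", (obj["id"],))
                continue
            # Merge: only properties present in the payload overwrite the stored row.
            row = conn.execute("SELECT displayName, mail FROM users WHERE id = ?", (obj["id"],)).fetchone()
            current = dict(zip(COLUMNS, row)) if row else dict.fromkeys(COLUMNS)
            current.update({k: obj[k] for k in COLUMNS if k in obj})
            conn.execute("INSERT OR REPLACE INTO users VALUES (?, ?, ?)",
                         (obj["id"], current["displayName"], current["mail"]))
        conn.commit()
        if "@odata.nextLink" not in page:
            return page["@odata.deltaLink"]  # persist this token for the next run
        url = page["@odata.nextLink"]

def list_users(conn):
    return conn.execute("SELECT id, displayName, mail FROM users ORDER BY id").fetchall()
```

Running `sync_users` a second time with the stored deltaLink applies only the changes since the first run, which is what makes the delta approach cheaper than a full re-export on every sync.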

Query API for login activity events

Is it possible to query the Microsoft Graph API using an application to collect audit log information for events such as logon/logoff, user creations/deletions, group membership changes, etc.? I have been looking through the Graph API reference and it does not seem straightforward to me.
Or should we be continuing to use the Azure AD Graph API? We are trying to get data from Office 365 AAD and Azure Government AAD. We are already pulling data from the Office 365 Management API which has an Active Directory feed but not sure that will include everything we are looking for.
You can use Azure AD Audit Log API provided by Microsoft Graph to access the audit and sign-in logs to track user sign-in activities. However, this API is currently in Beta so take care with where and how you use it.
In order to work with user accounts, you can use the User APIs, which provide the capability to create, update, and delete users.
For group management, take a look at Working with groups in Microsoft Graph.
Also, I would suggest looking through the Get access tokens to call Microsoft Graph documentation for acquiring access tokens in order to call Microsoft Graph APIs, and refer to the GitHub repo for various Graph samples.
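Once the sign-in logs mentioned in the answer above have been collected, the useful part is what you do with them; as an added example (not from the answer), this summarizes constructed records shaped like Microsoft Graph /auditLogs/signIns items per user and flags accounts with repeated failures or a success that follows failures. The threshold and the field subset are assumptions; only errorCode 0 (success) and 50126 (invalid username or password) appear in the sample.

```python
from collections import defaultdict

# Constructed records shaped like Microsoft Graph /auditLogs/signIns items (only the
# fields read here); no network call is made. errorCode 0 is success, 50126 is
# "invalid username or password".
SIGN_INS = [
    {"createdDateTime": "2023-01-10T08:00:01Z", "userPrincipalName": "alice@contoso.example",
     "ipAddress": "203.0.113.10", "status": {"errorCode": 0}},
    {"createdDateTime": "2023-01-10T08:00:05Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    {"createdDateTime": "2023-01-10T08:00:09Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    {"createdDateTime": "2023-01-10T08:00:14Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 50126}},
    {"createdDateTime": "2023-01-10T08:00:20Z", "userPrincipalName": "bob@contoso.example",
     "ipAddress": "198.51.100.7", "status": {"errorCode": 0}},
    {"createdDateTime": "2023-01-10T09:15:00Z", "userPrincipalName": "carol@contoso.example",
     "ipAddress": "192.0.2.44", "status": {"errorCode": 50126}},
]

def summarize(sign_ins):
    """Per user: failure count, distinct source IPs, and a success-after-failures flag."""
    stats = defaultdict(lambda: {"failures": 0, "ips": set(), "success_after_failures": False})
    for rec in sorted(sign_ins, key=lambda r: r["createdDateTime"]):
        s = stats[rec["userPrincipalName"]]
        s["ips"].add(rec["ipAddress"])
        if rec["status"]["errorCode"] != 0:
            s["failures"] += 1
        elif s["failures"]:
            # A success following earlier failures on the same account deserves a closer look.
            s["success_after_failures"] = True
    return dict(stats)

def flag_users(sign_ins, max_failures=3):
    """Return UPNs whose failures reached the threshold or that succeeded after failing."""
    return sorted(u for u, s in summarize(sign_ins).items()
                  if s["failures"] >= max_failures or s["success_after_failures"])
```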

AAD graph API - add Microsoft accounts

In Azure AD graph API it is possible to create new users in your organizational directory.
Is it possible to add existing Microsoft accounts as users to your organizational directory? (This feature is available through Azure portal)
If yes, what would be the API call?
Not possible today to do that programmatically. Sorry!
Just to clarify and to add to what Vittorio said:
Yes, it is possible to create new users in your organizational directory. The recommended pathway to do this is with the Graph API. Note that these users will be users from the tenant in which you are creating them, not external users or MSAs. Check out our documentation here:
https://msdn.microsoft.com/Library/Azure/Ad/Graph/api/users-operations#CreateUsers
Unfortunately we do not currently support creating MSA users or external users in your organizational directory. However, we are aware of this feature request, and it is on our backlog of to-do work items. You will likely see this as a feature that we expose via the Graph API, so keep a look out!
Thanks,
Shawn Tabrizi
