When I log onto the Microsoft Graph Explorer with my Microsoft account and run the following query https://graph.microsoft.com/v1.0/users/ I get the correct user returned.
On Azure AD (using the same login) I created an application with a key and when I sign in through c# using Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredentials with a token for resource https://graph.microsoft.com and run the same query I get a completely different user. They are out of sync and I'm baffled.
Any ideas? Should I create a new Azure account as I've had the Azure account from day 1 and I'm only doing this now to test for a client request.
Don't create a new Azure account. When you are using Graph Explorer, are you signed in with a user from your Azure AD tenant? If not, Graph Explorer will default to use a demo tenant for your queries.
Also (if you have more than one tenant) you need to make sure that you select the correct tenant as part of the token acquisition (from https://login.microsoftonline.com/{tenantId | tenantDomain}. If you want the results to match between Graph Explorer and your app, the tenant the signed-in user belongs to (for Graph Explorer case) and the tenant used by your app needs to be the same.
UPDATE based on comment below:
I think I know what's going on here. In graph explorer, you are signing in with your personal account - and it's showing you profile data of that personal account, including the unique ID for this account in the Microsoft Account system. In this case you aren't signing into an Azure AD tenant at all. Microsoft Graph supports access from both personal and commercial accounts.
Now, additionally, I'm guessing when you signed up for an Azure subscription, you used this personal account. When you do that, it creates an Azure AD tenant, and creates a guest user in that tenant that is (linked to) your personal account - this account is also configured as an admin account. This mechanism allows you to sign in with your personal account (authenticated by the Microsoft Account system) into an Azure AD tenant, because the personal account maps to this guest user in your tenant. In your application, you are getting an app token to your Azure AD tenant. When you query the tenant for users, you don't see any user with the same id or email address as you did with graph explorer. However if you actually look at the userPrincipalName, you'll see it should be a mangled form of the original email address of your personal account. This indicates that this Azure AD user account in your tenant is a guest/external user (similar to a foreign principal).
Hope this helps,
Related
We implemented SSO on Snowflake and with SCIM, we're able to provision users in Snowflake
Now, I want it to work like SQL Server authentication where I can add users to the same AD group and create a single login on SQL Server for this AD group. To revoke login permissions I just remove the user from the AD group. To give a new person access I just add them to it.
I would like also to map a role to a group, so, for instance, if I could link an Azure AD Group to a Snowflake Role [Read-Only User for Database X], as soon as I'm adding a user Y in Azure AD Group, this user Y will have automatically read-only access to Database X
Is it possible ?
Regards,
This same concept is possible in Snowflake as well with SAML SSO (for authorization) and SCIM (to sync users and their corresponding roles to SF). The details for this are here:
https://docs.snowflake.com/en/user-guide/admin-security-fed-auth-configure-idp.html
https://community.snowflake.com/s/article/HOW-TO-Setup-SSO-with-Azure-AD-and-the-Snowflake-New-URL-Format-or-Privatelink
https://docs.snowflake.com/en/user-guide/scim-azure.html
Both these together will ensure that the user created on Azure AD will be possible to login with the AAD credentials and the SCIM will ensure that the relevant role management is on the AAD side which is reflected exactly as-is on the SF side.
I am using microsoft graph api to access groups in azure active directory, I have created 2 groups in AAD named OIC and other named as testing
When I test using microsoft graph explorer, URL that I use
GET https://graph.microsoft.com/v1.0/groups
Response:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups",
"value": []
}
Why do I get empty value for groups even though I have groups in AAD.
I have logged in as admin user.
It seems that you have created groups in a tenant which is not your home tenant.
It means credentials are only owned by a single tenant. The tenant is discovered by Graph Explorer based on domain. You cannot use Graph Explorer to query tenants your account is a guest on, it can only query the tenant that owns the account. It retrieves data from the tenant you (or your app) authenticated against. It cannot query across multiple tenants.
The only way to use those creds with another tenant would be to force the OAuth uri to use that tenants ID instead of common. This isn't supported by Explorer. You'd have to download the source an reengineer the auth process.
Reference SO thread: https://stackoverflow.com/questions/53341544/how-can-i-change-default-tenant-in-microsoft-graph-explorer#:~:text=If%20you%20want%20to%20sign,use%20tenant%20query%20string%20parameter.&text=A%20simple%20url%20to%20go,or%20tenantId%2C%20both%20work).
We're getting a 400 error with the message "Tenant does not have a SPO license" when we try to access the Sharepoint-endpoints in the Microsoft Graph v1.0 API.
We've registered our Azure AD app and assigned Application Permissions (as opposed to Delegated) for the relevant endpoints, as we need to access the endpoints server to server (ie. outside the context of an authenticated user).
The tenant is connected to an Office 365 Business subscription, that we can assign to users, but the tenant in this case is the directory itself and we don't see how we can assign a subscription to that.
It seems there is precious little information available regarding this, and most of it applies to the delegated permissions scenario.
Any help would be greatly appreciated.
If you have purchased an O365 Business subscription, you may still need to be assign SPO (SharePoint Online) license for specific AAD user/ O365 user.
Use your admin account to log into O365 admin center and select a user and assign SPO license.
After clicking on "Edit", you can choose a SharePoint license to assign it to the user.
I used Graph explorer->Logged in with Global administrator -> Modify Permissions-> chose User.ReadWriteAll,Group.ReadWriteAll,Directory.AccessAsUser.All and then select "access to your entire organization" and logged in again with global administrator
I get below error.
Selected user account does not exist in tenant 'Microsoft' and cannot
access the application 'de8bc8b5-d9f9-48b1-a8ad-b748da725064' in that
tenant. The account needs to be added as an external user in the
tenant first. Please use a different account.
How can I add permissions to global administrator user?
Since your account is a guest in the tenant, you could not use the account to query the tenant, even if you are a global admin.
For more details, refer to this post.
Credentials are only owned by a single tenant. The tenant is discovered by Graph Explorer based on domain. You cannot use Graph Explorer to query tenants your account is a guest on, it can only query the tenant that owns the account. The only way to use those creds with another tenant would be to force the OAuth uri to use that tenants ID instead of "common". This isn't supported by Explorer. You'd have to download the source an reengineer the auth process
I have a multitenant ASP.NET application using OpenIdConnect and Azure AD as an Identity provider for Office 365. When the user is authenticated I receive my claims in ClaimsPrincipal.Current.
I wanted to identify a user and store this id reference in my database. I asked this question.
It was replied that
When trying to identify a user uniquely [NameIdentifier] should be your go-to choice.
But it seems that the NameIdentifier claim, http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier
depends on the application. Precisely, if I create another application in Azure AD then, the NameIdentifier will not be the same for the same real Office365 user. Keep in mind that the we may have to create another Azure AD manifest (because we could need other scopes) and we should be able to find back the same end-users.
Meanwhile, I remarked another claim: ObjectIdentifier http://schemas.microsoft.com/identity/claims/objectidentifier
It seems that ObjectIdentifier, is the same for all Azure AD-secured application for a given Office 365 user.
Can you explain precisely the difference between those two claims? And more importantly, can you confirm that the ObjectIdentifier can be used as an "universal" identifier for a user in any Office 365 subscription.
Precisely, if I create another application in Azure AD then, the NameIdentifier will not be the same for the same real Office365 user.
I made a quick test as following:
Register a multi-tenant-webapp and single-tenant-webapp in AD Contoso.
Log in with user1#contoso.onmicrosoft.com and get the name identifier in both web applications, it turns out the name identifier are the same in both applications. So the name identifier should be able to identify users cross applications, but it can not be used to identify the user in Azure AD.
For the object identifier, it is a GUID which you can used to identify a user in Azure AD. For example, you can use object identifier to query the user in Azure AD.
Powershell:
$msolcred = get-credential
connect-msolservice -credential $msolcred
get-msoluser -ObjectId "{guid:object_identifier}"
And more importantly, can you confirm that the ObjectIdentifier can be used as an "universal" identifier for a user in any Office 365 subscription.
Based on my understanding, the object identifier is a GUID which can identify for a user in Office 365 subscriptions.
Or to put it another way:
The NameIdentifier is the GUID of the Application which is registered in Azure AD. This won't change whether it's a single or multi-tenant application. It won't matter if you are using client credentials (i.e. AppId and AppSecret) to authenticate AS the application or using logging using real user credentials (i.e. delegated), the NameIdentifier will remain the same.
The ObjectIdentifier is the User Principal Name (UPN) for the user when using delegation or Service Principal Name (SPN) of the application when using client creds.
The reason you see different ObjectIdentifier values when an application is multi-tenant is that there is a separate and unique SPN in EACH TENANT which points back to the ApplicationGUID in the tenant where the application is registered. This SPN is used to assign rights to the application against resources in each tenant.