I am using Microsoft Graph API delta query to track changes in my Azure AD.
I want to obtain only changed properties. So I have set 'ocp-aad-dq-include-only-changed-properties' header value to 'true' to get only changed properties. But even after using this header I am receiving all user properties.
Is there any other option to get only changed properties? or Do I need to use any other header?
Given below the detail description of the operations that I am trying.
Example:
Initial Delta request
GET https://graph.microsoft.com/v1.0/users/delta?$select=displayName,givenName,surname
Headers:
ocp-aad-dq-include-only-changed-properties : true
Response:
In the initial response, I am getting all users.
DeltaLink request after updating 'displayName' attribute
GET https://graph.microsoft.com/v1.0/users/delta?$deltatoken=KhFiGlAZqewNAThmCVnNxqPu5gOBegrm1CaV
Headers:
ocp-aad-dq-include-only-changed-properties : true
Here I have added 'ocp-aad-dq-include-only-changed-properties' header still I am getting all attributes of the User
Response:
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#users",
"#odata.deltaLink": "https://graph.microsoft.com/v1.0/users/delta?$deltatoken=o8xFasdpZ7QDP14TyDfj9AeibJxMlXAtgB0Nb",
"value": [
{
"businessPhones": [],
"displayName": "jhon4",
"givenName": null,
"jobTitle": null,
"mail": null,
"mobilePhone": null,
"officeLocation": null,
"preferredLanguage": null,
"surname": null,
"userPrincipalName": "jhon.smith#testdomain.onmicrosoft.com",
"id": "942h93c9-af17-6sad2d98cc8"
}
]
}
Update Request
PATCH https://graph.microsoft.com/v1.0/users/jhon.smith#testdomain.onmicrosoft.com
Payload:
{
"displayName": "jhon4",
}
The ocp-aad-dq-include-only-changed-properties header is a feature of the Azure AD Graph API and isn't supported in Microsoft Graph.
While they're extremely similar, these two APIs have several distinct features differences (such as this one). You can read more about the differences (and the overall plan) at Microsoft Graph or the Azure AD Graph.
to get only the changed properties, use this header:
prefer:return=minimal
Related
I'm attempting to get user details for a particular enterprise application in Azure AD, using the Microsoft Graph API.
I'm able to successfully retrieve users of the application using:
https://graph.microsoft.com/v1.0/servicePrincipals/{objectId}/appRoleAssignedTo
However, the users details are left out; such as, contact details, email. It also has a duplicate entry for each role assigned to a user.
I'm able to get these user details if I query:
https://graph.microsoft.com/v1.0/users
However, this retrieves all users in the organization, and I've not been successful with filtering the list in the query for a given application.
Using the $expand operator does not seem implemented either.
Seems like this would be a common use case for an application; Who are my users and what are their roles and details? How would one best approach this with the Graph API?
Individually,
You can get the appRoles of an Azure AD application using the below query.
https://graph.microsoft.com/v1.0/serviceprincipals/07fce81e-8069-4ccb-9775-63f96d1f4e53
and check the appRoles property.
And you can get the user details using the below query.
https://graph.microsoft.com/v1.0/users/4ef105cc-508b-41c4-a5d2-7d41f2244c4c
And you can get the group details using the below query.
https://graph.microsoft.com/v1.0/groups/0023c709-3556-4296-a6ab-6df2a0a1113c
In your case you need to call the same call that you specified
https://graph.microsoft.com/v1.0/servicePrincipals/07fce81e-8069-4ccb-9775-63f96d1f4e53/appRoleAssignedTo
This will return all the users and groups assigned app roles and you can pull the principal id from these app role assignment objects as shown below which are nothing but the userid of the user that the role was assigned to and in the groups case its the group id of the group which gives the group details.
You can differentiate user and group by principaltype and according to that you can call the above http calls(User or group) and get those details.
The duplicate ones need to be coded on our end to avoid it.
My Example JSON Data:-
For getting users and groups assigned app roles
GET https://graph.microsoft.com/v1.0/servicePrincipals/07fce81e-8069-4ccb-9775-63f96d1f4e53/appRoleAssignedTo
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#servicePrincipals('07fce81e-8069-4ccb-9775-63f96d1f4e53')/appRoleAssignedTo",
"value": [
{
"id": "zAXxTotQxEGl0n1B8iRMTPwz3O48iw9Oq3aFtqfYVjA",
"deletedDateTime": null,
"appRoleId": "00000000-0000-0000-0000-000000000000",
"createdDateTime": "2020-06-01T19:21:01.4268687Z",
"principalDisplayName": "Nishant Singh",
"principalId": "4ef105cc-508b-41c4-a5d2-7d41f2244c4c",
"principalType": "User",
"resourceDisplayName": "testspaquestion",
"resourceId": "07fce81e-8069-4ccb-9775-63f96d1f4e53"
},
{
"id": "Y3tbwNOvDkqKK9yLxJ5wp2-uBAbApk9LoMs6AN_7iSs",
"deletedDateTime": null,
"appRoleId": "00000000-0000-0000-0000-000000000000",
"createdDateTime": "2020-06-01T18:47:47.2702435Z",
"principalDisplayName": "Sruthi J",
"principalId": "c05b7b63-afd3-4a0e-8a2b-dc8bc49e70a7",
"principalType": "User",
"resourceDisplayName": "testspaquestion",
"resourceId": "07fce81e-8069-4ccb-9775-63f96d1f4e53"
},
{
"id": "CccjAFY1lkKmq23yoKERPBqNLldhOdBAm0lJzewK0Nk",
"deletedDateTime": null,
"appRoleId": "00000000-0000-0000-0000-000000000000",
"createdDateTime": "2020-07-23T17:34:53.9538274Z",
"principalDisplayName": "Bgroup",
"principalId": "0023c709-3556-4296-a6ab-6df2a0a1113c",
"principalType": "Group",
"resourceDisplayName": "testspaquestion",
"resourceId": "07fce81e-8069-4ccb-9775-63f96d1f4e53"
}
]
}
After querying the above, pull the principalid of each record and accordingly call user endpoint or group endpoint according to principaltype.
Get https://graph.microsoft.com/v1.0/users/4ef105cc-508b-41c4-a5d2-7d41f2244c4c //principalId
Let me know if you have any queries.
When running a POST with addKey using the old Azure AD Graph API (v1.6),
https://graph.windows.net/tenant_id/applications/app_oid/addKey?api-version=1.6, I get a response body with a return value containing the keyId of the newly created keyCredential:
"statusCode": 200,
"body": {
"odata.metadata": "https://graph.windows.net/tenantid/$metadata#Collection(Microsoft.DirectoryServices.KeyCredential)",
"value": [
{
"customKeyIdentifier": "A053F5114BC7F7C07F700CF2C4ACE47BBFD82D23",
"endDate": "2022-06-08T14:34:03Z",
"keyId": "fbbaf346-168a-4c90-97ca-346bcd43988d",
"startDate": "2020-06-08T14:34:03Z",
"type": "AsymmetricX509Cert",
"usage": "Verify",
"value": null
}
]
},
When running a POST with addKey using the latest version of the Microsoft Graph API (Microsoft Graph REST API v1.0),
https://graph.microsoft.com/v1.0/applications/app_oid/addKey,
I get a response body without the return value containing the keyId of the newly created keyCredential (the new keyCredential is created and can be seen in the list of keyCredentials belonging to the application, in the Azure portal):
"statusCode": 200,
"body": {
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#microsoft.graph.keyCredential"
}
Is there a way to get a return value containing the keyId (like in the Azure AD Graph API v1.6 example above) in the response?
According to the Ms graph document, you get odata.context by using
POST https://graph.microsoft.com/v1.0/applications/{id}/addKey
and you can get the key Id of the key credential by using the below query.
https://graph.microsoft.com/v1.0/applications/id
Currently it is not possible to get the keyId in the returnvalue from addKey using Microsoft Graph REST API v1.0, according to MSFT. Uservoice can be raised.
My application was designed to add a user to my Azure AD B2C using Azure AD Graph API. I also handled the case where I'd be calling the add user graph API with an email ID that already exists in AD. I was looking for the error message in the response body to handle this. Has there been any change w.r.t the response message?
POST
https://graph.windows.net/{tenant}/users?api-version=1.6
Request Body :
{
"accountEnabled": true,
"signInNames": [
{
"type": "EmailAddress",
"value": "TestGraphApiCreatedUser#TestGraphApiCreatedUser.com"
}],
"displayName": "TestGraphApiCreatedUser",
"mailNickname": "TestGraphApiCreatedUser",
"passwordProfile" : {
"forceChangePasswordNextLogin": false,
"password": "vhkjds#fceu456VCHU"
},
"creationType": "LocalAccount",
"passwordPolicies": "DisablePasswordExpiration"
}
If a user already exists with the given email address, the error I was getting earlier was
{
"odata.error": {
"code": "Request_BadRequest",
"message": {
"lang": "en",
"value": "Another object with the same value for property signInName already exists."
}
}
}
Now, for the same flow, I'm getting below error :
{
"odata.error": {
"code": "Request_BadRequest",
"message": {
"lang": "en",
"value": "Another object with the same value for property userPrincipalName already exists."
}
}
}
Is there any difference between the two error messages. Since there isn't any error code, I had hard coded the whole error message. Now that there is a slight change in the message, I've to update my code. How can I handle this in a better way?
I didn't check to confirm if they changed the error message, but it wouldn't surprise me at all if they did. The userPrincipalName may be coming from the underlying AAD, maybe MS changed the B2C implementation and now it exposes an error message from there?
In your particular case, a better option may be to check if the email address exists in B2C just before calling the API to create the new user. It's an extra API call, but it shouldn't matter much unless you're creating many users at a time, e.g. in a batch. You'll still have to handle the user creation call failure, but if it happens you could just return a generic error message.
The same question was asked here and remains unanswered. I can add a custom attribute as follows:
{
"name": "new_secure_claim",
"dataType": "Boolean",
"targetObjects": ["User"]
}
I post this data to the Azure AD Graph API end point with needed headers:
https://graph.windows.net/{tenant}.onmicrosoft.com/applications/{objectId of b2c-extensions-app}/extensionProperties?api-version=1.6. I get a response with the extension just created. I can even see the extension when I query the graph to get all extensions for the b2c-extensions-app (notice the top one below):
{
"odata.metadata": "https://graph.windows.net/melangeauth.onmicrosoft.com/$metadata#directoryObjects/Microsoft.DirectoryServices.ExtensionProperty",
"value": [{
"odata.type": "Microsoft.DirectoryServices.ExtensionProperty",
"objectType": "ExtensionProperty",
"objectId": "b7a36f93-8d7a-463f-8d3e-88f449243ea6",
"deletionTimestamp": null,
"appDisplayName": "",
"name": "extension_8588c037999f4d058cc08e2e5f99de30_new_secure_claim",
"dataType": "Boolean",
"isSyncedFromOnPremises": false,
"targetObjects": ["User"]
}, {
"odata.type": "Microsoft.DirectoryServices.ExtensionProperty",
"objectType": "ExtensionProperty",
"objectId": "b6c6d55f-21a8-4403-a68f-f858966077bf",
"deletionTimestamp": null,
"appDisplayName": "",
"name": "extension_8588c037999f4d058cc08e2e5f99de30_manager_admin_authorization",
"dataType": "Boolean",
"isSyncedFromOnPremises": false,
"targetObjects": ["User"]
}, {
"odata.type": "Microsoft.DirectoryServices.ExtensionProperty",
"objectType": "ExtensionProperty",
"objectId": "2642596f-5706-47fb-abdb-6d0d012a3006",
"deletionTimestamp": null,
"appDisplayName": "",
"name": "extension_8588c037999f4d058cc08e2e5f99de30_manager_admin",
"dataType": "Boolean",
"isSyncedFromOnPremises": false,
"targetObjects": ["User"]
}, {
"odata.type": "Microsoft.DirectoryServices.ExtensionProperty",
"objectType": "ExtensionProperty",
"objectId": "ee2c66e3-ced4-4bc8-90d5-e2b18690a56b",
"deletionTimestamp": null,
"appDisplayName": "",
"name": "extension_8588c037999f4d058cc08e2e5f99de30_manager_ads_admin",
"dataType": "Boolean",
"isSyncedFromOnPremises": false,
"targetObjects": ["User"]
}
]
}
But, when I go to the "Azure AD B2C/User attributes" blade in my B2C directory in the Azure portal (https://portal.azure.com/#blade/Microsoft_AAD_B2CAdmin/TenantManagementMenuBlade/manageUserAttributes), I cannot see that extension attribute. I also cannot see it when I go to add claims to return for a policy.
What do I need to do differently in the adding of a custom extension to the b2c-extensions-app application in order for me to see if in the Azure portal User attributes blade?
Well, hmm.
It gets complicated when people things in an undocumented way. For sake of simplicity I would encourage you to stay with defining your extensions with the portal. If you just want to do that (and seems you want). Because there is much more than just registering an extension with the Graph.
To understand why is that, you have to more deeply understand how B2C ticks from the inside. You get overview when you dive into custom policies. However custom policies are, as it stays in the docs, for identity pros who know what are they doing. Straight to the point, the claims schema is defined in so called base policy. It is not just defined in the Graph, but also backed in the base policy. There is XML schema which dictates what a B2C must do and how it should do it. And all the claims (and custom attributes) are also defined in that schema. So when you change something regarding this schema in the portal (adding new attribute), it is registered with the Graph API, but it is also updated in the claims definition schema, which is kept separately.
That's why when you manually register an extension with the Graph it just does not show up in the portal.
I do not expect that you jump and begin learning Custom policies, because for your case you just do not need them. But I hope that having to define your custom attributes in the portal is not a big of an issue for you.
I have a Google App Engine project (an API) working against a Google Cloud SQL instance. I have a exact copy of both, the API and the SQL instance, running local.
When I execute the project on development (local), I can explore the API just fine. Yet, when I go on deployment, all the calls return empty.
This is the API code (Java):
#ApiMethod(
name = "test.users.list",
path = "test/users/list",
httpMethod = "get"
)
public UserList testUserList ()
{
UserList users = UserList.getAll();
return users;
}
This is what it returns local:
{
"users": [
{
"id": "3",
"firstName": "Test",
"lastName": "User",
"email": "test#test.com",
"password": "12fc892642c48a8227410f5b6722e1edeeefedfb",
"logins": 0,
"lastLogin": 0,
"roles": [
{
"id": "1",
"name": "user",
"loaded": true
}
],
"fullName": "Test User",
"admin": false,
"lastLoginDat": "1969-12-31T21:00:00.000-03:00",
"loaded": true
},
{
"id": "6",
"firstName": "Test",
"lastName": "User 2",
"email": "test2#test.com",
"password": "c5bc2a33ddffcfb3d61779ab44d7d933e1336b02",
"logins": 0,
"lastLogin": 0,
"fullName": "Test User 2",
"admin": false,
"lastLoginDat": "1969-12-31T21:00:00.000-03:00",
"loaded": true
}
]
}
This is what it returns on the server explorer:
{
"kind": "myapp#usersItem",
"etag": "\"l4AE0sdQvyB-SkumpjWQFJVUZzo/MSGC-asdfasdf\""
}
Some insight:
I have access (through MySQL Workbench) to the local SQL instance and the Google Cloud SQL external instance.
Both, local and external SQL instances, are equal to each other.
I've also guaranteed access to the project I'm using to hit the DB (trough the Google Cloud panel).
I don't really know what to do or check. I've searched for something similar but couldn't find anything related.
Any thought is appreciated.
As Jan pointed out, GAE local and production are two separate stories. But I'm gonna give you something even better than this particular solution, which is the tools to resolve this and further problems:
1. Go to Console > Compute > App Engine > Versions, and make sure the backend version you uploaded is the right one (take a look at the time it was uploaded) and is selected or default.
2. Create an API test method that does a rather basic operation against the DB, but without calling other methods nor using try/catch blocks. You're trying to raise a exception here, if any. All the code you need to hit the DB and return the data should be inside that method.
3. Go to the explorer panel, and execute your test method. If it works, then your problem is not in the connection, but in the logic. Use the same approach of (2) to test the logic.
4. If the method doesn't work, go to: Console > Monitoring > Logs. There you'll find the exception trace.