AD Graph API Sign in Reports - azure-active-directory

I am currently attempting to pull sign in data from both an Office365 E5 trial account, and also an office365 developer account via the Windows graph api, as per https://learn.microsoft.com/en-us/azure/active-directory/active-directory-reporting-api-sign-in-activity-reference and I am currently getting the following error back:
{
  "odata.error": {
    "code": "Authentication_RequestFromNonPremiumTenantOrB2CTenant",
    "message": {
      "lang": "en",
      "value": "Api request is not from premium licensed tenant or b2c tenant"
    },
    "requestId": "905d2565-30f5-4554-932e-273f5117199e",
    "date": "2017-05-25 06:55:33Z"
  }
}
Is it possible to get this information from the API without having to sign up to a premium Active Directory subscription?

No, refer to the Azure Active Directory sign-in activity report API reference (Prerequisites section):
Prerequisites
To access this report through the reporting API, you must have:
1. An Azure Active Directory Premium P1 or P2 edition
2. Completed the prerequisites to access the Azure AD reporting API.
So you need Azure Active Directory Premium P1 or P2 edition to call the sign-in activity report API.

If anyone is looking for a way to do this for a developer/trial account for free, I ended up using the Azure AD trial in order to retrieve the sign in data.

Related

Azure AD and Core Identity Roles Hybrid

Is it possible to use Azure AD and Core Identity Roles together? Basically the user will log into the App using AD, which I have done already. But as they use the app, their roles will be based on the AspNetRoles and AspNetUsersRoles tables. I was thinking that I would have to use the ClaimsPrincipal factory to extend the claims object that is created when the user logs in.
By using ASP.NET Identity you can manage the user locally in your database, and use Azure AD as an external identity provider, which enables AAD accounts to log in to your application. You can identify the user and link it to the user in your local database. You can then also manage the roles for your local users and Azure AD users.
Read more here.
Create a new application with Individual User Accounts.
Install this package : Microsoft.AspNetCore.Authentication.AzureAD.UI
    // Startup.ConfigureServices. ApplicationDbContext and IdentityUser are the
    // types generated by the Individual User Accounts template.
    // Local user store for ASP.NET Core Identity (EF Core + SQL Server).
    services.AddDbContext<ApplicationDbContext>(options =>
        options.UseSqlServer(Configuration.GetConnectionString("DefaultConnection")));
    services.AddDefaultIdentity<IdentityUser>()
        .AddEntityFrameworkStores<ApplicationDbContext>();

    // Azure AD as an external identity provider. The AzureAd section binds
    // CookieSchemeName to Identity.External, so the AAD sign-in lands in the
    // external cookie and can be linked to a local Identity user.
    services.AddAuthentication(sharedOptions => { })
        .AddAzureAD(options => Configuration.Bind("AzureAd", options))
        .AddCookie();

Update appsettings.json:

    "AzureAd": {
      "Instance": "https://login.microsoftonline.com/",
      "Domain": "xxx.onmicrosoft.com",
      "TenantId": "xxxxxx-xxxxx-4f08-b544-b1eb456f228d",
      "ClientId": "xxxxx-xxxxx-4717-9821-e4f718fbece4",
      "CallbackPath": "/signin-oidc",
      "CookieSchemeName": "Identity.External"
    }
The user can then choose to log in with local authentication or with Azure AD authentication.

Microsoft Graph API getting groups

I am using the Microsoft Graph API to access groups in Azure Active Directory. I have created 2 groups in AAD, one named OIC and the other named testing.
When I test using Microsoft Graph Explorer, the URL that I use is:
GET https://graph.microsoft.com/v1.0/groups
Response:
{
  "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#groups",
  "value": []
}
Why do I get an empty value for groups even though I have groups in AAD?
I have logged in as an admin user.
It seems that you have created groups in a tenant which is not your home tenant.
It means credentials are only owned by a single tenant. The tenant is discovered by Graph Explorer based on domain. You cannot use Graph Explorer to query tenants your account is a guest on, it can only query the tenant that owns the account. It retrieves data from the tenant you (or your app) authenticated against. It cannot query across multiple tenants.
The only way to use those creds with another tenant would be to force the OAuth URI to use that tenant's ID instead of common. This isn't supported by Explorer. You'd have to download the source and re-engineer the auth process.
Reference SO thread: https://stackoverflow.com/questions/53341544/how-can-i-change-default-tenant-in-microsoft-graph-explorer#:~:text=If%20you%20want%20to%20sign,use%20tenant%20query%20string%20parameter.&text=A%20simple%20url%20to%20go,or%20tenantId%2C%20both%20work).

Tenant does not have a SPO license when using Microsoft Graph API with Application Permissions

We're getting a 400 error with the message "Tenant does not have a SPO license" when we try to access the SharePoint endpoints in the Microsoft Graph v1.0 API.
We've registered our Azure AD app and assigned Application Permissions (as opposed to Delegated) for the relevant endpoints, as we need to access the endpoints server to server (ie. outside the context of an authenticated user).
The tenant is connected to an Office 365 Business subscription, that we can assign to users, but the tenant in this case is the directory itself and we don't see how we can assign a subscription to that.
It seems there is precious little information available regarding this, and most of it applies to the delegated permissions scenario.
Any help would be greatly appreciated.
If you have purchased an O365 Business subscription, you may still need to assign an SPO (SharePoint Online) license to the specific AAD user / O365 user.
Use your admin account to log into O365 admin center and select a user and assign SPO license.
After clicking on "Edit", you can choose a SharePoint license to assign it to the user.

Office 365 Management API returning "https://manage.office.com is disabled"

I have a script to retrieve logs from Office 365 Management API. Everything was fine, but now an error appears:
{
  "error": "invalid_resource",
  "error_description": "AADSTS500014: Resource 'https://manage.office.com' is disabled.",
  "error_codes": [500014],
  "timestamp": "2019-03-18 15:27:00Z",
  "trace_id": "ff9e93b4-xxx-xxx-xxx-de4d5aa76e00",
  "correlation_id": "0d2275d8-xxx-xxx-xxx-0a5ff2652163"
}
I can't find anything about this error in the Office API documentation.
The error message says the resource (Office 365 Management API) is not enabled for the tenant from which you are trying to get an access token.
To check and enable it, follow the steps below:
Azure portal > Enterprise applications.
Search for "Office 365 Management API" and select it.
Check Properties: if "Enabled for users to sign-in" is not enabled, enable it.
I hope this works for you, and users on your tenant will be able to get a token for this resource.
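The three posts above that end in an error body (the sign-in report post, the SPO licence post and the Office 365 Management API post) each show a different JSON error shape, and a client that talks to all of these endpoints has to recognise all of them to log the right reference ID and pick the right remediation. The following is an added example, not code from any of the posts: it normalises the Azure AD Graph `odata.error` body, the Microsoft Graph `error` object (that shape follows Microsoft Graph's documented error format; the SPO post only quotes the message text) and the `login.microsoftonline.com` token-endpoint body into one structure. The sample bodies and the hint table are constructed from the posts, with the request and correlation IDs replaced by placeholders.

```python
"""Parse the error bodies an Azure AD / Graph client gets back.

Added example, not code from the posts on this page. Handles three shapes:
  - Azure AD Graph (OData v3): {"odata.error": {code, message{value}, requestId}}
  - Microsoft Graph v1.0/beta: {"error": {code, message, innerError{request-id}}}
  - token endpoint:            {"error", "error_description", "correlation_id"}
Sample bodies and hints below are constructed from the posts; IDs are placeholders.
"""
import json
import re
from dataclasses import dataclass
from typing import Optional

# Remediation hints, taken from the answers on this page.
KNOWN_CODES = {
    "Authentication_RequestFromNonPremiumTenantOrB2CTenant":
        "sign-in activity reports need Azure AD Premium P1/P2 on the tenant",
    "AADSTS500014":
        "resource is disabled: enable 'Enabled for users to sign-in' on the "
        "Office 365 Management API enterprise application",
}
KNOWN_MESSAGES = {
    "Tenant does not have a SPO license":
        "assign a SharePoint Online licence to the user in the O365 admin center",
}
AADSTS_RE = re.compile(r"\b(AADSTS\d{5,6})\b")


@dataclass
class AadError:
    code: str
    message: str
    reference: Optional[str]   # requestId / request-id / correlation_id for a support case
    hint: Optional[str]


def hint_for(code: str, message: str) -> Optional[str]:
    """Look the error up by code first, then by a known message fragment."""
    if code in KNOWN_CODES:
        return KNOWN_CODES[code]
    return next((h for frag, h in KNOWN_MESSAGES.items() if frag in message), None)


def parse_aad_error(body: str) -> AadError:
    """Normalise any of the three error shapes; raises ValueError for anything else."""
    doc = json.loads(body)

    if isinstance(doc.get("odata.error"), dict):          # Azure AD Graph (OData v3)
        err = doc["odata.error"]
        msg = err.get("message")
        text = msg.get("value", "") if isinstance(msg, dict) else str(msg or "")
        code = err.get("code", "")
        return AadError(code, text, err.get("requestId"), hint_for(code, text))

    if isinstance(doc.get("error"), dict):                # Microsoft Graph v1.0/beta
        err = doc["error"]
        code, text = err.get("code", ""), err.get("message", "")
        ref = err.get("innerError", {}).get("request-id")
        return AadError(code, text, ref, hint_for(code, text))

    if isinstance(doc.get("error"), str) and "error_description" in doc:  # token endpoint
        text = doc["error_description"]
        m = AADSTS_RE.search(text)                        # AADSTSnnnnn prefix, if present
        code = m.group(1) if m else doc["error"]
        return AadError(code, text, doc.get("correlation_id"), hint_for(code, text))

    raise ValueError("unrecognised error body")


# Constructed samples in the shapes seen in the posts.
GRAPH_SAMPLE = json.dumps({"odata.error": {
    "code": "Authentication_RequestFromNonPremiumTenantOrB2CTenant",
    "message": {"lang": "en",
                "value": "Api request is not from premium licensed tenant or b2c tenant"},
    "requestId": "00000000-0000-0000-0000-000000000001",
    "date": "2017-05-25 06:55:33Z"}})
SPO_SAMPLE = json.dumps({"error": {
    "code": "BadRequest",
    "message": "Tenant does not have a SPO license",
    "innerError": {"request-id": "00000000-0000-0000-0000-000000000002",
                   "date": "2019-01-01T00:00:00"}}})
TOKEN_SAMPLE = json.dumps({
    "error": "invalid_resource",
    "error_description": "AADSTS500014: Resource 'https://manage.office.com' is disabled.",
    "error_codes": [500014],
    "correlation_id": "00000000-0000-0000-0000-000000000003"})

if __name__ == "__main__":
    for sample in (GRAPH_SAMPLE, SPO_SAMPLE, TOKEN_SAMPLE):
        e = parse_aad_error(sample)
        print(f"{e.code}: {e.hint or e.message} (ref {e.reference})")
```

The `reference` field is the value to quote when raising a support case; note that the reporting API and Microsoft Graph put it in different places (`requestId` versus `innerError.request-id`), while the token endpoint returns a `correlation_id` that is unrelated to either.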

Microsoft Graph Azure AD User Out Of Sync

When I log onto the Microsoft Graph Explorer with my Microsoft account and run the following query https://graph.microsoft.com/v1.0/users/ I get the correct user returned.
On Azure AD (using the same login) I created an application with a key and when I sign in through c# using Microsoft.IdentityModel.Clients.ActiveDirectory.ClientCredentials with a token for resource https://graph.microsoft.com and run the same query I get a completely different user. They are out of sync and I'm baffled.
Any ideas? Should I create a new Azure account as I've had the Azure account from day 1 and I'm only doing this now to test for a client request.
Don't create a new Azure account. When you are using Graph Explorer, are you signed in with a user from your Azure AD tenant? If not, Graph Explorer will default to use a demo tenant for your queries.
Also (if you have more than one tenant) you need to make sure that you select the correct tenant as part of the token acquisition (from https://login.microsoftonline.com/{tenantId | tenantDomain}). If you want the results to match between Graph Explorer and your app, the tenant the signed-in user belongs to (for the Graph Explorer case) and the tenant used by your app need to be the same.
UPDATE based on comment below:
I think I know what's going on here. In Graph Explorer, you are signing in with your personal account, and it's showing you profile data of that personal account, including the unique ID for this account in the Microsoft Account system. In this case you aren't signing into an Azure AD tenant at all. Microsoft Graph supports access from both personal and commercial accounts.
Now, additionally, I'm guessing when you signed up for an Azure subscription, you used this personal account. When you do that, it creates an Azure AD tenant, and creates a guest user in that tenant that is (linked to) your personal account - this account is also configured as an admin account. This mechanism allows you to sign in with your personal account (authenticated by the Microsoft Account system) into an Azure AD tenant, because the personal account maps to this guest user in your tenant. In your application, you are getting an app token to your Azure AD tenant. When you query the tenant for users, you don't see any user with the same id or email address as you did with graph explorer. However if you actually look at the userPrincipalName, you'll see it should be a mangled form of the original email address of your personal account. This indicates that this Azure AD user account in your tenant is a guest/external user (similar to a foreign principal).
Hope this helps,
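Both the empty `/groups` answer and the "out of sync" answer above come down to the same check: a token, and therefore every Graph query made with it, is bound to exactly one tenant, named by the `tid` and `iss` claims, and the personal account that created a subscription appears in that tenant as a guest whose userPrincipalName carries the `#EXT#` marker. The following is an added example, not code from either post: it decodes a token's claims (without verifying the signature, which is purely for inspection) to confirm which tenant the client actually authenticated against, and flags guest entries in a `/users` page. The tokens and the `/users` response are constructed; the tenant IDs and UPNs are made up.

```python
"""Check which tenant a token is bound to, and spot guest users in /users output.

Added example, not code from the posts. Assumes only the standard Azure AD
token claims (tid, iss) and the '#EXT#' convention in guest UPNs. The tokens
below are constructed, unsigned, and only meant for claim inspection.
"""
import base64
import json
from typing import Dict, List, Optional


def _b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url with padding stripped; restore it first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> Dict:
    """Payload claims of a compact JWT, WITHOUT verifying the signature.

    Enough to see which tenant a client obtained its token from; never use
    this to decide whether to trust a token.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def token_tenant(token: str) -> Optional[str]:
    """Tenant ID (tid) the token was issued for, or None if the claim is absent."""
    return jwt_claims(token).get("tid")


def token_matches_tenant(token: str, expected_tid: str) -> bool:
    """True when both tid and issuer name the expected tenant.

    A token minted via /common or via the user's home tenant fails this,
    which is the mismatch behind the empty /groups result above.
    """
    claims = jwt_claims(token)
    issuers = {
        f"https://sts.windows.net/{expected_tid}/",                 # v1.0 endpoint
        f"https://login.microsoftonline.com/{expected_tid}/v2.0",   # v2.0 endpoint
    }
    return claims.get("tid") == expected_tid and claims.get("iss") in issuers


def is_guest_upn(upn: str) -> bool:
    """B2B guests get UPNs like 'dave_outlook.com#EXT#@contoso.onmicrosoft.com'."""
    return "#EXT#@" in upn


def guest_users(users_response: Dict) -> List[str]:
    """UPNs of guest/external users in a Graph /users page, by userType or,
    when the query did not select userType, by the #EXT# convention."""
    return [
        u.get("userPrincipalName", "")
        for u in users_response.get("value", [])
        if u.get("userType") == "Guest" or is_guest_upn(u.get("userPrincipalName", ""))
    ]


def _unsigned_jwt(claims: Dict) -> str:
    # Constructed test token: alg=none header, payload, empty signature segment.
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


CONTOSO_TID = "11111111-2222-3333-4444-555555555555"   # made-up tenant ID
OTHER_TID = "99999999-8888-7777-6666-555555555555"     # made-up home tenant of the user

APP_TOKEN = _unsigned_jwt({            # app-only token for Contoso (client credentials)
    "aud": "https://graph.microsoft.com",
    "iss": f"https://sts.windows.net/{CONTOSO_TID}/",
    "tid": CONTOSO_TID,
    "appid": "00000000-0000-0000-0000-00000000beef",
})
HOME_TENANT_TOKEN = _unsigned_jwt({    # token from the user's home tenant, not Contoso
    "aud": "https://graph.microsoft.com",
    "iss": f"https://sts.windows.net/{OTHER_TID}/",
    "tid": OTHER_TID,
})

SAMPLE_USERS = {   # constructed /users page for the Contoso tenant
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users",
    "value": [
        {"userPrincipalName": "admin@contoso.onmicrosoft.com", "userType": "Member"},
        {"userPrincipalName": "dave_outlook.com#EXT#@contoso.onmicrosoft.com",
         "userType": "Guest"},
    ],
}

if __name__ == "__main__":
    print("app token tenant:", token_tenant(APP_TOKEN))
    print("app token is for Contoso:", token_matches_tenant(APP_TOKEN, CONTOSO_TID))
    print("home-tenant token is for Contoso:", token_matches_tenant(HOME_TENANT_TOKEN, CONTOSO_TID))
    print("guests:", guest_users(SAMPLE_USERS))
```

Comparing `token_tenant()` of the token Graph Explorer holds with the `tid` of the app-only token is the quickest way to confirm the two sides are querying different directories; the guest check explains why the personal account then shows up under a mangled UPN rather than its original address.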
