Azure Active Directory Premium MFA Attributes via Graph API? - azure-active-directory

How to programatically control the attributes that are attached to an AAD Premium user, related to MFA? Using the Graph API (C#, using the SDK), what calls can be made to make a user MFA or not, CRUD on phone numbers, etc?
Thanks.

As far as I know, there is no such API we can get the MFA attributes through Graph REST API, since there is no relative attribute in user entity.
However, we can using the Azure Multi-Factor Authentication SDK to build multi-factor authentication into custom Apps. More detail about this, you can refer here.

These attributes are now available in the Microsoft Graph Beta API. See the documentation at Azure AD authentication methods API overview.

Related

Azure AD SSO with SAML edit Attributes & Claims via Microsoft Graph API

I have an application set up in Azure AD with Single Sign-On with SAML. I need to be able to edit the Attributes & Claims programmatically via the Microsoft Graph API. I've scoured the API documentation but cannot seem to find a way to access Attributes & Claims with it.
Not sure if it matters, but specifically, I'm trying to edit the conditions of a specific claim.
For now, editing attributes & claims through graph API is only possible through custom claim policy. Please refer to this article on how to edit claims in SAML app through graph API
Please note that once you configure claims mapping policy via Graph API, you will not be allowed to edit the claims in Azure portal any longer, which is by design.
Hope this helps. Thanks!

Can I use my personal (local) account to authenticate into Azure B2C React MSAL app?

I'm trying to use React and Azure B2C to sign-up a local account (using personal emails).
I'm able to sign-up and login using userflows, however, I cannot get active account information from MsGraph API.
GET https://graph.microsoft.com/v1.0/me 401 (Unauthorized)
Yes ,azure AD b2c supports authentication for personal accounts,
1.
Microsoft Graph supports optional query parameters that you can use to
specify and control the amount of data returned in a response. The
support for the exact query parameters varies from one API
operation to another, and depending on the API, can differ between the
v1.0 and beta endpoints.
Use query parameters to customize responses - Microsoft Graph | Microsoft Docs
Try with GET https://graph.microsoft.com/beta/me/
You can use use $select to control the properties returned,
Ex: /me?$select=displayName,jobTitle
2.
Do make sure to give required claims marked in application claims.
If you want to acquire a token for all the static scopes of a v1.0 application, append ".default" to the app ID URI of the API: app ID/.default
Calling the /me endpoint requires a signed-in user and therefore a delegated permission. Application permissions are not supported when using the /me endpoint.
Article says
Users cannot obtain tokens for Microsoft APIs (e.g. MS Graph API)
using delegated permissions. Applications can obtain tokens for
Microsoft APIs using application permissions (user management
scenarios).
Reference:
microsoft-graph-operations#user-flow-authentication-methods-beta

How to add custom attributes to an AAD user and include it the JWT token sent to the client application?

I am trying to create an AAD App Registration that includes additional claims in the JWT tokens that are returned to the client application.
The idea is that a SalesRepID fields need to be added to each of the AAD users. Then the SalesRepID be included in JWT claims through application manifest configuration.
Is this possible? What are the steps? An article or a code sample that shows how to do this would be a great help?
It's possible.
1) Add custom attribute by using Register an extension. (Please note that it only supports v1.0 application)
2) Set values for custom attributes.
3) Modify application manifest of the Azure AD application and return the extension property as claims.
Besides, Microsoft strongly recommends that you use Microsoft Graph instead of Azure AD Graph API to access Azure Active Directory resources. For how to add custom attribute to Azure AD user with Microsoft Graph API, please refer to: Add custom data to users using open extensions.

Microsoft-graph-api, SSO and ADAL mobile sdk

I have developed few iOS/Android app using Azure Ad SDK 'ADAL'.
The app works properly for SSO feature and other login mechanisms. However now I want to add 'new contact' using Azure ad access token. But I came to know that Azure ad graph is no longer supported hence latest Microsoft Graph is suggested sdk for the same.
My issue is: The most important feature according to me is the Single Sign-On feature with respect to mobile apps SDK Azure ad SDK offers API for most convenient login user experience. Thus you are free to pick account from Authenticator app (if present) or any other app in the device which is already logged in.
But Microsoft Graph SDK does not support Authenticator app available on the mobile phone. And prompts user a Login screen though he has already logged in to other app having outlook/Microsoft login
Please help me with some more information on this use case so that I can migrate to Microsoft graph from Azure Ad app.
I have a huge tradeoff as follow
1. Azure ad supports SSO but does not support Latest Graph features like: Adding new contact in 'My Contacts'
2. Microsoft Graph being Latest library/SDK has all features EXCEPT SSO.
Please provide me answers for these question of any suggestion if I am missing anything.
The Graph SDKs do not contain any helpers for authentication/authorization. For that you need to use either ADAL or MSAL to acquire tokens to use with Microsoft Graph (to instantiate a GraphClient object). Please take a look at some of our Microsoft Graph samples. [NOTE the Azure AD Graph SDK also relied on ADAL or other mechanisms to acquire tokens and does not do this for you]. Here are the iOS samples: https://github.com/search?q=ios+sample+user:microsoftgraph&type=Repositories
Also Azure AD Graph does not support personal contacts - this is ONLY supported by Microsoft Graph.
If you want to see an integrated client library, where token acquisition is implicitly taken care of as part of GraphClient instantiation then please post a request on UserVoice for this feature.
Hope this helps,

Microsoft Graph Explorer consent screen is giving wrong scopes

When I try to login for the first time with new user via active directory to graphexplorer.windowsazure.net I get following scopes:
In my apps.dev.microsoft.com I have following permissions:
Why am I getting only these two scopes in access token:
Apps registered via the Application Registration Portal use the Azure AD v2 endpoint which supports incremental consent.
This means that while your app registration determines which scopes can be requested, you still need to specify specific scopes when you make the authorize request. Also, you should avoid requesting all scopes up front, rather incrementally request scopes as needed in the context of specific operations. So start out with your authorize request as you have it, with no extra scopes but when you need to send an email on behalf of the user issue another authorize request like so:
GET https://login.microsoftonline.com/common/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=
https%3A%2F%2Fgraph.microsoft.com%2Fmail.send
&state=12345
For more info on scopes in the v2.0 endpoint check out the Scopes, permissions, and consent in the Azure Active Directory v2.0 endpoint document.
For an example of an app that incrementally requests scopes, check out this Integrate Microsoft identity and the Microsoft Graph into a web application using OpenID Connect sample.
Also note that there 2 different Graph APIs:
Azure AD Graph (endpoint: graph.windows.net, explorer: https://graphexplorer.azurewebsites.net/)
Microsoft Graph (Endpoint: graph.microsoft.com, Explorer: https://developer.microsoft.com/en-us/graph/graph-explorer)
From https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api:
We strongly recommend that you use Microsoft Graph instead of Azure AD Graph API to access Azure Active Directory resources. Our development efforts are now concentrated on Microsoft Graph and no further enhancements are planned for Azure AD Graph API. There are a very limited number of scenarios for which Azure AD Graph API might still be appropriate; for more information, see the Microsoft Graph or the Azure AD Graph blog post in the Office Dev Center.
I'm not quite sure where that screen shot is coming from, but the URL you're going to is incorrect. The correct URL for Graph Explorer is https://developer.microsoft.com/en-us/graph/graph-explorer.

Resources