Microsoft graph api password last changed - azure-active-directory

How to get the date the current user change the password in active directory using azure graph api?
I want to show the number of days to expire the current password in a sharepoint hosted add-in.

Unfortunately, this is not currently exposed in either the Azure AD Graph API or the Microsoft Graph API.

Related

Microsoft Azure AD Applications

I've registered an application (Any Azure AD directory - Multitenant) in Microsoft Azure AD to be able to work with the MS Graph API for creating groups and teams programmatically. Now I'm able to call the MS Graph API and create the groups. The issue I'm having right now is that I have a naming policy like this: <Department> - <Group name> in Azure AD, and as I call the MS Graph API with the application identity and my app doesn't have any department, the department part is always empty. I would like to know if there is a way to set department or other attributes for the app in Azure AD?
Thank you in advance!
There is no option to add an attribute for the app in Azure AD.

How we can sync on premise active directory data with Azure AD via graph API

We have an on-premises employee directory and are now planning to move to Azure AD. How can we sync the details of all employees to Azure using the Graph API, and provide them access to hardware and the network?
We basically want to sync Entries, Computer, user, Group, InetOrgPerson, OU present in local AD to Azure AD.
The Graph REST API documentation which details how to do the sync operation is provided here:
https://learn.microsoft.com/en-us/graph/api/resources/synchronization-overview?view=graph-rest-beta

Sharepoint Online OAuth 2.0 invalid token type for new O365 tenant

I have been using the SharePoint Online REST API to integrate with my O365 AddIn app, which is working perfectly fine for my old O365 tenant.
However, I am getting an error when I try to call any API with the Bearer token that I get for my new O365 tenant app.
{"error":"invalid_request","error_description":"Token type is not allowed."}
Has the auth token URL changed for new tenants, or is it something else?
I am using https://accounts.accesscontrol.windows.net/{{tenant_id}}/tokens/OAuth/2
Azure Access Control (ACS), a service of Azure Active Directory (Azure AD), got retired on November 7, 2018. This retirement doesn't impact the SharePoint Add-in model, which uses the https://accounts.accesscontrol.windows.net hostname (which isn't impacted by this retirement).
Check out Impact of Azure Access Control retirement for SharePoint add-ins.
Note that, you can connect SharePoint directly to Azure AD using token issuance policies.
SharePoint 2013, 2016, and SharePoint Online customers have long used ACS for authentication purposes in cloud, on-prem, and hybrid scenarios. Some SharePoint features and use cases will be affected by ACS retirement, while others will not. The table below summarizes migration guidance for some of the most popular SharePoint features that leverage ACS:
Authenticating users from Azure AD: Previously, Azure AD did not support the SAML 1.1 tokens required by SharePoint for authentication, and ACS was used as an intermediary that made SharePoint compatible with Azure AD token formats. Now, you can connect SharePoint directly to Azure AD using token issuance policies.
App authentication & server-to-server authentication in SharePoint on-prem or SharePoint Online (SharePoint add-in registrations done through appregnew.aspx etc.): Not affected by ACS retirement; no changes necessary.
Low trust authorization for SharePoint add-ins (provider hosted and SharePoint hosted): Not affected by ACS retirement; no changes necessary.
SharePoint cloud hybrid search: Not affected by ACS retirement; no changes necessary.
We had the same issue when using app-only, ClientID / ClientSecret based authentication in a tenant that was recently created. In our old tenant (created in 2013) we could use the same authentication method without any problem. As it turned out, new tenants have a default setting of the DisableCustomAppAuthentication property that disables this kind of auth.; however, it can be overridden using this command:
Set-SPOTenant -DisableCustomAppAuthentication $false
Source:
https://sharepoint.stackexchange.com/questions/284402/sharepoint-online-authorization-issue-token-type-is-not-allowed
https://sharepoint.stackexchange.com/questions/286693/getting-invalid-request-token-type-is-not-allowed-error-while-accessing-lists
Furthermore:
https://learn.microsoft.com/en-us/sharepoint/dev/solution-guidance/security-apponly-azureacs
Azure Access Control (ACS), a service of Azure Active Directory (Azure AD), has been retired on November 7, 2018. This retirement does not impact the SharePoint Add-in model, which uses the https://accounts.accesscontrol.windows.net hostname (which is not impacted by this retirement). For more information, see Impact of Azure Access Control retirement for SharePoint Add-ins. For new tenants, apps using an ACS app-only access token is disabled by default. We recommend using the Azure AD app-only model which is modern and more secure. But you can change the behavior by running 'set-spotenant -DisableCustomAppAuthentication $false' (needs the latest SharePoint admin PowerShell).
More details:
https://www.koskila.net/literally-breaking-changes-to-app-authentication-on-sharepoint-%F0%9F%98%B5/
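When a SharePoint Online call comes back with "Token type is not allowed", the first thing to establish is which authority actually issued the token you are presenting, since the answers above trace the error to ACS app-only tokens being disabled by default on new tenants. The Python helper below is an added example, not code from the question or from any of the answers: it decodes a token's claims locally (no signature check, diagnostics only) and tells an ACS-issued token (issuer "00000001-...@realm", audience "00000003-.../host@realm") apart from an Azure AD-issued one, then maps the result to the guidance the answers give. The two principal IDs are Microsoft's published values; the tenant id, host and the tokens in the demo are constructed, and make_unsigned_token exists only to fabricate those sample inputs.

```python
import base64
import json
import time
from typing import Optional

# Well-known Microsoft principal IDs (real, published values, not constructed):
ACS_PRINCIPAL = "00000001-0000-0000-c000-000000000000"        # Azure Access Control (ACS)
SHAREPOINT_PRINCIPAL = "00000003-0000-0ff1-ce00-000000000000"  # SharePoint Online


def _b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_claims(token: str) -> dict:
    """Return a JWT's claims WITHOUT checking its signature.

    Diagnostics only (answering "what did the token endpoint actually give me?");
    unverified claims must never feed an authorization decision.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected a compact JWT with three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def classify_token(token: str, now: Optional[float] = None) -> dict:
    """Tell an ACS-issued token apart from an Azure AD-issued one and extract
    the tenant realm and the SharePoint host the token is scoped to."""
    claims = decode_jwt_claims(token)
    now = time.time() if now is None else now
    iss = str(claims.get("iss", ""))
    aud = str(claims.get("aud", ""))
    result = {
        "issuer_type": "unknown",
        "realm": None,
        "target_host": None,
        "expired": float(claims.get("exp", 0)) < now,
    }
    if iss.startswith(ACS_PRINCIPAL + "@"):
        # ACS layout: iss = "<ACS principal>@<realm>",
        #             aud = "<SharePoint principal>/<host>@<realm>"
        result["issuer_type"] = "acs"
        result["realm"] = iss.split("@", 1)[1]
        if aud.startswith(SHAREPOINT_PRINCIPAL + "/") and "@" in aud:
            result["target_host"] = aud.split("/", 1)[1].split("@", 1)[0]
    elif iss.startswith(("https://sts.windows.net/", "https://login.microsoftonline.com/")):
        # Azure AD layout: iss = "https://sts.windows.net/<tenant id>/" (v1)
        #               or "https://login.microsoftonline.com/<tenant id>/v2.0"
        result["issuer_type"] = "azuread"
        segments = iss.split("/")
        if len(segments) > 3:
            result["realm"] = segments[3]
        # App-only tokens for SharePoint are bound to the site host as the resource URL
        if aud.startswith("https://"):
            result["target_host"] = aud.split("/")[2]
    return result


def diagnose(result: dict) -> str:
    """Map the classification to the guidance given in the answers above."""
    if result["expired"]:
        return "token is expired; request a fresh one before anything else"
    if result["issuer_type"] == "acs":
        return ("ACS app-only token: disabled by default on new tenants "
                "(DisableCustomAppAuthentication); prefer the Azure AD app-only model")
    if result["issuer_type"] == "azuread":
        return "Azure AD token: check the audience matches the SharePoint host you call"
    return "unrecognised issuer; inspect the 'iss' claim"


def make_unsigned_token(claims: dict) -> str:
    """CONSTRUCTED sample input: a JWT-shaped string with a dummy signature,
    only so the demo has something to decode. Not a real or valid token."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{body}.not-a-signature"


if __name__ == "__main__":
    realm = "11111111-2222-3333-4444-555555555555"  # constructed tenant id
    samples = [
        make_unsigned_token({"iss": f"{ACS_PRINCIPAL}@{realm}",
                             "aud": f"{SHAREPOINT_PRINCIPAL}/contoso.sharepoint.com@{realm}",
                             "exp": 4102444800}),
        make_unsigned_token({"iss": f"https://login.microsoftonline.com/{realm}/v2.0",
                             "aud": "https://contoso.sharepoint.com",
                             "exp": 10}),
    ]
    for tok in samples:
        info = classify_token(tok, now=1000.0)
        print(info, "->", diagnose(info))
```

Paste the access token your add-in obtained into classify_token: an "acs" result on a tenant created recently is exactly the situation the answers describe, and the choice is then between flipping DisableCustomAppAuthentication (re-enabling the legacy path) and moving the add-in to Azure AD app-only authentication as the quoted Microsoft guidance recommends.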

Is there any connection between Microsoft Graph API user and WindowsIdentity?

I've logged into Windows 10 using my office 365 account and running WindowsIdentity.GetCurrent() gives me AzureAD\LocTrang and a Sid.
When I look into ADSI CN=ForeignSecurityPrincipals I can see the Sid. But pulling down the users from office 365 Azure Active Directory I could not find any correlation between my office 365 account and what WindowsIdentity has given me.
I know they're not the same but I need to find the connection between office 365 account and my Windows account which I've logged in using my office 365 account.
You need to check the attributes used to match users when AAD Connect is run.
AAD Connect syncs AD users up to Azure AD.
Normally UPN is used.
You also need to check what attributes are synched up since if they are not synched, they won't be in Azure AD.

Azure AD Graph API or Microsoft Graph API to access User attributes in Azure AD B2C tenant

I found a lot of threads regarding this but I'm not sure if they are still valid at this point in time, i.e. Jun 2019.
This link, which was updated in Jul 2017, says 'You must use Azure AD Graph API' to manage users in an Azure AD B2C directory.
But at the same time this link says: As of February 2019, we started the process to deprecate some earlier versions of Azure Active Directory Graph API in favor of the Microsoft Graph API.
I found this link which has the road map for AAD Graph and Microsoft Graph. But it is still not clear whether we should use Microsoft Graph or Azure AD Graph for a B2C tenant. I couldn't find any example of how to fetch User attributes using Microsoft Graph.
Question
Should I still keep on using 'Azure AD Graph' if I am dealing with a B2C tenant?
You must use Azure AD Graph API to manage users in an Azure AD B2C tenant since Microsoft Graph doesn't support a few of the user properties (including the creationType property) that are used by Azure AD B2C.
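The answer above reflects the mid-2019 state, when B2C-specific user properties such as creationType were only reachable through Azure AD Graph. As an added example (not code from the question or the answer), the Python below builds the Azure AD Graph users request for a B2C tenant and parses the user objects it returns, picking out creationType, the signInNames array and the custom attributes that B2C stores as extension_<appId without dashes>_<name> on the tenant's "b2c-extensions-app" application. The tenant name, the extensions app id, the object ids and the whole SAMPLE_RESPONSE are constructed, so the block runs offline and makes no request; the endpoint form graph.windows.net/{tenant}/users?api-version=1.6 and the extension attribute naming are as documented for Azure AD Graph. Since the question itself notes Azure AD Graph's deprecation began in February 2019, treat this as the pattern that answer refers to rather than current guidance.

```python
import urllib.parse

AAD_GRAPH = "https://graph.windows.net"
# Constructed values for the demo (not a real tenant or application id):
B2C_TENANT = "contosob2c.onmicrosoft.com"
B2C_EXTENSIONS_APP_ID = "b2c0ffee-0000-4000-8000-000000000001"


def build_users_request(tenant: str, select=None, filter_expr=None, api_version="1.6") -> str:
    """Azure AD Graph URL for listing a tenant's users, with optional $select / $filter."""
    params = {"api-version": api_version}
    if select:
        params["$select"] = ",".join(select)
    if filter_expr:
        params["$filter"] = filter_expr
    # quote (not quote_plus) so spaces in the OData filter become %20 rather than '+'
    query = urllib.parse.urlencode(params, quote_via=urllib.parse.quote)
    return f"{AAD_GRAPH}/{tenant}/users?{query}"


def parse_b2c_user(user: dict, extensions_app_id: str) -> dict:
    """Pull the B2C-relevant fields out of one Azure AD Graph user object.

    B2C custom attributes live in properties named
    extension_<appId without dashes>_<attribute>, where appId belongs to the
    tenant's b2c-extensions-app. creationType is "LocalAccount" for B2C local
    accounts; admin/work accounts in the same tenant have no creationType.
    """
    prefix = "extension_" + extensions_app_id.replace("-", "") + "_"
    custom = {k[len(prefix):]: v for k, v in user.items() if k.startswith(prefix)}
    sign_ins = [(s.get("type"), s.get("value")) for s in user.get("signInNames", [])]
    return {
        "objectId": user.get("objectId"),
        "displayName": user.get("displayName"),
        "creationType": user.get("creationType"),
        "signInNames": sign_ins,
        "custom": custom,
    }


def parse_users(response: dict, extensions_app_id: str) -> list:
    """Parse the 'value' array of a users listing response."""
    return [parse_b2c_user(u, extensions_app_id) for u in response.get("value", [])]


def local_accounts(response: dict, extensions_app_id: str) -> list:
    """Only the B2C local accounts (consumer sign-ups), skipping admin/work accounts."""
    return [u for u in parse_users(response, extensions_app_id)
            if u["creationType"] == "LocalAccount"]


# Constructed sample of what GET .../users?api-version=1.6 returns: shaped like an
# Azure AD Graph response, but every id, name and value is made up.
_EXT_KEY = "extension_" + B2C_EXTENSIONS_APP_ID.replace("-", "") + "_LoyaltyNumber"
SAMPLE_RESPONSE = {
    "odata.metadata": f"{AAD_GRAPH}/{B2C_TENANT}/$metadata#directoryObjects/Microsoft.DirectoryServices.User",
    "value": [
        {
            "objectId": "aaaaaaaa-0000-0000-0000-000000000001",
            "displayName": "Alice Example",
            "creationType": "LocalAccount",
            "signInNames": [{"type": "emailAddress", "value": "alice@example.com"}],
            _EXT_KEY: "L-1001",
        },
        {
            "objectId": "aaaaaaaa-0000-0000-0000-000000000002",
            "displayName": "Bob Admin",
            "creationType": None,
            "userPrincipalName": f"bob@{B2C_TENANT}",
            "signInNames": [],
        },
    ],
}


if __name__ == "__main__":
    print(build_users_request(B2C_TENANT,
                              select=["objectId", "displayName", "creationType"],
                              filter_expr="creationType eq 'LocalAccount'"))
    for u in parse_users(SAMPLE_RESPONSE, B2C_EXTENSIONS_APP_ID):
        print(u)
```

The extensions app id is read from the tenant once (it is the appId of the "b2c-extensions-app" application) and then reused for every user; filtering on creationType server-side, as build_users_request does, keeps a consumer-facing add-in from ever pulling the tenant's administrative accounts into its own result set.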
