Is it possible to extract from Microsoft Graph to fetch what user has created a specific 365 group? I need to get which user created specific team site.
Best R, Thomas
For non admins users you can use this:
https://graph.microsoft.com/v1.0/groups/{group object id}/createdOnBehalfOf
For every user you can use the List directoryAudits operation with the following query and extract initiatedBy/user/id from each returned record.
https://graph.microsoft.com/v1.0/auditLogs/directoryAudits?$filter=category eq 'GroupManagement' and activityDisplayName eq 'Add group'
A react application queries the Microsoft Graph to discover if a user is a member of a particular active directory group. Right now, there's this route:
https://graph.microsoft.com/v1.0/me/memberOf
The above does work in the application. It returns a (fairly sizable) object containing all of the user's groups, so I could iterate through the list, but it would be nice to directly check if the user is a member of a single group.
Given that I can already see the list of all groups, this doesn't seem like it should be difficult, but I'm not finding the route to do so.
Am I missing something obvious?
Thanks.
P.S. It would be nice if I could do this without requiring administrator permission on the application registration.
If you already know the group's ID, you can get the members of that group, and check whether the user is a member. I.e. the inverse of what you are doing now.
Or, if you have both the user's and the group's ID, you can filter like this:
https://graph.microsoft.com/v1.0/users/48d31887-5fad-4d73-a9f5-3c356e68a038/memberOf?$filter=id eq '1e770bc2-3c5f-487f-871f-16fbdf1c8ed8'
The first ID is the user, and the filter's ID is the group.
If it is for the currently signed in user, you can shorten it to
https://graph.microsoft.com/v1.0/me/memberOf?$filter=id eq '1e770bc2-3c5f-487f-871f-16fbdf1c8ed8'.
If the user isn't a member of the given group, you will get a return code Request_ResourceNotFound
Sometimes, I do a request to get the value of several fields for a given user.
Here is an example of such a request that works for a given user(the id corresponds to a user of type "Member"):
https://graph.microsoft.com/v1.0/users/bba8407c-2f05-4e91-b27e-a207689a085f?$select=passwordProfile,aboutMe,accountEnabled,assignedLicenses,assignedPlans,birthday,businessPhones,city,companyName,country,department,displayName,givenName,hireDate,imAddresses,interests,jobTitle,mail,mailboxSettings,mailNickname,mobilePhone,mySite,officeLocation,onPremisesImmutableId,onPremisesLastSyncDateTime,onPremisesSecurityIdentifier,onPremisesSyncEnabled,passwordPolicies,pastProjects,postalCode,preferredLanguage,preferredName,provisionedPlans,proxyAddresses,responsibilities,schools,skills,state,streetAddress,surname,usageLocation,userPrincipalName,userType
No problem here. But doing the same request for another user of type "Guest", I get an Http 400 (bad request). Here is a request that fails, even if the format is exactly the same:
https://graph.microsoft.com/v1.0/users/3e3fac9d-ad76-4f9a-b86c-b4691a524572?$select=passwordProfile,aboutMe,accountEnabled,assignedLicenses,assignedPlans,birthday,businessPhones,city,companyName,country,department,displayName,givenName,hireDate,imAddresses,interests,jobTitle,mail,mailboxSettings,mailNickname,mobilePhone,mySite,officeLocation,onPremisesImmutableId,onPremisesLastSyncDateTime,onPremisesSecurityIdentifier,onPremisesSyncEnabled,passwordPolicies,pastProjects,postalCode,preferredLanguage,preferredName,provisionedPlans,proxyAddresses,responsibilities,schools,skills,state,streetAddress,surname,usageLocation,userPrincipalName,userType
So the request syntax is identical, the only part that changes is the user id. But the second one returns "Bad Request - Error in query syntax". What is going on here? Why can I not do that request for guest users?
I can reproduce this problem for any tenant. It never works for any guest user.
Request-id of the failing request: 49e80d99-5074-4404-900f-e1d14889bf2b
it appears that some of those properties are unavailable for guest users. If you want to fetch non-guest users, you can use $filter syntax such as https://graph.microsoft.com/v1.0/users?$filter=userType eq 'Member'
I am looking at these blueprints: https://github.com/awslabs/aws-apigateway-lambda-authorizer-blueprints/blob/master/blueprints/nodejs/index.js
What is the principalId for and how is it generated?
I see the code like this:
// this could be accomplished in a number of ways:
// 1. Call out to OAuth provider
// 2. Decode a JWT token inline
// 3. Lookup in a self-managed DB
var principalId = 'user|a1b2c3d4'
The questions I have are:
Is it unique per user? I have a dynamodb where the users table has a unique user Id.
How do I use it in lambda as an environment variable in the AWS lambda console?
What is the main purpose of it in the autnorizer?
Thanks for reading and responding.
Yes, please see: https://forums.aws.amazon.com/thread.jspa?messageID=703105
Based on the answers to the other 2 questions you probably don't want this to be an environment variable, unless I'm misinterpreting what you're asking.
See above forum post
The principalId is intended to represent the long term identifier for whatever entity is being authorized to make the API call.
I would like to receive both a webhook url and the list of channels but have been unable to with the following scopes:
'channels:read,incoming-webhook' (This only has the single channel that was selected)
'channels:list,incoming-webhook' (This says: OAuth Error: invalid_scope: Invalid scope channels:list)
How can I get this information in one oauth?
Here is another site I used to try to troubleshoot this issue.
channels.list is a method and so you you have to make another 'get' to get this data. Here is an example: https://api.slack.com/methods/channels.list/test