is there a way to add an external member to the group [not the guest user who is part of the ADD]
the graph api seems to accept only the ADDconversation member ,
is it possible to add an external user ?
You need to invite them first, you can do so via the Azure AD (preview) module:
To send an invitation to your test email account, run the following PowerShell command (replace "John Doe" and john#contoso.com with your test email account name and email address):
New-MgInvitation -InvitedUserDisplayName "John Doe" -InvitedUserEmailAddress John#contoso.com -InviteRedirectUrl "https://myapplications.microsoft.com" -SendInvitationMessage:$true
The command sends an invitation to the email address specified.
Ref: https://learn.microsoft.com/en-us/azure/active-directory/external-identities/b2b-quickstart-invite-powershell
Or the corresponding Graph API endpoint:
POST https://graph.microsoft.com/v1.0/invitations
Content-type: application/json
{
"invitedUserEmailAddress": "admin#fabrikam.com",
"inviteRedirectUrl": "https://myapp.contoso.com"
}
Ref: https://learn.microsoft.com/en-us/graph/api/invitation-post?view=graph-rest-1.0&tabs=http
Related
We have a requirement to create office 365 user with mail account through create_user graph api. But user has been created successfully but mail account did not created.
Let us know api name to create user with mail account directly through api.
Microsoft Graph API doesn't has the feature. For mailbox creation, you need to use Exchange PowerShell to do it using New-Mailbox cmdlet. You can automate the Exchange PowerShell with .Net as well :)
For example,
$password = Read-Host "Enter password" -AsSecureString
New-Mailbox -UserPrincipalName chris#contoso.com -Alias chris -Database "Mailbox Database 1" -Name ChrisAshton -OrganizationalUnit Users -Password $password -FirstName Chris -LastName Ashton -DisplayName "Chris Ashton" -ResetPasswordOnNextLogon $true
To do this through the graph API you need to have a license that has Exchange Online as a service plan like Microsoft 365 F3 (SPE_F1), assign your new user one these licenses on creation and a Mailbox will be created for them:
Post the following:
{
"addLicenses": [
{
"skuId": "your SPE_F1 skuId number"
}
],
"removeLicenses": []
}
to:
https://graph.microsoft.com/v1.0/users/{user - id}/assignLicense/
Hello we are attempting to invite people (assign permissions for driveItems), that are members of the directory (tenant) using their IDs as returned by the /users endpoint. But unfortunately this results in the following error: One of the provided recipients could not be found.
The body of a request:
{'recipients': [{'objectId': u'21509bcb-d48c-4d66-8222-9da2c5ed2f7c'}],
'requireSignIn': True,
'roles': ['read'],
'sendInvitation': True}
The response:
{u'error': {u'code': u'itemNotFound',
u'innerError': {u'date': u'2018-03-09T02:42:46',
u'request-id': u'a0f919f2-02f6-4a95-ac60-18b8a3522ba2'},
u'message': u'One of the provided recipients could not be found'}
Using a users email works but the weird thing about that is, when we retrieve the driveItem's permissions after the invite the permission for that user doesn't contain the email BUT the ID with which we tried initially to invite him (and that fails).
Are the IDs, that must be specified for objectId, different or is this an internal issues?
I want the standard openid claims from the scope profile with the ADFS service on Windows 20016.
My request call look like:
https://myserver/adfs/oauth2/authorize?
response_type=code&
client_id=123456&
redirect_uri=http://localhost/bar&
scope=openid%20email%20profile
The id_token contains the follow:
{
aud=123456,
sub=xyz,
upn=bob#company.local,
unique_name=COMPANY\bob,
auth_time=1518686971,
iss=https://adfs.company.local/adfs,
exp=1518690571,
iat=1518686971,
sid=S-1-5-21-123-456-789-098
}
The app was registered with the powershell line:
Add-AdfsClient -Name "foo" -ClientId "123456" -RedirectUri #("http://localhost/")
How can I get the claims like email, given_name and family_name?
Have you tried configuring this with the wizard because you can define claims rules on the Web API?
If that doesn't suit, have a look here at some examples.
I am trying to add an alternate email with Microsoft Graph API from a.Net Core app.
The user class in Microsoft Graph does not provide a property for adding an additional mail id.
You can using Azure AD Graph to add the mail id to the otherMails. Here is sample to update the this property:
PATCH: https://graph.windows.net/{tenant}/me?api-version=1.6
authorization: bearer {access_token}
{
"otherMails":["test#test.com"]
}
Refer the links below for the user entity and update user REST:
Entity and complex type reference | Graph API reference
Update User
Here is the C# code to retrieve the alternate email
Select(u => new {
u.DisplayName,
u.Mail,
u.UserPrincipalName,
u.OtherMails
})
.GetAsync();
You can get the alternate email from the "otherMails" property on a User in the Graph API Docs.
Note that this is only returned on a Select, so you need to include the query parameter "$select=otherMails" to see it.
GET https://graph.microsoft.com/v1.0/users/USER_ID?$select=otherMails
authorization: bearer {access_token}
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(otherMails)",
"#odata.id": "https://graph.microsoft.com/v2/YOUR_AAD_TENANT/directoryObjects/USER_ID/Microsoft.DirectoryServices.User",
"otherMails": [
"altEmail#website.com"
]
}
Gmail API fails for one domain when retrieving messages with this error:
com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 OK
{
"code" : 403,
"errors" : [ {
"domain" : "global",
"message" : "Delegation denied for <user email>",
"reason" : "forbidden"
} ],
"message" : "Delegation denied for <user email>"
}
I am using OAuth 2.0 and Google Apps Domain-Wide delegation of authority to access the user data. The domain has granted data access rights to the application.
Seems like best thing to do is to just always have userId="me" in your requests. That tells the API to just use the authenticated user's mailbox--no need to rely on email addresses.
I had the same issue before, the solution is super tricky, you need to impersonate the person you need to access gmail content first, then use userId='me' to run the query. It works for me.
here is some sample code:
users = # coming from directory service
for user in users:
credentials = service_account.Credentials.from_service_account_file(
SERVICE_ACCOUNT_FILE, scopes=SCOPES)
####IMPORTANT######
credentials_delegated = credentials.with_subject(user['primaryEmail'])
gmail_service = build('gmail', 'v1', credentials=credentials_delegated)
results = gmail_service.users().labels().list(userId='me').execute()
labels = results.get('labels', [])
for label in labels:
print(label['name'])
Our users had migrated into a domain and their account had aliases attached to it. We needed to default the SendAs address to one of the imported aliases and want a way to automate it. The Gmail API looked like the solution, but our privileged user with roles to make changes to the accounts was not working - we kept seeing the "Delegation denied for " 403 error.
Here is a PHP example of how we were able to list their SendAs settings.
<?PHP
//
// Description:
// List the user's SendAs addresses.
//
// Documentation:
// https://developers.google.com/gmail/api/v1/reference/users/settings/sendAs
// https://developers.google.com/gmail/api/v1/reference/users/settings/sendAs/list
//
// Local Path:
// /path/to/api/vendor/google/apiclient-services/src/Google/Service/Gmail.php
// /path/to/api/vendor/google/apiclient-services/src/Google/Service/Gmail/Resource/UsersSettingsSendAs.php
//
// Version:
// Google_Client::LIBVER == 2.1.1
//
require_once $API_PATH . '/path/to/google-api-php-client/vendor/autoload.php';
date_default_timezone_set('America/Los_Angeles');
// this is the service account json file used to make api calls within our domain
$serviceAccount = '/path/to/service-account-with-domain-wide-delagation.json';
putenv('GOOGLE_APPLICATION_CREDENTIALS=' . $serviceAccount );
$userKey = 'someuser#my.domain';
// In the Admin Directory API, we may do things like create accounts with
// an account having roles to make changes. With the Gmail API, we cannot
// use those accounts to make changes. Instead, we impersonate
// the user to manage their account.
$impersonateUser = $userKey;
// these are the scope(s) used.
define('SCOPES', implode(' ', array( Google_Service_Gmail::GMAIL_SETTINGS_BASIC ) ) );
$client = new Google_Client();
$client->useApplicationDefaultCredentials(); // loads whats in that json service account file.
$client->setScopes(SCOPES); // adds the scopes
$client->setSubject($impersonateUser); // account authorized to perform operation
$gmailObj = new Google_Service_Gmail($client);
$res = $gmailObj->users_settings_sendAs->listUsersSettingsSendAs($userKey);
print_r($res);
?>
I wanted to access the emails of fresh email id/account but what happened was, the recently created folder with '.credentials' containing a JSON was associated with the previous email id/account which I tried earlier. The access token and other parameters present in JSON are not associated with new email id/account. So, in order make it run you just have to delete the '.credentails' folder and run the program again. Now, the program opens the browser and asks you to give permissions.
To delete the folder containing files in python
import shutil
shutil.rmtree("path of the folder to be deleted")
you may add this at the end of the program
Recently I started exploring Gmail API and I am following the same approach as Guo mentioned. However, it is going to take of time and too many calls when we the number of users or more. After domain wide delegation my expectation was admin id will be able to access the delegated inboxes, but seems like we need to create service for each user.