Email aliases not coming back from graph API users endpoint - microsoft-graph-api

We are seeing a few users for which the graph API returns only a primary email despite knowing that there are multiple SMTP addresses configured for these users. We are observing this on the List Users endpoint as well as the Get User endpoint.
When using the $select parameter to include the otherMails and proxyAddresses properties, both come back as empty arrays. Microsoft 365 admins for the tenant to which these users belong have provided us with screenshots demonstrating that some of these users have at least one email alias configured in addition to their primary email.
I'm curious if there's any scenario in which it would be expected that otherMails and proxyAddresses would be empty despite the presence of aliases on a user? Or if there's a particular way in which the request to the List/Get users endpoints must be crafted to get these fields to come back non-empty. According to the docs it seems like a collision between SMTP addresses across directory objects might cause this, but I'm certain that's not the case for all of the users for which we're seeing this issue.
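The following is an added example, not the poster's code, of how to request and triage the alias-bearing fields: it builds the $select query string, then splits proxyAddresses into the primary address and its aliases using the Exchange convention that the upper-case "SMTP:" entry is the primary and lower-case "smtp:" entries are aliases, and flags users whose alias fields came back empty so they can be cross-checked against the admin view. The response body is constructed sample data, the tenant and addresses are hypothetical, and nothing here contacts Graph.

```python
"""Triage a Microsoft Graph /users response: split proxyAddresses into the
primary SMTP address and its aliases, and flag users whose alias fields came
back empty. Added example built on constructed data, not the poster's code."""
import json
from urllib.parse import urlencode

# otherMails and proxyAddresses are not in the default property set, so they
# must be requested with $select. Constructed URL; nothing here hits the network.
GRAPH_USERS_URL = "https://graph.microsoft.com/v1.0/users?" + urlencode(
    {"$select": "id,userPrincipalName,mail,otherMails,proxyAddresses"}
)

# Constructed sample of a List Users response body (not real tenant data).
SAMPLE_RESPONSE = json.dumps({
    "value": [
        {
            "id": "00000000-0000-0000-0000-000000000001",
            "userPrincipalName": "alice@example.com",
            "mail": "alice@example.com",
            "otherMails": [],
            "proxyAddresses": [
                "SMTP:alice@example.com",        # upper-case SMTP: = primary
                "smtp:alice.smith@example.com",  # lower-case smtp: = alias
                "smtp:asmith@example.org",
                "SIP:alice@example.com",         # not a mail address
            ],
        },
        {
            # The symptom from the question: both alias fields empty.
            "id": "00000000-0000-0000-0000-000000000002",
            "userPrincipalName": "bob@example.com",
            "mail": "bob@example.com",
            "otherMails": [],
            "proxyAddresses": [],
        },
    ]
})


def split_smtp_addresses(user):
    """Return (primary, aliases) for one user object.

    Exchange convention in proxyAddresses: the entry prefixed with upper-case
    'SMTP:' is the primary address and lower-case 'smtp:' entries are aliases;
    other prefixes (SIP:, X500:, ...) are skipped. If proxyAddresses is empty
    the only address we can report is `mail`, with no aliases.
    """
    primary, aliases = None, []
    for entry in user.get("proxyAddresses") or []:
        prefix, _, address = entry.partition(":")
        if prefix == "SMTP":
            primary = address
        elif prefix == "smtp":
            aliases.append(address)
    if primary is None:
        primary = user.get("mail")
    return primary, aliases


def triage_users(response_text):
    """Map user id -> summary, marking users whose alias fields are empty so
    they can be cross-checked against the admin-side view."""
    summary = {}
    for user in json.loads(response_text)["value"]:
        primary, aliases = split_smtp_addresses(user)
        summary[user["id"]] = {
            "upn": user.get("userPrincipalName"),
            "primary": primary,
            "aliases": aliases,
            "alias_fields_empty": not user.get("proxyAddresses")
            and not user.get("otherMails"),
        }
    return summary


if __name__ == "__main__":
    for uid, info in triage_users(SAMPLE_RESPONSE).items():
        print(uid, info)
```

Run against a real response by replacing SAMPLE_RESPONSE with the body returned for GRAPH_USERS_URL; the users flagged alias_fields_empty are the ones to compare against the admin screenshots.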

What JWT claims from Azure AD tokens can be safely used for user mappings?

We use OAuth 2.0 to obtain JWT tokens from an Azure AD. In our application, we have used the value of the 'upn' claim to identify an associated internal username.
The Azure AD Token Reference documents the upn claim as a "User Principal Name", which as far as I understand is a username following the addr-spec format (i.e. user@domain). This works well for users created within the Azure AD tenant. To my surprise, however, the upn claim seems to be gone if the authenticated user is synced from a different AD. This behavior does not seem to be documented anywhere.
Where can I find documentation on when the upn is guaranteed to be in a token?
What are reliable alternative claims that I can use instead? Preferably claims guaranteed to be of the form "user/domain", as that matches our model best. I have considered the following:
unique_name: I have only observed this to be equal to upn, but I am not sure where it comes from. Confusingly, the token reference says: This value is not guaranteed to be unique within a tenant and is designed to be used only for display purposes. (emphasis mine)
email: This too seems to be equal to upn, but again, where is it sourced from? In the management portal, I have tried putting a different value in every email related field associated with the user, but none of them seem to be propagated to this claim. It therefore appears that this field is not actually an email.
I want to be absolutely sure that our application will be able to handle all tokens issued by Azure AD, so I am hesitant to use any of the above claims unless I have some documentation that explains their actual semantics.
Where can I find documentation on when the upn is guaranteed to be in a token?
There is no such document about how this claim is guaranteed. Based on my test, it is as you mentioned: it is only issued when the user is not an external user.
What are reliable alternative claims that I can use instead? Preferably claims guaranteed to be of the form "user/domain", as that matches our model best. I have considered the following:
We can use the oid claim to map the users. This claim contains a unique identifier of an object in Azure AD. This value is immutable and cannot be reassigned or reused. Use the object ID to identify an object in queries to Azure AD.
And if you have any feedback about the Azure documentation, you can try to submit it via "Is this page helpful?" at the bottom right of the page to help improve the document.
While it is fairly common for a User’s UPN and primary email address to be the same thing, that isn’t guaranteed (nor is the existence of UPN as you’ve noticed). So you should operate under the assumption that UPN != email address. If you need to know the email address, you should make a Graph call and search using the oid.
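As an added example (not code from either answer above), the following maps a token to an internal user key by tenant id plus oid, as the answers recommend, and only uses upn, email or unique_name for display. So that it runs offline, the demo token is HS256-signed with a shared secret; a real Azure AD token is RS256 and must be verified against the tenant's published signing keys (JWKS), but the claim handling after verification is the same. The secret, audience, tenant id and both claim sets are constructed assumptions.

```python
"""Map an Azure AD token to an internal user key without relying on upn.
Added example, not code from the answers above. To run offline the demo
token is HS256-signed with a shared secret; a real Azure AD token is RS256
and must be verified against the tenant's published signing keys (JWKS),
but the claim handling after verification is the same."""
import base64
import hashlib
import hmac
import json
import time

DEMO_SECRET = b"demo-shared-secret-not-an-azure-key"     # assumption, demo only
EXPECTED_AUD = "api://example-app"                      # hypothetical app ID URI
EXPECTED_TID = "11111111-1111-1111-1111-111111111111"   # hypothetical tenant id
EXPECTED_ISS = f"https://sts.windows.net/{EXPECTED_TID}/"

# Constructed claim sets. The cloud-only user carries upn; the user synced
# from another directory does not, which is the situation in the question.
CLOUD_USER = {
    "iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "tid": EXPECTED_TID,
    "oid": "aaaaaaaa-0000-0000-0000-000000000001",
    "upn": "alice@contoso.example", "unique_name": "alice@contoso.example",
    "exp": int(time.time()) + 3600,
}
SYNCED_USER = {
    "iss": EXPECTED_ISS, "aud": EXPECTED_AUD, "tid": EXPECTED_TID,
    "oid": "aaaaaaaa-0000-0000-0000-000000000002",
    "email": "bob@partner.example", "unique_name": "bob@partner.example",
    "exp": int(time.time()) + 3600,
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_demo_token(claims: dict) -> str:
    """HS256 stand-in for what the identity provider would issue."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(DEMO_SECRET, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_demo_token(token: str, now: float = None) -> dict:
    """Reject anything not signed for us; only then look at the claims."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # the token never picks the algorithm
        raise ValueError("unexpected alg")
    expected = hmac.new(DEMO_SECRET, f"{header_b64}.{payload_b64}".encode(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISS or claims.get("aud") != EXPECTED_AUD:
        raise ValueError("wrong issuer or audience")
    if claims.get("tid") != EXPECTED_TID:
        raise ValueError("wrong tenant")
    if claims.get("exp", 0) <= (time.time() if now is None else now):
        raise ValueError("expired")
    return claims


def user_key(claims: dict) -> str:
    """Stable key for the internal user record: tenant id + object id.
    upn, email and unique_name are never consulted here, so a token that
    lacks upn maps exactly like one that has it."""
    return f"{claims['tid']}:{claims['oid']}"


def display_label(claims: dict) -> str:
    """Human-readable label only (the claims the token reference marks as
    display-oriented); falls back to the oid."""
    for name in ("upn", "email", "unique_name"):
        if claims.get(name):
            return claims[name]
    return claims["oid"]
```

Keying on tid as well as oid matters once the application is exposed to more than one tenant: oid is unique within a directory, so the pair is what identifies the account. If the mailbox address is needed, look it up through Graph by oid rather than trusting a token claim.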

Track anonymous users without forcing users to go through authentication proccess

I want to track all users (both authenticated and anonymous users); so far the solutions I found are not good.
First of all, we can use a cookie, but as we all know it's not a reliable solution; second of all, we can use browser fingerprinting, but until this moment I did not find any solution for the server side.
I found this solution, valve, but it is for the client side, and this one, browserFingerPrint; I want an approach in which the user does not find any token in the request. I want to create the key on the server side so I can track users.
Does anyone know any solution?
Note: my server-side technology is ASP.NET MVC.
Use case: users can comment on my site and also like or dislike comments; I want to allow all users to do this, and I also want to track users before the action (like or dislike).
No, there is no solution for what you want that doesn't use some form of a "token" which fingerprints anonymous users.
Let's see why.
An anonymous browser sends a series of bits of data, such as IP, browser agent and other headers. These should never be used to identify a user because they can be easily forged. They can be OK for tracking, and for most purposes IP address or some hash based on IP address and browser agent is sufficient. However this won't do for things which require security, such as commenter identification.
For commenter identification, it is necessary to prevent fraud. This is typically achieved by giving a unique token to each user. This can be transmitted in many forms, off the top of my head: cookies, headers, query string, POST parameters, or client certificates. However it does require a token issued by the server. If the client can generate a token from scratch, then it follows it can generate a fake token.
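The server-issued token the answer describes, as an added example that is not the asker's or answerer's code: the server mints a random visitor id and attaches an HMAC tag with a key only it holds, so a token the client made up fails verification, and the like/dislike action is tied to the resolved visitor id. The ASP.NET MVC site in the question is stood in for by framework-free Python, and the in-memory set and dict stand in for database tables.

```python
"""Server-issued tokens for anonymous visitors: the server mints a random id
and signs it, so a client cannot mint its own and cannot vote as someone else.
Added example, not the asker's or answerer's code: the ASP.NET MVC site in
the question is stood in for by framework-free Python, and the in-memory
sets below stand in for database tables."""
import hashlib
import hmac
import secrets

SERVER_KEY = secrets.token_bytes(32)   # per-deployment secret (assumption: kept server-side)
_issued = set()                        # visitor ids the server has handed out
_votes = {}                            # (visitor_id, comment_id) -> +1 / -1


def issue_token() -> str:
    """Called on first visit; the result goes in a Set-Cookie header
    (HttpOnly; Secure; SameSite=Lax). Only the server can produce the tag."""
    visitor_id = secrets.token_hex(16)
    tag = hmac.new(SERVER_KEY, visitor_id.encode(), hashlib.sha256).hexdigest()
    _issued.add(visitor_id)
    return f"{visitor_id}.{tag}"


def resolve_visitor(token):
    """Return the visitor id for a presented cookie, or None if the cookie
    is missing, malformed, self-minted/forged, or no longer issued."""
    if not token or "." not in token:
        return None
    visitor_id, _, tag = token.partition(".")
    expected = hmac.new(SERVER_KEY, visitor_id.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return None                     # client generated its own token
    if visitor_id not in _issued:
        return None                     # revoked or never issued
    return visitor_id


def vote(token, comment_id: int, value: int) -> str:
    """Like (+1) or dislike (-1) a comment; one vote per visitor per comment."""
    visitor_id = resolve_visitor(token)
    if visitor_id is None or value not in (1, -1):
        return "reject"
    key = (visitor_id, comment_id)
    if key in _votes:
        return "duplicate"
    _votes[key] = value
    return "ok"


def tally(comment_id: int) -> int:
    return sum(v for (_, cid), v in _votes.items() if cid == comment_id)


def revoke(token) -> None:
    """Drop a visitor id (e.g. abuse); its cookie stops resolving."""
    _issued.discard(token.partition(".")[0])
```

This still does not stop one person from clearing cookies and being issued a fresh id, which is the limitation the answer points at: the token identifies a browser the server has seen, not a person, and anything stronger needs authentication.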

What is the "primary" email of a user in Asana

Asana accounts can have multiple emails associated to them, but getting a user from the API only returns 1 email. So which one will it return? Is there a concept of a primary email?
https://app.asana.com/api/1.0/users/me
Great question. Users typically have multiple email addresses when they are in multiple domains. If the API call has a domain context, such as GET /workspaces/:id/users, the email addresses for each user will be their registered domain email for the workspace identified. This goes for querying followers of projects and tasks, as they can only exist in a single domain.
However, when your query does not have a domain context, such as GET /users/me the behavior is a bit more undefined. The reply will not change from call to call unless the user has changed that email address, but there is not a notion of a "primary" email address you, as an API consumer, can apply to that response.
Hope that helps.

IBM Connections user ids

I'm currently confused by the IDs identifying a user in Connections, and their link to the underlying LDAP directory.
So far, I identified several ids:
email: simple but not reliable as email access might have been disabled by the admin. This is particularly true for Connections cloud.
snx:userid: UUID generated by Connections, but this is a chicken-and-egg problem. To find the userid, you need to first get access to a profile document, or some data retrieved from Connections.
key: also generated by Connections, but I don't get the pattern. On Greenhouse, it is yet another UUID in x-profile-key, different from the userid above. On other systems, it seems to be based on the user name.
subscriberId: The "lotuslive id" used by Connections cloud.
Can someone explain the relationship between snx:userid, key and subscriberId, on-prem and on the cloud, and what they are for? I can't find any clear documentation around it. The API doc says that sometimes we should pass the key, and sometimes the id.
Also, there is the LDAP directory on-prem. We are querying the LDAP directory (WAS federated directory, also used by Connections) to get a list of users based on a group. But then, how can we access their Connections profiles from the LDAP result? Is there an attribute to read? We are currently using the email, but as said earlier, this will not work if email access is disabled, like in Greenhouse.
I can explain part of it. The snx:userid is an abstraction used to uniquely identify a person, even if their email changed, name changed, or any other LDAP-specific id changed. The snx:userid is I believe 64-bit.
I thought the Key is the same as snx:userid.
SubscriberId is based on the Business Support Services long id, and includes a scope so that each environment has a unique id.
I think I described the first part of your question on the relationship.
For the second bit, we don't augment LDAP with the snx:userid.
You may want to look at User SPI and java.lang.String getExtID()
http://www-10.lotus.com/ldd/lcwiki.nsf/xpAPIViewer.xsp?lookupName=IBM+Connections+5.0+API+Documentation#action=openDocument&res_title=User_SPI_ic50&content=apicontent
Hopefully this will help clear up some of the confusion and break down their relationships and uses.
snx:userid — This is actually not “generated” by Connections, but rather is associated with an LDAP attribute that is defined during the population process. Generally it is defaulted to an LDAP attribute that is and will always be unique to a user so that it can be used to identify a user in the LDAP if other content has changed. In some cases you’ll see this as the GUID of the LDAP (the default setting on-prem), though other times you’ll see this as a different value, like on the cloud for example. The cloud has this set to the subscriberId.
subscriberId — This is generated and based on our Business Support Services as Paul mentioned. It is used as the true unique identifier for a “subscriber” (user) to the environment, since the environment is MT and users need to be scoped. This was chosen over the default GUID as a unique identifier for a variety of logistical reasons.
key — This is generated by Connections itself during the population process. It is used to define the user's profile within the context of Profiles and provides Connections with the ability to associate content with a user when the user's LDAP information has been altered. It provides a separation of identity and helps facilitate user content synchronization for Connections.
Unfortunately there isn't a clear cut way to perform that lookup though, especially when you take something like Connections Cloud or Greenhouse into account. They have email disabled for a variety of security reasons. Generally speaking though, the userId is the GUID for the ldap, unless it is very explicitly redefined and configured so, but again you'd really have to know the environment in order to know that information. In a nutshell I think it has to be a configuration parameter for the app per environment if email is disabled.

Rails API Authentication From Multiple Devices

I have a RESTful API that is going to be accessed by multiple organizations. Their data is always going to be separate. I am using Rails 4.0, Ember.js, and PhoneGap. There are going to be multiple devices accessing the API for a single organization at any point in time.
My question is how to properly design my API with these multiple organizations and devices in mind.
Current Solution:
The user must authenticate with the organization name and password. This is done over HTTPS with basic auth. After that the user is given a token that Ember stores and which is used for each subsequent request. Since there are multiple devices, multiple API tokens can be associated with an organization. Rails uses the token to get the organization id with every request, so the URL /members only outputs the members related to the organization the token belongs to. Thoughts on this?
Requiring every restful resource to be started with organization/id/resource seemed insecure and unwieldy to me so that is why I chose my current solution.
A Better Way?
What is a better way of doing this? Should I give each organization a subdomain and pass that back along with the token and use the token only for security and the subdomain for identifying the organization? Or should I just stick with organization/id/resource?
You are right, the token itself should not contain any "organization" part; it's insecure, as is adding the subdomain in the way you've proposed.
Instead of that you can add an Organization field to the Token object (or table, depending on how you track tokens). Once you have received the token you're able to get the Organization.
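The design the answer describes, as an added example that is not the asker's Rails code: each device gets its own token row, the row carries the organization id, and every request resolves the organization from the token rather than from the URL, a subdomain, or anything encoded in the token itself. It is written in Python with an in-memory SQLite database standing in for the Rails models; organization names, passwords and members are constructed.

```python
"""Per-device API tokens that resolve to an organization server-side, so the
URL never carries the organization id and the token never encodes it.
Added example, not the asker's Rails code: the same design in Python with an
in-memory SQLite database standing in for the Rails models."""
import hashlib
import hmac
import secrets
import sqlite3

db = sqlite3.connect(":memory:")
db.executescript("""
CREATE TABLE organizations (
    id INTEGER PRIMARY KEY, name TEXT UNIQUE NOT NULL, salt BLOB NOT NULL, pw_hash BLOB NOT NULL);
CREATE TABLE api_tokens (
    token_hash TEXT PRIMARY KEY, organization_id INTEGER NOT NULL, device TEXT NOT NULL);
CREATE TABLE members (
    id INTEGER PRIMARY KEY, organization_id INTEGER NOT NULL, name TEXT NOT NULL);
""")


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _token_hash(token: str) -> str:
    # Store only a hash: a leaked tokens table does not yield usable tokens.
    return hashlib.sha256(token.encode()).hexdigest()


def create_org(name: str, password: str) -> int:
    salt = secrets.token_bytes(16)
    cur = db.execute("INSERT INTO organizations (name, salt, pw_hash) VALUES (?, ?, ?)",
                     (name, salt, _pw_hash(password, salt)))
    return cur.lastrowid


def add_member(org_id: int, name: str) -> None:
    db.execute("INSERT INTO members (organization_id, name) VALUES (?, ?)", (org_id, name))


def login(org_name: str, password: str, device: str):
    """Basic-auth step over HTTPS: on success mint a fresh token for this device.
    Several devices of one organization each hold their own row."""
    row = db.execute("SELECT id, salt, pw_hash FROM organizations WHERE name = ?",
                     (org_name,)).fetchone()
    if row is None:
        return None
    org_id, salt, pw_hash = row
    if not hmac.compare_digest(_pw_hash(password, salt), pw_hash):
        return None
    token = secrets.token_urlsafe(32)
    db.execute("INSERT INTO api_tokens (token_hash, organization_id, device) VALUES (?, ?, ?)",
               (_token_hash(token), org_id, device))
    return token


def org_for_token(token: str):
    """The organization comes from the token row, never from the client."""
    row = db.execute("SELECT organization_id FROM api_tokens WHERE token_hash = ?",
                     (_token_hash(token),)).fetchone()
    return row[0] if row else None


def list_members(token: str):
    """GET /members: scoped to the token's organization; None means 401."""
    org_id = org_for_token(token)
    if org_id is None:
        return None
    rows = db.execute("SELECT name FROM members WHERE organization_id = ? ORDER BY name",
                      (org_id,))
    return [name for (name,) in rows]


def revoke_device(token: str) -> None:
    """Log one device out without touching the organization's other tokens."""
    db.execute("DELETE FROM api_tokens WHERE token_hash = ?", (_token_hash(token),))
```

Because the organization id is read from the token row, a client that edits a URL or a subdomain gains nothing, and revoking one device's token leaves the organization's other devices logged in.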