I fetched users from O365 api. I got both users O365 & Exchange users. How I can fetch only O365 users using graph apis?
Or How we can differenciate users of o365 & exchange users?
Are the Exchange Online users cloud only and the Exchange Server users synced from AD? If so, you can look at the various onPremises attributes available in the beta endpoint. If the account is synced from AD they will have values, if cloud they will be null.
For example, here's a cloud user:
"onPremisesDomainName": null,
"onPremisesImmutableId": null,
"onPremisesLastSyncDateTime": null,
"onPremisesSecurityIdentifier": null,
"onPremisesSamAccountName": null,
"onPremisesSyncEnabled": null,
"onPremisesUserPrincipalName": null,
Versus a synced user:
"onPremisesDomainName": "example.com",
"onPremisesImmutableId": "khaeSOCUHOSUsCHUBVeqqQ==",
"onPremisesLastSyncDateTime": "2018-09-08T00:55:43Z",
"onPremisesSecurityIdentifier": "S-1-5-21-3245132666-154143651436-123413245-12341234",
"onPremisesSamAccountName": "jdoe",
"onPremisesSyncEnabled": true,
"onPremisesUserPrincipalName": "jdoe#example.com",
Related
I am getting the following output from the /userinfo endpoint
{
"sub": "XXXX#gmail.com",
"aud": [
"XXXXXXXXX"
],
"nbf": 1646097620.000000000,
"scope": [
"openid",
"profile",
"email"
],
"iss": "https://XXXXXX/authServer",
"exp": 1646097920.000000000,
"iat": 1646097620.000000000
I need the username and the email to be visible.
Could any one help me on this ?
We are working on reference documentation, including how-to guides for cases such as this one. See How-to: Customize the OpenID Connect 1.0 UserInfo response #537, and feel free to up-vote that issue if it would be helpful to you.
In the meantime, check out the configuration in OidcUserInfoTests which demonstrates how to customize the claims returned by the User Info endpoint. For example, you can simply map all of the claims from the JWT (access token), or you can map only specific claims.
You may also be interested in seeing the DefaultOidcUserInfoMapper. The default strategy used is to map the standard claims from the id_token that are resolvable by the granted OIDC scope(s). Since in your example, you have profile and email, you can also provide an OAuth2TokenCustomizer to add the associated claims to the id_token when it is created, and they will automatically show up in the User Info endpoint. See OidcTests for an example of customizing the id_token.
if I have a service account set up and am initializing the app in a firebase function with the service account credentials to do some database maintenance work, how can I restrict the rules in the database so that only the service account is able to access that path in the database, how can I go about it?
The only available options in the auth object appear to be token, uid, and provider.
The only fields available in the service account json file are:
{
"type": "service_account",
"project_id":
"private_key_id":
"private_key":
"client_email":
"client_id":
"auth_uri":
"token_uri"
"auth_provider_x509_cert_url"
"client_x509_cert_url"
}
Service accounts always bypass all security rules. It's not possible to write any security rules that limit the permissions of a backend SDK initialized with a service account.
I am using Client application (Client credentials grant) with defined permissions Application.ReadWrite.All and User.ReadWrite.All (both are included in Bearer token) to change accountEnabled to false for a user, like here:
{
"accountEnabled": false,
"city": "C234",
"country": "AFG",
"displayName": "Steve Rogers",
"givenName": "Steve",
"jobTitle": "Azure",
"mailNickname": "steve",
"postalCode": "Z345",
"streetAddress": "S123",
"surname": "Rogers",
"userPrincipalName": "steve#***.onmicrosoft.com",
"id": "aec...278",
"mobilePhone": null
}
But all requests ends with 403
{
"error": {
"code": "Authorization_RequestDenied",
"message": "Insufficient privileges to complete the operation.",
"innerError": {
"request-id": "e7a...e42",
"date": "2019-04-10T08:21:12"
}
}
}
Documentation doesn't contain any restrictions or requirements of additional permissions. Is it a bug in Graph API?
Thank you guys, I was able to find a root cause - you can't disable a user in Admin role. I was unlucky and select several users and all of them were in Admin role.
https://learn.microsoft.com/en-us/graph/permissions-reference#remarks-2
On my side, it works. The following is my process:
Use the client credential to get bearer token:
To parse the bearer token:
2. Use this bearer token to call ms graph api:
Check the disabled user in the azure portal:
No Its mandatory to grant permission for accessing this API on azure portal.
Make sure you have set required permissions access on portal of your calling API. Also user must not have any directory role in portal.
If you are admin in your AAD, You could grant permission for
users in organization by click Grant permission button.
Then you could use your code (client credential flow to get the
token) and query users information . If you check the claims in
access token issued by azure ad , you could find Directory.Read.All
permission in roles claim
In given reference same thread answered there You could refer here .
Note For Client Credentials code example you could check here
If you still have any query feel free to ask in comment. Thank you.
Having issues accessing graph resources for a specific user. Most have no issues. This specific user authenticates with our client via their school Outlook account which I am assuming is where the issue lies.
Our service attempts to create a specific folder using the /me/contactFolders endpoint. When we make the post, we get the error that the resource could not be discovered. Digging in a bit, I decided to login with their account to the Graph explorer and could not query endpoints such as, /me/contacts, /me/contactFolders, /me/events, etc.. None of the examples provided worked to fetch any data. I am assuming this has to do with permissioning of the users account, but I am not sure what permissions they would need to access both calendars and contacts (we are setting scopes and delegated permissions correctly as this problem is only associated with a couple users).
This is the error message that I received when trying to query graph:
{
"error": {
"code": "ResourceNotFound",
"message": "Resource could not be discovered.",
"innerError": {
"request-id": "5cfd7b28-a915-42cf-9bce-a8a2509c3f1f",
"date": "2018-12-20T18:48:34"
}
}
}
Any help in diagnosing this issue would be greatly appreciated!!
If you couldn't decode the token then you're most likely facing one of the following issues:
You obtained the token incorrectly
You're attempting to decode the Authorization Code rather than the Access Token (i.e. the string you get from 1st OAuth step rather than the 2nd).
The token is for Microsoft Account (a.k.a. MSA, lesser aka as an Xbox or Outlook.com account).
You can only decode tokens issued by Azure AD (AAD). School accounts (i.e. those ending in .edu) are basically the same as Work accounts, they're owned and managed by an Azure Active Directory.
In terms of checking which services are provisioned for the current User, you can obtain these from the /me endpoint so long as you have requested either the User.Read or User.ReadWrite scope. Note that this information isn't included by default so you'll need to specifically request the provisionedPlans. For example, the following query will return the current user's id, userPrincipalName, and their list of provisionedPlans (i.e. services):
https://graph.microsoft.com/v1.0/me/?$select=id,userPrincipalName,provisionedPlans
The results are pretty self-explanatory but in your particular case you're looking for a service named exchange (there are often more than one but they should all reflect the same status):
{
"#odata.context": "https://graph.microsoft.com/v1.0/$metadata#users(id,userPrincipalName,provisionedPlans)/$entity",
"id": "48d31887-5fad-4d73-a9f5-3c356e68a038",
"userPrincipalName": "MeganB#M365x214355.onmicrosoft.com",
"provisionedPlans": [
{
"capabilityStatus": "Enabled",
"provisioningStatus": "Success",
"service": "exchange"
},
I'm creating a web app in MVC c# where you can login using your AD account and read secrets. The problem is that there are lots of Key Vaults - each with specific permissions. I've managed to do this with one particular vault and list the secrets in the vault using the vault URL using an AD login.
I would like to be able to list the vaults that the user has access too. I understand this is very easy to do in Powershell but I cannot find out how to do this in C#.
Is there a way to do this? Thanks!
As far as I know, there is no such REST we can get all the key vaults across the different subscription at present.
As a workaround, we need to list Key Vault under all the subscriptions and resource group. And check the accessPolicies to see whether the Key Vault is accessible.
For example an accessPolicie likes below, we can check whether users' object match the objectId in accessPolicie.
{
"tenantId": "",
"objectId": "",
"permissions": {
"keys": [],
"secrets": [
"Get"
],
"certificates": []
}
},
To list Key Vault under all the subscriptions and resource group you can refer the REST below:
GET: https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroup}/providers/Microsoft.KeyVault/vaults?api-version=2015-06-01
authorization: bearer {access_token}
And if you have any idea or feedback about Azure, you can submit them from here.