read Office 365 group CustomProperty with Graph API - microsoft-graph-api

We would like to store some extra metadata in the Office 365 groups' "CustomAttribute..." properties. However, most of our processes are based on the Graph API, and it looks like these properties are not exposed with a standard call:
https://graph.microsoft.com/v1.0/groups/GUID
doesn't contain these properties, and
https://graph.microsoft.com/v1.0/groups/GUID?$select=id&$expand=customAttribute1
gives Parsing OData Select and Expand failed: Could not find a property named 'customAttribute1' on type 'microsoft.graph.group' error.
I can query this property with PowerShell, but I'd rather use Graph. Can somebody please help me how to get this info out of Graph?

Related

How to retrieve from Microsoft Graph all users that are members of all 3 groups from my list in a single request?

I need to retrieve from Microsoft Graph all users that are members of all 3 groups from my list. How can I do that in a single request?
I would use $filter inside $expand of memberOf property on users' endpoint.
https://graph.microsoft.com/v1.0/users?$expand=memberOf($filter=id+eq+'{group1-id}' and id+eq+'{group2-id}' and id+eq+'{group3-id}')
But from my testing it looks like $filter is ignored, and all users are returned.
The second option
https://graph.microsoft.com/v1.0/users?$expand=memberOf&$filter=memberOf/any(r:r/id eq '{group1-id}' and r/id+eq+'{group2-id}' and r/id+eq+'{group3-id}')&$count=true
with request header ConsistencyLevel:eventual returns
the error Request_UnsupportedQuery with the message Multiple filter clauses are not supported on an 'Any' operation on a simple property.
Currently, there is no functional way to retrieve all users that are members of all specified groups.

Getting Groups with Guests via Graph

I'm trying to retrieve a list of Microsoft 365 Groups that have guest members via Graph.
I can get a full list of groups and then filter client-side, but the documentation says that the "members" property is queryable in the $filter clause, so I thought I'd be able to do something like this:
/beta/groups?$filter=members/any(x:x/userType eq 'Guest')
However, this is returning the following error:
Property 'members' does not exist as a declared property or extension property
Has anyone managed to pull this off? Or can someone confirm that it's not possible to filter a list of groups based on its members? Is there any way to do this without filtering client side?
Thanks!
Answering my own question, as I've heard from the PM in charge of this part of Graph.
https://twitter.com/merill/status/1550312453111955456?s=20&t=i9RNt7-E2fXNCSoDxESO4w
Unfortunately member is not available as a filter option for the group object so you will need to manually query each group.
Hopefully this gets added at some point, but for now I'm going to have to get the full list of groups and filter client-side.
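The client-side approach described in the answer above, as an added example that is not part of the original post: it lists groups, queries each group's members with `userType` selected, and follows `@odata.nextLink`. `get_json` is a hypothetical callable (URL in, decoded JSON out), and the group ids, names and sample responses are constructed.

```python
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"
MEMBERS = GRAPH + "/groups/{}/members/microsoft.graph.user?$select=id,userPrincipalName,userType"

def paged(get_json, url):
    """Yield every item of a Graph collection, following @odata.nextLink."""
    while url:
        page = get_json(url)
        yield from page.get("value", [])
        url = page.get("@odata.nextLink")

def groups_with_guests(get_json):
    """Return {group id: (displayName, [guest UPNs])} for groups that have guests.

    get_json is a hypothetical callable: request URL in, decoded JSON body out.
    """
    found = {}
    for group in paged(get_json, GRAPH + "/groups?$select=id,displayName"):
        # userType is not in the default user property set, so $select it explicitly.
        members = paged(get_json, MEMBERS.format(quote(group["id"], safe="")))
        guests = [m["userPrincipalName"] for m in members if m.get("userType") == "Guest"]
        if guests:
            found[group["id"]] = (group["displayName"], guests)
    return found

# Constructed sample responses, keyed by request URL, so the example runs offline.
SAMPLE = {
    GRAPH + "/groups?$select=id,displayName": {"value": [
        {"id": "g1", "displayName": "Partners"},
        {"id": "g2", "displayName": "Staff"}]},
    MEMBERS.format("g1"): {
        "value": [{"id": "u1", "userPrincipalName": "a@contoso.example",
                   "userType": "Member"}],
        "@odata.nextLink": GRAPH + "/groups/g1/members?$skiptoken=constructed"},
    GRAPH + "/groups/g1/members?$skiptoken=constructed": {"value": [
        {"id": "u2", "userPrincipalName": "b_fabrikam.example#EXT#@contoso.example",
         "userType": "Guest"}]},
    MEMBERS.format("g2"): {"value": [
        {"id": "u3", "userPrincipalName": "c@contoso.example", "userType": "Member"}]},
}

if __name__ == "__main__":
    print(groups_with_guests(SAMPLE.__getitem__))
```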

How do we use select inside an expanded collection on Microsoft Graph?

Following query in MS Graph Explorer displays signed-in user's profile and its manager Diego Siciliani
https://graph.microsoft.com/v1.0/me?$expand=manager
But you may notice in the response it is returning tons of attributes of manager object, as well. Some of these attributes are objects (such as assignedPlans) themselves and have their own attributes, as well.
Question: How can we filter the above query so it returns the user profile (which it is already doing) along with ONLY the following attribute value of the user's manager: "displayName": "Diego Siciliani"
Remark: Following query returns the error shown below: https://graph.microsoft.com/v1.0/me?$expand=manager($select=displayName)
Invalid $select properties
Please use the below query to get user and his manager details
https://graph.microsoft.com/v1.0/users/userid?$expand=manager($levels=max;$select=id,displayName)&$select=id,displayName&$count=true
ConsistencyLevel eventual
Update https://graph.microsoft.com/v1.0/me?$expand=manager($levels=max;$select=displayName)&$count=true
It is a known issue from Microsoft that nested $select combined with $expand doesn't work (i.e. $expand=some_path($select=some_field) does not work with Microsoft Graph API).
See: https://learn.microsoft.com/en-us/graph/known-issues#query-parameter-limitations
$expand:
No support for nextLink
No support for more than 1 level of expand
No support with extra parameters ($filter, $select)
I wish they would implement it because right now we either have to pull a lot of extra data (e.g. for managers), or we have to make a lot of requests per user to retrieve just the field we want.
There's a solution that deals with batch requesting, but it requires a JSON solution: https://learn.microsoft.com/en-us/graph/json-batching?view=graph-rest-1.0
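The JSON batching route mentioned above, as an added example that is not part of the original answers: it builds `$batch` bodies that ask only for each manager's `displayName`, at most 20 requests per body, and correlates the responses by `id`. The user ids and the sample response are constructed; sending the bodies is left to whatever HTTP client is in use.

```python
from urllib.parse import quote

BATCH_LIMIT = 20  # JSON batching accepts at most 20 requests per $batch call

def build_manager_batches(user_ids):
    """Return the bodies to POST to https://graph.microsoft.com/v1.0/$batch."""
    bodies = []
    for start in range(0, len(user_ids), BATCH_LIMIT):
        chunk = user_ids[start:start + BATCH_LIMIT]
        bodies.append({"requests": [
            # "id" only correlates request and response; the user id is reused for it.
            {"id": uid, "method": "GET",
             "url": f"/users/{quote(uid, safe='')}/manager?$select=displayName"}
            for uid in chunk]})
    return bodies

def collect_managers(batch_response):
    """Return ({user id: manager displayName or None}, [user ids to retry])."""
    managers, retry = {}, []
    for item in batch_response["responses"]:  # response order is not guaranteed
        if item["status"] == 200:
            managers[item["id"]] = item["body"]["displayName"]
        elif item["status"] == 404:           # no manager assigned
            managers[item["id"]] = None
        elif item["status"] == 429:           # throttled individually inside the batch
            retry.append(item["id"])
        else:
            raise RuntimeError(f"request {item['id']} failed: HTTP {item['status']}")
    return managers, retry

# Constructed sample $batch response, deliberately out of request order.
SAMPLE_RESPONSE = {"responses": [
    {"id": "u2", "status": 404, "body": {"error": {"code": "Request_ResourceNotFound"}}},
    {"id": "u1", "status": 200, "body": {"displayName": "Diego Siciliani"}},
    {"id": "u3", "status": 429, "headers": {"Retry-After": "3"}, "body": {}},
]}

if __name__ == "__main__":
    print([len(b["requests"]) for b in build_manager_batches([f"u{i}" for i in range(45)])])
    print(collect_managers(SAMPLE_RESPONSE))
```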

How to filter appRoleAssignments in Microsoft Graph API

I have an enterprise application in our Azure AD tenant, and I would like to check if a specific group is assigned to this application or not.
To list all appRoleAssignments for the application I can do this:
GET /beta/servicePrincipals/{id}/appRoleAssignments
where {id} is the ID of the enterprise application. This returns a list of appRoleAssignment objects. I would like to filter this list on a specific group as the list can potentially be quite large. I have tried to use the $filter query parameter, but I can't seem to get that working. I have tried the following:
$filter=principalId eq '{groupId}'
which does not work. I'm getting this error message:
{
"error": {
"code": "BadRequest",
"message": "Invalid filter clause",
"innerError": {
"request-id": "<id>",
"date": "<date>"
}
}
}
Is there any way to filter the list?
I can potentially do this the other way around, by fetching all appRoleAssignments the group is assigned to, by doing the following request:
GET /beta/groups/{groupId}/appRoleAssignments
but I seem to be having the same issue here, there is no way to use $filter to filter on the specific enterprise application I want to check for.
If filtering does not work, is there any other endpoint I can use so I won't have to do pagination in the client?
Yes, this is possible.
The confusion here is caused by the fact that in Microsoft Graph beta, the principalId and resourceId properties of an AppRoleAssignment entity are declared as Edm.Guid, rather than the more familiar Edm.String.
Using Microsoft Graph beta
To retrieve all app role assignments for a given group, to a given resource app, using Microsoft Graph API (with newlines for legibility):
GET https://graph.microsoft.com/beta/groups/{group-id}/appRoleAssignments
?$filter=resourceId eq {resource-id}
Where:
{group-id} is the group's object ID
{resource-id} is the service principal object ID of the resource app
Important: Note the absence of single quotes (') surrounding {resource-id}. This is required when the attribute being filtered on is of type Edm.Guid.
With sample values, this query looks like this:
GET https://graph.microsoft.com/beta/groups/75c647eb-8ff0-478d-b131-6c1bd4071841/appRoleAssignments
?$filter=resourceId eq ddd57b26-e13e-4db4-93d3-996f382251df
I'd also like to take the opportunity to clarify a possible confusion I noticed in the question. Using Microsoft Graph beta:
The appRoleAssignments navigation on users, groups and service principals will return the app role assignments which the user, group or service principal has been granted (i.e. where the user/group/service principal is the principalId of the returned AppRoleAssignment).
The appRoleAssignedTo navigation on a service principal will return the app role assignments where the service principal in question is the resource app exposing the app role (i.e. where the service principal is the resourceId of the returned AppRoleAssignment).
Using Azure AD Graph 1.6
Note: In general, the recommendation is to use Microsoft Graph. Only use Azure AD Graph if the capability is not available on Microsoft Graph v1.0 and you require a production-ready API. You should plan to move to Microsoft Graph as soon as the capability is made available in v1.0.
To retrieve all app role assignments for a given group, to a given resource app, using Azure AD Graph API (with newlines for legibility):
GET https://graph.windows.net/{tenant-id}/groups/{group-id}/appRoleAssignments
?$filter=resourceId eq guid'{resource-sp-id}'
&api-version=1.6
Where:
{tenant-id} is the tenant ID or a verified domain name
{group-id} is the group's object ID
{resource-sp-id} is the service principal object ID of the resource app
principalId does not support $filter.
Reference here.
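An added example, not part of the original answers, that builds the two filter forms shown above (unquoted `Edm.Guid` for Microsoft Graph beta, `guid'...'` for Azure AD Graph 1.6). Because the value sits unquoted inside `$filter`, every id is parsed as a GUID before it is interpolated. The function names and `api` labels are assumptions of this example, and `tenant_id` is restricted to the GUID form here.

```python
import uuid
from urllib.parse import quote

def canonical_guid(value, name):
    """Return the 8-4-4-4-12 form of value, or raise ValueError if it is not a GUID."""
    try:
        return str(uuid.UUID(value))
    except (ValueError, AttributeError, TypeError):
        raise ValueError(f"{name} is not a GUID: {value!r}") from None

def app_role_assignments_url(group_id, resource_id, api="msgraph-beta", tenant_id=None):
    """Build the request URL listing a group's assignments to one resource app."""
    group = canonical_guid(group_id, "group_id")
    resource = canonical_guid(resource_id, "resource_id")
    if api == "msgraph-beta":
        # resourceId is Edm.Guid: the literal is written without single quotes.
        flt = quote(f"resourceId eq {resource}")
        return (f"https://graph.microsoft.com/beta/groups/{group}"
                f"/appRoleAssignments?$filter={flt}")
    if api == "aadgraph-1.6":
        tenant = canonical_guid(tenant_id, "tenant_id")
        # Azure AD Graph 1.6 uses the guid'...' literal form instead.
        flt = quote(f"resourceId eq guid'{resource}'")
        return (f"https://graph.windows.net/{tenant}/groups/{group}"
                f"/appRoleAssignments?$filter={flt}&api-version=1.6")
    raise ValueError(f"unknown api: {api!r}")

if __name__ == "__main__":
    # The sample values from the answer above.
    print(app_role_assignments_url("75c647eb-8ff0-478d-b131-6c1bd4071841",
                                   "ddd57b26-e13e-4db4-93d3-996f382251df"))
```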

Applying $filter option to GetRecentFiles call in MS Graph API

I'm using getRecentFiles MS Graph API and I'd like to filter out only certain file types (by file extension). However, when I try $filter query parameter it is ignored. Documentation on the method doesn't mention anything like this.
Is this behavior expected or is it a bug?
I believe that is expected, as no OData query parameters link is present on the page (when OData query parameters are supported, it's listed in a paragraph).
I have not managed to make it work, neither for drive item properties (e.g. id, creation date) nor for nested properties (remoteItem/name or remoteItem/createdBy/user).
