I am attempting to create user social accounts for Microsoft logins on my B2C tenant without using the sign up userflow. When the sign up userflow is ran and you register a Microsoft Account a user is created in the tenant with a source of "Microsoft Account".
I have been experimenting with the Microsoft Graph API using the create user post request where in i can create a working local account fine but am having issues creating a Microsoft user that works with the B2C Login using the examples in the link below. I don't think I have a valid issuerAssignedId for the Microsoft accounts I am creating and I am not actually trying to migrate existing accounts. The user record is created in B2C when the post request is ran but when i try to log in using the microsoft account it is responding back with AADB2C99002: User does not exist.
https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http#example
Not exact values but example of payload i am using:
{
"displayName": "Test Name",
"identities": [
{
"signInType": "emailAddress",
"issuer": "mytenant.onmicrosoft.com",
"issuerAssignedId": "test#outlook.com"
},
{
"signInType": "federated",
"issuer": "live.com",
"issuerAssignedId": "test#outlook.com"
}
],
"passwordProfile" : {
"password": "password-value",
"forceChangePasswordNextSignIn": false
},
"passwordPolicies": "DisablePasswordExpiration"
}
Is there a way I can achieve this? Thanks.
I don't think I have a valid issuerAssignedId for the Microsoft
accounts I am creating and I am not actually trying to migrate
existing accounts.
You cannot use Microsoft Graph API to create an MSA which doesn't exist.
Although the user record is created in B2C when the post request is ran, it is only a record as you mentioned.
The real identity authentication process is done by MSA rather than B2C.
So AADB2C99002: User does not exist is the expected behavior in this case.
You can set a non-existing MSA while calling this Microsoft graph endpoint, but it will not create an MSA in the MSA IDP side. So you cannot log in with it.
The best practice is to create the MSA in advance and use it for this Graph call.
Related
We are trying to identify Sharepoint sites user has access to using Graph API. This is working just fine for internal users. However when we try this for external user (already guested in Azure AD), we are getting below error -
"error": {
"code": "itemNotFound",
"message": "Item not found",
"innerError": {
"date": "2022-06-20T16:28:01",
"request-id": "cde68280-5538-40c3-af60-6602bd7c1214",
"client-request-id": "ef1f7a56-caf4-e1f2-b2b0-57577fa96f03"
}
}
We have tried to use Graph Explorer https://developer.microsoft.com/en-us/graph/graph-explorer and it's the same error there as well.
if you are using the /common endpoint a guest user has its own shadow tenant and wont be pointing to the AAD tenant it has been invited into, thus they cannot access resources like a normal member could, plus they have limitied default permissions and that does not include groups/site access unless they have been added to the area as a direct member.
However, if you are defining the tenant id in the authority then the above is not relevent.
You are right, I tried to do the same thing.
My workaround solution is testing with MS Graph Explorer, its worked for me, then you can code the same requests to talk to Graph API. Here are the steps:
Get your tenant Id using this site : https://www.whatismytenantid.com/
Open MS Graph Explorer like this : https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=tenantId
Sign in to MS Graph Explorer with the guess account
You should see the name of your guess signed in with your tenant if not sign out and sign in again.
Unfortunately, You won't be able to lists the SharePoint Sites using https://graph.microsoft.com/v1.0/sites?search=* (honestly I do not know why, maybe because the guest has only a Family account ? Its worked fine with a user in the same org.
You need to know the siteId, then you can list the document libraries, folders, files, etc... using a request like this : https://graph.microsoft.com/v1.0/sites/siteId/drives
I wish I can get the siteId from MS Graph Explorer for a guest user, but looks like it is not possible. BTW, doing the same on Google WorkSpace is a no brainer using shared drives, not like Microsoft at all...
I am setting up microsoft graph auth and API calls for the firs time in a new app.
i can successfully authenticate a user, return access and refresh tokens, then make the first call to get my profile info.
I can even make this call as the app and not a 'user'.
where i am running into issues is making calls to get my calendar by adding /calendars to the end of my profile call. when I do this I get this error:
{
"error": {
"code": "OrganizationFromTenantGuidNotFound",
"message": "The tenant for tenant guid '1dd120fe-cbd9-492b-b36d-12e4aa856cf3' does not exist.",
"innerError ": {
"oAuthEventOperationId ": " ae00f89a - 1 d34 - 4299 - af82 - 93 d5c0409ada ",
" oAuthEventcV ": " mJu0K0YLfbqLxFewMqMcug .1 .1 ",
"errorUrl ": "https: //aka.ms/autherrors#error-InvalidTenant",
"requestId": "ae055090-cad5-4b0f-ad7b-9c0731c75bd4",
"date": "2021-09-15T16:18:10"
}
}
}
as a note, I get the same error when making the call as either the user whose calendar I am requesting or as the application.
in the application I do have the permissions set like this
and for reference, here is the URL I am calling that works
https://graph.microsoft.com/v1.0/users/d4d0b2ef-6a3b-4254-b8bb-eb358194458b
and the one that does not
https://graph.microsoft.com/v1.0/users/d4d0b2ef-6a3b-4254-b8bb-eb358194458b/calendars
here is a video demonstrating the issue and granted permissions.
https://vimeo.com/605796641
It could be because Azure AD you created does not have Office 365. Thus it cannot have calendars. /users works because that is an Azure AD endpoint.
If you want to access calendars for your development O365 tenant, register the app in your O365 AAD tenant that you got when you created the development tenant
Follow the steps below -
You need a Microsoft office 365 account with a subscription, can get this by applying for one on office 365 develop.
Upon creating one, follow the instructions and add the apps to it.
Go to Azure Portal and log in with your office 365 account.
Create an app under AAD -> App registration
Try to access https://graph.microsoft.com/v1.0/users/{user_id}/calendars.
I have a office 365 account and Iwant to access my emails
I followed Microsoft graph documentation
https://learn.microsoft.com/en-us/graph/api/user-list-mailfolders?view=graph-rest-1.0&tabs=http
I have selected the permissions asked as you see below :
Permissions Image
I have requested the token and the following request does not work :
GET https://graph.microsoft.com/v1.0/me/mailFolders
{
"error": {
"code": "ErrorAccessDenied",
"message": "Access is denied. Check credentials and try again."
}
}
But when I use the next one , it works :
GET https://graph.microsoft.com/v1.0/users('xxx.yyy#zzz.onmicrosoft.com')/mailFolders('Inbox')/messages
I need to use the first endpoint which everybody is using on the internet , I can't get why I doesn't work for me
In Graph, the /me/ endpoint is an alias for the currently signed in user (based on the token). An application without a user present will not be able to query /me/, and should instead specify the user id of the user of interest (/users/user id).
If you call this endpint /me/mailFolders which means listing the mailFolders of the currently signed in user. So you need to add delegated permissions and use the flow except client credential flow to get access token.
If you still would like to use application permissions, you need to call this endpoint /users/{id | userPrincipalName}/mailFolders.
About the error(Resource does not exist or one of its queried reference-property objects are not present.), see the code sample of this issue.
When accessing the joined Teams of a user(user is registered as a guest in AAD). The Microsoft Teams Graph API(Joined team) is returning an empty result. So it would be great if any feedback/help on it is available.
What is achieved till now
Able to generate the access token using secret key approach by using the admin app registration. all the request are sent using Postman
Able to fetch all user(registered guests in AAD) of AAD using the access token.
Note: I have added the guest users in newly created directory, as I want to keep the users in a separate directory for B2B implementation.
Actual results
Here is the request of Joined team api. Here 8848b4c4-c89f-4d21-95e8-c19fa9024786 is the Id of user.
Request:
https://graph.microsoft.com/beta/users/8848b4c4-c89f-4d21-95e8-c19fa9024786/joinedTeams
Response :
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#groups",
"value": []
}
Expected Result
Should be able to get the list of joined teams using this API
We have a web application that OAuth with Office 365 using Azure AD. We are trying to restrict the resources we have access to.
Example: The authentication user have access to Site1, Site2 and Site3. We want to limit our application access to Site1 only. Does any one know if this is possible? I tried to go over Office 365, Azure AD and even Discovery API documentation, but I couldn't find anything helpful.
Did you also register the site1, site2 and site3 on the Azure AD? If I understood correctly, we can config the app manifest for the site1, site2 and site 3 to set the require permission like below(refer to here)
"oauth2Permissions": [
{
"adminConsentDescription": "Allow the application full access to the Todo List service on behalf of the signed-in user",
"adminConsentDisplayName": "Have full access to the Todo List service",
"id": "b69ee3c9-c40d-4f2a-ac80-961cd1534e40",
"isEnabled": true,
"type": "User",
"userConsentDescription": "Allow the application full access to the todo service on your behalf",
"userConsentDisplayName": "Have full access to the todo service",
"value": "user_impersonation"
}
],
Then we need to assign the web app with right permission as the Microsoft build service like figure below:
The last step is that site1, site2, site3 need to verify whether the request has the permission to visit the resource via analyze the scope in the access token.
In order to manage Authorization by user you should implement Role Base Access Control, in this link you will find an example using Azure AD https://github.com/Azure-Samples/active-directory-dotnet-webapp-roleclaims