I'm using the Microsoft Graph API within a PowerShell script to automate the creation of Microsoft Teams teams. I am obtaining email addresses from a database of a proprietary non-Microsoft application that does not contain the Microsoft User Id. The Microsoft User ID is needed in order to add members to the Teams.
I am using the Microsoft Graph URI:
graph.microsoft.com/v1.0/users/
to obtain the User Id.
Unfortunately, that database sometimes contains an email alias rather than the user's primary email address. When the script attempts to obtain the person's User Id using an alias, the Graph API call returns an error.
For example, when the primary email is address is "jsmith#abc.com", but the database contains his alias "joe#abc.com" I was expecting to be able to call that API with a filter such as:
graph.microsoft.com/v1.0/users?$filter=alias eq 'joe#abc.com'
but I can find no such filter option.
I would appreciate any tips on how to solve this problem.
The user object has a property called otherMails. This is a multi-value property.
The filter syntax is different for multi-value-properties.
To filter users by alias, you'll need to use:
https://graph.microsoft.com/v1.0/users?$filter=otherMails/any(c:c eq 'joe#abc.com')
Related
We are seeing a few users for which the graph API returns only a primary email despite knowing that there are multiple SMTP addresses configured for these users. We are observing this on the List Users endpoint as well as the Get User endpoint.
When using the $select parameter to include the otherMails and proxyAddresses properties, both come back as empty arrays. Microsoft365 admins for the tenant to which these users belong have provided us with screenshots demonstrating that some of these users have at least one email alias configured in addition to their primary email.
I'm curious if there's any scenario in which it would be expected that otherMails and proxyAddresses would be empty despite the presence of aliases on a user? Or if there's a particular way in which the request to the List/Get users endpoints must be crafted to get these fields to come back non-empty. According to the docs it seems like a collision between SMTP addresses across directory objects might cause this, but I'm certain that's not the case for all of the users for which we're seeing this issue.
The Azure port still uses the Azure AD Graph API in some places. One thing it uses this for is to list API permissions. For this, the portal uses the REST API target GET https://graph.windows.net/myorganization/applicationRefs/c5393580-f805-4401-95e8-94b7a6ef2fc2?api-version=2.0 (example shown for Office 365 Management API). I've searched and cannot seem to find a way to list similar permission sets using the Microsoft Graph API. Is there a way to access this using the Microsoft Graph API?
Ok, was going to upvote one of the previous answers, but my profile is too new. :( You can do this by reading the MS Graph service principal in your tenant as described above. This PowerShell code gives an example (it's used in a command called Find-GraphPermission in the autographps and autographps-sdk modules.
Basic approach is:
Get app-only permissions from the appRoles property of the servicePrincipal
Get delegated permissions from the publishedPermissionScopes property
Each element of appRoles has an id that can be read or written from a given appRoleAssigment object on an app's servicePrincipal in your tenant. Note that each appRole element has a value property that is the common friendly name of the app-only permission (e.g. BitlockerKey.ReadBasic.All
A similar id and value pair exists for each element of publishedPermissionScopes which gives you the delegated permissions. You can use those ids with oauth2PermissionGrant objects under the segment /oauth2PermissionGrants to enumerate consent grants for a given servicePrincipal (and thus app) in your tenant or grant or remove consent
Note that the ids for both appRoles and publishedPermissionScopes are the same in all tenants, so you can actually perform this same mapping of friendly names to ids for any tenant, and use a static snapshot. This can be useful as your application may not be able to read the Microsoft Graph servicePrincipal object. If you store a static version, you'll have the mapping regardless and you'll only miss any new permissions that get added to Microsoft Graph for new APIs.
This file contains a snapshot of the MS Graph servicePrincipal as a fairly readable JSON-like PowerShell hash table: https://github.com/adamedx/autographps-sdk/blob/main/src/common/DefaultScopeData.ps1
For this requirement, you can use this microsoft graph api: https://graph.microsoft.com/v1.0/applications/<object id of the application>
It will response the result like below screenshot(please pay attention to the field requiredResourceAccess):
The content under requiredResourceAccess is the API permissions of this application. The type scope means the permission is Delegated type and the type role means the permission is Application type.
Then please refer to steps below to know which permission does the id under resourceAccess field refer to.
Copy the resourceAppId, in my screenshot is 00000003-0000-0000-c000-000000000000. And request the graph api: https://graph.microsoft.com/v1.0/serviceprincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'
Copy one of the id under resourceAccess field in the response of first graph api. For example copy the first id a154bxxxxxxxxxxx59 in my first screenshot. And then search this id in the response of second graph api, we can find this id refer to User.Read.All permission.
We are using Microsoft Graph APIs ( https://graph.microsoft.com/v1.0/ ) to get all users from Azure Active Directory ( AAD ).
We get the basic user parameters as the response.
We don't get manager, groups & roles of the user in the list users API paged response. We need to call separate API for an individual user with his AAD id & get this additional information. We come across this $expand parameter in API documentation which states the following (emphasis mine):
Note: Not all relationships and resources support the $expand query parameter. For example, you can expand the directReports, manager, and memberOf relationships on a user, but you cannot expand its events, messages, or photo relationships. Not all resources or relationships support using $select on expanded items.
This note clearly suggests we shall get manager & memberOf properties for the user. But when we tried this with /users API it throws bad requests.
Again we searched more in an article titled Known issues with Microsoft Graph it has the information about $expand as follows,
$expand:
No support for nextLink
No support for more than 1 level of expand
No support with extra parameters ($filter, $select)
What is the exact use of $expand? How do we get additional information like manager, roles & groups of the user in List users API so that we don't have to call separate APIs per user?
Below APIs under the /beta version in Microsoft Graph are subject to change. Use of these APIs in production applications is not supported.
$expand-Normally, you can query either the properties of a resource or one of its relationships in a single request, but not both. You can use the $expand query string parameter to include the expanded resource or collection referenced by a single relationship (navigation property) in your results.
Memberof gives the groups, directory roles and administrative units that the user is a member of.
https://graph.microsoft.com/beta/users?$expand=memberof
To get manager details please use below query
https://graph.microsoft.com/beta/users?$expand=manager
Using Flow I am trying to create a Team and then a Planner to add to the Team as a Tab.
I'm trying to create a new Planner in Flow with the Group ID generated from creating a Team.
Following the MS Graph API I've tried using an HTTP in Flow to make a POST to
POST https://graph.microsoft.com/v1.0/planner/plans
with body
{
"owner": "GROUP ID HERE",
"title": "Planner"
}
But I get an error of Unauthorised. Can anyone please advise what I'm doing wrong?
Below is what my permissions on Azure Active Directory looks like to authenticate my API calls:
While I can create a planner through the Microsoft Graph API:
Request ID
Timestamp
I can't do the same thing on Flow using HTTP:
Almost every time, the issue with not having authorization to create a plan in a newly created group is because the calling user is not a member in the group. By default, when a group is created, the creator is an owner, but not a member. You'll need to add the user to the members.
If this isn't addressing your issue, you'll need to provide a bit more information on the error. The request id and the timestamp from the failed requests would allow us to directly diagnose the problem.
Asana accounts can have multiple emails associated to them, but getting a user from the API only returns 1 email. So which one will it return? Is there a concept of a primary email?
https://app.asana.com/api/1.0/users/me
Great question. Users typically have multiple email addresses when they are in multiple domains. If the API call has a domain context, such as GET /workspaces/:id/users the email addresses for each user will be their registered domain email for the workspace identified. This goes for querying followers of projects and tasks as they can only exist in a single domain.
However, when your query does not have a domain context, such as GET /users/me the behavior is a bit more undefined. The reply will not change from call to call unless the user has changed that email address, but there is not a notion of a "primary" email address you, as an API consumer, can apply to that response.
Hope that helps.