I'm building a Logic App to list all users from MS Graph.
I can get the list of all users by calling MS Graph API using OAuth authentication in my Logic App but I'm struggling to apply a filter in my custom request in MS Graph.
i.e. I have below structure in my OnPremiseAD:
OU=Site1,OU=Users,OU=TEST,DC=xyz,DC=com
OU=Site2,OU=Users,OU=TEST,DC=xyz,DC=com
OU=Site3,OU=Users,OU=TEST,DC=xyz,DC=com
OU=Site4,OU=Users,OU=TEST,DC=xyz,DC=com
...and I want to list users from OU=Site4 only.
Can someone please help?
https://graph.microsoft.com/beta/users?$filter...???
Based on Custom OU considerations and limitations:
User accounts, groups, service accounts, and computer objects that
you create under custom OUs aren't available in your Azure AD tenant.
These objects don't show up using the Microsoft Graph API or in the
Azure AD UI; they're only available in your managed domain.
So I'm afraid that it's not supported to list the users under an OU via Microsoft Graph API.
See a similar post here.
Related
I am new to bot development. I am working on creating a MS Teams bot using bot framework. The bot will be installed in ‘Personal’ scope in Teams, and it doesn’t have any tab / messaging extension etc. Once installed, I want to get the list of all the members/ channels/ Notification updates (i.e. members added/deleted etc.). As per the different documentation, I can get the list using Graph API.
List members of team - Microsoft Graph v1.0 | Microsoft Docs
List members of a channel - Microsoft Graph v1.0 | Microsoft Docs
To achieve this, I need the token that will be passed in API. I am not sure how to implement that. I have followed the instructions mentioned in Add authentication to a bot in Bot Framework SDK - Bot Service | Microsoft Docs. There was a step to add ‘Add OAuth Connection Settings’ and there were multiple options in ‘Service Provider’. I selected ‘Azure Active Directory v2’. After doing that, it works and I can get the token, but it only works if during login, I user my azure directory credentials. I have a Microsoft account linked with my MS Teams which id different than the Azure account. A user in team can have a Microsoft account / work / office account so this needs to work for everyone so what would be the correct ‘Service Provider’ option that will work for all accounts?
I was thinking that the flow should be like:
When clicks on ‘Add’ button to install the app in Teams
Once added, bot will prompt for Graph API permission using OAuth.
Once user gives the permission, I can use the token to call graph APIs.
I have also looked at the following tutorials:
How to use Bot Framework Composer to build low-code Microsoft Teams bots (Part 1)
Get user profile information in your Microsoft Teams bot with Microsoft Graph (Part 2) - YouTube
But after performing all the steps, when I try to login, it says – ‘This action can't be performed since the app does not exist or has been uninstalled.’.
I am not getting a clear approach on how to proceed with it.
As #Maxim has also suggested, if you want to have a bot that should run multitenant you need to put tenant Id as common in OAuth Setting in Azure bot. As the value suggest it isn't going to specific to single tenant and Redirect Uri should be set to https://token.botframework.com/.auth/web/redirect in app registration.
This is it, you don't need to add anything.
This is also mention in the doc --
We have some sample around it as well that shows how to use Graph API with the bot -
https://github.com/microsoft/BotBuilder-Samples/tree/main/samples/csharp_dotnetcore/24.bot-authentication-msgraph
You can setup this one and update the Graph calls to get member of team or channels.
We have a daemon app that connects to teams using MS graph. It's using "Application Permissions" mode and Admin consent is granted for most permissions. We are able to add channels (private or 'standard'), add/remove members, etc... from this service based on company requirements. All is well.
For the ChannelMessages, we'd like to be able to retrieve them based on userPrincipalName, from the same tenant that the app is registered in. (I know there is an ChannelMessage.Read.All with Application Permission and it requires us to submit a form to MS, we are not currently pursuing that route...).
Do we have to create ConfidentialClientApplication object to communicate with MS graph? If so, how do we create a ClaimsPrincipal or ClaimsIdentity, based only on userPrincipalName? Or is there a different solution to this problem?
Your help is appreciated.
thanks,
Art
Currently, Graph Explorer does not appear to support EDU endpoints. Is there a way to work around this problem?
According to your descriptions, I presume you want to find whether there is a wat to support EDU endpoints or not.
Base on my test, we can use the API like this:
GET /education/schools
It will return a collection of educationSchool objects in the response body.
In this document, we can find that this API support the work or school account. If we use a personal microsoft account to login the Graph Explore, it will not support the EDU endpoints.
The default tenant (i.e. the tenant data you get when you haven't logged into Graph Explorer) does include Edu data.
If you are authenticating, you will only be able to call the Edu endpoints if you have consented to the Edu scopes and your tenant is an Office 365 Education instance. These endpoints will not work with a non-Edu O365 tenant.
I saw some information about single sign on in combination with the azure ad. Does that mean I can create a web application that's using the graph api (Calendar , Contact) and using the single sign on for a pleasant user experience. I'm aware of the fact that the user should autorize the application to access his/her private data.
I have already looked on
https://azure.microsoft.com/en-us/documentation/articles/active-directory-sso-integrate-saas-apps/
https://azure.microsoft.com/nl-nl/documentation/articles/active-directory-appssoaccess-whatis/
Yes, you can register an application with Azure AD and use it to leverage the user's identity in the Microsoft cloud (for work and school accounts and for personal accounts) to support single sign-on. In addition that same application can then be authorized to access their data (mail, calendar, files, contacts, etc.) via the Microsoft Graph API.
I have created a project with Google Big Query.
I have one table with data. A service performs insert every hour in the table. The service uses a service account with a p12 file to authenticate without user interaction.
I have developped also a desktop application which authenticate via the browser (OAuth2Authenticator). It works well but eveyone who have a google account can login and accept to use my application, and I don't want that !
Is it possible to specify a list of authorized google accounts for a google big query project ?
Thanks,
Luc.
Yes, you can control who has access to your BigQuery datasets, as well as who is a member of the Google Developer Project that your BigQuery datasets are attached to.
If you are creating a Desktop application, the best way to provide authorization to BigQuery for specific users of a restricted dataset is to use an "installed application" Oauth2 flow. Are you currently using this flow?