I'm using Microsoft Graph to create a new user in my Azure AD. I'm using Graph Explorer to do so, I'm doing a POST request to https://graph.microsoft.com/v1.0/users with the following son in the body:
{
"accountEnabled": true,
"displayName": "displayName-value",
"mailNickname": "mailNickname-value",
"userPrincipalName": "upn-value#tenant-value.onmicrosoft.com",
"passwordProfile" : {
"forceChangePasswordNextSignIn": true,
"password": "password-value"
}
}
I keep getting the error: 'No HTTP resource was found that matches the request URI https://outlook.office365.com:444/profile/v1.0/users..'
I dont find anything about this error in google, why is this about? Why is the request URI 'https:/outlook.office35.com:444..' if I'm making the request to 'https://graph.microsoft.com..'?
You can't create "users" with an MSA, each account is a single user. You also cannot create a user in an AAD tenant without User.ReadWrite.All or Directory.ReadWrite.All permissions. Both of these will require consent from a tenant administrator.
Related
I am failing to add an OpenId account to B2C using Microsoft Graph. What needs to be done to do an add operation?
B2C Setup as TestB2C
In Azure B2C the OpenID Connect (to my companies Azure AD) is setup as an Identity Provider.
For this example, take the blurred out B2C above to be TestB2C.onmicorosoft.com and the target openID is "Corporate AD".
Graph Call To Insert User into B2C
{
"accountEnabled": true,
"displayName": "OmegaMan",
"mailNickname": "OmegaM",
"identities": [
{
"signInType": "userName",
"issuer": "TestB2C.onmicrosoft.com",
"issuerAssignedId": "OmegaMan#Corporate.com"
},
{
"signInType": "emailAddress",
"issuer": "TestB2C.onmicrosoft.com",
"issuerAssignedId": "OmegaMan#Corporate.com"
},
{
"signInType": "federated",
"issuer": "Corporate.com",
"issuerAssignedId": "6ab...34"
}
],
"passwordProfile" : {
"forceChangePasswordNextSignIn": false
}
}
The issuerAssignedId is from the settings placed in the Identity Providers section for the OpenId Connect. When I attempt to insert said user, I get this current error:
...
"error": {
"code": "Request_BadRequest",
"message": "A password must be specified to create a new user.",
...
Which for a federated user does not make sense. Note, that in a different add operation for an "email user", this process works; with different settings. What is missing to then add a federated user?
For a federated user, "accountEnabled" is false.
I was able to circumvent the user "Sign-Up" after user insertion. The issue turned out to be, that to have proper federation occur, the proper values need to be in place.
"identities": [
{
"signInType": "federated",
"issuer": "https://login.microsoftonline.com/XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXX/v2.0",
"issuerAssignedId": "YYYYYYYYY-YYYY-YYYY-YYYY-YYYYYYYYYYYY"
What was happening was that I was using "issuer": "myDomain.com" which was not resolving correctly to do a login; to which the user then had to "SignUp" via the federated IP and ended up with two logins.
By changing issuer from a DNS readable name, to the Microsoft login url with my AD directories' ID (the number provided when switching domain in Azure, XXXX-XXX ... btw) and also a proper issuerAssignedId, found from the originating AD issuer, it worked and the user was added.
We want to upload files via a REST service to our oneDrive. In the REST service we are calling Microsoft Graph API but I am getting the 401 error, which I guess because of authorisation issue, I am wondering what is the best approach here?
The whole process works nicely if on our web-application.
I granted App permission in the Azure Active Directory portal and confirmed the consent at
https://login.microsoftonline.com/<tenant>/adminconsent?client_id=<client-id>
Then tried to get token
url = "https://login.microsoftonline.com/<tenant>/oauth2/v2.0/token"
"client_id": credential.clientid
"client_secret", credential.clientsecret
"scope", "https%3A%2F%2Fgraph.microsoft.com%2F.default"
"grant_type", "client_credentials"
I was still getting 401 error.
Then I fixed the permissions, now I get the access_token, now I first checked if a file exists in specific folder in oneDrive, if not then upload the file.
But now I get the following error:
{
"statuscode": 403,
"body": "{\r\n \"error\": {\r\n \"code\": \"AccessDenied\",\r\n \"message\": \"Either scp or roles claim need to be present in the token.\",\r\n \"innerError\": {\r\n \"date\": \"2020-08-13T10:12:33\",\r\n \"request-id\": \"338a2758-m7e0-4289-bnna-45pb14c79efa\"\r\n }\r\n }\r\n}"
}
I used the following API for checking if a file exists:
"https://graph.microsoft.com/v1.0/sites/<siteid>/drive/root:/<filePath>:/children"
I am not sure what roles/permission I need to set.
In the manifest of my application registration I've configured to retrieve the given_name and family_name claims (through the UI, the resulting manifest looks like this):
"idToken": [
{
"name": "family_name",
"source": "user",
"essential": false,
"additionalProperties": []
},
{
"name": "given_name",
"source": "user",
"essential": false,
"additionalProperties": []
}
],
During the redirect I add the profile scope along with the given_name and family_name scopes, which results in the following error.
Message contains error: 'invalid_client', error_description: 'AADSTS650053: The application 'REDACTED' asked for scope 'given_name' that doesn't exist on the resource '00000003-0000-0000-c000-000000000000'. Contact the app vendor.
Any ideas? As I understand that is what is required to configure these optional claims on the v2.0 endpoint as described here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-optional-claims#v20-specific-optional-claims-set
You should only use the profile 'scope', which should result in you receiving the given_name and family_name 'claims'. That's standard behaviour for an Authorization Server, which will then either:
Return the name details directly in the id token
Or allow you to send an access token to the user info endpoint to get the name details
However, Azure v2 is very Microsoft specific, and user info lookup can be painful and involve sending a separate type of token to the Graph user info endpoint. Hopefully you won't have to deal with that and you will get the name details directly in the id token.
I had a scenario where my API (which only received an access token) needed to get user info, and I solved it via steps 14 - 18 of this write up, but it's a convoluted solution.
Once you configure optional claims for your application through the UI or application manifest. you need to provide profile Delegated permissions for the application.
I searched for similar questions but did not find answer I was looking for.
My goal is to update all users in AAD with hireDate.
At first I tried to do so using client credentials flow.
POST https://login.microsoftonline.com/espiradev.onmicrosoft.com/oauth2/token
Content-Type:application/x-www-form-urlencoded
grant_type:client_credentials
client_id:{{client_id}}
client_secret:{{client_secret}}
resource:https://graph.microsoft.com
After I got access code I called:
PATCH https://graph.microsoft.com/v1.0/users/[user1]
Authorization:bearer {{access_token}}
Content-Type:application/json
{
"hireDate": "2019-05-01T00:00:00Z"
}
Response:
"error": {
"code": "-1, Microsoft.Office.Server.Directory.DirectoryObjectUnauthorizedAccessException",
"message": "Attempted to perform an unauthorized operation.",
"innerError": {}
}
Second try was using password flow (client and user credentials). I used my global admin [user1] credentials and called same HTTP request. Response was HTTP 204 (everything OK).
POST https://login.microsoftonline.com/espiradev.onmicrosoft.com/oauth2/token
Content-Type:application/x-www-form-urlencoded
grant_type:password
client_id:{{client_id}}
client_secret:{{client_secret}}
resource:https://graph.microsoft.com
username:{{user1_upn}}
password:{{user1_password}}
Unfortunately, when I tried to update other [user2] it went like this:
PATCH https://graph.microsoft.com/v1.0/users/[user2]
Authorization:bearer {{access_token}}
Content-Type:application/json
{
"hireDate": "2019-05-01T00:00:00Z"
}
Response:
"error": {
"code": "-1, Microsoft.Office.Server.Directory.DirectoryObjectUnauthorizedAccessException",
"message": "Attempted to perform an unauthorized operation.",
"innerError": {}
}
If I am using [user2] credentials to get access token then I can update [user2] hireDate, but can not update [user1].
Application permissions:
Application permissions
UPDATED:
Decoded access token has these permissions:
"scp": "Directory.AccessAsUser.All Directory.ReadWrite.All User.ManageIdentities.All User.ReadWrite User.ReadWrite.All"
UPDATED[2]:
both [user1] and [user2] has Office 365 E1 licences assigned (including SharePoint Online (Plan 1))
Am I doing something wrong? If anyone has a solution to share, it would be much appreciated.
Apart from the office licenses, the global admin user should have Sites.ReadWrite.All scope permission in the token to update the "hireDate" property for other users.
I'm trying to use the Sample Graph API app to change a user's password but I'm getting:
Error Calling the Graph API Response:
{
"odata.error": {
"code": "Authorization_RequestDenied",
"message": {
"lang": "en",
"value": "Insufficient privileges to complete the operation."
}
}
}
Graph API Request:
PATCH /mytenant.onmicrosoft.com/users/some-guid?api-version=1.6 HTTP/1.1
client-request-id: ffd564d3-d716-480f-a66c-07b02b0e32ab
date-time-utc: 2017.08.10 03:04 PM
JSON File
{
"passwordProfile": {
"password": "Somepassword1$",
"forceChangePasswordNextLogin": false
}
}
I've tested updating the user's displayName and that works fine.
{
"displayName": "Joe Consumer"
}
AD Application Permissions
I've configured my app permissions as described here.
Check out this article. Seems like it has the same symptoms.
Solution 1:
If you are receiving this error when you call the API that includes only read permissions, you have to set permissions in Azure Management Portal.
Go to Azure Management Portal and click Active Directory.
Select your custom AD directory.
Click Applications and select your Application.
Click CONFIGURE and scroll down to the section 'Permissions to other applications'.
Provide required Application Permissions and Delegated Permissions for Windows Azure Active Directory.
Finally save the changes.
Solution 2:
If you are receiving this error when you call the API that includes delete or reset password operations, that is because those operations require the Admin role of Company Administrator. As of now, you can only add this role via the Azure AD Powershell module.
Find the service principal using Get-MsolServicePrincipal –AppPrincipalId
Get-MsolServicePrincipal | ft DisplayName, AppPrincipalId -AutoSize
Use Add-MsolRoleMember to add it to Company Administrator role
$clientIdApp = 'your-app-id'
$webApp = Get-MsolServicePrincipal –AppPrincipalId $clientIdApp
Add-MsolRoleMember -RoleName "Company Administrator" -RoleMemberType ServicePrincipal -RoleMemberObjectId $webApp.ObjectId
To connect to your B2C tenant via PowerShell you will need a local admin account. This blog post should help with that, see "The Solution" section.
Try below settings, works for me.
Used the below JSON
{
"accountEnabled": true,
"signInNames": [
{
"type": "emailAddress",
"value": "kart.kala1#test.com"
}
],
"creationType": "LocalAccount",
"displayName": "Joe Consumer",
"mailNickname": "joec",
"passwordProfile": {
"password": "P#$$word!",
"forceChangePasswordNextLogin": false
},
"passwordPolicies": "DisablePasswordExpiration",
"givenName": "Joe",
}
Also make sure you assign the application the user account, administrator role which will allow it to delete users link here