I am working with Graph Explorer to experiment with permissions:
https://developer.microsoft.com/en-us/graph/graph-explorer
When I authenticate to Graph Explorer, it always sends queries to the AD tenant that my identity is created in.
However, the identity I am using can query multiple Azure AD tenants.
How can I change default tenant in Graph Explorer
If you want to sign into your own tenant in Graph explorer, use tenant query string parameter.
https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=contoso.onmicrosoft.com
A simple url to go to Graph explorer is https://aka.ms/ge, when you land on the destination, just add tenant query string parameter (domain name or tenantId, both work).
If you are already signed into a tenant, you will have to logout from
there. currently automatic switch of tenant is not supported.
Create a service account in the tenant you want to access.
Create a Service account with appropriate accesses/groups in the Target Tenent.
In a clean/Private Window bring up https://aka.ms/ge the Graph Explorer. Note that the test tenant will be engaged.
Select the user button and initiate a login with the credentials setup in step 1.
Initiate the first Get the Get My Profile to verify the service account logged in is found.
This is fundamentally how Microsoft Graph works, it retrieves data from the tenant you (or your app) authenticated against. It cannot query across multiple tenants.
Related
I am creating a Power App which is supposed to modify custom attributes on users on an Azure B2C tenant. However, the only way to update said users is by a Patch call referencing "https://graph.microsoft.com/v1.0/users/object-id" (which I am calling via a Power Automate flow). Since these are b2c users, their actual UPN does not match their email. I need to find a way to get this object ID beforehand so I can pass the appropriate patch call. Any tips? Thanks!
I tried using an Azure AD connector in Power Automate flow using the email of the user, but that is not their actual upn.
https://graph.microsoft.com/v1.0/users?$filter=displayName eq 'USER DISPLAY NAME'&$select=id
will return user id
I have added a custom User Attribute named Company Name via:
Azure AD B2C > User attributes
so that this information can be returned in the identity token after successful sign in.
I want to update these values for each user in the Azure AD B2C tenant.
As I understand it:
I cannot update these values via Azure Portal
The only way to update these values is via Microsoft Graph, specifically these methods:
Get user
Update user
I don't want to have to create an application just to be able to perform this basic administrative task.
So I am looking at:
Microsoft Graph PowerShell SDK
I installed the Microsoft Graph PowerShell SDK in PowerShell 7.
I was prompted to sign in via the browser after running this command:
Connect-MgGraph -Scopes "User.Read.All","Group.ReadWrite.All"
At this point I was confused which credentials to login with.
I logged in using my 'home tenant' Azure AD credentials.
(i.e the admin credentials of the Azure AD tenant from which I created the Azure AD B2C tenant - which then automatically created a guest account in the B2C tenant with the user principal name of info_my-home-tenant.onmicrosoft.com#EXT##my-dev-tenant.onmicrosoft.com).
I made the decision because I don't think I have any Azure AD B2C credentials.
(to access Azure AD B2C when I am logged into Azure Portal with my Azure AD credentials, I just click on 'switch directory').
I then ran:
Get-MgUser
And it, predictably, returned the users from my home Azure AD tenant, not the Azure AD B2C tenant.
So my question is:
In PowerShell 7, with the Microsoft Graph PowerShell SDK installed, how do I sign in so that I can interact with the Azure AD B2C tenant users, rather than my 'home' directory tenant users.
EDIT:
I started trying to follow the process described here:
Use app-only authentication with the Microsoft Graph PowerShell SDK
The first step is:
You'll need an X.509 certificate installed in your user's trusted store on the machine where you'll run the script
I created an Application Registration, however in the Certificates & secrets section it says:
Please note certificates cannot be used to authenticate against Azure AD B2C.
I agree this is tricky. Below are the steps you can use to successfully sign in to Azure AD B2C using Microsoft Graph SDK, and update a user's custom attribute value.
This post is divided into two sections:
Variables (which lists the variable values required and where to find them)
Commands (which lists the commands required)
This post assumes we have a custom attribute named Company Name defined in Azure AD B2C:
PowerShell Microsoft Graph SDK Reference
To orientate yourself, here is the link to the Microsoft.Graph.Users section:
Microsoft.Graph.Users
Variables
Below are the variables that will be referenced in this post and where to find them.
You might want to grab them at the start of the process so you can easily reference them later.
azure_ad_b2c_tenant_id
Azure AD B2C directory > Azure AD > Tenant ID
extensions_app_id
Azure AD B2C > App registrations > [ select 'All applications' ]
Click on the item named:
b2c-extensions-app. Do not modify. Used by AADB2C for storing user data.
Copy the Application (client) ID value
Remove the dashes from this value when using it in PowerShell
custom_attribute_property
This is a string of concatenated values with this syntax:
extension_<your-extensions-app-application-id>_<your-custom-attribute>
For example: extension_lalala1234etc_CompanyName
user_id
Azure AD B2C > Users > [ click on desired user ] > Object ID
Commands
01. Connect to your Azure AD B2C tenant
Connect-MgGraph -TenantId "<azure_ad_b2c_tenant_id>" -Scopes "User.ReadWrite.All"
This will prompt you to login with your Azure AD home tenant credentials.
02. Sanity check - list all users to confirm you are in the right tenant
Get-MgUser
// you can make the results prettier by using Format-List and defining the columns you want displayed
Get-MgUser | Format-List ID, DisplayName, UserPrincipalName
03. Sanity check - see what the value of the custom attribute currently is for all users and a single user
// all users - these do not work:
Get-MgUser | Format-List ID, extension_<your-extensions-app-application-id>_CompanyName
Get-MgUser -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
// single user - these do not work:
Get-MgUser -UserId "<user-id>" | Format-List ID, DisplayName, UserPrincipalName, extension_<your-extensions-app-application-id>_CompanyName
Get-MgUser -UserId "<user-id>" -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
// single user - this works:
$existingUser = Get-MgUser -UserId "<user-id>" -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
$existingUser.AdditionalProperties | Format-List
04. Update a single user's custom attribute
$params = #{extension_<your-extensions-app-application-id>_CompanyName='Test Company'}
Update-MgUser -UserId "<user-id>" -BodyParameter $params
05. Verify the update was made
$existingUser = Get-MgUser -UserId "<user-id>" -Property "id,extension_<your-extensions-app-application-id>_CompanyName"
$existingUser.AdditionalProperties | Format-List
The decoded idToken that is returned after sign in will look like this:
Or, if signing in via an identity provider (in this case the home AD tenant), the decoded idToken will look like this:
Using the Microsoft Graph API v 1.0, how can I retrieve the user's MFA details?
For example, if I have an email based sign-in/sign-up policy with phone/SMS MFA, how can I see the phone number entered by the user? (and also set update it)
I know if I select 'identities' in the GET /users method I can see the email they've signed up with, but not the phone number they set for MFA. (https://learn.microsoft.com/en-us/graph/api/resources/user?view=graph-rest-1.0)
Of course I'm looking for all the mfa settings: mfa phone number, mfa email address, is mfa set, etc.
Hopefully there is some kind of extension attribute that contains this that I can select, and set on creation, but I cannot find documentation on this.
[UPDATE]
In the Azure portal, I can see the entered data if I go to user > profile > authentication methods. So I tried accessing the authentication relationships on the user. but it didn't provide any details (all empty arrays) https://learn.microsoft.com/en-us/graph/api/resources/authentication?view=graph-rest-1.0
There's a write-up here.
e.g:
GET https://graph.microsoft.com/beta/users/objectID/authentication/methods
we are using Microsoft Graph API for uploading files for business and personal accounts.
After the account logs in, we ask for some permissions, but we don't add the once needed for OneDrive. After the user explicitly requests to upload a file we send another request for an AccessToken including all scopes until now + files.readwrite.all. This was working perfectly until (maybe) a month ago. Now it works for business accounts, but not for personal accounts.
Steps that we do:
Redirect the user to login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=...&redirect_uri=https%3A%2F%2Fmywebsite.com%2Fsignin-microsoft&response_type=code%20id_token&scope=openid%20offline_access%20profile%20email%20mail.readwrite%20mail.send%20contacts.readwrite%20calendars.readwrite%20people.read%20user.read%20files.readwrite.all&response_mode=form_post&nonce=636656...&state=CfDJ8MLMcPchE...
The user selects their account (whit which they are already signed in)
They get redirected to https://login.live.com/oauth20_authorize.srf with the following sreen:
The permissions are not added for our application and we don't get any error.
Here is also the response from the error page:
Error Info
"/pp1600/oauth20_authorize.srf?client_id=9d3c...&scope=openid+offline_access+profile+email+mail.readwrite+mail.send+contacts.readwrite+calendars.readwrite+people.read+user.read+files.readwrite.all&redirect_uri=https%3a%2f%2fmywebsite.com%2fsignin-microsoft&response_type=code+id_token&state=CfD...&response_mode=form_post&nonce=636...&x-client-Ver=5.2.0&display=host&uaid=521...&msproxy=1&issuer=mso&tenant=common&ui_locales=en-US&username=pesho..."
loginserverprotocolhandler(846)
HR=0x80041018
Method string:GET
URL:"/pp1600/oauth20_authorize.srf"
Query string:"code=5"
Server protocol:HTTP/1.1
Update: after a couple of tries i actually managed to grant access to one of my accounts for the OneDrive integration. Not really sure what changed. I was just logging in and out with different Outlook accounts in Outlook and in our app. After that, i tried the same process with a different account and it failed again. Every time I was trying this I was logged with the same account on both places.
One more thing that I noticed is that before the consent was for all permissions and now the consent screen showed request only for the files permission.
I've created a multi tenant Web API that works just fine. Now I want to build a native client for testing. The Web API app is defined in one tenant. The test app is defined in another tenant that has given admin consent to the Web API.
I want to use the native app to authenticate with username and password in my (non-interactive) integration tests. I cannot use certificate/app-only authentication because I need a real user context.
Getting a token
var userCredential = new UserCredential("admin#clienttenant.onmicrosoft.com", "password");
var context = new AuthenticationContext("https://login.windows.net/common");
return context.AcquireToken("https://webapitenant.onmicrosoft.com/webApiResourceUri", testClientId, userCredential).AccessToken;
The problem with this code is that it doesn't work until I've given admin consent to the native app, even if the user is in the same tenant as the app registration.
Exception thrown:
'Microsoft.IdentityModel.Clients.ActiveDirectory.AdalServiceException' in Microsoft.IdentityModel.Clients.ActiveDirectory.dll
Additional information:
AADSTS65001: The user or administrator has not consented to use the application with ID 'nativeclientid'. Send an interactive authorization request for this user and resource.
Since tests aren't interactive I have to create a console application that uses the above code but with PromptBehaviour.Always. This will prompt me for username and password and show a consent form. After I give consent the tests that is using the same native app registration starts working.
Is there a way to accept the consent form without a interactive GUI?
At the moment there is no other way to write user consent without some sort of user experience. (Which makes sense right?)
If you use the Azure Management Portal, as an administrator of your tenant, all the apps you create should automatically be consented for the resources you selected. This is because the Azure Management Portal specifically will write those consent links as you save your client application.
If you use other portals or APIs to create your application, then you will need to consent to the application at least one time. You do not need to necessarily put prompt behavior on your application to get the consent screen. You can just generate the URL for signing into your application, which will also take you through the consent experience:
https://login.microsoftonline.com/<TenantID>/oauth2/authorize?client_id=<AppID>&response_type=code&redirect_uri=<RedirectURI>&resource=<ResourceURI>&prompt=admin_consent
Note that we added a "prompt=admin_consent" at the end which will consent to the application on-behalf of the whole tenant. With this kind of consent, you will only need to do it once per application to get it working.
I hope this helps!