How to create organizational contact using MS Graph or Office 365 REST API - microsoft-graph-api

The Office 365 administration center allows creating organizational contacts, which are shared with all users in the organization.
In the MS Graph documentation, the API for this functionality is badly documented and located in the BETA section. Moreover, there is no command to create such a contact: https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/orgcontact
It looks like this functionality was not implemented in Graph. Using a typical POST request to /beta/contacts ends with an error response in JSON: Unsupported resource type 'Contact' for operation 'Create'.
Note 1: I don't have any user logged in. My application uses service/daemon authentication.
Is there any other way to create organizational contact?

At this time, creating new orgContact objects isn't supported by the Graph API. You also cannot create organizational contacts with the Azure AD Graph API. For more information about organizational contacts, including how they are created in your tenant, see the Contact Entity documentation.
Organization Contacts are documented in the beta section because this API is in fact still in beta. I'm sorry you ran into issues here, but with any beta endpoint there is always a likelihood of missing/broken features and sparse documentation. There is also a substantial likelihood of breaking changes being rolled out to beta endpoints. As such, we do not recommend using them in production scenarios.

Related

List mail transport rules of Admin using Microsoft Graph API

Microsoft Graph API has support to retrieve mail rules for individual mailboxes. Is there any API to get the list of rules configured by the Admin for the organization?
https://graph.microsoft.com/v1.0/users/user-id/mailFolders/inbox/messagerules
Not that I am aware of using the Microsoft Graph API. At this point the Graph API supports only individual mailboxes. The closest one I can see is that you can use application permissions to query other mailboxes as well. But it won't get you the list of rules configured by the admin for the organization. That being said, you can consider filing a UserVoice request so that it can be considered for implementation. As an alternative you can use Exchange PowerShell (something like Get-TransportRule).

Querying Global Address List with Microsoft Graph

I'm trying to query the Global Address List using Microsoft Graph. I've worked with and adapted the sample code from https://github.com/microsoftgraph/console-csharp-snippets-sample.git -- however, I'm still having trouble. I've seen this article -- Global Address List Graph API -- which indicates I need to use the "/contacts" endpoint. However, I don't see how this helps me when I'm using the Microsoft.Graph library. Is there some method or collection within the Microsoft.Graph library that will allow me to read the GAL?
"GAL" is a MAPI concept that doesn't really apply to Graph. With Graph, you just read the users or contacts in your company's Active Directory. By combining both lists, you come close to what you'd see in the GAL in a MAPI client.
To do that, you would list users as doc'ed here: https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/api/user_list
Using the library, I believe this will get you started:
client.Users.Request().GetAsync();
For contacts, it's a lot trickier with the Graph library. Organizational contacts are only supported in the beta version of Microsoft Graph, which the client library doesn't support unfortunately. (See this issue for info). Michael Mainer did a write up of how you can generate your own beta version of the library if you're interested.
The info on querying organizational contacts is found here: https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/orgcontact.
As of late 2021, there doesn't appear to be an easy "Export Global Address List" API from Microsoft. There appear to be manual methods (e.g. using the Exchange Admin interface) but nothing programmatic.
Below is a broad-strokes exercise for creating an approximation (that may be sufficient for your needs). A more accurate exercise may be to export the GAL from an official client (e.g. Outlook/Outlook Web/Exchange Admin interface). It's possible that in some cases the GAL is user-specific, which may make the GAL export concept significantly more involved.
GAL export exercise:
APIs:
MS Graph API (available via HTTP, e.g. GET/POST)
Users
Groups
Some of the above only make certain properties accessible by individual record query; I needed to get the whole list and then iterate through each record one by one to get all needed properties.
Exchange PowerShell (available via PowerShell)
Get-Mailbox (for flags not exposed by Graph/Users)
Get-DistributionGroup (for flags not exposed by Graph/Groups)
Azure Functions can be used to run these queries serverless/"API-ified". Azure App Registration can be used as OAuth app that can be granted the permissions to access the above. Microsoft Graph Explorer is handy for testing Graph requests.
Put it together:
Smash the datasets together and then filter out on fields. Some flags are:
hideFromAddressLists
hideFromOutlookClients
HiddenFromAddressListsEnabled
showInAddressList
some conditions you have to manually check for, e.g.
if no provisioned plans (i.e. unlicensed)
if no email address
etc.
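The "smash the datasets together and filter" step above, as an added example in Python (not code from the answer): page through /users with $select for the properties the GAL approximation needs, join the result with Get-Mailbox output keyed by UPN, and drop entries under the visibility rules the answer lists (no email address, unlicensed, Graph-side showInAddressList false, Exchange-side HiddenFromAddressListsEnabled). HTTP is replaced by an injectable fetch() and the Graph pages and mailbox records are constructed sample data, so it runs offline; the user and mailbox records are assumptions shaped like the real responses. Groups would follow the same join using hideFromAddressLists / hideFromOutlookClients.

```python
"""Approximate a GAL export: page through Graph /users with $select, join
with Exchange Get-Mailbox flags by UPN, and drop entries a GAL would hide.

Added example, not code from the answer above. HTTP is replaced by an
injectable fetch() so the script runs offline against constructed
responses; swap in a real authenticated GET to use it against a tenant.
"""
import json
from typing import Callable, Iterable

GRAPH = "https://graph.microsoft.com/v1.0"

# Not all of these are in the default /users response, hence $select.
USER_SELECT = ",".join([
    "id", "displayName", "mail", "userPrincipalName", "jobTitle",
    "businessPhones", "provisionedPlans", "showInAddressList",
])


def list_users(fetch: Callable[[str], dict]) -> list[dict]:
    """Collect every page, following @odata.nextLink until it is absent."""
    url = f"{GRAPH}/users?$select={USER_SELECT}"
    users: list[dict] = []
    while url:
        page = fetch(url)
        users.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return users


def gal_entries(users: Iterable[dict], mailboxes: dict[str, dict]) -> list[dict]:
    """Apply the visibility rules listed in the answer: no address, unlicensed,
    Graph-side showInAddressList == False, Exchange-side HiddenFromAddressListsEnabled."""
    out = []
    for u in users:
        mbx = mailboxes.get((u.get("userPrincipalName") or "").lower(), {})
        if not u.get("mail"):
            continue  # no email address
        if not u.get("provisionedPlans"):
            continue  # unlicensed
        if u.get("showInAddressList") is False:
            continue  # hidden via the Graph user property
        if mbx.get("HiddenFromAddressListsEnabled"):
            continue  # hidden via the Exchange mailbox flag
        out.append({
            "displayName": u.get("displayName"),
            "mail": u["mail"],
            "jobTitle": u.get("jobTitle"),
            "phone": (u.get("businessPhones") or [None])[0],
        })
    return sorted(out, key=lambda e: e["displayName"] or "")


def _user(i, name, mail, plans=True, show=None, phones=()):
    """Build a constructed sample user record (assumed shape of a /users item)."""
    return {"id": str(i), "displayName": name, "mail": mail,
            "userPrincipalName": mail or f"user{i}@contoso.example",
            "jobTitle": None, "businessPhones": list(phones),
            "provisionedPlans": [{"service": "exchange"}] if plans else [],
            "showInAddressList": show}


# Constructed sample responses standing in for the Graph service (two pages).
SAMPLE_PAGES = {
    f"{GRAPH}/users?$select={USER_SELECT}": {
        "value": [_user(1, "Ada Lovelace", "ada@contoso.example", phones=["+1 555 0100"]),
                  _user(2, "Svc Backup", "backup@contoso.example")],
        "@odata.nextLink": f"{GRAPH}/users?$skiptoken=page2",
    },
    f"{GRAPH}/users?$skiptoken=page2": {
        "value": [_user(3, "Guest Person", None),
                  _user(4, "Former Staff", "former@contoso.example", plans=False),
                  _user(5, "Hidden Exec", "exec@contoso.example", show=False),
                  _user(6, "Zed Ops", "zed@contoso.example")],
    },
}

# Constructed stand-in for Get-Mailbox output (UPN -> flags), e.g. exported with ConvertTo-Json.
SAMPLE_MAILBOXES = {
    "ada@contoso.example": {"HiddenFromAddressListsEnabled": False},
    "backup@contoso.example": {"HiddenFromAddressListsEnabled": True},
}


def fake_fetch(url: str) -> dict:
    """Offline replacement for an authenticated GET against Graph."""
    return SAMPLE_PAGES[url]


def export_gal(fetch=fake_fetch, mailboxes=SAMPLE_MAILBOXES) -> list[dict]:
    return gal_entries(list_users(fetch), mailboxes)


if __name__ == "__main__":
    print(json.dumps(export_gal(), indent=2))
```

Only Ada and Zed survive the filter in the sample: the backup account is hidden on the Exchange side, the guest has no mail, the former employee has no provisioned plans, and the executive has showInAddressList set to false. With a real tenant, the user list should be pulled with an application permission so the export is not limited to what one signed-in user can see.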

Delta queries not supported on 'users'

I'm trying to use delta queries on my AD and it works perfectly when I try them out through Graph Explorer, but doesn't work at all with my app, I'm getting this:
message=Invalid request. Delta query is not supported by this resource.
My app is an 'old' app, meaning it was registered in Azure to work with old WAAD graph api. Is this why it's not working? Or could this be because of my app lacking some permission that Graph Explorer requires? I can read 'users' without any issues, it's only delta queries I'm having issues with.
The application requests the following permissions:
Access the directory as the signed-in user
Read all users' basic profiles
Sign in and read user profile
Token requests are managed by the library, it's asking for the following scopes: openid profile
If you're using Azure AD Graph then you cannot use /delta queries. AAD Graph API and Microsoft Graph API are entirely distinct APIs. Calls to one are not interchangeable with the other.
If you're looking to leverage /delta you'll have to refactor your application to use Microsoft Graph API.
Had to spend the whole day on this issue, here's what was going on. I was adding this HTTP header to the request (per some sample documentation):
Prefer: outlook.timezone="E. Europe Standard Time"
And that's what was breaking the delta query request; as soon as I removed the header, the request returned delta data instead of an error. I wish the error could be more descriptive; I wouldn't have had to spend so much time figuring this out.
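The delta cycle the two answers above describe, as an added example (not the posters' code): a Microsoft Graph /users/delta client that does the initial full walk through @odata.nextLink, stores the final @odata.deltaLink, and on later rounds applies only the changes, including @removed entries. It also refuses a Prefer: outlook.timezone header before sending, since the answer above reports that mailbox preference breaks the directory delta request with an unhelpful error. fetch() is injectable and the responses and delta tokens below are constructed sample data, so it runs offline.

```python
"""Delta sync of /users: initial full walk via @odata.nextLink, then
incremental rounds from the stored @odata.deltaLink, with @removed handled.

Added example, not the posters' code. fetch() is injectable and the
responses below are constructed, so it runs offline.
"""
from typing import Callable, Optional

GRAPH = "https://graph.microsoft.com/v1.0"
Fetch = Callable[[str, dict], dict]


class UserDeltaSync:
    def __init__(self, fetch: Fetch, headers: Optional[dict] = None):
        self.fetch = fetch
        self.headers = dict(headers or {})
        self.delta_link: Optional[str] = None   # persist this between runs
        self.state: dict[str, dict] = {}        # id -> last seen user

    def _check_headers(self) -> None:
        # Mailbox preferences do not belong on a directory delta request;
        # the answer above found this header made /users/delta fail.
        if "outlook.timezone" in self.headers.get("Prefer", ""):
            raise ValueError("Prefer: outlook.timezone is a mailbox preference; "
                             "drop it for /users/delta")

    def sync(self) -> dict:
        """Run one round: full walk on the first call, changes only afterwards."""
        self._check_headers()
        url = self.delta_link or f"{GRAPH}/users/delta?$select=id,displayName,mail"
        upserted, removed = [], []
        while url:
            page = self.fetch(url, self.headers)
            for item in page.get("value", []):
                if "@removed" in item:
                    self.state.pop(item["id"], None)
                    removed.append(item["id"])
                else:
                    # delta pages carry only changed properties; merge them
                    self.state[item["id"]] = {**self.state.get(item["id"], {}), **item}
                    upserted.append(item["id"])
            url = page.get("@odata.nextLink")
            if url is None:
                # last page of this round: remember where to resume next time
                self.delta_link = page["@odata.deltaLink"]
        return {"upserted": upserted, "removed": removed}


# Constructed sample exchange: two pages on the first round, one change round,
# then an empty round. Tokens s1/d1/d2 are placeholders, not real values.
FIRST = f"{GRAPH}/users/delta?$select=id,displayName,mail"
NEXT = f"{GRAPH}/users/delta?$skiptoken=s1"
DELTA1 = f"{GRAPH}/users/delta?$deltatoken=d1"
DELTA2 = f"{GRAPH}/users/delta?$deltatoken=d2"

SAMPLE_RESPONSES = {
    FIRST: {"value": [{"id": "1", "displayName": "Ada", "mail": "ada@contoso.example"},
                      {"id": "2", "displayName": "Bob", "mail": "bob@contoso.example"}],
            "@odata.nextLink": NEXT},
    NEXT: {"value": [{"id": "3", "displayName": "Cy", "mail": "cy@contoso.example"}],
           "@odata.deltaLink": DELTA1},
    DELTA1: {"value": [{"id": "2", "displayName": "Robert"},
                       {"id": "3", "@removed": {"reason": "deleted"}}],
             "@odata.deltaLink": DELTA2},
    DELTA2: {"value": [], "@odata.deltaLink": DELTA2},
}


def fake_fetch(url: str, headers: dict) -> dict:
    """Offline replacement for an authenticated GET against Graph."""
    return SAMPLE_RESPONSES[url]


def run_sample():
    """Two rounds against the constructed responses; returns what each round saw."""
    s = UserDeltaSync(fake_fetch)
    first = s.sync()
    second = s.sync()
    return first, second, s.state, s.delta_link


if __name__ == "__main__":
    print(run_sample())
```

Treat the stored deltaLink as state, not as a secret, but do persist it: losing it forces another full walk of the directory. The header check is deliberately narrow and only covers the one value the answer reports; other Outlook-specific Prefer values are a good candidate for the same treatment but are not evidenced here.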

Why is Microsoft Graph more restrictive?

In Outlook I can look up all users in my organisation, including phone number, address etc.
I guess using EWS I could do the same...
With Azure AD Graph (https://graph.windows.net) I can get ALL(!) properties of all (GAL) users as well - without the option to select a smaller property subset…
In Microsoft Graph (https://graph.microsoft.com) I can get all users (GAL), but not (all) properties like phone number, title etc. unless an admin allows access… Why is this different (more restricted) than the other APIs?
e.g. the permission Directory.AccessAsUser.All (Access the directory as the signed-in user)
In Microsoft Graph the user is UNABLE to consent
In Azure AD Graph - does NOT require admin
Using /me/people (in preview) in Microsoft Graph I can get all properties of a lot of users in my organisation - but not all. And I might get some users that my nearest colleague can't (why? - is it still buggy)
Everyone tells you to use Microsoft Graph but it seems to be more restricted than the old APIs.
I'd be interested to know a little more about the restrictive nature that you are describing. For the most part (with respect to Directory/Azure AD), Microsoft Graph exposes the same data secured by the same permissions model as Azure AD Graph. Please see https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference#user-permissions for more details on the available user permissions and what they allow.
What you might be seeing with Microsoft Graph is the fact that when you query the /users entity set in v1.0 (i.e. GET https://graph.microsoft.com/v1.0/users) Microsoft Graph will return only a key set of user properties by default. The user entity type is pretty big, and growing all the time - it has more than 40 properties and 25 navigation properties. Serializing and de-serializing large objects, especially when paging collections, can be expensive and non-performant, both for the client and for the Microsoft Graph service. Hence we return a default set. If you want other properties then you need to use the $select parameter. For example: GET https://graph.microsoft.com/v1.0/users?$select=displayName,givenName,officeLocation,postalCode,state. This is documented here: https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/api/user_get for example, but we are working on making some improvements to the documentation in this area too. If you want to see the full set of properties exposed by the Microsoft Graph user entity type, please look at the schema here: https://graph.microsoft.com/v1.0/$metadata.
[NOTE: $select is not supported in Azure AD Graph API, so we always return the full set].
The people API - ../me/people is about the people who you (the signed-in user) communicate with most often - it could also contain people outside of your organization. Hence, the list of people is likely specific and different for each user (even colleagues). It also is not the full directory of users in your organization.
I'd also like to get to the bottom of why you are seeing a difference in terms of consent - Directory.AccessAsUser.All always requires admin consent for web apps (for both Microsoft and Azure AD Graph).
Hope this helps,
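The two points in the answer above, the $select parameter and the permission that gates which user properties come back, as an added example (not the answer's own code): build the /users request with $select, but first read the scp (delegated) and roles (application) claims out of the access token already held and refuse to send a request for properties the token's permission cannot return. The mapping of properties to permissions below is an assumption drawn from the permissions reference linked above, so check it there; the token is decoded for inspection only and its signature is not verified, and the helper that mints an unsigned token exists only so the example runs offline.

```python
"""Build a /users request with $select after checking the bearer token's
permission claims. Added example, not the answer's own code.

BASIC_PROPERTIES and SUFFICIENT_FOR_ALL are assumptions about which Graph
permissions return which user properties; verify against the permissions
reference. The token is decoded for introspection only, no signature check.
"""
import base64
import json

GRAPH = "https://graph.microsoft.com/v1.0"

# Assumption: properties User.ReadBasic.All can return. Anything else on a
# user is assumed to need one of SUFFICIENT_FOR_ALL in the token.
BASIC_PROPERTIES = {"id", "displayName", "givenName", "surname", "mail", "userPrincipalName"}
SUFFICIENT_FOR_ALL = {"User.Read.All", "User.ReadWrite.All", "Directory.Read.All",
                      "Directory.ReadWrite.All", "Directory.AccessAsUser.All"}


def token_permissions(jwt: str) -> set[str]:
    """Delegated scopes (scp, space separated) plus app roles (roles, list)
    from a token we already hold. This is introspection, not validation:
    a token received from a caller must be signature-checked instead."""
    payload_b64 = jwt.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)     # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload_b64))
    perms = set(claims.get("scp", "").split())
    perms.update(claims.get("roles", []))
    return perms


def build_users_request(properties, jwt: str) -> str:
    """Return the GET URL with $select, or raise if the token cannot satisfy it."""
    props = list(dict.fromkeys(properties))            # de-duplicate, keep order
    perms = token_permissions(jwt)
    needs_full = set(props) - BASIC_PROPERTIES
    if needs_full and not (perms & SUFFICIENT_FOR_ALL):
        raise PermissionError(f"{sorted(needs_full)} need one of {sorted(SUFFICIENT_FOR_ALL)}; "
                              f"token has {sorted(perms)}")
    if not (perms & (SUFFICIENT_FOR_ALL | {"User.ReadBasic.All"})):
        raise PermissionError("token carries no user read permission")
    return f"{GRAPH}/users?$select={','.join(props)}"


def make_unsigned_token(claims: dict) -> str:
    """Constructed, unsigned test token so the example runs offline; a real
    access token from the auth library goes here in practice."""
    def b64(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{b64({'alg': 'none'})}.{b64(claims)}.sig-placeholder"


if __name__ == "__main__":
    basic = make_unsigned_token({"scp": "User.ReadBasic.All openid profile"})
    print(build_users_request(["displayName", "mail"], basic))
    try:
        build_users_request(["displayName", "businessPhones"], basic)
    except PermissionError as e:
        print("refused:", e)
```

Failing early on the client side turns an opaque 403 or a silently missing property into a clear message about which permission to request (and, for Directory.AccessAsUser.All, which an admin must consent to, as the answer notes).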

Build my own version of graph.microsoft.io

https://graph.microsoft.io/en-us/ seems to be built on top of the Azure AD graph - https://graph.windows.net/
I haven't found a lot of how graph.microsoft.io was built, but it seems like it is a superset of the original Azure AD API, together with the stuff to access data from Office 365 through the graph.
What stands out to me is that either they would have passed through queries from graph.microsoft.io to graph.windows.net or they would have rebuilt it all from scratch. So, I'm trying to understand how to build my own such graph. I will use Azure AD, which will enable my authentication and authorization. It will give me a graph of the users in my organization. But for custom applications that also use Azure AD for login, I would like them to be available via the graph, like how the Office 365 apps are available via the graph.microsoft.io site.
So far, to implement something similar, it seems like I can use the core Azure AD graph for a specific set of user data, and for apps that use the Azure AD instance that I provide, I can require them to implement an Odata endpoint which describes how their own data can be accessed.
Is this a good approach?
It's certainly pretty much exactly what we do, so who am I to argue. However, rather than going to Azure AD directly for the graph of users in your org, I'd encourage you to go to MS Graph for that data, as we'll be looking to add richness and functionality there rather than in the underlying AAD Graph as time marches on, and also it will enable you to link across easily to other Office apps of course.
Over time, we'd like you not to have to do this, but rather to bring your own apps' data into the Microsoft Graph in some fashion, but we are a ways away from having that facility available.
