Access Azure AD Graph API in ASP.NET MVC Organizational account - asp.net-mvc

I am trying to restrict page access based on the logged-in user's AD groups. I have issues with the following code.
var tenantId = incomingPrincipal.FindFirst(GraphConfiguration.TenantIdClaimType).Value;
//create Azure Graph Api client to make api calls
var client = Helpers.AzureGraphAPIFunctions.GetActiveDirectoryClient(tenantId);
IGroup group = client.Groups.Where(x => x.DisplayName == groupName).ExecuteSingleAsync().Result;
This code works fine and gets me the AD group by groupName, but sometimes it throws an exception:
"Tenant information is not available locally. Use the following Urls
to get the information."
{"odata.error":{"code":"Directory_BindingRedirection","message":{"lang":"en","value":"Tenant information is not available locally. Use the following Urls to get the information."},
"values":[
{"item":"Url1","value":"https:\/\/directory-s1-ch1.directory.windows.net"},
{"item":"Url2","value":"https:\/\/directory-s1-sn2.directory.windows.net"},
{"item":"Url3","value":"https:\/\/directory-s1-co1.directory.windows.net"},
{"item":"Url4","value":"https:\/\/directory-s1-bl2.directory.windows.net"}
]}}
Any ideas?
Thanks

Folks,
We're currently investigating this issue (you should not be seeing this error). It looks like a regression. Will update this thread when I have more info.
UPDATE:
This issue should now be resolved. We made an update to our gateway logic that broke some of our retry/redirect logic. We've now put some monitors in place also that should detect this issue much faster (should we make the same mistake again).
Apologies to those of you who were affected by this incident.

Related

Get all TI Indicators returns an empty list

I am trying to collect all active TIs via the Beta Graph API by following this. But it doesn't return anything. Here is what I use in Postman:
https://graph.microsoft.com/beta/security/tiIndicators
Response (200):
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#security/tiIndicators",
"value": []
}
A bit of context for the environment I work in.
The tenant has multiple Sentinel workspaces & resource groups.
The application I use has the correct permissions:
ThreatIndicators.Read.All
ThreatIndicators.ReadWrite.OwnedBy
ThreatSubmission.Read.All
ThreatSubmission.ReadWrite.All
It is my current belief that this might be due to the limitations of the Beta API. My reasoning is that according to this documentation you need the ThreatIndicators.ReadWrite.OwnedBy permission to access the API. This would suggest that currently you can only view TIs that the resource itself created.
If more info is needed just ask.
According to the documentation, the ThreatIndicators.ReadWrite.OwnedBy permission allows you to manage threat indicators your app creates or owns.
If you want to read all the threat indicators for your organization then your app needs ThreatIndicators.Read.All permission.
Although this is not a solution to the question it is a workaround. By using the Log Analytics API you can get the TI via a KQL.
ThreatIntelligenceIndicator
| where ExpirationDateTime > now() and
    NetworkIP matches regex @"^(?:(?:25[0-5]|(?:2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$" and
    ConfidenceScore > 25
| summarize by NetworkIP
This is probably better as you can also use a watchlist to exclude specific IP addresses with one request.
One thing I struggled with was authorization. You must give your application permission to use the api.loganalytics.io API, and the application needs the Log Analytics Reader role in the Log Analytics workspace you want to use.
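The KQL workaround in this answer, run through the Log Analytics query API, as an added Python example (not code from the answer or from Microsoft); it assumes a bearer token issued for the api.loganalytics.io resource and a workspace ID, both placeholders, and the response parsing works offline on a constructed reply.

```python
"""Run the KQL workaround above through the Log Analytics query API and
reduce the tabular response to a list of indicator IPs. Added example, not
the answer's own code; it assumes a bearer token issued for the
https://api.loganalytics.io resource and a workspace ID (placeholders)."""
import json
import urllib.request

# The query from the answer above; KQL verbatim strings use the @"..." prefix.
KQL = r'''ThreatIntelligenceIndicator
| where ExpirationDateTime > now() and
  NetworkIP matches regex @"^(?:(?:25[0-5]|(?:2[0-4]|1\d|[1-9]|)\d)\.?\b){4}$" and
  ConfidenceScore > 25
| summarize by NetworkIP'''


def query_request(workspace_id, token, kql=KQL):
    """Build the POST for the workspace query endpoint (token goes in the
    Authorization header, never in the URL)."""
    url = f"https://api.loganalytics.io/v1/workspaces/{workspace_id}/query"
    body = json.dumps({"query": kql}).encode()
    return urllib.request.Request(url, data=body, method="POST", headers={
        "Authorization": "Bearer " + token, "Content-Type": "application/json"})


def rows_as_dicts(response):
    """Flatten {"tables":[{"columns":[{"name":..}],"rows":[[..]]}]} into
    a list of dicts keyed by column name (first table only)."""
    tables = response.get("tables") or []
    if not tables:
        return []
    cols = [c["name"] for c in tables[0]["columns"]]
    return [dict(zip(cols, row)) for row in tables[0]["rows"]]


def indicator_ips(response, exclude=()):
    """Distinct NetworkIP values, minus an exclusion set (the watchlist idea
    from the answer, applied client-side here)."""
    skip = set(exclude)
    return sorted({r["NetworkIP"] for r in rows_as_dicts(response)
                   if r.get("NetworkIP") and r["NetworkIP"] not in skip})


def fetch_indicator_ips(workspace_id, token, exclude=()):
    """Live call: requires network access and a valid token."""
    req = query_request(workspace_id, token)
    with urllib.request.urlopen(req, timeout=60) as resp:
        return indicator_ips(json.load(resp), exclude)
```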

Graph API calls to OnPremise Exchange only works in Playground

Our setup is an on-premise Exchange Server which is accessible over the graph api. https://learn.microsoft.com/en-us/graph/hybrid-rest-support
We ran into the issue that our token is only "partially" working, while a token created by "Graph-Playground" is fully working. But we can't find any difference.
When I use Graph-Playground or use the token generated by Graph-Playground => all requests are working
When I create a token (over my app registration) => only some requests are working
The token seems to be valid: some calls like /me are working, but all calls related to Exchange like /me/contacts are failing with this error.
Request (these work with the token generated by Postman):
Error:
{ "error": { "code": "MailboxNotEnabledForRESTAPI", "message": "REST API is not yet supported for this mailbox." } }
(that's a very generic error, and mostly doesn't say anything about the real issue)
Token Generation:
I create my token in the same way as Graph-Playground creates the token (OAuth - implicit flow):
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=token&state=test2&client_id=????&scope=openid%20profile%20User.Read%20email%20Contacts.Read&redirect_uri=????
Token - Analysis:
As a side note, it was working for a few days, nobody changed anything :)
So I have no idea, why the "Graph Playground" can create a working token, and my token only "partially" works. Can you help me?
There is already a thread, but I'm not the owner of it. Also there are no more responses... I can't provide a bounty for a foreign thread, which is why I created a new thread. You can find it here:
MailboxNotEnabledForRESTAPI - Microsoft Graph API integration with HMA Enabled on-premise server
I recognize your error, we see it in several cases (for Office 365):
User has no Exchange license (probably not the case, since it works in the explorer).
Customer tenant has setup additional security.
You can limit applications to certain mailboxes. Maybe there is some kind of setting or policy like this on your local Exchange as well; you have to connect to Exchange Online PowerShell to set it, so maybe you can find something there. This is just a wild guess.
To track down this issue I would start checking the local Exchange logs.
Have you tried using the /users/{upn}/calendar endpoint? Maybe it's just that the /me/ part doesn't work.

How to get all users of a project in JIRA through the REST API

I'm trying to get all the users which are there in a project.
I went through this API https://docs.atlassian.com/software/jira/docs/api/REST/7.9.2/#api/2/user-findAssignableUsers, but I don't know why I'm getting {"errorMessages":["Internal server error"],"errors":{}}.
I also followed this article https://community.atlassian.com/t5/Answers-Developer-Questions/List-of-users-in-project-REST-API/qaq-p/536820 but I'm getting 401 unauthorised; as I don't have admin rights, I can't use the plugin mentioned in the above article. I'm stuck :( . I'll be thankful if anyone can help me.
Thanks.
First of all as Mech suggested, you will need to have admin access to the project to get required details. REST API uses exactly the same permissions as that of the normal JIRA UI.
If you want to fetch all the users (including different project roles) who have access to the respective project, then you need a chain of Jira REST API calls as below.
Use this API to fetch all the available roles for a project:
GET /rest/api/2/project/{projectIdOrKey}/role
You will get some response like,
{
"Administrators": "http://www.example.com/jira/rest/api/2/project/MKY/role/10002",
"Users": "http://www.example.com/jira/rest/api/2/project/MKY/role/10001",
"Developers": "http://www.example.com/jira/rest/api/2/project/MKY/role/10000"
}
Then for each of the project roles (fetched in the first step), call the below Jira REST API to get the respective list of users by passing the role id and project key:
GET /rest/api/2/project/{projectIdOrKey}/role/{id}
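The two-step chain in this answer, as an added Python example (not code from the answer or from Atlassian): it lists the project's roles, reads each role's actors, and reports the roles the caller was not permitted to read instead of silently treating them as empty. The base URL, project key and credentials are placeholders, and the `fetch` callable is injected so the logic can be exercised offline against a constructed response.

```python
"""Chain the two Jira REST calls from the answer above: list a project's
roles, then fetch each role's actors and collect the distinct users.
Added example (not the project's code); base URL, project key and
credentials are placeholders. Standard library only."""
import base64
import json
import urllib.error
import urllib.request

JIRA_BASE = "https://jira.example.com"   # placeholder, not from the question
PROJECT_KEY = "MKY"                      # key used in the answer's sample response


def http_get_json(url, user, api_token):
    """GET a Jira REST URL with basic auth and return the parsed JSON.
    A 401/403 surfaces as HTTPError so callers can tell 'not permitted'
    apart from 'no members' (the API enforces the same rules as the UI)."""
    cred = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + cred,
                                               "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def project_users(base, project_key, fetch):
    """fetch(url) -> dict. Returns distinct usernames across all roles,
    the users per role, group actors per role (their membership is not
    expanded by this endpoint) and the roles the caller could not read."""
    roles = fetch(f"{base}/rest/api/2/project/{project_key}/role")
    by_role, groups, denied = {}, {}, []
    for role_name, role_url in roles.items():   # {"Developers": ".../role/10000", ...}
        try:
            role = fetch(role_url)
        except urllib.error.HTTPError as exc:
            if exc.code in (401, 403):
                denied.append(role_name)        # record it rather than hide it
                continue
            raise
        actors = role.get("actors", [])
        by_role[role_name] = [a["name"] for a in actors
                              if a.get("type") == "atlassian-user-role-actor"]
        groups[role_name] = [a["name"] for a in actors
                             if a.get("type") == "atlassian-group-role-actor"]
    all_users = sorted({u for us in by_role.values() for u in us})
    return {"users": all_users, "by_role": by_role, "groups": groups, "denied": denied}
```

For a live run, call `project_users(JIRA_BASE, PROJECT_KEY, lambda u: http_get_json(u, user, token))` with your own account; group actors still need a separate group-membership lookup.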
This is how you can get all project members (users):
https://{YourCompanyName}.atlassian.net/rest/api/3/user/assignable/search?project={JiraIdProject OR JiraProjectKey}

Returning employeeId of a user through MS Graph API

I've been trying to return the employeeId of a user through the Microsoft Graph API but so far haven't had much luck.
I'm assuming this is probably because it doesn't exist in the metadata for the user in the Graph API so makes sense.
However, the property is populated in Azure AD. If I use the AZ command prompt to query the user I can see the property. Likewise, if I query the old Active Directory Graph API endpoint I can even see it there.
For example, querying
https://graph.windows.net/{tenant}/users/{upn}?api-version=1.6 directly, I receive the employeeId as part of the response (using the ActiveDirectoryClient, however, seems to ignore this property and doesn't store it anywhere).
Is there any reason for this? Wouldn't it make sense to have it returned as an additional property? I've also looked into extensions, but as it's not an extension isn't returned there.
Any help would be appreciated. I can get the information I need by querying the old endpoint directly, but this seems like a complete backwards step and involves multiple queries to get the information I need - including having to use multiple end points (one of which I assume will be deprecated and removed soon).
EmployeeId is currently a beta feature and is only available in the beta endpoint of the Graph API.
So if you want to access the beta endpoint you just have to change the version to beta in your url. For example:
https://graph.microsoft.com/beta/me/
https://graph.microsoft.com/beta/users/{id|upn}/
https://graph.windows.net/{tenant}/users/{id|upn}?api-version=beta
For more information about the user-object in the beta endpoint see: https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/user

Google YOLO stopped working: The client origin is not permitted to use this API

I assume it has something to do with this:
For me Google One Tap stopped working on all my sites that previously worked. I added an API HTTP referrer restriction in console.developer.com, but I still get a warning message "The client origin is not permitted to use this API." Any thoughts? If you go to the page https://www.wego.com/ you can see that Google One Tap still works...
https://news.ycombinator.com/item?id=17044518#17045809
but Google YOLO stopped working for everyone. I use it, like many people, for login and it just stopped working.
My domains are obviously added on console.developers.google.com.
Any ETA for fixing this? Some information would be great for people who rely on it.
Google YOLO is not disabled. It is open to a small list of Google Partners.
The reason you were able to access it earlier was because it was open for a short period of time but the whitelist is now readded/enabled.
Reference:
https://twitter.com/sirdarckcat/status/994867137704587264
Google YOLO was put on a whitelist after a client-side exploit became clear to Google.
People could cover the login button of the prompt with something like a cookie consent (which we all know people automatically accept).
Therefore people could easily steal their Gmail or other details; due to this, Google decided to put it on a whitelist and review the sites that are using this technology in order to ensure that they are using it as they should.
Google retroactively labeled One-Tap as a "closed beta".
https://developers.google.com/identity/one-tap/web
The beta test program for this API is currently closed. We are improving the API's cross-browser functionality and will provide updates here in the coming months.
The link for the entire project is currently 404, but the beta statement is visible on the wayback machine.