How to get and set Manager Attribute for a Windows Azure AD User using Graph API

Windows Azure AD Graph provides programmatic access to Windows Azure Active Directory (AD) through REST API endpoints. Using Windows Azure AD Graph API developers can execute create, read, update, and delete (CRUD) operations on Windows Azure AD objects such as users and groups.
REST API endpoints.
Windows Azure AD Graph exposes REST endpoints so that developers can consume it in their applications. Windows Azure AD Graph conforms to OData v3 protocol, which makes it possible to consume from any modern development platform and application architecture, ranging from mobile devices to Office 365 extensions.
Windows Azure AD Authentication.
In order to execute any of the operations available through Windows Azure Graph, the client needs to be authenticated first. Windows Azure AD Graph relies on Windows Azure AD for authentication. Windows Azure AD federates with Windows Azure Active Directory and serves as a Security Token Service (STS) for client requests.
You can download a sample MVC .NET application that demonstrates how to access directory tenant data from Windows Azure AD using the Graph API.
MVC Sample Application for Windows Azure AD Graph API
To open this application, you need Microsoft Visual Studio 2012. It is already configured with the demo company's Graph API access endpoint. To create a Graph API access endpoint for your own Office 365 tenant or Azure AD tenant, you can follow my earlier post “Windows Azure Active Directory: Using the Graph API with an Office 365 Tenant”. See the sample Graph API access endpoint below, which you can create using PowerShell cmdlets or the Windows Azure Management Portal. To get access to the Windows Azure Management Portal you need an Azure subscription: those who have an Azure subscription can use the Windows Azure Management Portal to create the access endpoint, and those who have an Office 365 tenant subscription can use PowerShell cmdlets to create it.
Setting Graph API access endpoint in Web.config
<add key="TenantDomainName" value="yourdomainname.onmicrosoft.com"/>
<add key="AppPrincipalId" value="7829c758-2bef-43df-a655-718089474545"/>
<add key="Password" value="FStnXT1QON84B5o38aEmFdlNhEnYtzJ91Gg/JH/Jxiw="/>
To create the above details using PowerShell, you can follow my earlier blog post. Using the Graph API sample application, you can perform CRUD (Create, Read, Update and Delete) operations on Azure AD users and groups. But some functionality is not available, and you have to implement it yourself. One very useful piece of functionality, setting and getting a user's manager, is not implemented in the sample application.
Now let us have a look at how to set and get a user's manager.
        //Set Manager Attribute of an User
        // DirectoryService is the sample application's authenticated Graph OData
        // service context (name as used in the sample). "manager" is a single-valued
        // navigation link, so SetLink replaces any manager that is already set.
        public void SetUserManager(User user, User manager)
        {
            DirectoryService.SetLink(user, "manager", manager);
            DirectoryService.SaveChanges();
        }

        //Get User Manager by loading Manager attribute of an User
        public User GetUserManager(string strUserDisplayName)
        {
            // displayName is not unique in a directory: SingleOrDefault throws if
            // several users share the name, so prefer userPrincipalName or objectId
            // as the lookup key in production code.
            User user = DirectoryService.users
                .Where(it => it.displayName == strUserDisplayName)
                .SingleOrDefault();
            if (user == null)
                return null;   // no such user

            // The manager navigation property is not populated by the user query;
            // it has to be loaded explicitly before it can be read.
            DirectoryService.LoadProperty(user, "manager");
            DirectoryObject directoryObject = user.manager;
            if (directoryObject == null)
                return null;   // the user has no manager set

            // user.manager is only a DirectoryObject; fetch the full User entity by objectId.
            return DirectoryService.users
                .Where(it => it.objectId == directoryObject.objectId)
                .SingleOrDefault();
        }

GPO Manager version 3.0.0.0

With the release of CionSystem’s GPO Manager 3.0.0.0 you now have the workflow management, check-in/check-out, change control, backup/restore, reports and rollback that are needed to effectively manage GPOs across the enterprise.

CionSystem’s GPOManager offers a mechanism to control this highly important component of Active Directory. GPOs, Scope of Management links, and WMI filters are backed up in a secure, distributed manner and then placed under version control.

CionSystem’s GPOmanager contains the following popular features:

  • Version Comparisons: Quickly verify setting consistency and improve GPO auditing with advanced, side-by-side GPO version comparisons at different intervals.
  • Enhanced Group Policy Comparison: side-by-side comparison of two distinct GPOs, two versions of a GPO, or an existing GPO with its checked-out copy, to verify setting consistency.
  • GPO history and compare: record all changes to GPOs.
  • Delete version history: manage and reduce the size of the backup store.
  • Undo GPO changes: roll back to previous versions.
  • Approval-based workflow: a process to ensure that changes adhere to change management best practices before their deployment.
  • Configure workflow: enable organizational requirements and set them for specified users or groups on edit settings, cloak and uncloak, and lock and unlock.
  • Workflow commenting: track the request, review and approval process with comments and e-mail notifications at any stage.
  • Scheduling: enable approved changes to be implemented immediately or on a schedule.
  • Microsoft Group Policy Management Console (GPMC) for a familiar look and feel.
  • Cloaking: hide pre-production GPOs from all but selected administrators.
  • GPO check-in and check-out to prevent simultaneous editing conflicts.
  • GPO locking: prevent unwanted changes to production GPOs.
  • Backup and Restore: schedule a backup of all GPOs or of selected GPOs at a specified date and time.
  • Delegation and permissions management: delegate or provide Read, Edit and Apply permissions on a GPO to users.
  • Day-to-day tasks: perform common GPO actions such as Create, Edit, Delete, Link, Rename, Backup, Import, Restore GPO, add comments to a GPO, View, Enable and Disable.
  • Manage security: apply filters to a GPO.
  • Copy/Paste: create a duplicate GPO with the same settings.
  • Reports: create a report of all GPOs at a specified location.
  • Advanced categorizing: easily find GPOs that are linked, unlinked, orphaned, disabled, deleted, etc.
  • Replication: replicate the data among the available domain controllers.
  • Delegation: grant permission for users to create GPOs and to apply WMI filters.
  • Grant permission on all GPOs: grant users permission to read, edit and delete all GPOs.

Windows Azure Active Directory: Using the Graph API with an Office 365 Tenant

If you already have an Office 365 subscription and would like to manage your user accounts using the Azure AD Graph API (a RESTful API) instead of PowerShell cmdlets: yes, you can. While this statement is technically true, the story is far from complete. An Azure Active Directory subscription comes free with an Office 365 subscription. You will not be required to subscribe to Azure to manage your users, groups and users’ managers.
Now, to access Azure AD using the Graph API, you need the following details to authenticate with Azure AD.

  1. Tenant Domain Name
  2. Client Application Service Principal ID
  3. Client Application Secret Key.

The main challenge here is that you need to register your client web application with Azure to get the above details, so you have to go to the Microsoft Azure Management Portal to register your client application. To use the Microsoft Azure Management Portal, you need to subscribe to this service through the Microsoft Azure Portal. But, as I said, you can access Azure AD without any additional subscription to any Microsoft Azure service: you can register your client application with Azure just by using your Office 365 admin account credentials. Now your job is to configure a PowerShell console in which you can register your application using some PowerShell cmdlets. Click on the following links to download the required tools to configure the PowerShell console.
Microsoft Online Services Sign-In Assistant
Windows Azure Active Directory Module for Windows PowerShell (32-bit version)
Windows Azure Active Directory Module for Windows PowerShell (64-bit version)
After installing the above tools, open the Start Menu, open a PowerShell console and type the Connect-MsolService cmdlet.

Type your Office 365 admin account credentials and click OK. After a successful login to your Office 365 cloud account, execute the following PowerShell cmdlets to register your application with Azure AD in order to get the above details for the Graph API.

  1. Import-Module MSOnline
  2. Import-Module MSOnlineExtended
  3. $servicePrincipalName = "GraphWebClientApp"
  4. $sp = New-MsolServicePrincipal -ServicePrincipalNames $servicePrincipalName -DisplayName $servicePrincipalName -AppPrincipalId "7829c758-2bef-43df-a685-717081174554"
  5. New-MsolServicePrincipalCredential -ObjectId $sp.ObjectId -Type Password -Value "FStnXT1QON84B5o38aEmFdlNhEnYtzJ91Gg/JH/Jxiw="
  6. Add-MsolRoleMember -RoleObjectId "62e90394-69f5-4237-9190-012177145e10" -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId

Execute the above cmdlets one by one in the PowerShell console. Lines 1 and 2 import the PowerShell modules. In line 4, for -AppPrincipalId, I have given a hard-coded 32 bit GUID value; you can give any 32 bit GUID. In line 5 I have given a hard-coded complex string as the password parameter, which is used as the client secret key. Line 6 adds read-write permission for the service principal to access Azure AD.
After executing the above cmdlets, you have the required details to authenticate your client web application to Azure AD, as follows:
Tenant Domain = e.g. logicspark.onmicrosoft.com
AppPrincipalID = 7829c758-2bef-43df-a685-717081174554
Client Secret Key or Password = FStnXT1QON84B5o38aEmFdlNhEnYtzJ91Gg/JH/Jxiw=
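The six cmdlets above, and the Web.config values they produce for both this post and the earlier manager-attribute post, can also be run as one script. The script below is an added example written for this page; it is not the author's script and not part of the sample application. It assumes the MSOnline and MSOnlineExtended modules are installed and that Connect-MsolService has already been run with an Office 365 admin account; $appPhysicalPath is a placeholder for the web site folder. It differs from the listed cmdlets in three ways: the AppPrincipalId and the secret are generated locally instead of reusing the values printed in the post (anyone who reads the post knows those), the credential gets an explicit expiry so that it has to be rotated, and the role is resolved by name so that it is visible that line 6's RoleObjectId is the Company Administrator (Global Administrator) role rather than a plain read-write permission.

```powershell
# Added example, not the post's own script. Assumes Connect-MsolService was already run.
Import-Module MSOnline
Import-Module MSOnlineExtended

$servicePrincipalName = "GraphWebClientApp"

# 1. Generate the application id and the secret locally. Never reuse the GUID or the
#    secret published in a blog post or sample. The secret is 32 random bytes, Base64
#    encoded, which is the same shape as the value the post hard-codes.
$appPrincipalId = [guid]::NewGuid().ToString()
$secretBytes = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($secretBytes)
$clientSecret = [Convert]::ToBase64String($secretBytes)

# 2. Register the service principal (same cmdlet and parameters as line 4 of the post).
$sp = New-MsolServicePrincipal -ServicePrincipalNames $servicePrincipalName `
        -DisplayName $servicePrincipalName -AppPrincipalId $appPrincipalId

# 3. Attach the password credential with an explicit lifetime so it must be rotated;
#    line 5 of the post creates the credential with the default validity period.
New-MsolServicePrincipalCredential -ObjectId $sp.ObjectId -Type Password `
        -Value $clientSecret -StartDate (Get-Date) -EndDate (Get-Date).AddMonths(6)

# 4. Role 62e90394-69f5-4237-9190-012177145e10 from line 6 of the post is the
#    "Company Administrator" role: full control of the tenant. Resolve it by name so the
#    privilege level is obvious when the script is reviewed, and confirm the assignment.
#    If the application only needs user and group CRUD, check whether a narrower
#    directory role such as "User Account Administrator" covers the operations instead.
$role = Get-MsolRole -RoleName "Company Administrator"
Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal `
        -RoleMemberObjectId $sp.ObjectId
$member = Get-MsolRoleMember -RoleObjectId $role.ObjectId |
          Where-Object { $_.ObjectId -eq $sp.ObjectId }
if (-not $member) { throw "Role assignment for $servicePrincipalName was not applied" }

# 5. The three values the sample's Web.config needs. The secret is shown once here;
#    it must not be committed to source control together with the Web.config.
$tenantDomain = Get-MsolDomain |
                Where-Object { $_.Name -like "*.onmicrosoft.com" } |
                Select-Object -First 1 -ExpandProperty Name
"TenantDomainName = $tenantDomain"
"AppPrincipalId   = $appPrincipalId"
"Password         = $clientSecret"

# 6. Once the values are in Web.config on the web server, encrypt the appSettings
#    section with .NET protected configuration (DPAPI) so the secret is not readable
#    in clear text from the file. $appPhysicalPath is a placeholder for the site folder.
$appPhysicalPath = "C:\inetpub\wwwroot\GraphWebClientApp"
$regiis = Join-Path $env:windir "Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
& $regiis -pef "appSettings" $appPhysicalPath
```

The application reads the encrypted section transparently through ConfigurationManager, so no code change is needed in the sample; only the account that ran aspnet_regiis (or the machine key store, depending on the provider) can decrypt it, which is what keeps a copied Web.config from yielding a working tenant admin credential.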
Now download the MVC sample web client application to connect to Azure AD and check your Office 365 users and groups.
Download Sample .Net MVC Client Application
After downloading this sample application, open the Web.config file, modify the details as shown below and run the application. If everything goes well, you can explore the users and groups.

 <add key="TenantDomainName" value="logicspark.onmicrosoft.com"/>
 <add key="AppPrincipalId" value="7829c758-2bef-43df-a685-717081174554"/>
 <add key="Password" value="FStnXT1QON84B5o38aEmFdlNhEnYtzJ91Gg/JH/Jxiw="/>
 <add key="webpages:Version" value="2.0.0.0"/>
 <add key="webpages:Enabled" value="false"/>
 <add key="PreserveLoginUrl" value="true"/>
 <add key="ClientValidationEnabled" value="true"/>
 <add key="UnobtrusiveJavaScriptEnabled" value="true"/>