How to get and set Manager Attribute for a Windows Azure AD User using Graph API

Windows Azure AD Graph provides programmatic access to Windows Azure Active Directory (AD) through REST API endpoints. Using Windows Azure AD Graph API developers can execute create, read, update, and delete (CRUD) operations on Windows Azure AD objects such as users and groups.
REST API endpoints.
Windows Azure AD Graph exposes REST endpoints so that developers can consume it in their applications. Windows Azure AD Graph conforms to OData v3 protocol, which makes it possible to consume from any modern development platform and application architecture, ranging from mobile devices to Office 365 extensions.
Windows Azure AD Authentication.
In order to execute any of the operations available through Windows Azure Graph, the client needs to be authenticated first. Windows Azure AD Graph relies on Windows Azure AD for authentication. Windows Azure AD federates with Windows Azure Active Directory and serves as a Security Token Service (STS) for client requests.
You can download a sample MVC .NET application that demonstrates how to access directory tenant data from Windows Azure AD using the Graph API.
MVC Sample Application for Windows Azure AD Graph API
To open this application, you need Microsoft Visual Studio 2012. It is already configured with the demo company's Graph API access endpoint. To create a Graph API access endpoint for your own Office 365 tenant or Azure AD tenant, you can follow my earlier post "Windows Azure Active Directory: Using the Graph API with an Office 365 Tenant". See the sample Graph API access endpoint below, which you can create using PowerShell cmdlets or the Windows Azure Management Portal. To get access to the Windows Azure Management Portal, you have to have an Azure subscription. Those who have an Azure subscription can use the Windows Azure Management Portal to create the access endpoint, and those who have an Office 365 tenant subscription can use PowerShell cmdlets to create it.
Setting Graph API access endpoint in Web.config
<add key="TenantDomainName" value="yourdomainname.onmicrosoft.com"/>
<add key="AppPrincipalId" value="7829c758-2bef-43df-a655-718089474545"/>
<add key="Password" value="FStnXT1QON84B5o38aEmFdlNhEnYtzJ91Gg/JH/Jxiw="/>
To create the above details using PowerShell, you can follow my earlier blog post. Using the Graph API sample application, you can perform CRUD (Create, Read, Update and Delete) operations on Azure AD users and groups. But some functionality is not available, and you have to implement it yourself. One very useful function, setting and getting a user's manager, is not implemented in the sample application.
Now let us have a look at how to set and get a user's manager:
// Set the manager attribute of a user. Both objects must already be tracked by the
// DirectoryService context (e.g. returned by an earlier query).
public void SetUserManager(User user, User manager)
{
    if (user == null) throw new ArgumentNullException("user");
    if (manager == null) throw new ArgumentNullException("manager");

    // "manager" is a single-valued navigation link, so SetLink (not AddLink) is the right call;
    // nothing is sent to the directory until SaveChanges().
    DirectoryService.SetLink(user, "manager", manager);
    DirectoryService.SaveChanges();
}

// Get a user's manager by loading the "manager" navigation property of the user.
public User GetUserManager(string strUserDisplayName)
{
    // displayName is not unique in a tenant; SingleOrDefault throws if more than one user matches.
    User user = DirectoryService.users
        .Where(it => it.displayName == strUserDisplayName)
        .SingleOrDefault();
    if (user == null)
    {
        return null; // no such user
    }

    // The manager link is deferred: it is not returned with the user entity and must be loaded explicitly.
    DirectoryService.LoadProperty(user, "manager");
    DirectoryObject directoryObject = user.manager;
    if (directoryObject == null)
    {
        return null; // user has no manager set
    }

    // The link is typed as DirectoryObject; fetch the full User entity by its objectId.
    return DirectoryService.users
        .Where(it => it.objectId == directoryObject.objectId)
        .SingleOrDefault();
}
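The C# above goes through the OData client library; the calls below are an added example, not part of the original post or of the MVC sample application, showing the same get- and set-manager operations performed directly against the Azure AD Graph REST endpoint with Invoke-RestMethod, which is what LoadProperty and SetLink do on the wire. The inputs are the three Web.config values from the post; the token endpoint, the `$links/manager` path and `api-version=1.6` are the standard Azure AD Graph ones and are assumptions here. The user is keyed by objectId rather than display name, since display names are not unique.

```powershell
# Added example (not from the original post): manager get/set via the Azure AD Graph REST API.

function Get-GraphToken {
    param([string] $TenantDomain, [string] $AppPrincipalId, [string] $ClientSecret)
    # OAuth2 client-credentials grant: the service principal's AppPrincipalId is the client_id,
    # the password credential created with New-MsolServicePrincipalCredential is the client_secret.
    $body = @{
        grant_type    = "client_credentials"
        client_id     = $AppPrincipalId
        client_secret = $ClientSecret
        resource      = "https://graph.windows.net"
    }
    $tokenUri = "https://login.microsoftonline.com/$TenantDomain/oauth2/token"   # assumed endpoint
    return (Invoke-RestMethod -Method Post -Uri $tokenUri -Body $body).access_token
}

function Get-GraphUserManager {
    param([string] $TenantDomain, [string] $Token, [string] $UserObjectId)
    # Equivalent of DirectoryService.LoadProperty(user, "manager"): the manager is a deferred
    # navigation link and must be requested separately from the user entity.
    $uri = "https://graph.windows.net/$TenantDomain/users/$UserObjectId/`$links/manager?api-version=1.6"
    try {
        $link = Invoke-RestMethod -Method Get -Uri $uri -Headers @{ Authorization = "Bearer $Token" }
    }
    catch {
        # A 404 on the link means the user has no manager assigned; mirror the C# null result.
        $response = $_.Exception.Response
        if ($response -and [int]$response.StatusCode -eq 404) { return $null }
        throw
    }
    # The link body is {"url": ".../directoryObjects/<managerObjectId>[/Microsoft.DirectoryServices.User]"};
    # extract the objectId so the caller can fetch the full user with GET /users/<objectId>.
    if ($link.url -match 'directoryObjects/([0-9a-fA-F-]{36})') { return $Matches[1] }
    return $null
}

function Set-GraphUserManager {
    param([string] $TenantDomain, [string] $Token, [string] $UserObjectId, [string] $ManagerObjectId)
    # Equivalent of DirectoryService.SetLink(user, "manager", manager) followed by SaveChanges():
    # PUT the manager's directoryObjects URL onto the single-valued $links/manager navigation.
    $uri  = "https://graph.windows.net/$TenantDomain/users/$UserObjectId/`$links/manager?api-version=1.6"
    $body = @{ url = "https://graph.windows.net/$TenantDomain/directoryObjects/$ManagerObjectId" } | ConvertTo-Json
    Invoke-RestMethod -Method Put -Uri $uri -Headers @{ Authorization = "Bearer $Token" } `
        -ContentType "application/json" -Body $body | Out-Null
}

# Usage (placeholder values; substitute your own Web.config settings and two real objectIds):
$tenant = "yourdomainname.onmicrosoft.com"
$token  = Get-GraphToken -TenantDomain $tenant -AppPrincipalId "<AppPrincipalId>" -ClientSecret "<Password>"
Set-GraphUserManager -TenantDomain $tenant -Token $token -UserObjectId "<userObjectId>" -ManagerObjectId "<managerObjectId>"
Get-GraphUserManager -TenantDomain $tenant -Token $token -UserObjectId "<userObjectId>"
```

The PUT returns 204 No Content on success, so there is nothing to inspect; a subsequent Get-GraphUserManager call on the same user returns the manager's objectId. A DELETE on the same `$links/manager` URL would clear the attribute.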

Windows Azure Active Directory: Using the Graph API with an Office 365 Tenant

If you have already got an Office 365 subscription and would like to manage your user accounts using the Azure AD Graph API (a RESTful API) instead of PowerShell cmdlets: yes, you can. While this statement is technically true, the story is far from complete. An Azure Active Directory subscription comes free with an Office 365 subscription. You will not be required to subscribe to Azure to manage your users and groups and users' managers.
Now, to access Azure AD using the Graph API, you need the following details to authenticate with Azure AD.

  1. Tenant Domain Name
  2. Client Application Service Principal ID
  3. Client Application Secret Key.

The main challenge here is that you need to register your client web application with Azure to get the above details, so you have to go to the Microsoft Azure Management Portal to register your client application. To use the Microsoft Azure Management Portal, you need to subscribe to this service with the Microsoft Azure Portal. But, as I said, you can access Azure AD without any additional subscription to any Microsoft Azure service: you can register your client application with Azure just by using your Office 365 admin account credentials. Now your job is to configure a PowerShell console where you can register your application using some PowerShell cmdlets. Click on the following links to download the required tools to configure the PowerShell console.
Microsoft Online Services Sign-In Assistant
Windows Azure Active Directory Module for Windows PowerShell (32-bit version)
Windows Azure Active Directory Module for Windows PowerShell (64-bit version)
After installing the above tools, open the Start menu, open a PowerShell console and type the Connect-MsolService cmdlet.

Type your Office 365 admin account credentials and click OK. After successfully logging in to your Office 365 cloud account, execute the following PowerShell cmdlets to register your application with Azure AD in order to get the details mentioned above for the Graph API.

  1. Import-Module MSOnline
  2. Import-Module MSOnlineExtended
  3. $servicePrincipalName = "GraphWebClientApp"
  4. $sp = New-MsolServicePrincipal -ServicePrincipalNames $servicePrincipalName -DisplayName $servicePrincipalName -AppPrincipalId "7829c758-2bef-43df-a685-717081174554"
  5. New-MsolServicePrincipalCredential -ObjectId $sp.ObjectId -Type Password -Value "FStnXT1QON84B5o38aEmFdlNhEnYtzJ91Gg/JH/Jxiw="
  6. Add-MsolRoleMember -RoleObjectId "62e90394-69f5-4237-9190-012177145e10" -RoleMemberType ServicePrincipal -RoleMemberObjectId $sp.ObjectId

Execute the above cmdlets one by one in the PowerShell console. Lines 1 and 2 import the PowerShell modules. In line 4, for -AppPrincipalId I have given a hard-coded 32-bit GUID value; you can give any 32-bit GUID. In line 5 I have given a hard-coded complex string as the password parameter, which can be used as the client secret key. Line 6 adds read-write permission to the service principal to access Azure AD.
After executing the above cmdlets, you have the details required to authenticate your client web application to Azure AD, as follows:
Tenant Domain = e.g. logicspark.onmicrosoft.com
AppPrincipalID = 7829c758-2bef-43df-a685-717081174554
Client Secret Key or Password = FStnXT1QON84B5o38aEmFdlNhEnYtzJ91Gg/JH/Jxiw=
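The six cmdlets above can be wrapped into one reusable function. The following is an added example, not from the original post: it performs the same registration but generates a fresh AppPrincipalId and a random, time-limited client secret instead of reusing the GUID and password literals printed above, and it resolves the role by name (the role object id used in line 6, 62e90394-69f5-4237-9190-012177145e10, is the "Company Administrator" role). It assumes the MSOnline and MSOnlineExtended modules are installed and that Connect-MsolService has already been run with an Office 365 admin account; the function name and parameters are my own.

```powershell
# Added example (not from the original post): register a Graph API service principal with
# generated, expiring credentials rather than the hard-coded values shown in the post.

function Register-GraphClientApp {
    param(
        [string] $ServicePrincipalName = "GraphWebClientApp",
        # "Company Administrator" is what line 6 of the post grants; pass the least-privileged
        # role name from Get-MsolRole that still covers the directory operations your app performs.
        [string] $RoleName = "Company Administrator",
        [int] $SecretValidDays = 90
    )

    Import-Module MSOnline
    Import-Module MSOnlineExtended

    # Lines 3-4 of the post: any GUID is acceptable as the AppPrincipalId, so generate a new one
    # rather than reusing a value that has been published and may already exist in a tenant.
    $appPrincipalId = [guid]::NewGuid().ToString()
    $sp = New-MsolServicePrincipal -ServicePrincipalNames $ServicePrincipalName `
        -DisplayName $ServicePrincipalName -AppPrincipalId $appPrincipalId

    # Line 5 of the post: the password credential is the client secret. Draw 32 bytes from a
    # cryptographic RNG and base64-encode them (same shape as the post's value, but unique to
    # this tenant), and give the credential an explicit validity window so it expires instead
    # of living indefinitely in Web.config.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $secretBytes = New-Object byte[] 32
    $rng.GetBytes($secretBytes)
    $clientSecret = [Convert]::ToBase64String($secretBytes)
    $start = Get-Date
    New-MsolServicePrincipalCredential -ObjectId $sp.ObjectId -Type Password -Value $clientSecret `
        -StartDate $start -EndDate $start.AddDays($SecretValidDays) | Out-Null

    # Line 6 of the post: role membership, resolved by name instead of a hard-coded role object id.
    $role = Get-MsolRole -RoleName $RoleName
    Add-MsolRoleMember -RoleObjectId $role.ObjectId -RoleMemberType ServicePrincipal `
        -RoleMemberObjectId $sp.ObjectId

    # Return exactly the three Web.config values. The secret is only available now; it cannot be
    # read back from the directory later, so record it in a secret store immediately.
    [pscustomobject]@{
        TenantDomainName = (Get-MsolDomain | Where-Object { $_.IsInitial }).Name
        AppPrincipalId   = $appPrincipalId
        Password         = $clientSecret
    }
}

# Usage: returns an object whose three properties map directly onto the Web.config keys below.
Register-GraphClientApp -ServicePrincipalName "GraphWebClientApp" -SecretValidDays 90
```

When the secret reaches its EndDate the token request will start failing, so re-run the credential step (or the whole function with a new name) before then and update Web.config; the old credential can be removed with Remove-MsolServicePrincipalCredential.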
Now download the MVC sample web client application to connect to Azure AD and check your Office 365 users and groups.
Download Sample .Net MVC Client Application
After downloading this sample application, open the Web.config file, modify the details as shown below and run the application. If everything goes well, you can explore the users and groups.

 <add key="TenantDomainName" value="logicspark.onmicrosoft.com"/>
 <add key="AppPrincipalId" value="7829c758-2bef-43df-a685-717081174554"/>
 <add key="Password" value="FStnXT1QON84B5o38aEmFdlNhEnYtzJ91Gg/JH/Jxiw="/>
 <add key="webpages:Version" value="2.0.0.0"/>
 <add key="webpages:Enabled" value="false"/>
 <add key="PreserveLoginUrl" value="true"/>
 <add key="ClientValidationEnabled" value="true"/>
 <add key="UnobtrusiveJavaScriptEnabled" value="true"/>