1
votes

I have 2 users in Azure AD

  1. Microsoft Account user
  2. Microsoft Azure Active Directory user

User 2 always works in Graph API calls, but user 1 does not.

https://graph.windows.net/tenantid/users/testmail@hotmail.com?api-version=2013-04-05

(The email is actually URL-encoded as testmail%40hotmail.com.) This gives the following error: "{\"odata.error\":{\"code\":\"Request_ResourceNotFound\",\"message\":{\"lang\":\"en\",\"value\":\"Resource 'testmail@hotmail.com' does not exist or one of its queried reference-property objects are not present.\"}}}"

Does anyone know how to fix this?

Edited: Things I figured out trying to fix this. I am using the userPrincipalName in the query above (..users/testmail@hotmail.com?..). For built-in domain accounts the userPrincipalName is testmail@domain.com (this works), but for a Microsoft account the userPrincipalName is testmail_hotmail.com#EXT#@domain.com. This was given in the all-users list (https://graph.windows.net/tenantid/users?api-version=2013-04-05). But even when I changed the query to '..users/testmail_hotmail.com#EXT#@domain.com?..', of course after URL encoding (testmail_hotmail.com%23EXT%23%40domain.com), it still does not work. The objectId always works, though, for all accounts (..users/objectId?..).

Also tried otherMails. Maybe the API call is wrong, as otherMails is an array. "https://graph.windows.net/tenantId/Users?$filter=otherMails eq 'testmail%40hotmail.com'&api-version=2013-04-05"

So the question still remains: if only the email is available for an MS account (not the objectId) when making the call, how do I get the user details?

2 Answers

1
votes

You are missing your domain in the URL you posted. It should be

https://graph.windows.net/[your Azure AD domain]/users

To get the email address for a user you need to add the object Id of the user in the request URL. So, for example, to get an Azure AD user it would be like this:

https://graph.windows.net/[your Azure AD domain]/users/[object ID of user]/mail

For users in the directory sourced from a Microsoft Account, the mail property is null. So, you will have to look in the otherMails property like this:

https://graph.windows.net/[your Azure AD domain]/users/[object ID of user]/otherMails

If you want to access the full user account using a user's UPN, you can do that for users sourced from Azure AD. For example, for a tenant domain contoso.com and a user with a UPN johndoe@contoso.com, the query would look like this:

https://graph.windows.net/contoso.com/users/johndoe@contoso.com

This doesn't work for users sourced from Microsoft Accounts. For these accounts, the UPN contains characters (#, . for example) that break the query. You can filter by the UPN though using the naming convention that is used for users sourced from Microsoft Accounts. Suppose you have a user whose email is jayhamlin@yahoo.com in your directory. The UPN would be something like jayhamlin_yahoo.com#EXT#@contoso.com. So, you could use a filter and look for the first part of the UPN like this:

https://graph.windows.net/contoso.com/users?api-version=2013-11-08&$filter=startswith(userPrincipalName, 'jayhamlin_yahoo')

You can easily explore the Graph API and object properties for your directory using https://graphexplorer.cloudapp.net.

-1
votes

That filter can work, but you could also filter on otherMails. Your original query didn't work because otherMails is a multi-valued property, so you need to use "any":

https://graph.windows.net/tenantId/users?api-version=1.5&$filter=otherMails/any(x:startswith(x,'testmail@hotmail.com'))

When are you using this lookup? Is it once the user has signed in, or for some people-picking scenario?

Cheers,
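
Added example (not part of either answer above, and not Microsoft's code): a Python sketch that builds the two filter URLs from the answers when only an email address is known, percent-encoding the filter and doubling single quotes so an address such as o'brien@hotmail.com stays a single OData string literal. The function names are hypothetical, the sample addresses are constructed, and the UPN prefix assumes the `local_domain#EXT#@tenant` convention described in the first answer.

```python
from urllib.parse import quote, urlsplit, parse_qs

GRAPH = "https://graph.windows.net"

def odata_literal(value):
    """Quote a string for $filter; OData escapes a single quote by doubling it."""
    return "'" + value.replace("'", "''") + "'"

def guest_upn_prefix(email):
    """First part of a Microsoft Account user's UPN: '@' replaced by '_'
    (assumed convention, taken from the first answer)."""
    local, sep, domain = email.rpartition("@")
    if not (sep and local and domain):
        raise ValueError("not an email address: %r" % (email,))
    return local + "_" + domain

def users_query(tenant, filter_expr, api_version="1.5"):
    """Build the /users URL with every reserved character in the filter
    percent-encoded (quotes, spaces, '@', '/', parentheses)."""
    return "%s/%s/users?api-version=%s&$filter=%s" % (
        GRAPH, quote(tenant, safe=""), quote(api_version, safe=""),
        quote(filter_expr, safe=""))

def by_other_mail(tenant, email):
    # otherMails is multi-valued, so the filter needs any(), as in the second answer
    expr = "otherMails/any(x:startswith(x,%s))" % odata_literal(email)
    return users_query(tenant, expr)

def by_guest_upn(tenant, email):
    # startswith() on userPrincipalName, as in the first answer
    expr = "startswith(userPrincipalName,%s)" % odata_literal(guest_upn_prefix(email))
    return users_query(tenant, expr)

def decoded_filter(url):
    """Decode $filter back out of a built URL, to inspect what the service receives."""
    return parse_qs(urlsplit(url).query)["$filter"][0]

if __name__ == "__main__":
    # Constructed sample input; contoso.com is the example tenant from the first answer.
    for mail in ("testmail@hotmail.com", "o'brien@hotmail.com"):
        for build in (by_other_mail, by_guest_upn):
            url = build("contoso.com", mail)
            print(url)
            print("   ", decoded_filter(url))
```

startswith() is a prefix match and can return more than one user, so compare otherMails or userPrincipalName on each returned object against the full address before using its objectId.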