Guest Account queries to Azure AD or Graph in Single tenant Application

1
votes

Iā€™m looking for information to support the following scenario.

We invite users from other Azure AD as guests to our Azure AD, put them in a group for a specific purpose and need to be able to get that guest user memberof groups from our Azure AD. When Trying to use Graph we cannot get connected to our graph as the guest Account seams to ask its own Graph all the time. Have searched the web for a long time and tested a lot of sample applications that at a first glance looks like it could support our scenario but no luck so far.

One of the reasons why we want to register a single tenant app is for to be able to manage the licensing part of our apps and solely manage the access to our application instead of demanding customer IT to be involved in the process of setting up and maintain their part of a multi tenant solution.

I now have lost all directions and just need a push in some direction on how to proceed.

2
c#functionazuregraphazure-active-directory
I believe AAD should support your scenario, but it is not clear what exactly you are currently trying and where you are currently failing. If you could share more details about your current authentication methods, and the specific error message or behaviors you are receiving, I am sure the community can help you resolve your problems. ā€“ Shawn Tabrizi
Shawn see comment below.. ā€“ Patrik Lilja

2 Answers

0
votes

As Shawn Tabrizi mentioned, the Microsoft Graph does support to retrieve the members for guest user from other tenants. Here is an example for your reference:

GET: https://graph.microsoft.com/v1.0/groups/{groupId}/members 
authorization: bearer {access_token}

Result enter image description here

More detail about this rest, you can refer link below. And please feel free to let me know if you still have problem about this REST.

List members

0
votes

Let's walk through it!

I have a tenant: shawntest.onmicrosoft.com

I created a new Guest User in this tenant using the Azure Portal: enter image description here

I clicked the "+ New guest user" button, and created the guest Gmail account you can see above. I have additionally added this user to a few groups, also in the portal: enter image description here

So let's sign this user in.

First, it is important in these situations to specify the Tenant where you want to sign the user in. You should probably NOT use the common endpoint for these kinds of accounts, since they may be associated with multiple tenants, and then you leave it up to AAD to make the final determination for you. Instead, specify a specific authentication context with a specific tenant id:

https://login.microsoftonline.com/shawntest.onmicrosoft.com

Now get a token using your preferred user login flow. I am using the Native Client flow, which can be easily simulated with just 13 lines of PowerShell.

Once I have my token, I call the /me endpoint to show evidence that I am working with an external user:

GET https://graph.windows.net/me?api-version=1.6

{
    "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.User/@Element",
    "odata.type": "Microsoft.DirectoryServices.User",
    "objectType": "User",
    ...
    "displayName": "Shawn Tabrizi",
    ...
    "userPrincipalName": "xxxxxx_gmail.com#EXT#@shawntest.onmicrosoft.com",
    "userType": "Guest"
}

Looks good to me. Now let's get the groups that user is a member of, using the memberOf query. Note that you can do this query right away, it is NOT dependent on any data from the last query.

GET https://graph.windows.net/me/memberOf?api-version=1.6

{
    "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects",
    "value": [{
        "odata.type": "Microsoft.DirectoryServices.Group",
        "objectType": "Group",
        ...
        "displayName": "TestGroup",
        ...
        "securityEnabled": true
    }, {
        "odata.type": "Microsoft.DirectoryServices.Group",
        "objectType": "Group",
        ...
        "displayName": "MyTestGroup",
        ...
        "securityEnabled": true
    }]
}

And that's all folks!