Based on this article, there are still some gaps between the Microsoft Graph API and the older Azure AD Graph API, but it seems neither will fully retrieve what's required.
As of now, the following will get the Alternate Email field only from the "Authentication contact info" section using the Azure AD Graph API:
Register the Application in Azure AD
In the Azure Active Directory instance:
- Register a new application (client_id)
- Grant "Read all users' full profiles" permissions to Windows Azure Active Directory
- Create a private key (client_secret) for the application
Authentication Flow
Reference: Service to Service Calls Using Client Credentials
Retrieve an access token
Request
POST https://login.microsoftonline.com/<tenant id>/oauth2/token
Payload
{
"client_id": "<client_id>",
"client_secret": "<client_secret>",
"resource": "https://graph.windows.net",
"grant_type": "client_credentials"
}
User Authentication Contact Info
Reference: Basic operations on users
Get user
Request
GET https://graph.windows.net/<tenant_id>/users/<user_id>?api-version=1.6
Headers
{
"Authorization": "Bearer <access_token>"
}
Response
{
...
"otherMails": ["<Alternate Email>"],
...
}
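The two calls above as a Python sketch. This is an added example, not code from the original answer. It sends the token payload fields form-encoded, as OAuth 2.0 token endpoints expect, and reads the secret from environment variables whose names (AAD_CLIENT_ID, AAD_CLIENT_SECRET) are assumptions made for this example.

```python
import json
import os
import urllib.parse
import urllib.request

AUTHORITY = "https://login.microsoftonline.com"
RESOURCE = "https://graph.windows.net"


def build_token_request(tenant_id, client_id, client_secret):
    """Client-credentials token request; the body is form-encoded, not JSON."""
    body = urllib.parse.urlencode({
        "client_id": client_id,
        "client_secret": client_secret,
        "resource": RESOURCE,
        "grant_type": "client_credentials",
    }).encode("ascii")
    return urllib.request.Request(
        f"{AUTHORITY}/{urllib.parse.quote(tenant_id, safe='')}/oauth2/token",
        data=body,
        headers={"Content-Type": "application/x-www-form-urlencoded"},
        method="POST",
    )


def build_user_request(tenant_id, user_id, access_token):
    """GET the user object with the bearer token from the first call."""
    url = (f"{RESOURCE}/{urllib.parse.quote(tenant_id, safe='')}/users/"
           f"{urllib.parse.quote(user_id, safe='@')}?api-version=1.6")
    return urllib.request.Request(
        url, headers={"Authorization": f"Bearer {access_token}"})


def alternate_emails(user_json):
    """Return otherMails as a list; the field may be absent or null."""
    mails = json.loads(user_json).get("otherMails") or []
    return [m for m in mails if isinstance(m, str)]


def fetch_alternate_emails(tenant_id, user_id):
    """Live call. The secret comes from the environment, never from source."""
    # AAD_CLIENT_ID / AAD_CLIENT_SECRET are hypothetical variable names.
    req = build_token_request(tenant_id, os.environ["AAD_CLIENT_ID"],
                              os.environ["AAD_CLIENT_SECRET"])
    with urllib.request.urlopen(req, timeout=10) as resp:
        token = json.load(resp)["access_token"]
    with urllib.request.urlopen(
            build_user_request(tenant_id, user_id, token), timeout=10) as resp:
        return alternate_emails(resp.read())
```

Only `fetch_alternate_emails` touches the network; the other functions can be exercised offline to check the request shape before a real secret is issued.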