Announcing some new capability in Azure Active Directory Graph Service


We rolled out an update to the Graph service a couple of days ago. Here is a brief overview of the changes included in this update; we will have individual posts on each of these topics in the future.

  • Using OAuth 2.0 Authorization Code Grant for delegated access to Azure Active Directory (AAD) via AAD Graph: You might have seen the recent announcement of the developer preview of OAuth Code Grant support in Azure Active Directory. You can use it to obtain delegated access when accessing resources, and the same mechanism works for accessing AAD resources through the Graph API with delegated access. We will have a detailed post and a sample web application showing how to use this with Graph shortly.
  • Support for the “Me” alias: If you use the delegated access to directory resources mentioned in the first point above, the token presented to Graph will include the user's information in its claims. To refer to that user's object, you can use the “Me” alias. The alias is case insensitive.
  • Checking transitive group membership for multiple groups: The Graph service already supports the isMemberOf function, which checks whether a user is a member of a particular group transitively (nested membership counts, not only direct membership). In authorization scenarios, however, it is common to need a transitive membership check against multiple groups at once. Right now the easiest way to do that is through multiple calls to isMemberOf, but that adds multiple round trips and is definitely not something we recommend. We have added a new function, “checkMemberGroups”, for this scenario. checkMemberGroups takes a collection of group object IDs and can be called on the user, group or service principal object whose membership needs to be checked. The function checks whether the object belongs to each of the groups and returns the collection of object IDs of the groups that the object belongs to. The number of input groups is limited to 20.
    • HTTP Method: POST
    • Request Body:

      {"groupIds": ["fb11a9aa-d501-465e-bd19-48a511883862", "24541d7f-c4c5-473e-9b78-f4fe8f0d5194"]}

    • Response:

      {"value": ["fb11a9aa-d501-465e-bd19-48a511883862"]}

  • Getting all groups that a user is a member of: Sometimes you might want to get all the group memberships of a user (or a group or a service principal) and cache them for the session (do not cache this information beyond the session). We have added a function called “getMemberGroups” for this scenario. getMemberGroups can be called on a user, group or service principal object and returns the object IDs of all the groups that the object is a member of, either directly or indirectly. The function takes one Boolean parameter, securityEnabledOnly. If securityEnabledOnly is true, only security-enabled groups are returned and the function can only be called on a user object. The maximum number of groups returned is capped at 1000 when securityEnabledOnly is true and 4500 when it is false.
    • HTTP Method: POST
    • Request Body:

      {"securityEnabledOnly": false}

    • Response:

      {"value": ["fb11a9aa-d501-465e-bd19-48a511883862"]}
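The two membership functions above (checkMemberGroups and getMemberGroups) as a small client, written here as an added example rather than code from the post or from the Graph team. It assumes the request shape `POST https://graph.windows.net/<tenant>/<users|groups|servicePrincipals>/<objectId>/<function>?api-version=<v>` and that the service wraps the returned collection in an OData `"value"` array; the tenant name, token, api-version value, user id and the third group id are placeholders, and `fake_send` is a constructed stand-in for the service so the code runs offline. It goes beyond the post in one way: it splits a candidate list of more than 20 groups into several checkMemberGroups calls and merges the answers, and it refuses securityEnabledOnly=true on anything but a user before sending.

```python
import json
from typing import Callable, Dict, List

# Limit stated in the announcement: checkMemberGroups accepts at most 20 group ids per call.
MAX_GROUPS_PER_CHECK = 20

# Assumed request shape (see lead-in). GRAPH_BASE is the real host; TENANT, TOKEN and the
# api-version default are placeholders.
GRAPH_BASE = "https://graph.windows.net"
TENANT = "contoso.onmicrosoft.com"
TOKEN = "<access-token-placeholder>"

Request = Dict[str, object]
Transport = Callable[[Request], str]  # sends one request, returns the response body as text


def build_request(object_type: str, object_id: str, function: str, body: dict,
                  tenant: str = TENANT, token: str = TOKEN, api_version: str = "1.6") -> Request:
    """Assemble the POST for one of the membership functions described in the post."""
    url = f"{GRAPH_BASE}/{tenant}/{object_type}/{object_id}/{function}?api-version={api_version}"
    return {
        "method": "POST",
        "url": url,
        "headers": {"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        "body": json.dumps(body),
    }


def _values(response_text: str) -> List[str]:
    # Assumption: the returned collection sits in an OData "value" array.
    return list(json.loads(response_text)["value"])


def check_member_groups(send: Transport, object_type: str, object_id: str,
                        group_ids: List[str]) -> List[str]:
    """Transitive membership check against many groups in one logical call.

    The input is de-duplicated and split into chunks of MAX_GROUPS_PER_CHECK so a caller
    with more than 20 candidate groups still gets one merged answer.
    """
    unique_ids = list(dict.fromkeys(group_ids))  # drop duplicates, keep the caller's order
    member_of: List[str] = []
    for start in range(0, len(unique_ids), MAX_GROUPS_PER_CHECK):
        chunk = unique_ids[start:start + MAX_GROUPS_PER_CHECK]
        req = build_request(object_type, object_id, "checkMemberGroups", {"groupIds": chunk})
        member_of.extend(_values(send(req)))
    return member_of


def get_member_groups(send: Transport, object_type: str, object_id: str,
                      security_enabled_only: bool) -> List[str]:
    """All groups (direct and nested) the object belongs to.

    securityEnabledOnly=true is only valid on a user object, so reject it client-side for
    groups and service principals instead of spending a round trip on an error.
    """
    if security_enabled_only and object_type != "users":
        raise ValueError("securityEnabledOnly=true can only be used on a user object")
    req = build_request(object_type, object_id, "getMemberGroups",
                        {"securityEnabledOnly": security_enabled_only})
    return _values(send(req))


# --- Constructed stand-in for the Graph service so the example runs offline. ---
# G1 and G2 are the sample group ids from the post; USER_ID and G3 are made up.
USER_ID = "9a2d4f60-0000-4000-8000-000000000001"
G1 = "fb11a9aa-d501-465e-bd19-48a511883862"
G2 = "24541d7f-c4c5-473e-9b78-f4fe8f0d5194"
G3 = "3c2f1e00-0000-4000-8000-000000000003"

# Transitive membership, already flattened: the user is a direct member of G1, and G1 is nested in G3.
FAKE_MEMBER_OF = {
    f"users/{USER_ID}": {G1, G3},
    f"groups/{G1}": {G3},
}
FAKE_SECURITY_ENABLED = {G1}  # G3 is a plain (non-security) group in this sample


def fake_send(req: Request) -> str:
    """Mimic the two functions, including the service-side limits the post mentions."""
    path = str(req["url"])[len(GRAPH_BASE) + 1:].split("?", 1)[0]
    _tenant, object_type, object_id, function = path.split("/")
    member_of = FAKE_MEMBER_OF.get(f"{object_type}/{object_id}", set())
    body = json.loads(str(req["body"]))
    if function == "checkMemberGroups":
        if len(body["groupIds"]) > MAX_GROUPS_PER_CHECK:
            raise RuntimeError("400 Bad Request: more than 20 groupIds")
        value = [g for g in body["groupIds"] if g in member_of]
    elif function == "getMemberGroups":
        if body["securityEnabledOnly"] and object_type != "users":
            raise RuntimeError("400 Bad Request: securityEnabledOnly requires a user object")
        value = sorted(g for g in member_of
                       if not body["securityEnabledOnly"] or g in FAKE_SECURITY_ENABLED)
    else:
        raise RuntimeError(f"404 Not Found: {function}")
    return json.dumps({"value": value})


def demo_chunked_check() -> List[str]:
    """25 candidates: the two sample ids, 22 made-up ids the user is not in, then G3 (two calls)."""
    fillers = [f"00000000-0000-4000-8000-{n:012d}" for n in range(22)]
    return check_member_groups(fake_send, "users", USER_ID, [G1, G2] + fillers + [G3])


if __name__ == "__main__":
    print(check_member_groups(fake_send, "users", USER_ID, [G1, G2]))
    print(demo_chunked_check())
    print(get_member_groups(fake_send, "users", USER_ID, True))
    print(get_member_groups(fake_send, "groups", G1, False))
```

Swap `fake_send` for a function that performs the real HTTP POST (for example with `urllib.request`) and the rest of the client is unchanged; the chunking keeps every request within the 20-group limit, and the result of getMemberGroups should only be cached for the duration of the session, as the post says.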


 As always, questions and feedback are welcome.

Comments (6)

  1. Paul Ballard says:

    Can I add user roles to my WAAD service?  I want to do this so I can pass the roles to my web apps for authorization.

  2. Paul,

    I think creating a custom Group and adding the users to the groups is more appropriate for the scenario you describe. The authorization scenario described in this MSDN article, msdn.microsoft.com/…/dn195601.aspx, describes how to use group memberships of a user for resource authorization. You can also add users to roles. But the roles in AAD have defined semantics in Directory and adding users to those roles will give them specific access to directory resources. So if you want to authorize users for your application, I suggest creating groups and adding users to groups.

    Thanks,

    Srikanth.

  3. Mark says:

    getMemberGroups can be called on a user/ group/service principal object

    Is it possible that you could write down how to invoke this method? I do not understand which object is referred to as a user/group/service principal object. I really need that, thanks.

  4. Hi Mark,

    The getMemberGroups operation can only be called on group and service principal objects if the securityEnabledOnly property in the request body is set to false.  The request is very similar to the example given in the post, e.g.:

       POST graph.windows.net/…/getMemberGroups
       Authorization: …
       Content-Type: application/json

       {"securityEnabledOnly":false}

    In this example, 87fdb58f-451c-4eb1-8ffb-3fafd393e8e9 is the objectId of the group that is the member of other groups you wish to obtain.

    Thanks,

    Robert

  5. Imran says:

    I want to ask a question: if we have a finite presentation of a group, but the orders of the generators are unknown, can we draw a Cayley graph of that group? If yes, then by which means?

  6. Ed says:

    Hi Imran, can you tell more about the goal of the Cayley graph?  Do you simply want to find all directional groups of the group in question?