Announcing some new capability in Azure Active Directory Graph Service

We rolled out an update to the Graph service a couple of days ago. Here is a brief overview of the changes included in this update. We will have individual posts on these topics in the future.

  • Using the OAuth 2.0 Authorization Code Grant for delegated access to Azure Active Directory (AAD) via AAD Graph: You might have seen the recent announcement of the developer preview of OAuth 2.0 Authorization Code Grant support in Azure Active Directory. You can use it to obtain delegated access when accessing resources, and the same mechanism works for accessing AAD resources via the Graph API. We will have a detailed post and a sample web application showing how to use this with Graph shortly.
  • Support for the “Me” alias: If you use delegated access to directory resources as described in the first point above, the token presented to Graph will carry the user's identity in its claims. To refer to that user's object you can use the “Me” alias; the user is resolved from the token, not from anything the caller puts in the URL. The alias is case insensitive.
  • Checking transitive group membership for multiple groups: The Graph service already supports the isMemberOf function, which checks transitively (nested group membership, not just direct membership) whether a user is a member of a particular group. In authorization scenarios, though, it is common to need a transitive membership check against several groups at once. Right now the easiest way to do that is multiple calls to isMemberOf, but that costs a round trip per group and is definitely not recommended. We have added a new function, checkMemberGroups, for this scenario. checkMemberGroups takes a collection of group object IDs and is called on the user, group or service principal object whose membership needs to be checked. It checks whether that object belongs to each of the given groups and returns the collection of object IDs of the groups it does belong to. The number of input groups is limited to 20.
    • HTTP Method: POST

    • Request Body:

      {
          "groupIds": ["fb11a9aa-d501-465e-bd19-48a511883862", "24541d7f-c4c5-473e-9b78-f4fe8f0d5194"]
      }

    • Response (the collection of object IDs of the input groups the object belongs to):

      ["fb11a9aa-d501-465e-bd19-48a511883862"]

  • Getting all groups that a user is a member of: Sometimes you might want to get all the group memberships of a user (or a group or a service principal) and cache them for the session (do not cache this information beyond the session: memberships change, and a stale cache becomes an authorization bug). We have added a function called getMemberGroups for this scenario. getMemberGroups is called on a user, group or service principal object and returns the object IDs of all the groups that object is a member of, either directly or indirectly. The function takes one Boolean parameter, securityEnabledOnly. If securityEnabledOnly is true, only security-enabled groups are returned, and the function can only be called on a user object. The maximum number of groups returned is capped at 1000 when securityEnabledOnly is true and 4500 when it is false.
    • HTTP Method: POST

    • Request Body:

      {"securityEnabledOnly": false}

    • Response (the collection of object IDs of all groups the object belongs to):

      ["fb11a9aa-d501-465e-bd19-48a511883862"]
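To show how the two functions above fit together in an authorization check, here is an added example in Python; it is not code from the original post or from the Graph SDK. It assumes the request is a POST of the JSON body shown above to `<object path>/checkMemberGroups` or `<object path>/getMemberGroups` (the URL layout and the `post` transport callable are assumptions), and it accepts the response either as a bare JSON array or wrapped in a `value` member (also an assumption; the post only says a collection of IDs is returned). It chunks the input into batches of 20 to respect the stated limit, and the constructed `fake_post` at the bottom stands in for the service so the code runs offline; the group roles and the two extra GUIDs are made up.

```python
"""Client-side helpers for the AAD Graph checkMemberGroups / getMemberGroups
functions.  Added example, not code from the original post.  The transport is
a callable so the same logic can be exercised offline against the constructed
directory at the bottom of this file."""
import json
from typing import Callable, Dict, Iterable, List, Set

# Limit stated in the announcement: at most 20 group IDs per checkMemberGroups call.
MAX_CHECK_GROUPS = 20

# Transport signature (assumption): post(path, json_body) -> parsed JSON response.
Transport = Callable[[str, str], object]


def _ids_from_response(resp: object) -> List[str]:
    """The post only says the functions return 'a collection of object IDs';
    accept a bare JSON array or an object wrapping it in 'value' (assumption)."""
    if isinstance(resp, dict):
        resp = resp.get("value", [])
    if not isinstance(resp, list) or not all(isinstance(x, str) for x in resp):
        raise ValueError("unexpected response shape: %r" % (resp,))
    return resp


def check_member_groups(post: Transport, object_path: str,
                        group_ids: Iterable[str]) -> Set[str]:
    """Subset of group_ids that the object at object_path (a user, group or
    service principal) is a transitive member of.  Inputs are de-duplicated and
    sent in batches of 20 so a long allow-list never trips the service limit."""
    ids = list(dict.fromkeys(group_ids))
    member_of: Set[str] = set()
    for start in range(0, len(ids), MAX_CHECK_GROUPS):
        body = json.dumps({"groupIds": ids[start:start + MAX_CHECK_GROUPS]})
        member_of.update(_ids_from_response(post(object_path + "/checkMemberGroups", body)))
    return member_of


def get_member_groups(post: Transport, object_path: str,
                      security_enabled_only: bool) -> Set[str]:
    """All groups (direct and indirect) the object belongs to.  Cache the
    result for the session only; memberships change and a stale cache is an
    authorization bug."""
    body = json.dumps({"securityEnabledOnly": security_enabled_only})
    return set(_ids_from_response(post(object_path + "/getMemberGroups", body)))


def is_authorized(post: Transport, object_path: str, allowed_groups: Iterable[str]) -> bool:
    """Authorization decision in one round trip per 20 groups instead of one
    isMemberOf call per group: allowed if the object is in any allowed group."""
    return bool(check_member_groups(post, object_path, allowed_groups))


# --- Constructed offline stand-in for the service (not real tenant data) -----
G_ADMINS = "fb11a9aa-d501-465e-bd19-48a511883862"   # IDs from the post; roles are made up
G_STAFF = "24541d7f-c4c5-473e-9b78-f4fe8f0d5194"
G_ALL = "00000000-0000-0000-0000-00000000a11a"      # hypothetical
G_DL = "00000000-0000-0000-0000-0000000000d1"       # hypothetical mail-only group
DIRECT_MEMBERSHIPS: Dict[str, Set[str]] = {         # direct memberships only
    "users/alice": {G_ADMINS},          # alice -> admins -> staff -> all
    "users/bob": {G_DL},
    "groups/" + G_ADMINS: {G_STAFF},    # nested group
    "groups/" + G_STAFF: {G_ALL},
}
SECURITY_ENABLED = {G_ADMINS, G_STAFF, G_ALL}       # G_DL is not security-enabled


def transitive_groups(object_path: str) -> Set[str]:
    """Walk nested memberships the way the service does for isMemberOf."""
    seen: Set[str] = set()
    todo = list(DIRECT_MEMBERSHIPS.get(object_path, ()))
    while todo:
        g = todo.pop()
        if g not in seen:
            seen.add(g)
            todo.extend(DIRECT_MEMBERSHIPS.get("groups/" + g, ()))
    return seen


def fake_post(path: str, body: str) -> object:
    """Answers like the service would, including the limits stated in the post."""
    object_path, function = path.rsplit("/", 1)
    request = json.loads(body)
    groups = transitive_groups(object_path)
    if function == "checkMemberGroups":
        if len(request["groupIds"]) > MAX_CHECK_GROUPS:
            raise ValueError("more than 20 groupIds in one call")
        return {"value": [g for g in request["groupIds"] if g in groups]}
    if function == "getMemberGroups":
        if request["securityEnabledOnly"]:
            if not object_path.startswith("users/"):
                raise ValueError("securityEnabledOnly=true is only valid on a user object")
            groups &= SECURITY_ENABLED
        return {"value": sorted(groups)}
    raise ValueError("unknown function " + function)
```

With a real transport, `post` would be a thin wrapper that sends the JSON body to the object's URL with the bearer token, and `object_path` would be the user, group or service principal path, or the “Me” alias when the token was obtained through the delegated flow. The de-duplication and chunking in `check_member_groups` matter because an authorization allow-list is often longer than 20 groups; the batching keeps each call within the limit while still avoiding one round trip per group.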

 

As always questions and feedback are welcome.