Receiving Error “AADSTS900439 – USGClientNotSupportedOnPublicEndpoint”

Problem: This blog provides more information about the error “AADSTS900439 – USGClientNotSupportedOnPublicEndpoint”.  This error typically occurs when a user uses a public cloud endpoint to sign in to an application registered in Azure Government sovereign cloud. It is known fact that the official Azure Active Directory (AAD) Authority for Azure Government changed from `https://login-us.microsoftonline.com` to `https://login.microsoftonline.us`. This change also applied to Microsoft 365 GCC High and DoD, which Azure Government…

Read More

Configure .Net Application to call Microsoft Graph in a National Cloud Tenant

When authenticating with Azure and making a Microsoft Graph request, for commercial tenants, this is all done with the .com endpoints ( https://login.micorosoftonline.com/… and https://graph.microsoft.com ) and your token audience is for the .com endpoint as well. However, when performing the requests against a National Cloud tenant, you must use the appropriate endpoints. In this article, I will show you how to configure the Microsoft Graph .Net SDK in a…

Read More

Receiving error “Change enumeration is not supported for requested tenant.” from MS Graph Delta query

Problem Customer receives the following error when running an MS Graph delta query, for instance the following: GET https://graph.microsoft.com/beta/users/delta ‘error’: { ‘code’: ‘Request_UnsupportedQuery’, ‘message’: ‘Change enumeration is not supported for requested tenant.’, ‘innerError’: { ‘request-id’: ‘xxx’, ‘date’: ‘2020-05-22T13:17:45’ } } Root Cause This error can happen if the tenant is an Azure AD B2C tenant. More Information Differential or Delta query is currently not supported in an Azure AD B2C…

Read More

How to get and display the user photo with Graph SDK for .Net in a WPF application

Occasionally, we get requests asking how to get the user photo using the Graph SDK. This blog post will show you how to do that in a WPF application but I will also show you a method for getting the photo and saving it to disk with a .Net console application. You can download the sample project here: https://github.com/RayGHeld/GraphClient_GetUserPhoto This project also utilizes the Authentication Provider code in this blog…

Read More

Implement Client Credentials flow for Graph Java Client

In my previous article , I showed you how to modify our great Graph Client for Java sample to add some additional options for things like filtering, setting the max retries for 429 errors, etc.  That sample uses the Oauth2 Device Code flow.  In this article, I will show you how to convert that and use the Client Credentials Flow.  Although, you will not be able to retrieve the same…

Read More

Some notes regarding the Microsoft Graph Subscription and webhook

For certain Azure AD resources or Directory Objects you can use Microsoft Graph to create Subscriptions to receive change notifications event. Below are some notes to be aware of: Subscription object Lifetime Each subscription object (except for Security alerts) is only valid for 3 days maximum, so make sure you renew the subscription before it expires to keep receiving change notifications. See https://docs.microsoft.com/en-us/graph/api/resources/subscription?view=graph-rest-1.0 for more detail on maximum subscription length…

Read More

Graph Query to get B2B user using User Principal Name (UPN)

If you are using Microsoft Graph API Query to fetch B2B user using UPN, and experiencing below shown error: Query: https://graph.microsoft.com/v1.0/users/example_gmail.com#EXT#@example.onmicrosoft.com Response: Well, here is the fix: You will need to encode the URL request. Reason, you are experiencing the error is because, ‘#‘ sign is treated as a special character in the URL. So ‘#‘ must be URL-encoded otherwise everything after it will be treated as a fragment and…

Read More

Using filter query on mail-related attributes in Microsoft Graph

The user object has email addresses stored in a couple of properties: the mail and otherMails properties. Both of these properties can be used to search for certain users having the desired email addresses. Here is an example of how to use the filter query to search for user using mail property: beta endpoint: GET https://graph.microsoft.com/beta/users?$filter=mail eq ‘john@contoso.com’ v1.0 endpoint: GET https://graph.microsoft.com/v1.0/users?$filter=mail eq ‘john@contoso.com’ Unlike the mail attribute (string-type property),…

Read More

Segment Users in Azure AD

If you have been using Microsoft Graph API to add or modify users in Azure Active Directory (Azure AD) you may have noticed that when you create a new user it lives with all the other users, some of which may have nothing to do with your application. Ideally, you may want a sub-directory or business unit of sorts. Fortunately, there are ways to segment these users in a more…

Read More

Setup POSTMAN to get Azure access tokens automatically for you

Introduction Postman is an HTTP request tool that is very handy for developing and testing your Azure requests. This is the Postman website: https://learning.getpostman.com/ Postman does make it easy to setup authentication and acquire access tokens but it normally is a multi-step process. The purpose of this blog post is to show you how you can setup Postman to automatically handle authentication for you so you don’t have to go…

Read More