Why do I sometimes get a 404 when trying to update an Azure Directory object after I just created it?

Azure AD is a distributed computing system which means, all of the data must be duplicated to the various data centers. You can read about the architecture of Azure here. We occasionally see a case where a customer is using Microsoft Graph to programmatically create a user, group, application, etc. and getting the object id back from that request and then using that id to do some kind of management…

Read More

Microsoft Graph: Why you cannot call the “me” endpoint with a token acquired via the client credentials grant flow

Introduction Microsoft Graph has a couple of primary ways you can get information about a user in Azure AD. This not only includes things like the user attributes but also groups the user is a member of, access to mail, and etc. Each endpoint does require specific permissions but generally speaking, a user can get the basic information about him/herself via the “me” endpoint. The “me” endpoint From our docs…

Read More

Azure Active Directory: How to get the signed in users groups when there is a groups overage claim in an Access token.

Azure AD has a maximum number of groups that can be returned in an access token when you have selected to include the groups claim for your access token. This post will show you how to reproduce the scenario and then how to get the users groups using Microsoft Graph when a groups overage claim is present in the token instead of actual groups. For a JWT token, Azure has…

Read More

How to perform logging for both MSAL.Net and Microsoft Graph SDK

Microsoft Graph SDK has the ability to log out complete HTTP Requests and Reponses as documented here. The way this logging mechanism works is by implementing a custom HttpClient Message handler to intercept every HTTP Request and Response between the client application and the Microsoft Graph Service. Besides hooking into GraphServiceClient’s processing pipeline to do request and response tracing, one can also configure proxy info. See Customize the Microsoft Graph…

Read More

Retry Invoke-RestMethod requests in PowerShell when an error occurs

In this blog post, I will show you how you can trap a specific type of error when making a graph request using the Invoke-RestMethod commandlet and pause and retry the request x number of times before quitting. This is very helpful and is actually recommended to do error handling when making requests to Microsoft Graph. The key here is to set the Url that you’re going to be calling…

Read More

Using PowerShell to configure a signing certificate for a SAML-based SSO Enterprise Application

In my last blog post I talked about how to use PowerShell to instantiate an MSAL Confidential Client Application to acquire an access token using Client Credentials Grant flow. In this post we will use PowerShell to instantiate an MSAL Public Client Application to perform an Authorization Code Grant flow to obtain a delegated permission Access Token for Microsoft Graph. We will then use that access token to call Microsoft…

Read More

Why /memberOf Microsoft Graph API returning null fields for some attributes.

What do below API calls do? https://graph.microsoft.com/v1.0/me/memberOf https://graph.microsoft.com/v1.0/users/{id | userPrincipalName}/memberOf These API calls gives us the list of groups and directory roles that the user is a direct member of. API Call: GET JSON response: {     “@odata.context”: “https://graph.microsoft.com/v1.0/$metadata#directoryObjects”,     “value”: [         {             “@odata.type”: “#microsoft.graph.group”,             “id”: “b0a133d4-3f3d-4990-be22-879151155f19”,             “deletedDateTime”: null,             “classification”: null,             “createdDateTime”: null,             “creationOptions”: [],             “description”: null,             “displayName”: null,             “expirationDateTime”: null,             “groupTypes”: [],             “isAssignableToRole”: null,             “mail”: null,             “mailEnabled”: null,             “mailNickname”: null,             “membershipRule”: null,             “membershipRuleProcessingState”: null,         } } What is the reason behind seeing null values? When we make a call…

Read More

Receiving Error “AADSTS900439 – USGClientNotSupportedOnPublicEndpoint”

Problem: This blog provides more information about the error “AADSTS900439 – USGClientNotSupportedOnPublicEndpoint”.  This error typically occurs when a user uses a public cloud endpoint to sign in to an application registered in Azure Government sovereign cloud. It is known fact that the official Azure Active Directory (AAD) Authority for Azure Government changed from `https://login-us.microsoftonline.com` to `https://login.microsoftonline.us`. This change also applied to Microsoft 365 GCC High and DoD, which Azure Government…

Read More

Configure .Net Application to call Microsoft Graph in a National Cloud Tenant

When authenticating with Azure and making a Microsoft Graph request, for commercial tenants, this is all done with the .com endpoints ( https://login.micorosoftonline.com/… and https://graph.microsoft.com ) and your token audience is for the .com endpoint as well. However, when performing the requests against a National Cloud tenant, you must use the appropriate endpoints. In this article, I will show you how to configure the Microsoft Graph .Net SDK in a…

Read More