0

I have an application that needs to filter permissions based on their on-prem AD common name. Couple of notes:

  • Azure AD Connect is syncing data between OnPrem AD and Azure
  • I am successfully retrieving the logged on user's group information from Azure Graph API into the Web Application.

The problem I'm having is the data returned from Graph API is not what I need or I have not properly configured Azure AD Connect properly. The Graph API JSON return object for groups is documented here.

Here is the Group object returned from Graph API: 

{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.Group/@Element",
  "odata.type": "Microsoft.DirectoryServices.Group",
  "objectType": "Group",
  "objectId": "b4bda672-1fba-4711-8fb1-5383c40b2c14",
  "deletionTimestamp": null,
  "description": "Marketing Department",
  "dirSyncEnabled": null,
  "displayName": "Marketing",
  "lastDirSyncTime": null,
  "mail": null,
  "mailNickname": "BposMailNickName",
  "mailEnabled": false,
  "onPremisesSecurityIdentifier": null,
  "provisioningErrors": [],
  "proxyAddresses": [],
  "securityEnabled": true
}

The closest thing I can find is "Display Name" but this is not the Common Name. An option, one I don't want to use, is make all of the "Display Names" the same as the group CN.

TLDR; Is a user groups CN accessible through Graph API and if so, how can I get to this data?

-Update: I'm using the Graph API endpoint getObjectsByObjectIds to hit Graph API once I have retrieve all of the Users Group Ids.

user959729
  • 1,127
  • 2
  • 12
  • 19

1 Answers1

2

CN is not accessible through Graph API (AAD or Microsoft Graph). If you are looking for a common unique identifier between on-premises and the cloud the you could use the on-premises group SID (in the cloud onPremisesSecurityIdentifier). This property is filterable.

The only other option I can think of (if that's not acceptable and you really need CN) is to use directory schema extensions, to extend the group entity with an additional CN property. Schema extensions are also filterable. Please also take a look at the latest AD Connect versions, as I believe they offer the ability to create/configure AAD cloud schema extensions and map from on-premises.

Hope this helps,

Dan Kershaw - MSFT
  • 5,833
  • 1
  • 14
  • 23
  • Thanks Dan for the information. We'll update the authorization filter so that we use the SID/onPremisesSecurityIdentifier property. – user959729 Mar 14 '16 at 17:03