0

I want to retrieve all the user information from a subscription. We can get the list of all users from an Azure subscription using the article below.

https://learn.microsoft.com/en-us/rest/api/authorization/roleassignments/list

But the above URL retrieves a list of all user GUIDs (and some more information), whereas here I want the user display name, mail ID, etc.

Please help me: how can I do this?

We can send these user GUIDs to the Graph API to retrieve the user information, but it needs consent from the tenant admin and we also need two extra calls (one to get the Graph bearer access token and the other to call the Graph API with the above list of user GUIDs). So how can I do this without the Graph API?

Avinash

2 Answers

1

I don't think there is any option available for retrieving the user details.

The only option is to use the Graph API with a token generated by an application (Service Principal) or an Active Directory user.

The user or the principal should have the Read Active Directory Users permission to fetch the user details.

Arunprabhu
1

You could utilise the RBAC Graph part of the Resource Manager API. If you're returning a list of GUIDs, you could loop through them, calling

GET https://graph.windows.net/{tenantID}/users/{upnOrObjectId}?api-version=1.6

which will return to you a better representation of the user.

Pete Philters
  • Thanks for the quick reply Phil. I have used the Graph RBAC API "https://graph.windows.net/{AzureTenantId}/getObjectsByObjectIds?api-version=1.6", but this also needs an App (service principal) and Admin consent for the App. I don't want to do this because I don't have admin consent for my App. Can you please suggest if there is any other way. – Avinash Aug 09 '18 at 16:47
  • So ideally you'd grant the correct Admin permission for reading over the AAD users to your application. What is your reason for not being able to do that? Alternatively you [could assign your application's service principal to a Pre-defined Admin role in AAD](https://stackoverflow.com/questions/51652438/azure-ad-enable-the-service-principal-as-a-an-application-administrator). This does the same as granting the permission however so probably not useful. If you don't want to grant your application the permission then it's not possible to get the information. – Pete Philters Aug 09 '18 at 16:52
  • Thanks for the reply. That answered my question. – Avinash Aug 09 '18 at 22:01
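The two-step flow discussed in this thread (list role assignments, then resolve the principal GUIDs through `getObjectsByObjectIds`), sketched as an added example that is not code from any of the posters. It only prepares the requests and sends nothing; the sample response, the all-zero tenant ID, the function names and the 1000-ID batch size are assumptions, and the directory read permission described in the answers is still required to actually send the calls.

```python
import json

# Constructed sample shaped like a roleAssignments list response (not real data).
SAMPLE_ROLE_ASSIGNMENTS = json.loads("""
{"value": [
  {"name": "a1", "properties": {"principalId": "11111111-1111-1111-1111-111111111111",
                                "scope": "/subscriptions/sub-placeholder"}},
  {"name": "a2", "properties": {"principalId": "22222222-2222-2222-2222-222222222222",
                                "scope": "/subscriptions/sub-placeholder"}},
  {"name": "a3", "properties": {"principalId": "11111111-1111-1111-1111-111111111111",
                                "scope": "/subscriptions/sub-placeholder/resourceGroups/rg"}},
  {"name": "a4", "properties": {"principalId": "33333333-3333-3333-3333-333333333333",
                                "scope": "/subscriptions/sub-placeholder"}},
  {"name": "a5", "properties": {}}
]}
""")


def principal_ids(response):
    """Return the unique principalId values in first-seen order.

    One principal often holds several assignments at different scopes,
    so deduplicating keeps the directory lookup as small as possible.
    """
    seen = {}
    for item in response.get("value", []):
        pid = item.get("properties", {}).get("principalId")
        if pid:  # skip malformed entries that carry no principal
            seen.setdefault(pid.lower(), pid)
    return list(seen.values())


def lookup_requests(tenant_id, ids, batch_size=1000):
    """Build (url, json_body) pairs for getObjectsByObjectIds.

    batch_size is an assumption about the per-call limit; lower it if
    the service rejects a request.
    """
    url = (f"https://graph.windows.net/{tenant_id}"
           "/getObjectsByObjectIds?api-version=1.6")
    return [(url, {"objectIds": ids[i:i + batch_size], "types": ["user"]})
            for i in range(0, len(ids), batch_size)]


if __name__ == "__main__":
    ids = principal_ids(SAMPLE_ROLE_ASSIGNMENTS)
    tenant = "00000000-0000-0000-0000-000000000000"  # placeholder tenant ID
    for url, body in lookup_requests(tenant, ids, batch_size=2):
        print("POST", url, json.dumps(body))
```

Restricting `types` to `user` means service principals and groups that hold role assignments are not returned by the lookup.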