Announcing some new capability in Azure Active Directory Graph Service

We have rolled out an update to the Graph service a couple of days back. Here is a brief overview of changes included in this update. We will have individual posts on these topics in the future.

• Using OAuth 2.0 Authorization Code Grant for delegated access of Azure Active Directory (AAD) via AAD Graph: You might have seen the recent announcement of developer preview for support of OAuth Code Grant in Azure Active Directory. You can use this to provide delegated access when accessing resources. We can use the same mechanism to access AAD resources using delegated access via Graph API. We will have a detailed post and a sample web application showing how to use this with Graph shortly.
• Support for “Me” alias: If you used delegated access of directory resources mentioned in the first point above, the token presented to graph will include user information in the claims. To refer to the user object, you can use the “Me” alias. The alias is case insensitive.
  • Example: https://graph.windows.net/contoso.com/me?api-version=2013-11-08 will return user information of the currently authenticated user.
• Checking transitive group membership for multiple groups: Graph service already supported IsMemberOf function to check transitively whether a user is a member of a particular Group (will check for transitive group membership and not just direct membership in the group). But in authorization scenarios, it will be a common requirement to check for transitive group membership for multiple groups. Right now the easiest way to do it through multiple calls to isMemberOf function but it adds multiple round trips and definitely not something that is recommended. We have added a new function “checkMemberGroups” to enable this scenario. checkMemberGroups takes a collection of object IDs of groups and can be called on a user, group or service principal object that the membership check needs to happen on. The function checks whether the object belongs to each of the groups and returns the collection of object IDs of the groups that the user object belongs to. The number of input groups is limited to 20. 
  • Example: Let’s assume that the user belongs to only group with object id fb11a9aa-d501-465e-bd19-48a511883862.To check whether user joe@contoso.com belongs to group fb11a9aa-d501-465e-bd19-48a511883862 and 24541d7f-c4c5-473e-9b78-f4fe8f0d5194: 
  • Request URL:  

    https://graph.windows.net/contoso.com/users/joe@contoso.com/checkMemberGroups?api-version=2013-11-08

  • HTTP Method: POST

  • Request Body:

    {     "groupIds":["fb11a9aa-d501-465e-bd19-48a511883862","24541d7f-c4c5-473e-9b78-f4fe8f0d5194"] }

    Response:

    {     ["fb11a9aa-d501-465e-bd19-48a511883862"] }

 Getting all groups that a user is member of: Sometimes you might want to get the information about all the group memberships of a user (or a group or a service principal) and cache it for the session (do not cache this information beyond the session). We have added a function called “getMemberGroups” for this scenario. getMemberGroups can be called on a user/ group/service principal object and returns all the object ids of the groups that the user/group/service principal is member of( either directly or indirectly). The functions takes one Boolean parameter: securityEnabledOnly. If securityEnabledOnly is true, only security enabled groups are returned and the function can only be called on user object. The maximum number of groups that you can get back from the query is capped at 1000 when securityEnabledOnly is true and 4500 when it is specified as false.

• Example: To retrieve all the groups that a user joe@contoso.com is member of:
• Request URL:  

  https://graph.windows.net/contoso.com/users/joe@contoso.com/getMemberGroups?api-version=2013-11-08

 HTTP Method: POST

Request Body:

Response:

As always questions and feedback are welcome.

Comments

• Anonymous
  May 20, 2013
  Can I add user roles to my WAAD service?  I want to do this so I can pass the roles to my web apps for authorization.
• Anonymous
  May 20, 2013
  Paul,I think creating a custom Group and adding the users to the groups is more appropriate for the scenario you describe. The authorization scenario described in this MSDN article : msdn.microsoft.com/.../dn195601.aspx describes how to use group memberships of a user for resource authorization. You can also add users to roles. But the roles in AAD have defined semantics in Directory and adding users to those roles will give them specific access to directory resources. So if you want to authorize users for your application, I suggest creating groups and adding users to groups.Thanks,Srikanth.
• Anonymous
  August 16, 2013
  getMemberGroups can be called on a user/ group/service principal objectIs that possible , that you write down how to invoke this method? I do not understand which object refers to as a user/group service principal object. I really need that, thanks
• Anonymous
  August 20, 2013
  Hi Mark,The getMemberGroups operation can only be called on group and service principal objects if the securityEnabledOnly property in the request body is set to false.  The request is very similar to the example given in the post, e.g.:   POST graph.windows.net/.../getMemberGroups   Authorization: ...   Content-Type: application/json   {"securityEnabledOnly":false}In this example, 87fdb58f-451c-4eb1-8ffb-3fafd393e8e9 is the objectId of the group that is the member of other groups you wish to obtain.Thanks,Robert
• Anonymous
  February 02, 2014
  I want to ask a question…that If we have a finite presentation of a group, but order of the generators are unknown, then can we draw a cayley graph of that group?? if yes, then by which mean
• Anonymous
  March 13, 2014
  Hi Imran, can you tell more about the goal of the Cayley graph?  Do simply want to find all directional groups of the group in question?