
Got a bit of a dilemma here.

I have a C# MVC app (connected to SharePoint) and I need to find a way to retrieve users from Azure Active Directory (SharePoint does not provide a people picker for this type of add-in).

What I want to achieve -> a search box; on button click it searches AD for the user email or name (probably email) and then it should return a JSON containing the Azure AD user id and display name.

I thought about using MS Graph to do that, but I didn't find a good tutorial to implement Graph calls into MVC. PLUS! I'd like a way that doesn't require users to do anything but click the search button (so preferably no auth token for the user, no Graph app login or such things).

Is this possible? I would even do it in JS since it will be a rather "closed" application, but the way they documented the Graph implementation makes me cry.... (so... yeah... please don't point me to the MS Graph implementation doc, it's awful).

Any help would be appreciated, thanks.

Dante R.
  • https://stackoverflow.com/questions/25757712/c-sharp-search-for-user-in-ad – Paul Abbott Aug 10 '18 at 16:16
  • What is the problem using Graph? It's the exact library you need – maccettura Aug 10 '18 at 16:17
  • The problem is I'm not really sure how to implement it. I'm not that experienced in C# and the only docs that I've found were asking the user to log in before doing any calls. I'd like to avoid that if possible... @PaulAbbott - This looks interesting (I've googled for the past 2 days and saw everything but that), I'll take a look, thanks. – Dante R. Aug 10 '18 at 16:21
  • @PaulAbbott I think I needed to be a bit more specific... my AD is Azure based, not a normal one. The link you gave me throws a "server could not be contacted" error :(. – Dante R. Aug 10 '18 at 16:42
  • @DanteR. Graph requires you to get a token based on your ClientId and Secret. Just look for `Microsoft.Graph` SDK tutorials – maccettura Aug 10 '18 at 16:45
  • @maccettura as I said... I did look at samples, documentation, everything I could find related to MS Graph but ALL OF THEM require the user to sign in. I don't want this extra step for the user. I don't know if I can do it without the user logging in and consenting to the app, that's why I'm asking here.. (which is why my post has the title "questions") – Dante R. Aug 10 '18 at 17:39

1 Answer

Dante

Based on your question and the comments you posted, I think maybe you want to use Microsoft Graph to get the user id and display name by the email, and you want to do it without the user logging in and consenting to the app. If I misunderstood your question, please feel free to let me know.

My initial suggestion is that you can try to get an AccessToken without a user.

According to this reference, we can get an AccessToken in background services or daemons.

Based on my test, we can try the following steps:
1. Get administrator consent:

    // Startup.cs: OWIN OpenID Connect middleware. An administrator signs in through this once,
    // which records consent for the app's application permissions in the tenant.
    app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
    {
        ClientId = clientId,
        Authority = authority,
        RedirectUri = redirectUri,
        PostLogoutRedirectUri = redirectUri,
        Scope = "openid profile",
        ResponseType = "id_token",
        TokenValidationParameters = new TokenValidationParameters { ValidateIssuer = false, NameClaimType = "name" },
        Notifications = new OpenIdConnectAuthenticationNotifications
        {
            AuthenticationFailed = this.OnAuthenticationFailedAsync,
            SecurityTokenValidated = this.OnSecurityTokenValidatedAsync
        }
    });

    // App-only token with the client credentials (Microsoft.Identity.Client preview API as used
    // by the daemon sample); no user is involved. Constants as defined in that sample:
    const string AuthorityFormat = "https://login.microsoftonline.com/{0}/v2.0";
    const string MSGraphScope = "https://graph.microsoft.com/.default";

    ConfidentialClientApplication daemonClient = new ConfidentialClientApplication(
        Startup.clientId,
        string.Format(AuthorityFormat, tenantId),
        Startup.redirectUri,
        new ClientCredential(Startup.clientSecret),
        null,                                    // no user token cache for app-only calls
        appTokenCache.GetMsalCacheInstance());   // app token cache from the sample

    // authResult.AccessToken is sent as the Bearer token on the Graph request in step 2.
    AuthenticationResult authResult = await daemonClient.AcquireTokenForClientAsync(new[] { MSGraphScope });

2. We can get the user by the email from the URL: https://graph.microsoft.com/v1.0/users/{email address}. For example, https://graph.microsoft.com/v1.0/users/xxx.outlook.com

For more details, we can refer to the v2.0 daemon sample on GitHub.

Keen Jin
  • That is pretty much what I want. I was just reading that article today. The code sample should prove useful as soon as I get admin consent for the app. I'll get back to the question as soon as I manage to test the app. Many thanks! Edit: one more thing, I assume User.Read.All should be enough for what I need, right? (User id to be used in the People field in SharePoint and display name/email) Edit2: Hmmm, if I think about it, I think I should also ask for Directory.Read.All just so I'm sure I'll be able to get security groups as well in case I need them in the future. – Dante R. Aug 13 '18 at 11:22
  • For your question 1, you are right. It's enough for your demand. Maybe you will need the application permissions for your second demand. If the answer is helpful for you, could you mark it as the answer? – Keen Jin Aug 14 '18 at 01:23
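Putting the answer's two steps together as an added example (not Keen Jin's code and not from the question): an MVC action that acquires the app-only token with the current MSAL.NET builder API (Microsoft.Identity.Client 4.x, which replaced the preview ConfidentialClientApplication constructor shown in the answer) and then asks Graph for the user's id and display name by email or by name prefix. The tenant id, client id, client secret and the UserSearch controller name are placeholders.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using System.Web.Mvc;
using Microsoft.Identity.Client; // MSAL.NET 4.x NuGet package
public class UserSearchController : Controller
{
    // Placeholders (assumed): load these from Web.config / Key Vault, never ship them to the browser.
    private const string TenantId = "<tenant-id>";
    private const string ClientId = "<app-client-id>";
    private const string ClientSecret = "<app-client-secret>";
    // App-only (client credentials) scope: ".default" resolves to the application permissions
    // (e.g. User.Read.All) an administrator has already consented to for this app.
    private static readonly string[] GraphScopes = { "https://graph.microsoft.com/.default" };
    private static readonly HttpClient Http = new HttpClient();

    private static async Task<string> GetAppOnlyTokenAsync()
    {
        var app = ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, TenantId)
            .Build();
        // MSAL caches the app token in memory and only contacts Azure AD when it is missing or expiring.
        AuthenticationResult result = await app.AcquireTokenForClient(GraphScopes).ExecuteAsync();
        return result.AccessToken;
    }

    // GET /UserSearch/Find?query=alice@contoso.com   or   /UserSearch/Find?query=Alice
    [HttpGet]
    public async Task<ActionResult> Find(string query)
    {
        if (string.IsNullOrWhiteSpace(query) || query.Length > 128)
            return new HttpStatusCodeResult(400, "query is required");
        // An email/UPN can be used directly after /users/. A name search goes through $filter; the
        // single quote is doubled so user input cannot break out of the OData string literal.
        string path = query.Contains("@")
            ? "users/" + Uri.EscapeDataString(query) + "?$select=id,displayName,mail"
            : "users?$select=id,displayName,mail&$filter=startswith(displayName,'"
              + Uri.EscapeDataString(query.Replace("'", "''")) + "')";
        var request = new HttpRequestMessage(HttpMethod.Get, "https://graph.microsoft.com/v1.0/" + path);
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", await GetAppOnlyTokenAsync());
        HttpResponseMessage graphResponse = await Http.SendAsync(request);
        // Graph already answers with JSON holding id, displayName and mail; relay it with its status
        // code (404 when the email is unknown) so the button-click script can handle both cases.
        Response.StatusCode = (int)graphResponse.StatusCode;
        return Content(await graphResponse.Content.ReadAsStringAsync(), "application/json");
    }
}
```

The secret and the User.Read.All application permission stay server-side: the search page only ever calls this action, so the browser never holds a Graph token and the user is never asked to sign in.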