Reputation: 1177
I have an application that needs to filter permissions based on their on-prem AD common name. Couple of notes:
The problem I'm having is that the data returned from the Graph API is not what I need, or I have not properly configured Azure AD Connect. The Graph API JSON return object for groups is documented here.
Here is the Group object returned from Graph API:
```json
{
  "odata.metadata": "https://graph.windows.net/myorganization/$metadata#directoryObjects/Microsoft.DirectoryServices.Group/@Element",
  "odata.type": "Microsoft.DirectoryServices.Group",
  "objectType": "Group",
  "objectId": "b4bda672-1fba-4711-8fb1-5383c40b2c14",
  "deletionTimestamp": null,
  "description": "Marketing Department",
  "dirSyncEnabled": null,
  "displayName": "Marketing",
  "lastDirSyncTime": null,
  "mail": null,
  "mailNickname": "BposMailNickName",
  "mailEnabled": false,
  "onPremisesSecurityIdentifier": null,
  "provisioningErrors": [],
  "proxyAddresses": [],
  "securityEnabled": true
}
```
The closest thing I can find is "Display Name", but this is not the Common Name. An option, one I don't want to use, is to make all of the "Display Names" the same as the group CN.
TL;DR: Is a user group's CN accessible through the Graph API and, if so, how can I get to this data?
Update: I'm using the Graph API endpoint getObjectsByObjectIds to hit the Graph API once I have retrieved all of the user's group IDs.
Upvotes: 0
Views: 3126
Reputation: 5838
CN is not accessible through the Graph API (AAD or Microsoft Graph). If you are looking for a common unique identifier between on-premises and the cloud, then you could use the on-premises group SID (onPremisesSecurityIdentifier in the cloud). This property is filterable.
The only other option I can think of (if that's not acceptable and you really need CN) is to use directory schema extensions, to extend the group entity with an additional CN property. Schema extensions are also filterable. Please also take a look at the latest AD Connect versions, as I believe they offer the ability to create/configure AAD cloud schema extensions and map from on-premises.
Hope this helps,
Upvotes: 2
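To make the answer's suggestion concrete, here is an added example (my own code, not the asker's application or anything from Microsoft's documentation) that keys an application's permission map on onPremisesSecurityIdentifier instead of displayName and builds the corresponding AAD Graph $filter query. The group objects, SIDs and permission names are constructed placeholders in the Azure AD Graph v1.6 group shape shown in the question; the cloud-only group with a colliding display name is there to show why display names are an unsafe key.

```python
import re
from urllib.parse import quote

# Constructed sample in the AAD Graph "Group" shape from the question.
# SIDs and objectIds are made-up placeholders, not real directory values.
SAMPLE_GROUPS = [
    {   # synced from on-prem AD: carries the group's domain SID
        "objectId": "b4bda672-1fba-4711-8fb1-5383c40b2c14",
        "displayName": "Marketing",
        "dirSyncEnabled": True,
        "onPremisesSecurityIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-1105",
        "securityEnabled": True,
    },
    {   # cloud-only group whose display name collides with the synced one
        "objectId": "00000000-0000-4000-8000-000000000001",
        "displayName": "Marketing",
        "dirSyncEnabled": None,
        "onPremisesSecurityIdentifier": None,
        "securityEnabled": True,
    },
    {   # second synced security group
        "objectId": "00000000-0000-4000-8000-000000000002",
        "displayName": "Finance Admins",
        "dirSyncEnabled": True,
        "onPremisesSecurityIdentifier": "S-1-5-21-1111111111-2222222222-3333333333-1200",
        "securityEnabled": True,
    },
]

# Hypothetical permission map keyed by on-prem SID. A SID survives group renames
# and is unique across the forest, which a displayName or CN is not.
PERMISSIONS_BY_SID = {
    "S-1-5-21-1111111111-2222222222-3333333333-1105": {"reports:read"},
    "S-1-5-21-1111111111-2222222222-3333333333-1200": {"reports:read", "ledger:write"},
}

# Domain-group SID: S-1-5-21, three domain sub-authorities, then the group RID.
# Rejects well-known/builtin SIDs such as S-1-5-32-544, which are never
# tenant-specific and should not be used as a permission key here.
SID_RE = re.compile(r"^S-1-5-21(-\d+){3}-\d+$")


def on_prem_sid(group):
    """Return the group's on-prem domain SID, or None for cloud-only or malformed entries."""
    sid = group.get("onPremisesSecurityIdentifier")
    if not sid or not SID_RE.match(sid):
        return None
    return sid


def permissions_for(groups, permissions_by_sid=PERMISSIONS_BY_SID):
    """Union of permissions granted by the caller's groups, matched on on-prem SID only."""
    granted = set()
    for group in groups:
        if not group.get("securityEnabled"):
            continue  # distribution groups never carry permissions
        sid = on_prem_sid(group)
        if sid is not None:
            granted |= permissions_by_sid.get(sid, set())
    return granted


def sid_filter_url(sid, api_version="1.6"):
    """AAD Graph groups query selecting one group by on-prem SID via $filter."""
    if not SID_RE.match(sid):
        raise ValueError("not a domain-group SID: %r" % sid)
    flt = quote("onPremisesSecurityIdentifier eq '%s'" % sid, safe="'")
    return ("https://graph.windows.net/myorganization/groups"
            "?api-version=%s&$filter=%s" % (api_version, flt))


if __name__ == "__main__":
    print(sorted(permissions_for(SAMPLE_GROUPS)))
    print(sid_filter_url("S-1-5-21-1111111111-2222222222-3333333333-1105"))
```

The cloud-only "Marketing" group contributes nothing even though its display name matches a synced group, and a group that is synced but absent from the map is simply ignored, so adding a new on-prem group never grants anything until an operator maps its SID explicitly.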