adarsh hegde

Reputation: 1383

Graph API requests for guest users in Azure AD

I wanted to know how we can make Graph API calls for guest users in Azure AD. I am able to achieve it for internal users using the API examples given here, but the same calls are not working for a guest user. Is there any difference in the way the requests need to be made?

Upvotes: 5

Views: 3829

Answers (2)

steswinbank

Reputation: 76

@Shawn Tabrizi's answer above helped me achieve what I needed (get Azure AD group info for logged in user).

To get the user AD ObjectID from the identity claims, I used this:

using System.Linq;
using System.Security.Claims;

namespace HealthcareEfficiencyService_webApp.Helpers
{
    public class ClaimsHelper
    {
        // Claim type under which Azure AD exposes the user's directory object id
        // (the "oid" claim in the raw JWT).
        private static readonly string objectIdClaimsType = "http://schemas.microsoft.com/identity/claims/objectidentifier";

        // Returns the object id of the signed-in user, or null when the claim is absent.
        // FirstOrDefault yields null in that case, so ".Value" must be reached through "?."
        // to avoid a NullReferenceException on tokens that lack the claim.
        public static string getAdObjectId(ClaimsIdentity claimsIdentity)
        {
            return claimsIdentity.Claims.FirstOrDefault(x => x.Type == objectIdClaimsType)?.Value;
        }
    }
}

Upvotes: 0

Shawn Tabrizi

Reputation: 12434

Guest accounts in your tenant will have a different user principal name than the UPN they have in their home tenant. You should be able to see evidence of this by querying all the users in your tenant, and finding the external users which have a 'modified' user principal name, usually with "EXT".

You can see a direct example of this in our Demo Tenant here:

"userPrincipalName": "djayachandran.cw_mmm.com#EXT#@GraphDir1.onmicrosoft.com",

It seems like you will need to query for these users using other properties where their old UPN is not changed, like the 'mail' property. Ultimately, you want to find the ObjectId of the user you are interested in, and use that as your key to find the user information. You should be able to get the object id from the token of the signed in user.

Let me know if this helps! Thanks, Shawn Tabrizi

Upvotes: 5
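As an added example (not code from the question or from either answer), the lookup strategy described in this answer carried out in Python: deriving the "#EXT#" form Azure AD gives a B2B guest, querying by the unchanged mail property with the single quote doubled per OData rules, and keying the request on the object id claim from the signed-in user's token. The Graph endpoint and claim names are the real ones; the sample addresses and tenant domain are constructed.

```python
import urllib.parse

GRAPH_USERS = "https://graph.microsoft.com/v1.0/users"
# Long-form claim type used by the C# helper above; "oid" is the compact JWT name.
OBJECT_ID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"


def guest_upn(home_email: str, tenant_domain: str) -> str:
    """Derive the UPN a B2B guest is given in the resource tenant.

    Azure AD rewrites user@home.com to user_home.com#EXT#@<tenant domain>,
    which is why a lookup by the guest's home-tenant UPN finds nothing.
    """
    local, _, domain = home_email.partition("@")
    if not domain:
        raise ValueError("expected an e-mail style UPN")
    return f"{local}_{domain}#EXT#@{tenant_domain}"


def users_by_mail_url(mail: str) -> str:
    """Build a Graph query that finds the guest via the unchanged 'mail' property.

    A single quote in the value is doubled (OData escaping) so input cannot
    close the string literal and change the meaning of the filter.
    """
    literal = mail.replace("'", "''")
    expr = f"mail eq '{literal}'"
    return f"{GRAPH_USERS}?$filter={urllib.parse.quote(expr)}"


def user_by_object_id_url(claims: dict) -> str:
    """Address the signed-in user by the object id from their token.

    This is the stable key the answer recommends; the UPN is not used at all.
    """
    oid = claims.get(OBJECT_ID_CLAIM) or claims.get("oid")
    if not oid:
        raise KeyError("token carries no object identifier claim")
    return f"{GRAPH_USERS}/{urllib.parse.quote(oid, safe='')}"


if __name__ == "__main__":
    # Constructed sample values; the resulting UPN matches the shape shown in the answer.
    print(guest_upn("djayachandran.cw@mmm.com", "GraphDir1.onmicrosoft.com"))
    print(users_by_mail_url("djayachandran.cw@mmm.com"))
    print(user_by_object_id_url({"oid": "00000000-placeholder-object-id"}))
```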
