umer

Reputation: 1316

Update users' images on Azure Active Directory using Graph API (C# .NET Windows service)

My network admin has configured a local (on-prem) MS Active Directory on MS Windows Server 2008, and now they have moved to Azure Active Directory in hybrid mode, i.e. keeping both directories synchronized.

Earlier I wrote a Windows service to run on the machine where MS AD is installed; what this service actually does is as below:

1: Set up the configuration before starting the service, e.g. domain controller, BaseDN and administrator credentials.

2: The service runs after a specified interval and retrieves the users from a local intranet web server which need to be updated on AD (UserId, Name, Image etc.).

3: Users retrieved from the intranet web server have unique names and are already mapped on the local AD, so I search for the user on AD by CN="UserName".

4: After a successful search I have a DirectoryEntry instance of the user and can update their thumbnailPhoto.

Below is the code in brief:

// Namespaces this fragment needs:
using System;
using System.Configuration;
using System.DirectoryServices;
using System.Net;

// myLdapConnection is a DirectoryEntry bound to the domain with the configured
// administrator credentials; usersList comes from the intranet web server;
// CreateThumbnail, Log4Net and UserServices are the service's own helpers.
string webServerAddress = ConfigurationManager.AppSettings["WebserverAddress"];

foreach (var userInDB in usersList)
{
    string imagePath = webServerAddress + userInDB.ImagePath;
    try
    {
        using (DirectorySearcher dsSearcher = new DirectorySearcher(myLdapConnection))
        {
            // Escape the user name before embedding it in the LDAP filter (RFC 4515),
            // so a name containing ( ) * or \ cannot change the meaning of the query.
            dsSearcher.Filter = "(&(objectClass=user)(cn=" + EscapeLdapFilterValue(userInDB.UserName) + "))";
            SearchResult result = dsSearcher.FindOne();

            if (result != null)
            {
                using (DirectoryEntry user = new DirectoryEntry(result.Path))
                using (var webClient = new WebClient())
                {
                    byte[] userImage = webClient.DownloadData(imagePath);
                    byte[] userImageThumbnail = CreateThumbnail(userImage, 96);
                    Log4Net.WriteLog("Image File Converted to bytes", LogType.GENERALLOG);

                    // thumbnailPhoto is single-valued: clear the old value, then add the new bytes.
                    user.Properties["thumbnailPhoto"].Clear();
                    user.Properties["thumbnailPhoto"].Add(userImageThumbnail);
                    user.CommitChanges();
                }
                new UserServices().UpdateUser(userInDB.UserId);
            }
            else
            {
                Log4Net.WriteLog("No AD user found with cn=" + userInDB.UserName, LogType.GENERALLOG);
            }
        }
    }
    catch (Exception ex)
    {
        Log4Net.WriteException(ex);
    }
}

// Escapes the characters that have special meaning inside an LDAP search filter.
static string EscapeLdapFilterValue(string value)
{
    return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
}

So far so good; the service works perfectly and syncs my users' images from the local intranet web server to the local AD.

Now, coming to Azure AD, I want to sync the same images to Azure AD. After some quick R&D I have come to the following solutions:

1: I can use the Graph API and update the users with the following HTTP request:

PATCH /users/{id | userPrincipalName}/photo/$value  

My concerns about this solution are as below:

1: Are userPrincipalName and CN common identities? (I have very little knowledge of network administration and I haven't configured the local AD and Azure AD, so I have no idea how the local AD is synced with Azure AD.) I need to be sure that I will access the user in Azure AD by providing the same user name (for userPrincipalName) which I used to access it in the local AD (for CN).

2: My second concern is that I have gone through the documentation about configuring the MS Graph API, e.g.

(i) Register your app.

(ii) Configure permissions for Microsoft Graph on your app.

(iii) Get administrator consent.

(iv) Get an access token.

(v) Use the access token to call Microsoft Graph.

I do not fully understand the 3rd point though, e.g. how does this scenario fit in for a Windows service running on its own after a specified interval? Is it a one-time job to get the administrator consent and use the service later on without it? Is there a scenario where we can get the administrator consent for a registered application once (in a separate application, preferably) and use the Windows service to access Azure AD later on without any problem?

3: My third and last concern about this whole scenario is: "Do I really need to do this all?"

I have gone through some articles like

https://support.office.com/en-ie/article/active-directory-connect-and-office-365-856f2f62-a6e8-4ab0-817b-adabd8f27332#ID0EAABAAA=Course_Overview

about Active Directory Connect and Office 365. Isn't it sufficient to update the local on-prem AD with the Windows service and configure Azure AD to get automatically updated (synced), i.e. to leave it to the network administrator to configure both directories to sync automatically?

Do I really need to update both the local AD and Azure AD separately? (In a single Windows service or 2 Windows services?)

Bottom line: I am a newbie to Azure AD or even AD; the description above is the result of my quick R&D. I have not yet set up the complete environment to implement the solution, e.g. getting a free developer account for Office 365, setting up a local AD on my Windows server, registering my application at the Microsoft App Registration Portal and doing the rest of the job, because before moving on and setting up the environment I need a go-ahead from experts on Azure AD that I am going in the right direction and which solution is suitable for the above-described scenario. To repeat it again: "I want to update the users' images from my local intranet web server to Azure AD".

Kindly suggest the best lines to follow.

Thanks and regards,

Upvotes: 0

Views: 1098

Answers (1)

Chris Johnson

Reputation: 1340

You have a number of questions in your question, but I'll try to address each part:

1: Are userPrincipalName and CN common identities?

Yes, your AD should have the userPrincipalName for each user. You should be able to look up the user and then get their UPN from AD.

2: Is it a one-time job to get the administrator consent and use the service later on without it? Is there a scenario where we can get the administrator consent for a registered application once (in a separate application, preferably) and use the Windows service to access Azure AD later on without any problem?

Yes, administrator consent to an application is given once (unless you need to change permission scopes). For this type of solution (no UI) you should consider using the client credential flow vs. delegated authentication. With client credentials you get an App ID and Secret and use those to get an access token each time you need one. You don't need a user to sign in as part of the authentication flow, and you don't need to handle refresh tokens. See: client credential auth flow.

3: My third and last concern about this whole scenario is: "Do I really need to do this all?"

You probably do, sadly. AD Connect will sync thumbnailPhoto to AAD; however, if a user updates their photo in O365, the thumbnail will no longer sync from AAD to Office 365 (EXO/SPO) ever again automatically. This breaks sync, and you will probably need to push photos to the Microsoft Graph, which will put the photo in EXO if the user has a mailbox, which is where most of O365 pulls its photo from. Short answer: yes, you probably should.

Upvotes: 1
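As an added example (not the asker's code and not from the answer), one way to put the answer's three points together inside the existing Windows service: take the UPN from the on-prem SearchResult instead of assuming CN equals UPN, get an app-only token with the client credential flow, and send the PATCH /users/{userPrincipalName}/photo/$value request from the question. It assumes the MSAL library (NuGet package Microsoft.Identity.Client), an app registration granted the application permission User.ReadWrite.All with admin consent already given, and placeholder tenantId/clientId/clientSecret values.

```csharp
using System;
using System.DirectoryServices;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;   // NuGet: Microsoft.Identity.Client (MSAL)

public static class GraphPhotoSync
{
    // Same user as the on-prem lookup: the SearchResult already carries the UPN,
    // so the Graph call uses that rather than assuming CN == userPrincipalName.
    public static string GetUpn(SearchResult result)
    {
        ResultPropertyValueCollection values = result.Properties["userPrincipalName"];
        if (values == null || values.Count == 0)
            throw new InvalidOperationException("No userPrincipalName on " + result.Path);
        return (string)values[0];
    }

    // Client credential flow: app-only token, no signed-in user, no refresh token.
    // tenantId, clientId and clientSecret are placeholders from the app registration.
    public static async Task<string> GetAppTokenAsync(string tenantId, string clientId, string clientSecret)
    {
        IConfidentialClientApplication app = ConfidentialClientApplicationBuilder
            .Create(clientId)
            .WithClientSecret(clientSecret)
            .WithAuthority(AzureCloudInstance.AzurePublic, tenantId)
            .Build();
        // "/.default" requests the application permissions the admin already consented to.
        AuthenticationResult auth = await app
            .AcquireTokenForClient(new[] { "https://graph.microsoft.com/.default" })
            .ExecuteAsync();
        return auth.AccessToken;
    }

    // PATCH /users/{userPrincipalName}/photo/$value with the raw JPEG bytes.
    public static async Task UploadPhotoAsync(HttpClient http, string accessToken, string upn, byte[] jpeg)
    {
        string url = "https://graph.microsoft.com/v1.0/users/" + Uri.EscapeDataString(upn) + "/photo/$value";
        using (var request = new HttpRequestMessage(new HttpMethod("PATCH"), url))
        {
            request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
            request.Content = new ByteArrayContent(jpeg);
            request.Content.Headers.ContentType = new MediaTypeHeaderValue("image/jpeg");
            using (HttpResponseMessage response = await http.SendAsync(request))
            {
                response.EnsureSuccessStatusCode(); // Graph returns 200 OK on success
            }
        }
    }
}
```

Keep the client secret out of the service binary and in protected configuration, since whoever holds it can rewrite every user's photo in the tenant.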
