Azure AD Graph API无法访问Microsoft帐户

Question

I have 2 users in Azure AD

1. Microsoft Account user
2. Microsoft Azure Active Directory user

User 2 always works in Graph API calls but not the user 1.

https://graph.windows.net/tenantid/users/testmail@hotmail.com?api-version=2013-04-05

(Email actually is url encoded as testmail%40hotmail.com). This gives the following error "{\\"odata.error\\":{\\"code\\":\\"Request_ResourceNotFound\\",\\"message\\":{\\"lang\\":\\"en\\",\\"value\\":\\"Resource 'testmail@hotmail.com' does not exist or one of its queried reference-property objects are not present.\\"}}}"

Does anyone know how to fix this?

Edited: Things I figured out trying to fix this. I am using UserPrincipal name in the query above(..users/testmail@hotmail.com?..). For built-in domain accounts userPricipal name is testmail@domain.com(this works) but for a Microsoft account userPrincipal name is testmail_hotmail.com#EXT#@domain.com. This was given in the all users list ( https://graph.windows.net/tenantid/users?api-version=2013-04-05 ). But even when I changed the query to '..users/testmail_hotmail.com#EXT#@domain.com?..' ofcourse after url encoding(testmail_hotmail.com%23EXT%23%40domain.com), still it does not work. Objectid always works though for all accounts(..users/objectId?..) .

Also tried otherMails. May be the api is wrong as otherMails is an array. " https://graph.windows.net/tenantId/Users ?$filter=otherMails eq 'testmail%40hotmail.com'&api-version=2013-04-05"

So the question still remains. if only email is available for an MS account(not objectid) when making the call, how to get user details?

Answer 1

You are missing your domain in the URL you posted. It should be

https://graph.windows.net/[your Azure AD domain]/users

To get the email address for a user you need to add the object Id of the user in the request URL. So, for example, to get an Azure AD user it would be like this:

https://graph.windows.net/[your Azure AD domain]/users/[object ID of user]/mail

For users in the directory sourced from a Microsoft Account , the mail property is null. So, you will have to look in the otherMails property like this:

https://graph.windows.net/[your Azure AD domain]/users/[object ID of user]/otherMails

If you want to access the full user account using a user's UPN, you can do that for users sourced from Azure AD. For example, for a tenant domain contoso.com and a user with a UPN johndoe@contoso.com, the query would look like this:

https://graph.windows.net/contoso.com/users/johndoe@contoso.com

This doesn't work for users sourced from Microsoft Accounts. For these accounts, the UPN contains characters (#, . for example) that break the query. You can filter by the UPN though using the naming convention that is used for users sourced from Microsoft Accounts. Suppose you have a user whose email is jayhamlin@yahoo.com in your directory. The UPN would be something like jayhamlin_yahoo.com#EXT#@contoso.com . So, you could use a filter and look for the first part of the UPN like this:

https://graph.windows.net/contoso.com/users?api-version=2013-11-08&$filter=startswith(userPrincipalName, 'jayhamlin_yahoo')

You can easily explore the Graph API and object properties for your directory using https://graphexplorer.cloudapp.net .

Answer 2

That filter can work, but you could also filter on otherMails. Your original query didn't work because otherMails is a multi-valued property- so you need to use "any":

https://graph.windows.net/tenantId/users?api-version=1.5& $filter=otherMails/any(x:startswith(x,'testmail@hotmail.com'))

When are you using this lookup? Is it once the user has signed in or for some people picking scenario?

Cheers,