What is the manager attribute value that needs to be sent to Azure AD?

Hi there,

I'm creating and updating users on Azure AD using Azure AD driver version 5.1.7. I'm able to create, modify and delete the user account on Azure, but I'm not able to configure the manager attribute. I tried to use a value from the IDM side that would identify the manager, with no success; I then tried to use the Azure AD object ID attribute of the manager as the value to configure the manager attribute, with no success either. I have searched the Internet to find the value format for the manager attribute on Azure AD, but in the only document I found, it looks like it is the manager's Object ID.

https://learn.microsoft.com/en-us/graph/api/user-post-manager?view=graph-rest-1.0&tabs=http

Another attribute that I'm not able to configure is the creationType. We are trying to configure Invitation as the value, but it returns an error, and the user is not created. On the customer's production environment we can see a user with the value Invitation on the creationType attribute. I believe that to be able to set this value, some other attributes must be configured as well, but I have not found anything regarding this so far.

One idea just occurred to me. Is it necessary to create the user first and then update it with the manager information?

Any help on these 2 issues will be very helpful. The manager is the important one.

Thanks. 

Gustavo

  • 0  

    Hi Gustavo

    According to the documentation you found, you must pass the manager GUID (AzureID) to establish a link to the manager.

    HTTP MS example:

    PUT graph.microsoft.com/.../10f17b99-784c-4526-8747-aec8a3159d6a/manager/$ref
    Content-type: application/json

    {
    "@odata.id": "graph.microsoft.com/.../6ea91a8d-e32e-41a1-b7bd-d2d185eed0e0"
    }

    10f17b99-784c-4526-8747-aec8a3159d6a - User's AzureGUID

    6ea91a8d-e32e-41a1-b7bd-d2d185eed0e0 - Manager's AzureGUID

    Assign a user's manager.

    Note: You cannot assign direct reports; instead, use this API.

    According to MS GRAPH API, you can't create a "backlink" (Manager to User). It is always supposed to be User to Manager.

    If I remember correctly, instead of the AzureGUID you can use the UPN (email).

    PowerShell example:

    # $Request holds the OAuth2 token response obtained earlier (not shown):
    # token_type is "Bearer" and access_token is the bearer token for Graph.
    $Header = @{
        Authorization = "$($Request.token_type) $($Request.access_token)"
    }

    # The manager is referenced by its @odata.id (object id or UPN in the URL).
    $bodyProcess = @{
        "@odata.id" = "graph.microsoft.com/.../aa9999a1-1111-11a2-abab-asfdas32"
    }
    $body = $bodyProcess | ConvertTo-Json

    # The user being updated goes in the URL; single quotes keep '$ref' literal.
    $Uri = 'graph.microsoft.com/.../$ref'
    Invoke-RestMethod -Uri $Uri -Headers $Header -Method PUT -ContentType "application/json" -Body $body
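    To make the request format above concrete, here is an added Python example (not from the reply or from the IDM driver) that builds the same PUT with urllib, accepts either the object id or the UPN in the user path segment, and maps the HTTP status Graph returns for a $ref write to an operator message. It assumes a bearer token already obtained through OAuth2 client credentials (token acquisition is not shown; `<access_token>` is a placeholder) and uses the v1.0 endpoint; the object ids are the ones from the reply above, and the function names are this example's own.

```python
import json
import re
from urllib.parse import quote
from urllib.request import Request

GRAPH = "https://graph.microsoft.com/v1.0"

# Graph addresses a user as /users/{id | userPrincipalName}. Accept exactly
# those two shapes so a bad IDM value fails here, not as a 400 from Graph.
_GUID = re.compile(r"^[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}$", re.I)
_UPN = re.compile(r"^[^@\s/]+@[^@\s/]+$")


def user_segment(ident: str) -> str:
    """Return the /users/ path segment for an object id or a UPN."""
    if _GUID.match(ident):
        return ident.lower()
    if _UPN.match(ident):
        return quote(ident, safe="@")
    raise ValueError(f"not an Azure AD object id or UPN: {ident!r}")


def manager_ref_request(user: str, manager: str, token: str) -> Request:
    """PUT /users/{user}/manager/$ref with the manager's @odata.id.

    The link is written on the report, never on the manager: directReports
    is not writable, so "manager -> user" must be sent as "user -> manager".
    Graph answers 204 No Content on success.
    """
    url = f"{GRAPH}/users/{user_segment(user)}/manager/$ref"
    body = json.dumps({"@odata.id": f"{GRAPH}/users/{user_segment(manager)}"})
    return Request(
        url,
        data=body.encode("utf-8"),
        method="PUT",
        headers={
            # Graph accepts only an OAuth2 bearer token; Basic auth gets 401.
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/json",
        },
    )


def manager_unlink_request(user: str, token: str) -> Request:
    """DELETE /users/{user}/manager/$ref removes the link (also 204)."""
    url = f"{GRAPH}/users/{user_segment(user)}/manager/$ref"
    return Request(url, method="DELETE",
                   headers={"Authorization": f"Bearer {token}"})


def describe_status(code: int) -> str:
    """Turn the status code of a $ref write into an actionable message."""
    return {
        204: "ok: manager link written (no response body is returned)",
        400: "bad request: body is not {'@odata.id': '<GRAPH>/users/{id}'}",
        401: "unauthorized: missing/expired token, or not a Bearer token",
        403: "forbidden: app needs User.ReadWrite.All or Directory.ReadWrite.All",
        404: "not found: user or manager id/UPN does not exist in the tenant",
    }.get(code, f"unexpected HTTP {code}")


if __name__ == "__main__":
    # Constructed ids taken from the reply above; the token is a placeholder.
    req = manager_ref_request("10f17b99-784c-4526-8747-aec8a3159d6a",
                              "6ea91a8d-e32e-41a1-b7bd-d2d185eed0e0",
                              "<access_token>")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
    # urllib.request.urlopen(req) would send it; expect describe_status(204).
```

    Nothing is sent when the script runs; the point is that the URL, the `@odata.id` body and the `Authorization: Bearer` header can be inspected before the call, which is what the "unauthorized" reply from a Basic-auth attempt would otherwise hide.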
  • 0   in reply to   

    CreationType is a Read-Only attribute set by the system during user creation

    creationType String Indicates whether the user account was created through one of the following methods:
    • As a regular school or work account (null).
    • As an external account (Invitation).
    • As a local account for an Azure Active Directory B2C tenant (LocalAccount).
    • Through self-service sign-up by an internal user using email verification (EmailVerified).
    • Through self-service sign-up by a guest signing up through a link that is part of a user flow (SelfServiceSignUp).

    Read-only.
    Returned only on $select. Supports $filter (eq, ne, not, in).
  • 0   in reply to   

    https://learn.microsoft.com/en-us/dotnet/api/microsoft.azure.powershell.cmdlets.resources.msgraph.models.apiv10.microsoftgraphuser.creationtype?view=az-ps-latest

    MicrosoftGraphUser.CreationType Property


    Definition

    Indicates whether the user account was created as a regular school or work account (null), an external account (Invitation), a local account for an Azure Active Directory B2C tenant (LocalAccount) or self-service sign-up using email verification (EmailVerified). Read-only. Supports $filter (eq, ne, NOT, and in).

    [Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.DoNotFormat]
    [Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.Origin(Microsoft.Azure.PowerShell.Cmdlets.Resources.MSGraph.PropertyOrigin.Owned)]
    public string CreationType { get; }

  • 0 in reply to   

    Thank you. I had in my mind that the configuration of this attribute is done by the system, but I was not sure about it. Thanks.

  • 0 in reply to   

    I'm using the Invoke REST Endpoint action but I'm not sure if the authentication method should be basic or OAuth2. I'm using the clientID as the authentication ID and the basic authentication method. I'm getting an unauthorized message back. What would be the correct configuration? Thanks.

  • Verified Answer

    +1   in reply to   

    I just tested the manager attribute update and I can confirm that the driver handles this operation correctly and takes care of all MS Graph API internal complexities for the set manager operation.

    You just have to link to user objects that already have associations.

    Cut from my driver log:

    [11/01/24 21:35:54.201]:AAD2 ST:Policy returned:
    [11/01/24 21:35:54.201]:AAD2 ST:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.9.0.0000">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <modify cached-time="20241102013553.900Z" class-name="user" event-id="DC1-NDS#20241102013553#1#1:a32c546d-9eeb-47f2-ab48-327e2fe37d23" qualified-src-dn="O=data\OU=users\CN=AlexW" src-dn="\IDM-TREE\data\users\AlexW" src-entry-id="33038" timestamp="1730511353#6">
    <association state="associated">37818dba-5ed5-4c6e-a9c3-c59bc3f2c4ec</association>
    <modify-attr attr-name="manager">
    <add-value>
    <value association-ref="903ef65b-133a-4b6d-bc8c-697d19b73ca2" timestamp="1730511353#6" type="dn">\IDM-TREE\data\users\AdeleV</value>
    </add-value>
    </modify-attr>
    </modify>
    </input>
    </nds>
    [11/01/24 21:35:54.203]:AAD2 ST:Submitting document to subscriber shim:
    [11/01/24 21:35:54.204]:AAD2 ST:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.9.0.0000">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <modify cached-time="20241102013553.900Z" class-name="user" event-id="DC1-NDS#20241102013553#1#1:a32c546d-9eeb-47f2-ab48-327e2fe37d23" qualified-src-dn="O=data\OU=users\CN=AlexW" src-dn="\IDM-TREE\data\users\AlexW" src-entry-id="33038" timestamp="1730511353#6">
    <association state="associated">37818dba-5ed5-4c6e-a9c3-c59bc3f2c4ec</association>
    <modify-attr attr-name="manager">
    <add-value>
    <value association-ref="903ef65b-133a-4b6d-bc8c-697d19b73ca2" timestamp="1730511353#6" type="dn">\IDM-TREE\data\users\AdeleV</value>
    </add-value>
    </modify-attr>
    </modify>
    </input>
    </nds>
    [11/01/24 21:35:54.207]:AAD2 ST:Remote Interface Driver: Sending...
    [11/01/24 21:35:54.207]:AAD2 ST:
    <nds dtdversion="4.0" ndsversion="8.x">
    <source>
    <product edition="Advanced" version="4.9.0.0000">DirXML</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <input>
    <modify cached-time="20241102013553.900Z" class-name="user" event-id="DC1-NDS#20241102013553#1#1:a32c546d-9eeb-47f2-ab48-327e2fe37d23" qualified-src-dn="O=data\OU=users\CN=AlexW" src-dn="\IDM-TREE\data\users\AlexW" src-entry-id="33038" timestamp="1730511353#6">
    <association state="associated">37818dba-5ed5-4c6e-a9c3-c59bc3f2c4ec</association>
    <modify-attr attr-name="manager">
    <add-value>
    <value association-ref="903ef65b-133a-4b6d-bc8c-697d19b73ca2" timestamp="1730511353#6" type="dn">\IDM-TREE\data\users\AdeleV</value>
    </add-value>
    </modify-attr>
    </modify>
    </input>
    </nds>
    [11/01/24 21:35:54.211]:AAD2 ST:Remote Interface Driver: Document sent.
    [11/01/24 21:35:54.211]:AAD2 ST:Remote Interface Driver: Waiting for receive...
    [11/01/24 21:35:55.075]:AAD2 ST:Remote Interface Driver: Received
    [11/01/24 21:35:55.075]:AAD2 ST:
    <nds dtdversion="2.0" ndsversion="8.x">
    <source>
    <product build="20240611_0150" instance="AAD2" version="5.2.0.0100">Identity Manager Driver for Azure AD and Office 365</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <output>
    <status event-id="DC1-NDS#20241102013553#1#1:a32c546d-9eeb-47f2-ab48-327e2fe37d23" level="success"/>
    </output>
    </nds>

  • 0   in reply to   

    Remote Loader shows "internal" MS GRAPH calls:

    DirXML: [11/01/24 21:35:54.80]: TRACE: AAD2_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberRequest()
    DirXML: [11/01/24 21:35:54.80]: TRACE: AAD2_Azure: customHandler
    DirXML: [11/01/24 21:35:54.80]: TRACE: AAD2_Azure: customHandler: class-name == 'users'
    DirXML: [11/01/24 21:35:54.80]: TRACE: AAD2_Azure: Custom: preparing PUT to graph.microsoft.com/.../$ref
    DirXML: [11/01/24 21:35:54.80]: TRACE: AAD2_Azure: Resetting headers
    DirXML: [11/01/24 21:35:54.80]: TRACE: AAD2_Azure: Setting the following HTTP request properties:
    Authorization: <content suppressed>
    DirXML: [11/01/24 21:35:54.80]: TRACE: AAD2_Azure: Content-Type:application/json
    DirXML: [11/01/24 21:35:54.80]: TRACE: AAD2_Azure: Did a HTTP PUT with 96 bytes of data to graph.microsoft.com/.../$ref
    DirXML: [11/01/24 21:35:54.80]: TRACE: AAD2_Azure: *******************************************************
    DirXML: [11/01/24 21:35:54.80]: TRACE: AAD2_Azure: **********************LOGGING REQUEST******************
    DirXML: [11/01/24 21:35:54.80]: TRACE: AAD2_Azure: *******************************************************
    DirXML: [11/01/24 21:35:54.80]: TRACE: AAD2_Azure: Request URL :graph.microsoft.com/.../$ref
    DirXML: [11/01/24 21:35:54.80]: TRACE: AAD2_Azure: Http Method : PUT
    DirXML: [11/01/24 21:35:54.80]: TRACE: AAD2_Azure: Sending http request with below headers :-
    DirXML: [11/01/24 21:35:54.80]: TRACE: AAD2_Azure: Authorization: <content suppressed>
    DirXML: [11/01/24 21:35:54.80]: TRACE: AAD2_Azure: Content-Type: application/json
    DirXML: [11/01/24 21:35:54.80]: TRACE: AAD2_Azure: ***************************END**************************
    DirXML: [11/01/24 21:35:55.01]: TRACE: AAD2_Azure: ********************************************************
    DirXML: [11/01/24 21:35:55.01]: TRACE: AAD2_Azure: ***********************LOGGING RESPONSE*****************
    DirXML: [11/01/24 21:35:55.01]: TRACE: AAD2_Azure: ********************************************************
    DirXML: [11/01/24 21:35:55.01]: TRACE: AAD2_Azure: Http response code : 204
    DirXML: [11/01/24 21:35:55.01]: TRACE: AAD2_Azure: Http response status : HTTP/1.1 204 No Content
    DirXML: [11/01/24 21:35:55.01]: TRACE: AAD2_Azure: Getting http response with below headers :-
    DirXML: [11/01/24 21:35:55.01]: TRACE: AAD2_Azure: Cache-Control: no-cache
    DirXML: [11/01/24 21:35:55.01]: TRACE: AAD2_Azure: Strict-Transport-Security: max-age=31536000
    DirXML: [11/01/24 21:35:55.01]: TRACE: AAD2_Azure: request-id: 82bb2424-873b-4a88-9cb8-1b25d403f5f2
    DirXML: [11/01/24 21:35:55.01]: TRACE: AAD2_Azure: client-request-id: 82bb2424-873b-4a88-9cb8-1b25d403f5f2
    DirXML: [11/01/24 21:35:55.01]: TRACE: AAD2_Azure: x-ms-ags-diagnostic: {"ServerInfo":{"DataCenter":"Canada Central","Slice":"E","Ring":"3","ScaleUnit":"001","RoleInstance":"YT1PEPF00001AC2"}}
    DirXML: [11/01/24 21:35:55.01]: TRACE: AAD2_Azure: x-ms-resource-unit: 1
    DirXML: [11/01/24 21:35:55.01]: TRACE: AAD2_Azure: Date: Sat, 02 Nov 2024 01:35:56 GMT
    DirXML: [11/01/24 21:35:55.01]: TRACE: AAD2_Azure: Sending http response with body :-
    DirXML: [11/01/24 21:35:55.01]: TRACE: AAD2_Azure: **********************END*****************************
    DirXML: [11/01/24 21:35:55.01]: TRACE: AAD2_Azure: Response code and message: 204 No Content
    DirXML: [11/01/24 21:35:55.01]: TRACE: AAD2_Azure: Calling document modifier class com.novell.nds.dirxml.driver.azure.apiext.GraphAPIExtension.modifySubscriberResponse()
    DirXML: [11/01/24 21:35:55.01]: TRACE: AAD2: Received response document from subscriber
    DirXML: [11/01/24 21:35:55.01]: TRACE: Remote Loader: SubscriptionShim.execute() returned:
    DirXML: [11/01/24 21:35:55.01]: TRACE: <nds dtdversion="2.0" ndsversion="8.x">
    <source>
    <product build="20240611_0150" instance="AAD2" version="5.2.0.0100">Identity Manager Driver for Azure AD and Office 365</product>
    <contact>NetIQ Corporation</contact>
    </source>
    <output>
    <status event-id="DC1-NDS#20241102013553#1#1:a32c546d-9eeb-47f2-ab48-327e2fe37d23" level="success"/>
    </output>
    </nds>
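    The trace above shows the engine handing the driver a manager value whose association-ref is the manager's Azure AD object id, and the Remote Loader turning it into a PUT to .../manager/$ref that Graph answers with 204. As an added example, not the driver's code, the Python below approximates that translation as it can be read from the log: it parses the modify document (a constructed copy of the one in the trace, trimmed to the elements used), uses the user's own association and the manager's association-ref as the two object ids, refuses a manager DN that carries no association-ref (the "already associated" requirement from the verified answer), and builds the status document the shim hands back. The URL and body are the documented Graph $ref contract; the function names and error text are this example's own.

```python
import json
import xml.etree.ElementTree as ET

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed input: the modify event from the driver trace above, reduced to
# the elements this example reads. Backslashes are eDirectory DN separators.
MODIFY_DOC = r"""<nds dtdversion="4.0" ndsversion="8.x">
<input>
<modify class-name="user" event-id="DC1-NDS#20241102013553#1#1:a32c546d-9eeb-47f2-ab48-327e2fe37d23" src-dn="\IDM-TREE\data\users\AlexW">
<association state="associated">37818dba-5ed5-4c6e-a9c3-c59bc3f2c4ec</association>
<modify-attr attr-name="manager">
<add-value>
<value association-ref="903ef65b-133a-4b6d-bc8c-697d19b73ca2" type="dn">\IDM-TREE\data\users\AdeleV</value>
</add-value>
</modify-attr>
</modify>
</input>
</nds>"""


def plan_manager_calls(nds_xml: str) -> list:
    """Translate manager changes in a subscriber modify event into Graph calls.

    The user's <association> is its Azure AD object id; the manager DN is
    usable only through its association-ref, the manager's object id. A
    manager without one has not been synchronised yet, so the event is
    rejected instead of sending a DN that Graph cannot resolve.
    """
    root = ET.fromstring(nds_xml)
    calls = []
    for mod in root.iter("modify"):
        assoc = mod.find("association")
        if assoc is None or assoc.get("state") != "associated" or not assoc.text:
            raise LookupError(f"{mod.get('src-dn')} has no Azure AD association")
        base = f"{GRAPH}/users/{assoc.text.strip()}/manager/$ref"
        for attr in mod.findall("modify-attr"):
            if attr.get("attr-name") != "manager":
                continue
            for val in attr.findall("add-value/value"):
                ref = val.get("association-ref")
                if not ref:
                    raise LookupError(
                        f"manager {val.text} is not associated in Azure AD yet")
                calls.append({
                    "event_id": mod.get("event-id"),
                    "method": "PUT",          # user -> manager link
                    "url": base,
                    "body": json.dumps({"@odata.id": f"{GRAPH}/users/{ref}"}),
                })
            if attr.find("remove-value/value") is not None:
                calls.append({
                    "event_id": mod.get("event-id"),
                    "method": "DELETE",       # clears the manager link
                    "url": base,
                    "body": None,
                })
    return calls


def status_document(event_id: str, http_code: int) -> str:
    """Build the <status> the shim returns to the engine for one event."""
    level = "success" if http_code == 204 else "error"
    status = ET.Element("status", {"event-id": event_id, "level": level})
    if level == "error":
        status.text = f"Graph returned HTTP {http_code}"
    out = ET.Element("nds", {"dtdversion": "2.0", "ndsversion": "8.x"})
    ET.SubElement(out, "output").append(status)
    return ET.tostring(out, encoding="unicode")


if __name__ == "__main__":
    for call in plan_manager_calls(MODIFY_DOC):
        print(call["method"], call["url"])
        print(call["body"])
        # 204 is what the trace shows for this PUT.
        print(status_document(call["event_id"], 204))
```

    Running it against the constructed document yields a single PUT to /users/37818dba-.../manager/$ref whose body points at /users/903ef65b-..., matching the Remote Loader trace; stripping the association-ref from the manager value makes the function raise instead of emitting a request, which is the case the verified answer warns about.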