For context, I'm building an app that will read and update the Custom Security Attributes of Azure AD users. I'm using the beta version.
Here is my code:
    # Connect to Microsoft Graph with an app-only (client credentials) token
    Function Invoke-Connect-MSGraph($ClientId, $TenantId, $ClientSecret) {
        $body = @{
            'grant_type'    = 'client_credentials'
            'client_id'     = $ClientId
            'client_secret' = $ClientSecret
            # Scope has to be .default when using client cred flow: https://stackoverflow.com/a/51789899/12739456
            'scope'         = 'https://graph.microsoft.com/.default'
        }
        $Params = @{
            'Uri'         = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
            'Method'      = 'Post'
            'ContentType' = 'application/x-www-form-urlencoded'
            'Body'        = $body
        }
        try {
            $TokenResponse = Invoke-RestMethod @Params
            $AccessToken = $TokenResponse.access_token
            # Microsoft.Graph SDK 1.x accepts the raw token string here; SDK 2.x expects a SecureString
            Connect-MgGraph -AccessToken $AccessToken
            Select-MgProfile -Name "beta"
            Write-Host "Connected to MS Graph"
        }
        catch [Exception] {
            # $( ) is required: "$_.Exception.Message" would only expand $_ and append the rest literally
            Write-Error "Error Connecting. Error was: $($_.Exception.Message)"
            exit
        }
    }

    # Call Invoke-Connect-MSGraph with the app's client id, tenant id and secret before the lookups below

    # Get User
    $EmployeeEmail = "[email protected]"
    $User = Get-MgUser -Filter "proxyAddresses/any(x:x eq 'smtp:$($EmployeeEmail)')"

    # Get Custom Security Attributes (the property is only returned when selected explicitly)
    $Attr = Get-MgUser -UserId $User.Id -Property "customSecurityAttributes"
    # This is the line that raises the error quoted below
    $AzureCustomSecurityAttributes = Convertfrom-json ($Attr).ToJson()
The error I'm getting: Cannot find an overload for "ToJson" and the argument count: "0".
It seems that $Attr always returns null.
But I'm able to get other user attributes.
The app has the correct permissions: CustomSecAttributeAssignment.ReadWrite.All and User.Read.All.
The admin role I'm using also has the Attribute Assignment Administrator role.
What am I doing wrong here?
Thanks in advance for your input!
I tried implementing the same logic using Azure AD PowerShell. It works, but since Azure AD PowerShell is being deprecated, I need to find a solution using MS Graph PowerShell.
2 Answers

Get-MgUser returns a User object. You don't need to convert the result from JSON; just access the CustomSecurityAttributes property directly.

I agree with @user2250152.
This is my API-call way of doing it.
Kindly note: to retrieve custom security attributes for a particular user, that user must already have the custom attributes assigned.
You can refer to this article; it explains clearly how to create custom security attributes and assign them to users. It uses both Graph API calls and the Azure AD GUI to demonstrate how to do it.
When using the Azure AD GUI to create the attributes and assign them to users, you need one of these permissions:
Attribute Assignment Reader, Attribute Definition Reader, Attribute Assignment Administrator, Attribute Definition Administrator.
By default these roles are not even assigned to Global Admins.
Refer to this Microsoft doc.
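A worked example of what the two answers describe, added here and not part of the original question or answers: read a user's custom security attributes straight from the object Get-MgUser returns (no JSON conversion), treat an empty result as "nothing assigned yet", and write attributes back with Update-MgUser. It assumes the same setup as the question (Microsoft.Graph SDK 1.x with the beta profile, an existing Connect-MgGraph session holding CustomSecAttributeAssignment.ReadWrite.All). The attribute set "Engineering", its attributes "ProjectDate" and "Project", and the user id are hypothetical placeholders; the set and attributes must already be defined in the tenant before they can be assigned.

```powershell
# Added example (not from the original post). Assumes an existing Connect-MgGraph
# session (Microsoft.Graph SDK 1.x) with CustomSecAttributeAssignment.ReadWrite.All.
# The attribute set "Engineering" and its attributes "ProjectDate" (string) and
# "Project" (multi-valued string) are hypothetical and must already exist.
Select-MgProfile -Name "beta"

function Get-UserCustomSecurityAttributes {
    param([Parameter(Mandatory)][string]$UserId)

    # customSecurityAttributes is not in the default property set, so it has to be
    # selected explicitly or it comes back empty.
    $u = Get-MgUser -UserId $UserId -Property "customSecurityAttributes"

    # The SDK already deserialises the response into an object; there is nothing to
    # ConvertFrom-Json. Attribute sets sit in AdditionalProperties, keyed by set name,
    # and each set is a dictionary of attribute name -> value plus "@odata.type" entries.
    $sets = $u.CustomSecurityAttributes.AdditionalProperties
    if (-not $sets -or $sets.Count -eq 0) {
        # Nothing assigned yet (or the caller may not read assignments): Graph returns
        # an empty object rather than an error, which is why the question's $Attr
        # looked like null.
        return @{}
    }

    $result = @{}
    foreach ($setName in $sets.Keys) {
        $values = @{}
        foreach ($kv in $sets[$setName].GetEnumerator()) {
            # Drop "@odata.type" and per-attribute "Name@odata.type" annotations
            if ($kv.Key -notlike '*@odata.type') { $values[$kv.Key] = $kv.Value }
        }
        $result[$setName] = $values
    }
    return $result
}

function Set-UserCustomSecurityAttributes {
    param(
        [Parameter(Mandatory)][string]$UserId,
        [Parameter(Mandatory)][string]$AttributeSet,
        [Parameter(Mandatory)][hashtable]$Values
    )

    $setBody = @{ "@odata.type" = "#microsoft.graph.customSecurityAttributeValue" }
    foreach ($name in $Values.Keys) {
        $value = $Values[$name]
        if ($value -is [array]) {
            # Multi-valued attributes must carry the collection annotation
            $elem = if ($value.Count -gt 0 -and $value[0] -is [int]) { "Int32" } else { "String" }
            $setBody["${name}@odata.type"] = "#Collection($elem)"
        }
        elseif ($value -is [int]) {
            # Integer attributes must be annotated or the value is rejected
            $setBody["${name}@odata.type"] = "#Int32"
        }
        # A $null value removes that attribute from the user
        $setBody[$name] = $value
    }

    # -BodyParameter sends the hashtable as the PATCH body of /users/{id}
    Update-MgUser -UserId $UserId -BodyParameter @{
        customSecurityAttributes = @{ $AttributeSet = $setBody }
    }
}

# Usage (placeholder user id, hypothetical attribute names)
$userId = "00000000-0000-0000-0000-000000000000"
Set-UserCustomSecurityAttributes -UserId $userId -AttributeSet "Engineering" -Values @{
    ProjectDate = "2022-10-01"
    Project     = @("Baker", "Cascade")
}
$attrs = Get-UserCustomSecurityAttributes -UserId $userId
$attrs["Engineering"]
```

Reading assignments needs CustomSecAttributeAssignment.Read.All or ReadWrite.All on the app (or the Attribute Assignment Reader/Administrator role when running as a user); defining the attribute set itself is a separate Attribute Definition Administrator task, which is why a user with no assignments yet simply gets an empty object back.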