Reading Extension Attributes in Azure AD

  • Question

  • User2054207217 posted

    Hello:

    I need to read a few extension attributes in Azure AD using ASP.NET MVC Core. I am able to read the name (@User.Identity.Name) and a few others, but not the extension attributes.

    Is there any way I can query these attributes? I need to check this value and allow authorization to a view based on the value.

    Thanks.

    Thursday, March 12, 2020 4:31 PM

Answers

All replies

  • User283571144 posted

    Hi progdever,

    If you want to check the user's extension information, you should use Microsoft Graph to achieve your requirement. You could directly use the Graph library; for more details about how to use it, you could refer to the article below.

    https://docs.microsoft.com/en-us/learn/modules/msgraph-access-user-data/ 

    Besides, I suggest you could also use the Microsoft Graph API v1.0 to achieve your requirement: you could get the user's access token and send it to the Microsoft Graph API to get the user extension.

    For more details about how to do it, you could refer to this article.

    https://docs.microsoft.com/en-us/graph/api/user-get?view=graph-rest-1.0&tabs=http 

    Best Regards,

    Brando

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Friday, March 13, 2020 2:19 AM
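As an added example (not code from the answer above or from the linked Microsoft samples), here is one way to do what Brando describes: send the user's delegated access token to the Graph v1.0 `/me` endpoint, read the on-premises extension attributes (extensionAttribute1..15), and make the authorization decision on the server. It assumes ASP.NET Core 3.x / C# 8, that MSAL has already acquired a token with the User.Read delegated permission, and a hypothetical attribute value "ReportViewer" that gates the view.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Text.Json;
using System.Threading.Tasks;

// Added example: reads onPremisesExtensionAttributes for the signed-in user from
// Microsoft Graph v1.0 and derives an authorization decision from one attribute.
// The attribute number and the expected value "ReportViewer" are hypothetical.
public static class ExtensionAttributeAuth
{
    private static readonly HttpClient Http = new HttpClient();

    // GET /me?$select=onPremisesExtensionAttributes with the delegated token.
    // Returns the value of extensionAttribute{n}, or null if it is not set.
    public static async Task<string> GetExtensionAttributeAsync(string accessToken, int n)
    {
        if (n < 1 || n > 15) throw new ArgumentOutOfRangeException(nameof(n));
        using var req = new HttpRequestMessage(HttpMethod.Get,
            "https://graph.microsoft.com/v1.0/me?$select=onPremisesExtensionAttributes");
        req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", accessToken);
        using var resp = await Http.SendAsync(req);
        resp.EnsureSuccessStatusCode(); // 401/403 here usually means a missing or expired token
        using var doc = JsonDocument.Parse(await resp.Content.ReadAsStringAsync());
        return ExtractAttribute(doc.RootElement, n);
    }

    // Parsing kept separate so it can be exercised on a captured Graph response.
    // Missing objects or non-string values are treated as "not set", never as a match.
    public static string ExtractAttribute(JsonElement user, int n)
    {
        if (!user.TryGetProperty("onPremisesExtensionAttributes", out var attrs)
            || attrs.ValueKind != JsonValueKind.Object) return null;
        if (!attrs.TryGetProperty($"extensionAttribute{n}", out var val)
            || val.ValueKind != JsonValueKind.String) return null;
        return val.GetString();
    }

    // Server-side decision: only an exact, case-sensitive match grants access.
    // Directory data is treated as untrusted input; a null attribute denies.
    public static bool MayViewReport(string attributeValue) =>
        string.Equals(attributeValue, "ReportViewer", StringComparison.Ordinal);
}
```

In a controller action this becomes `if (!ExtensionAttributeAuth.MayViewReport(await ExtensionAttributeAuth.GetExtensionAttributeAsync(token, 1))) return Forbid();`, so the check runs on every request from data the app fetched itself rather than from anything the browser supplies.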
  • User2054207217 posted

    Thanks for this. Can you give me a sample code?

    Friday, March 13, 2020 4:33 PM
  • User283571144 posted

    Hi progdever,

    Here is a Microsoft Graph Connect Sample for ASP.NET Core 2.1 demo

    This demo uses ASP.NET Core 2.1 MVC to connect to Microsoft Graph using the delegated permissions flow to retrieve a user's profile and their photo from the Azure AD (v2.0) endpoint, and then sends an email that contains the photo as an attachment.

    Notice: You need to register your application in AAD yourself by following the tutorial.

    Best Regards,

    Brando

    Tuesday, March 17, 2020 2:49 AM
  • User2054207217 posted

    Thanks. I followed this through and when running I am getting this error:

    OpenIdConnectProtocolException: Message contains error: 'unsupported_response_type', error_description: 'AADSTS700054: response_type 'id_token' is not enabled for the application.
    Trace ID: 435cefa6-e646-47a9-ab60-7b9c11fa3500
    Correlation ID: cf087710-4937-424f-90fe-770393751eab

    Tuesday, March 17, 2020 9:11 PM
  • User283571144 posted

    Hi progdever,

    I guess you may not have enabled 'id_token' for the application. You need to open the Azure portal, locate AAD --> App registration --> select your registered app --> Authentication, and enable the ID token.

    Best Regards,

    Brando

    Wednesday, March 18, 2020 2:09 AM
  • User2054207217 posted

    Thanks, but I did enable the implicit ID Tokens. This is the error:

    OpenIdConnectProtocolException: Message contains error: 'unsupported_response_type', error_description: 'AADSTS700054: response_type

    Wednesday, March 18, 2020 10:59 PM
  • User2054207217 posted

    Actually this is the new error:

    MsalServiceException: AADSTS50194: Application 'dea19b3a-7c1e-4a2d-a508-1f52c492450b'(SMT-Graph-3-18) is not configured as a multi-tenant application. Usage of the /common endpoint is not supported for such applications created after '10/15/2018'. Use a tenant-specific endpoint or configure the application to be multi-tenant.

    Wednesday, March 18, 2020 11:07 PM
  • User2054207217 posted

    I ended up solving this using MSAL and OpenID Connect and using Graph API later.

    Paul

    Monday, April 13, 2020 11:25 PM