Graph API is not loading correct information

Chris Barr 1 Reputation point
2022-01-29T20:06:17.16+00:00

The call to https://graph.microsoft.com/v1.0/users when logged in as the account that CREATED the Azure account is not returning the actual users in Azure AD.
It should return 2 users, the default and the one that I added, but it returns a completely different account with a completely different UPN.

So when accessing https://developer.microsoft.com/en-us/graph/graph-explorer,
then logging in as the only user that I know, the account that I created the Azure account with,
then calling https://graph.microsoft.com/v1.0/users,
I get a single user with UPN "A":

{
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users",
    "value": [
        {
            "displayName": "",
            "surname": "",
            "givenName": "",
            "id": "7f8b172c12844d2c",
            "userPrincipalName": "user@tiedtlaw email address.com",
            "businessPhones": [],
            "jobTitle": null,
            "mail": null,
            "mobilePhone": null,
            "officeLocation": null,
            "preferredLanguage": null
        }
    ]
}

However, there are 2 users, and the UPNs of the users that Azure created are user@weird random words.onmicrosoft.com and secondUser@weird random words.onmicrosoft.com.

So it seems that the API isn't able to actually access my own data of the Azure account that I created.

I've also tried to log in as the user that Azure created, user@weird random words.onmicrosoft.com, but I was never given the password to the account that was created for me.
So logically, as with any other account, I'd just do a password reset.
NOPE, can't do that.
user@weird random words.onmicrosoft.com is a Microsoft account that is managed by the user. Only user@weird random words.onmicrosoft.com can reset their password for this account.
Click here for instructions
But.... That's me. Because there was only 1 user and I'm logged in....
So, fine let's "Click here for instructions"....
Yea... No.... That's some random Office account password reset page. That doesn't actually have any information about resetting my internal Azure AD user's password.

WTF, I created the Azure account, that's my user, I as the root admin should be able to reset the freaking password for SECURITY REASONS!

Why is this so unbelievably complicated?


1 answer

  1. AmanpreetSingh-MSFT 56,866 Reputation points Moderator
    2022-01-31T06:42:50.563+00:00

    Hi @Chris Barr • Thank you for reaching out.

    When you say user@weird random words.onmicrosoft.com, does that look like user_example.com#EXT#@yourtenant.onmicrosoft.com? If yes, this is expected when a user, e.g., user@ssss .com, is added to your tenant as a Guest/External User. The reason behind this is that you cannot have a UPN with the suffix @example.com if you have not added example.com as a verified domain to your tenant. Please check and confirm whether those 2 users are added as guest users. Usually, we use a Microsoft Account (Live ID) to create the Azure Account, and the Microsoft Account gets added to the newly created tenant as a Guest user.

    Now, for the error: We're sorry. You can't reset your own password because you haven't registered for password reset.

    When a Guest/External identity is used, the password of the user is stored in the Home Tenant or the Identity Provider where the account was initially created. External Identity is the concept of bringing your own identity; that means:

    • If the guest user is invited from another tenant, the credentials of the user are stored in that specific tenant.
    • If the invited user is from an external IDP, e.g., outlook.com or hotmail.com, the credentials are stored in that identity provider.

    This is why you will not be able to reset the password of these users via Azure Portal or Graph API.

    For instance, if you log in to the Azure portal using ******@outlook.com, you will be redirected to the login.live.com endpoint, and the credentials are validated against the MSA IDP (Microsoft Account Identity Provider) and not in Azure. So, in this case, to sign in to the Azure Portal, you will use user@harsh.com .com and NOT user_outlook.com#EXT#@yourtenant.onmicrosoft.com.

    Feel free to tag me in your reply if you have any further questions.


    Please "Accept the answer" if the information helped you. This will help us and others in the community as well.
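The check the answer asks for, as an added example that is not part of this thread or of any Microsoft tool: given a /v1.0/users response body, it recognises the `user_example.com#EXT#@tenant.onmicrosoft.com` shape, recovers the home identity that actually signs in, and states where the password can be reset. The sample response, tenant name `contoso` and object ids are constructed; `userType` is the standard Graph user property and is used only as a fallback.

```python
import json
import re

# Constructed sample modelled on the /v1.0/users output quoted in the question.
# Ids, names and domains are made up; only the UPN shape matters here.
SAMPLE_RESPONSE = json.dumps({
    "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#users",
    "value": [
        {"id": "00000000-0000-0000-0000-000000000001",
         "userPrincipalName": "user_example.com#EXT#@contoso.onmicrosoft.com",
         "userType": "Guest"},
        {"id": "00000000-0000-0000-0000-000000000002",
         "userPrincipalName": "second.user_outlook.com#EXT#@contoso.onmicrosoft.com",
         "userType": "Guest"},
        {"id": "00000000-0000-0000-0000-000000000003",
         "userPrincipalName": "admin@contoso.onmicrosoft.com",
         "userType": "Member"},
    ]
})

# External-user UPN: the home e-mail with "@" replaced by "_", then "#EXT#@<tenant>".
# A DNS domain cannot contain "_", so the last "_" before "#EXT#" is the replaced "@".
EXT_UPN = re.compile(r"^(?P<local>.+)_(?P<domain>[^_@#]+)#EXT#@(?P<tenant>[^@]+)$")

# Consumer (Microsoft account) domains named in the answer; not an exhaustive list.
MSA_DOMAINS = {"outlook.com", "hotmail.com"}


def describe_user(user: dict) -> dict:
    """For one Graph user object: is it an external guest, which identity
    actually signs in, and where can its password be reset?"""
    upn = user["userPrincipalName"]
    m = EXT_UPN.match(upn)
    if m is None and user.get("userType") != "Guest":
        return {"upn": upn, "external": False, "sign_in_as": upn,
                "password_reset": "this tenant (Azure portal / Graph)"}
    home = f"{m['local']}@{m['domain']}" if m else None
    if home and m["domain"].lower() in MSA_DOMAINS:
        where = "Microsoft account (login.live.com), not this tenant"
    else:
        where = "home tenant or external identity provider, not this tenant"
    return {"upn": upn, "external": True, "sign_in_as": home or upn,
            "password_reset": where}


def audit(response_json: str) -> list[dict]:
    """Classify every user in a /v1.0/users response body."""
    return [describe_user(u) for u in json.loads(response_json)["value"]]
```

Run `audit(SAMPLE_RESPONSE)` to see the two guests resolved to `user@example.com` and `second.user@outlook.com`, which is the identity to type at the sign-in prompt instead of the `#EXT#` UPN.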
