GraphAPI and schemaExtensions

Paul Rarey 21 Reputation points
2020-09-10T17:49:30.473+00:00

We are using Graph Explorer, attempting to extend the AzureAD User object schema in our non-prod (labs) tenant.

The following JSON body is added with this method => POST https://graph.microsoft.com/v1.0/schemaExtensions

{
  "id": "OurUserExtensions",
  "description": "User Object Extensions",
  "targetTypes": [
    "User"
  ],
  "properties": [
    {
      "name": "costCenter",
      "type": "String"
    },
    {
      "name": "costCenterName",
      "type": "String"
    }
  ]
}

The response code is "Authorization_RequestDenied" with the "message" "Attempt to update complex extension definition on application belonging to a different context".

The Admin person executing the POST did check the Modify permissions; however, none of those listed required Consent to be granted.

Returned Error https://1drv.ms/u/s!AhWdkaAMXIqfg6kTv06c7W7ZGBgAvg?e=HxrbSb

Is it possible that schemaExtensions must be created/managed only at a Domain level just below a TLD?
There are two Domains defined in our labs tenant

  • lab.myDomain.com
  • myDomainDev.onmicrosoft.com

Do we require a Domain in our non-prod tenant such as myDomainLabs.com, with the GraphAPI logged-in Admin user/UPN e.g. ******@myDomainLabs.com?

The person executing GraphAPI calls is using a full Admin account & logs in with a UPN specific to the lab.myDomain.com domain.

Thanks in advance!
/paul


Answer accepted by question author
  1. Saurabh Sharma 23,866 Reputation points Microsoft Employee Moderator
    2020-09-10T21:39:33.12+00:00

    @Paul Rarey Hi Paul,

    I am able to reproduce your issue. (See screenshot below)
    [screenshot: 23971-image.png]

    As you are using Microsoft Graph Explorer to add the schema extension, the application id of the Graph Explorer is being used as the owner of the schema extension, which is not allowed because the Graph Explorer application is managed by Microsoft and the signed-in user needs to be the owner of the application for this call to work. Please refer to the documentation. (See extract from the referred documentation)
    [screenshot: 24001-image.png]

    In order to fix this you need to pass the "Owner" property in the JSON payload while making the Graph API call. So, first register an application in AAD and pass the application id to the POST like below -
    [screenshot: 23972-image.png]

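The fix described in the accepted answer, as an added Python example that is not part of this thread: it builds the corrected schemaExtensions payload with the `owner` property set and recognises the "different context" error quoted in the question. The owner value is a placeholder app id, the error body is constructed to mirror the one in the question, and the helper names are assumptions.

```python
import json

GRAPH_SCHEMA_EXT_URL = "https://graph.microsoft.com/v1.0/schemaExtensions"

# Placeholder, not a real app id: the appId of an app registration that the
# signed-in admin owns (register one in AAD first, as the answer says).
OWNER_APP_ID = "00000000-0000-0000-0000-000000000000"

# Constructed error body mirroring the response quoted in the question.
SAMPLE_ERROR = json.dumps({"error": {
    "code": "Authorization_RequestDenied",
    "message": "Attempt to update complex extension definition on application "
               "belonging to a different context"}})


def build_schema_extension(ext_id, description, owner_app_id, properties,
                           target_types=("User",)):
    """Return the POST body for /schemaExtensions with the owner app id set.

    Without 'owner', Graph Explorer's own (Microsoft-owned) app id is used as
    the owner, which is what produces the error in the question.
    """
    if not owner_app_id:
        raise ValueError("owner is required: use the appId of an app registration you own")
    return {
        "id": ext_id,
        "description": description,
        "targetTypes": list(target_types),
        "owner": owner_app_id,
        "properties": [{"name": name, "type": typ} for name, typ in properties],
    }


def explain_schema_extension_error(response_body):
    """Classify a Graph error body; flags the owner/context mismatch from the thread."""
    err = json.loads(response_body).get("error") or {}
    code, message = err.get("code", ""), err.get("message", "")
    if code == "Authorization_RequestDenied" and "different context" in message:
        return "owner-mismatch"
    return code or "ok"


if __name__ == "__main__":
    body = build_schema_extension(
        "OurUserExtensions", "User Object Extensions", OWNER_APP_ID,
        [("costCenter", "String"), ("costCenterName", "String")])
    print(f"POST {GRAPH_SCHEMA_EXT_URL}")
    print(json.dumps(body, indent=2))
    print(explain_schema_extension_error(SAMPLE_ERROR))  # owner-mismatch
```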

1 additional answer

  1. Paul Rarey 21 Reputation points
    2020-09-11T16:33:15.843+00:00

    Thank you @Saurabh Sharma !!
    I did go dig into the docs & found what you highlighted. Kind of embarrassed I didn't RTFM deeper first :)
    /paul

