Once in awhile I need to obtain some “user” information from the Azure Active Directory (AAD) User profile. AAD is not the same as general Active Directory. If you are using Dynamics Customer Engagement online, you can access the “graph” for that user using standard API even in your own page extensions. For example, I often have a substantial web extension for my pages that pulls in data from the logged in user’s profile.
I was looking at some of the preview features available in AAD for adding extra attributes. Here’s a couple of links on the topic:
- Adding extensions, old graph AD API, do not use: https://docs.microsoft.com/en-us/previous-versions/azure/ad/graph/howto/azure-ad-graph-api-directory-schema-extensions
- New approach for schema extensions: https://docs.microsoft.com/en-us/graph/extensibility-schema-groups
- https://docs.microsoft.com/en-us/graph/api/schemaextension-post-schemaextensions?view=graph-rest-1.0
- Customize claims: https://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-claims-mapping
- Graph explorer: https://developer.microsoft.com/en-us/graph/graph-explorer
The examples show how to add a schema extension. An open extension can be accessed anytime and does not need registration. Let’s assume you have registered an application in the azure portal. You’ll have an appid (a GUID).
The examples assume that you have logged in with your application and have ensured it has directory read/write access and user profile read/write access (the app needs these delegated permissions). However, the examples do not show how to create the schema extension in the graph explorer properly. Assuming we are using the new graph API and not the deprecated Graph AD API (it’s different!) you need to change the post body .
To add the schema extension to a specific app, just include the “owner” property in the post. The owner property is the appliction ID. With the owner set properly, you can now use this extension and add the “claim” to an id_token or access_token when you use AAD to retrieve these attributes or access them directly from your extension loaded into your CRM web page because you will automatically have access to the graph API. If you do not set the owner properly in the post body, the default owner is the graph explorer itself, which will not have access to perform the change.
// POST https://graph.microsoft.com/beta/schemaExtensions
{
"id": "myapp",
"description": "myapp schema extensions",
"targetTypes": [
"User"
],
"owner": "<appid>" // e.g. "67ebda1c-0872-41af-99fa-e31ab1ddc936",
"properties": [
{
"name": "keyproperty",
"type": "String"
}
]
}
