For the context, I'm building an app that will read and update the Custom Security Attributes of Azure AD users. I'm using the beta version.
Here is my code:
# Connect to the client
Function Invoke-Connect-MSGraph($ClientId, $TenantId, $ClientSecret) {
$body = @{
'grant_type' = 'client_credentials'
'client_id' = $ClientId
'client_secret' = $ClientSecret
# Scope has to be .default when using client cred flow: https://stackoverflow.com/a/51789899/12739456
'scope' = 'https://graph.microsoft.com/.default'
}
$Params = @{
'Uri' = "https://login.microsoftonline.com/$TenantId/oauth2/v2.0/token"
'Method' = 'Post'
'ContentType' = 'application/x-www-form-urlencoded'
'Body' = $body
}
try {
$TokenResponse = Invoke-RestMethod @Params
$AccessToken = $TokenResponse.access_token
Connect-MgGraph -AccessToken $AccessToken
Select-MgProfile -Name "beta"
Write-Host "Connected to MS Graph"
}
catch [Exception] {
Write-Error "Error Connecting. Error was: $_.Exception.Message"
exit
}
}
# Get User
$EmployeeEmail = "janedoe@xyz.com"
$User = Get-MgUser -Filter "proxyAddresses/any(x:x eq 'smtp:$($EmployeeEmail)')"
# Get Custom Security Attributes
$Attr = Get-MgUser -UserId $User.Id -Property "customSecurityAttributes"
$AzureCustomSecurityAttributes = Convertfrom-json ($Attr).ToJson()
The error I'm getting: Cannot find an overload for "ToJson" and the argument count: "0". It seems that $Attr always returns null.
But I'm able to get other user attributes.
The app has the correct permission: CustomSecAttributeAssignment.ReadWrite.All and User.Read.All
The Admin role I'm using also has the Attribute Assignment Administrator role.
What am I doing wrong here? Thanks in advance for your input!
I tried implementing the same logic using Azure AD PowerShell. It works, but since Azure AD PowerShell is being deprecated, I need to find a solution using MS Graph PowerShell.
I agree with @user2250152.
This is my api call way of doing it
# replace this with yours
$tenantId = "xxx"
$appId = "xxx"
$appSecret = "xxx"
# Define API endpoint and parameters
$authEndpoint = "https://login.microsoftonline.com/$tenantId/oauth2/v2.0/token"
$body = @{
client_id = $appId
client_secret = $appSecret
scope = "https://graph.microsoft.com/.default"
grant_type = "client_credentials"
}
$tokenResponse = Invoke-RestMethod -Method Post -Uri $authEndpoint -Body $body
$accessToken = $tokenResponse.access_token
# Define the headers for the API request
$headers = @{
Authorization = "Bearer $accessToken"
ContentType = "application/json"
}
# user u need to read customsecurityattributes
$userupn = "user@yourdomain.com"
# api call uri
$apiEndpoint = "https://graph.microsoft.com/beta/users/$userupn"
# API request
$apiResponse = Invoke-RestMethod -Method Get -Uri $apiEndpoint -Headers $headers
# Output
$apiResponse.customSecurityAttributes
Kindly note, to retrieve custom security attributes for a particular user, that user must be assigned the custom attributes already.
You can refer to this article, it explains clearly how to create custom security attributes, assigning to users. It uses both graph api calls and azure AD GUI to demonstrate how to do it.
When using azure ad GUI to create the attributes and assign to users, you need one of this permissions.
Attribute Assignment Reader, Attribute Definition Reader, Attribute Assignment Administrator, Attribute Definition Administrator
By default this roles are not even assigned to Global admins.
Refer to this Microsoftdoc