Wednesday, 21 February 2018

Azure AD B2B self-service registration - Register and Update a guest user using Graph API

Azure B2B capabilities give organizations the ability to provide external users (from partner organizations/ contractors etc) access to their data safely. This means that an External user can be added as a "Guest User" in an organization's Azure AD and this identity can be used to provide access to SharePoint online, Office 365 Groups etc.

An external user can be added to an Azure AD as a guest user using an E-mail address. An invitation email is sent out to the user to join the inviting tenant. This email ID can be of a user from another Azure AD, or a Microsoft Account or a personal/work ID which is not in an Azure AD.

In case the user is in another Azure AD, a password reset is not required for the user on accepting the invitation. User's main identity remains in the origin tenant and the user can continue to use the same set of credentials while accessing the inviting tenant. When the external user leaves their own organization and their account gets disabled, the access to inviting tenant also gets disabled automatically.

If the E-mail is a personal one, a new identity is created in the inviting tenant when the user accepts the invitation and creates a password. Here is some useful documentation to read through

Guest users can be registered through the Azure Portal or using the Graph API. Being able to send guest user invitations through the Graph API opens the possibility of creating self-service registration portals for guest users.

In this post we are going to walk through the process of

1) Sending guest user invite through Graph API

2) Updating the guest user's profile as soon as the the invitation email is sent - This makes sure that the basic user information is available in the inviting tenant. This helps in keeping data available for building People directory etc.

Self service registration can be implemented as a simple MVC web page where user provides the basic information such as

- First Name
- Last Name
- Email address
- Company
- Contact number etc

Rules/validations can be applied on the registration form as desired to make sure that only users from intended email domains are allowed to register as guest users.

In this post, we use App credentials and Graph API (GraphServiceClient) to send email invites to the guest users. Head over to to register an app that can call Graph API.

Permissions required for this app to send email invites are : User.Invite.All, User.ReadWrite.All, Directory.ReadWrite.All

First we authenticate and get the GraphServiceClient instance to work with Microsoft Graph using app credentials

Once we have the GraphServiceClient, create an "Invitation" objects and send the invite

The invitation object accepts

Email address of the Guest user
Display name with which the guest user will be registered in the Azure AD
- Redirect UI - this is the URL where the user will be redirected when the invitation is accepted - InvitedUserMessageInfo object where we can set a customized message to be send in the email

The call to send user invitation returns an Invitation object in response.

Once the invite is sent, the user gets registered in the Azure AD. We can update the user properties in Azure AD to make sure that when the user accepts the invitation, the basic information is available in the Azure AD.

The invitation object returned as a response of sending an invite also returns a Azure AD USER object. This object can be used to set the user profile properties and update it back in Azure AD.

Friday, 5 January 2018

Use Azure Functions as remote event receiver in SharePoint

SharePoint webhooks are a new way of building event receivers for SharePoint. However, webhooks are only enabled for SharePoint list items at the time of writing this.

Recently I was required to write a event receiver for ListAdded event in a web. I decided to try and use Azure functions to achieve this instead of writing the traditional provider hosted app remote event receiver. Came across this great post  from Sergei Sergeev for reference.

Lets create a ListAdded event receiver using Azure Functions.

To Begin with, create a Azure Function project in Visual Studio and created a Function App in Azure through the Azure Portal. Add a function to the function app and select the HTTP trigger type of function since the event receiver needs to send the event payload to a HTTP endpoint. Publish your Azure function to the function app created through Azure Portal. The Azure function is now ready to receive events from SharePoint.

The Azure Function will have an endpoint. This can be fetched by clicking on the function in the Azure portal and clicking on the Get function URL link

The URL will look something like this :


The domain may be different based on your tenant configurations. We need the domain part of this URL in the next steps.

Now we need to register a event receiver on a WEB in SharePoint. We will use a simple console app for this. The console app will use SharePoint App credentials. So, head over to the "/_layouts/AppRegNew.aspx" page in your site and register a new app. Remember to provide the domain of this app as the domain of your event receiver Azure function noted above. We will need this in the future. Provide full control permissions to this APP on the site collection.

Here is the code for installing an event receiver on the web. Replace receiverAzureFuncUrl, webUrl, ClientID and ClientSecret and run the console app. The console app users PnP Sites Core to get app-only client context.

Now the Azure function is ready to receive event of a list being added to the WEB. We need one more thing in our code and that is "TokenHelper". This is used to validate the context token received in the event payload and communicate with SharePoint through from within Azure function (which is our event receiver). I created a class library project in my Azure Function solution in Visual Studio and installed the "AppForSharePointOnlineWebToolKit" nuget package. Add a reference of this class library in your Azure Function APP project

NOTE : I had to add the reference of the DLL of this class library. Adding the project reference made the publish operation to fail.

Since the token helper fetches the ClientID and ClientSecret from webconfig, modify the code to fetch these values from the Azure Function APP settings.

Change the code of your Azure function to handle the incoming request from List Added event. This code reads the event payload and parses the XML to fetch the values that are of our interest. You can log the entire XML and see what are the values received through the Event payload. Once we have the "ContextToken" string, we can Validate the token and also get the client context of the site using "TokenHelper".  The "GetClientContextWithContextToken" method internally validates the token as well.

Hope this helps !

Friday, 24 November 2017

Graph API : Get all the Office 365 Groups Owned by a user

There is a Graph API endpoint to get all the Office 365 Groups a user is Member of. The filter is used to get only the Office 365 Groups.

I wanted to retrieve all the Groups that a user owns, however there is no "ownerOf" endpoint. The endpoint ownedObjects can be used to retrieve this data. 

For the current user :

For a specific user : 

However this endpoint returns all the directory objects the user is owner of.  When I tried to $filter on this endpoint, it did not work ! Through the Graph explorer it appears that at the time of writing this, $filter to this endpoint is not currently supported.  So you may just have to retrieve all the data that is returned and then filter on the "groupTypes" property of the group object in your application code.

Thursday, 23 November 2017

Custom action term set navigation for SharePoint reusing the SPFx extension sample

There is a great SharePoint Framework extensions sample for navigation using the term store on GitHub . However this can only be used on the Modern pages. I tried to re-use the code of this component to build a custom action that can be used on the classic pages to provide a similar functionality.

Here is the custom action code on GitHub

  • In this, the SPFx specific code is replaced with relevant code that would run on classic pages. The extensions sample uses SPHttpClient and the Context object of SPFx. This has been replaced to use Axios NPM module to make HTTP calls. (SPTermStoreService.ts file changed)
  • The TenantGlobalNavBarApplicationCustomizer.ts has been changed to load the navigation bar when the SharePoint page loads. The SPFx extensions specific code is removed 
  • The modern pages already have react, so the SPFx components when bundled do not include react and react-dom. However, this custom action bundles react and react-dom as well in the final bundle. So there is a custom gulpfile.js with this project that uses Microsoft/gulp-core-build to compile the Typescript and SASS files 
  • The final bundle is generate using webpack through a gulp task.

More details in the GitHub documentation

Monday, 30 October 2017

Work with Multi-value lookup fields in Microsoft Flow and SharePoint - Part 2

Part I of this post explains a couple of limitations of working with Microsoft Flow and SharePoint Multi-value lookup field.

Work with Multi-value lookup fields in Microsoft flow and SharePoint - Part 2

To overcome the challenge I decided to use SharePoint REST API to retrieve the field values. As you may already know, flow provides HTTP Trigger action which we can use to call the SharePoint REST API. The idea is to get an access token and retrieve the values through this HTTP trigger action. There are two great posts that helped me get an Access token, SharePoint scribblings and Shantha Kumar's blog

To start with, register an app in your SharePoint site through the "_layouts/15/AppRegNew.aspx" page. Provide the appropriate permissions so that it can access the multi-value lookup field data.

You'll have the client ID and client secret of the app. Also find out the TenantID of the tenant you are working on.

We create a new flow which is triggered when a new Item is created. Initialize the variables TenantID, ClientID, ClientSecret and a placeholder variable for AccessToken.

Next, add a HTTP trigger action, to get the access token

The body of this request is of the format


Run the flow once till this step and see the history of the execution. Copy the body of the response. We will need it in the next steps.

Now we return to our flow and add a parse JSON action. Provide the "Content" as the body of the response from the previous HTTP trigger action. Use the body value copied in the previous step and paste it in the "Use sample payload to generate schema". This provides parse JSON action a sample format of the JSON that must be parsed.

Once this step executes, we are ready to use the access token. Next, use another HTTP trigger action to call SharePoint REST endpoint (here I have used a hard coded item ID) and retrieve the multi-value lookup field values. Along with the Title, you may also want to retrieve the ID of the looks. That might help you query other lists where these values may have been used.

The results show the lookup values that were selected for the item.

Now, we can then use these values as we would like to