Recently, one of the Graph developers reached out to me to find out how to get the source of an account (which is shown in the Azure AD portal blade). During my investigation, I failed to find this information: no source field is exposed directly by the Graph API, and the documentation doesn’t say much about it.
That being said, I suggested the following workaround to see if it helps.
- Make the API call against the beta endpoint with $select=displayName,userType.
- Parse the returned properties of the user. This way you can get the userType as Guest or Member.
- If the userType is Member, then the user source is “Azure Active Directory”.
- If the userType is Guest and externalUserState is Accepted, then the user source is “External Azure Active Directory”.
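The workaround above as a small Python sketch (an added example, not code from the original post). It assumes externalUserState is added to the $select so the Guest rule can be evaluated; the function names, the "Unknown" fallback and the sample response are constructed for illustration.

```python
import json

GRAPH_BETA_USERS = "https://graph.microsoft.com/beta/users"
# Assumption: externalUserState is requested too, since the Guest rule needs it.
SELECT_FIELDS = ("displayName", "userType", "externalUserState")


def build_users_url(base=GRAPH_BETA_USERS, fields=SELECT_FIELDS):
    """Return the beta /users URL with an explicit $select."""
    return f"{base}?$select={','.join(fields)}"


def account_source(user):
    """Map one Graph user object to a source label using the rules above."""
    # userType and externalUserState can be null or absent, so normalise first.
    user_type = (user.get("userType") or "").lower()
    state = (user.get("externalUserState") or "").lower()
    if user_type == "member":
        return "Azure Active Directory"
    if user_type == "guest" and state == "accepted":
        return "External Azure Active Directory"
    # Pending invitations or a missing userType: the rules above do not cover these.
    return "Unknown"


def classify_page(response_body):
    """Classify every user in one page of a /users response body (JSON text)."""
    payload = json.loads(response_body)
    return [(u.get("displayName"), account_source(u))
            for u in payload.get("value", [])]


# Constructed sample response, shaped like a Graph /users collection.
SAMPLE_RESPONSE = json.dumps({"value": [
    {"displayName": "Member User", "userType": "Member",
     "externalUserState": None},
    {"displayName": "Accepted Guest", "userType": "Guest",
     "externalUserState": "Accepted"},
    {"displayName": "Invited Guest", "userType": "Guest",
     "externalUserState": "PendingAcceptance"},
    {"displayName": "Legacy User", "userType": None,
     "externalUserState": None},
]})

if __name__ == "__main__":
    print(build_users_url())
    for name, source in classify_page(SAMPLE_RESPONSE):
        print(f"{name}: {source}")
```

Guests who have not yet redeemed their invitation and users with an empty userType fall through to "Unknown" rather than being guessed at.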
Hope this helps!!
Recently, I worked with an ISV developer who reported that, for some users, Graph API calls that use $filter throw HTTP 403 – Forbidden. The same call with $filter works fine for most users. We chased it down and found that it happens for some users (not for all users, but for Guest users).
We noticed that their application only had delegated permissions for https://graph.microsoft.com/User.ReadBasic.All. When you use just User.ReadBasic.All, your app won’t have permission to read the userType property. It also means that it doesn’t have permission to filter on that property. So you’ll find that any user in the tenant will have the same experience, including a member or a global administrator, not just your guest user. We asked the user to try User.Read.All in their app, and we then noticed that the filter worked as expected for the user in the guest role, so it helped us to move forward.
Please note that if the above doesn’t help (as your scenario may vary), I suggest you have a look at the related Stack Overflow thread.
Hope this helps.
Deva's developer blog where I talk about Microsoft Azure/Security/MS Graph, AI/ ML & more!!