How to know if a user is deactivated in Azure AD using the MS Graph API

sergecal 26 Reputation points
2020-07-21T09:24:23.307+00:00

Dear all,

We are using the MS Graph API to handle different requests in Azure AD.
When we need to add a user in the AD, we need to perform the following tests before proceeding:

1 - Does the user already exist in the AD?
2 - If the user exists, is the user disabled?
3 - If the user is disabled, we simply need to enable it again

From that simple test sequence, what is the way to check for a disabled account in Azure AD using Graph?

When I try to get the user using Postman, it returns user information but has no parameter mentioning whether the user is disabled or not.

For example, in the picture below you can see that user cal-test@itecor.com is disabled
13165-av35cy4ecr.png

And the return object from Postman does not have that lock sign-in info, as seen below:

13143-rinx4fj3b4.png

Any idea how to get that information?

Thanks for help
regards


Accepted answer
  1. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-07-21T15:29:09.297+00:00

    @sergecal, regarding query 1: "Does Beta endpoint means it is not yet a release endpoint of MS Graph ?"

    Ans: Since it's in beta state, we do not recommend customers using that in production, as we keep updating the backend of these APIs until they are marked as Production Ready, i.e. they get pushed into GA state for the general public to use them in their production applications.

    For the query 2: You would need to use the same graph API with Patch. I tested that and you can refer to the screenshots below for more details:

    PATCH https://graph.microsoft.com/v1.0/users/bradh@soumi.msftonlinerepro.com  
    { "accountEnabled": true }  
    

    13187-accountenabledpatch.png

    13188-getuser.png

    Note: Here you need to use the Auth-Code-Flow of OAuth and make sure the following delegated permissions are present on the app-registration:
    Directory.AccessAsUser.All


4 additional answers

  1. AmanpreetSingh-MSFT 56,311 Reputation points
    2020-07-21T09:47:38.09+00:00

    Hello @sergecal

    The attribute you need to look for is accountEnabled. Setting "Block Sign-in" option in Azure Portal to YES, sets this attribute to FALSE.

    You can see this attribute by using either Beta endpoint as per the below call:

    https://graph.microsoft.com/beta/users?$filter=mail eq 'username@your_domain.com'

    If you want to use the v1.0 endpoint only, you need to specify the attribute name in the $select parameter, as mentioned below:

    https://graph.microsoft.com/v1.0/users?$filter=mail eq 'username@your_domain.com'&$select=DisplayName,accountEnabled

    -----------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.

    2 people found this answer helpful.

  2. sergecal 26 Reputation points
    2020-07-21T14:04:30.94+00:00

    Dear all,

    Thanks for your answer,

    I will give it a try and let you know.
    In the meantime I still have a few questions:

    Q1: Does Beta endpoint mean it is not yet a release endpoint of MS Graph?

    Q2: Once I get the user which is deactivated, how do I activate that user back using the Graph API as well?

    Thanks for help
    regards

    1 person found this answer helpful.

  3. soumi-MSFT 11,716 Reputation points Microsoft Employee
    2020-07-21T09:48:45.883+00:00

    @sergecal, thank you for reaching out. To find out if the user is in blocked-signin state or not, you would need to use the beta endpoint of graph APIs, i.e.:

    https://graph.microsoft.com/beta/users/{userPrincipalName}  
    

    Please refer to the screenshots below:

    User Profile:
    13216-userprofile.png

    Graph API Call:
    13217-accountdisabled.png

    For the v1.0 endpoint you can use the following Graph API call:

    https://graph.microsoft.com/v1.0/users/{userPrincipalName}?$select=DisplayName,accountEnabled  
    

    In Microsoft Graph API v1.0 a lot of attributes are hidden from general view and hence they have to be explicitly called through query parameters as mentioned above.

    Hope this helps.

    Do let us know if this helps and if there are any more queries around this, please do let us know so that we can help you further. Also, please do not forget to accept the response as Answer; if the above response helped in answering your query.


  4. AmanpreetSingh-MSFT 56,311 Reputation points
    2020-07-21T14:44:52.757+00:00

    @sergecal Please find the answers to your questions below:

    Q1: Does Beta endpoint mean it is not yet a release endpoint of MS Graph?

    Yes, the Beta endpoint is in preview and not generally available. We don't recommend using preview features in production.

    Q2: Once I get the user which is deactivated, how do I activate that user back using the Graph API as well?

    To activate the user, you need to set the value of accountEnabled to true by using below Patch call and body:

    CALL: Patch https://graph.microsoft.com/v1.0/users/object_id_or_upn_of_user
    BODY: {"accountEnabled":true}

    -----------------------------------------------------------------------------------------------------------

    Please do not forget to "Accept the answer" wherever the information provided helps you. This will help others in the community as well.
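
The three-step check from the question (exists, disabled, re-enable), written against the v1.0 calls given in the answers, as an added example that is not code from any of the posters. `ensure_user_enabled`, `user_url` and `make_fake_graph` are hypothetical names; the `send` callable is assumed to wrap an authenticated HTTP client, and the in-memory directory is constructed sample data that simplifies the v1.0 default property set.

```python
from urllib.parse import quote, unquote

GRAPH = "https://graph.microsoft.com/v1.0"

def user_url(upn, select=None):
    """Build /users/{upn}; v1.0 only returns accountEnabled when it is in $select."""
    url = f"{GRAPH}/users/{quote(upn, safe='@')}"
    return url + "?$select=" + ",".join(select) if select else url

def ensure_user_enabled(upn, send):
    """Return 'missing', 'already-enabled' or 're-enabled'.
    send(method, url, json_body) -> (http_status, json_or_None) is an assumed wrapper."""
    status, body = send("GET", user_url(upn, ["id", "userPrincipalName", "accountEnabled"]), None)
    if status == 404:                       # step 1: user does not exist
        return "missing"
    if status != 200:
        raise RuntimeError(f"GET failed with HTTP {status}")
    enabled = body.get("accountEnabled")
    if enabled is None:
        # Property absent: never guess a sign-in state from a missing field.
        raise ValueError("accountEnabled not returned; check the $select parameter")
    if enabled:                             # step 2: exists and can sign in
        return "already-enabled"
    status, _ = send("PATCH", user_url(upn), {"accountEnabled": True})  # step 3
    if status != 204:                       # Graph answers a user update with 204
        raise RuntimeError(f"PATCH failed with HTTP {status}")
    return "re-enabled"

def make_fake_graph(directory):
    """Constructed in-memory stand-in for the /users endpoint (not a real client)."""
    def send(method, url, body):
        path, _, query = url.partition("?")
        user = directory.get(unquote(path.rsplit("/", 1)[1]))
        if user is None:
            return 404, {"error": {"code": "Request_ResourceNotFound"}}
        if method == "PATCH":
            user.update(body)
            return 204, None
        # Without $select, mimic v1.0 by leaving accountEnabled out of the reply.
        fields = query[len("$select="):].split(",") if query else ["id", "userPrincipalName"]
        return 200, {k: user[k] for k in fields if k in user}
    return send

if __name__ == "__main__":
    sample = {"blocked@example.com": {"id": "1", "userPrincipalName": "blocked@example.com",
                                      "accountEnabled": False}}  # constructed data
    print(ensure_user_enabled("blocked@example.com", make_fake_graph(sample)))
```

An account may have been blocked deliberately, so a caller may prefer to log or gate the `re-enabled` path rather than apply it unconditionally.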
