https://community.qlik.com/t5/Official-Support-Articles/Qlik-Sense-SaaS-How-to-verify-group-information-returned-by/ta-p/1968589 <P>This article explains how to call the Graph API manually to verify group information.</P> <P>This is based on how Qlik Sense SaaS code is fetching groups from Azure AD.</P> <P>Qlik Sense for Windows straightly reads the groups from the ID token and if the number is too big, Azure AD will just include a link to the graph API in the ID token, which Qlik Sense for Windows will just ignore.</P> <P><STRONG>Environments:</STRONG></P> <P><LI-PRODUCT title="Qlik Cloud" id="qlikSenseEnterpriseSaaS"></LI-PRODUCT>&nbsp;</P> <P>&nbsp;</P> <H3><STRONG>Resolution</STRONG></H3> <P>FIrst of all, generate a token based on the steps in the below article.</P> <DIV class="lia-message-subject"><A href="https://community.qlik.com/t5/Knowledge/Qlik-Sense-How-to-request-an-OIDC-token-manually-and-check-if/ta-p/1843408" target="_self">Qlik Sense: How to request an OIDC token manually and check if correct attributes are included (PowerShell)<SPAN>&nbsp;</SPAN></A></DIV> <P><LI-WRAPPER></LI-WRAPPER></P> <H2 class="message-subject">&nbsp;</H2> <P>Once the tokens generated, take the access_token (NOT the id_token) and use it to retrieve information from the Azure AD Graph API:</P> <P>&nbsp;</P> <LI-CODE lang="markup">$access_token='eyJ0eXAiOi...CjAeMzpab_5QE2c5QZm0bA' $hdrs = @{} $hdrs.Add("Authorization","Bearer "+$access_token) $url = 'https://graph.microsoft.com/v1.0/me/memberof' $response = Invoke-WebRequest -Uri $url -Method Get -Headers $hdrs echo $response.Content​</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>Example of response:</P> <P>&nbsp;</P> <LI-CODE lang="markup">{"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#directoryObjects","value":[{"@odata.type":"#microsoft.graph.directoryRole","id":"605fd212-5945-4270-a4d5-e1e6ca65fbc7","deletedDateTime":null,"description":nu ll,"displayName":null,"roleTemplateId":null},{"@odata.type":"#microsoft.graph.group","id":"43d6963e-a75f-46d7-87e4-99b95bb74877","deletedDateTime":null,"classification":null,"createdDateTime":"2018-08-31T14:24:21Z","crea tionOptions":[],"description":"Qlik","displayName":"TestGroup","expirationDateTime":null,"groupTypes":[],"isAssignableToRole":null,"mail":null,"mailEnabled":false,"mailNickname":"cf40a8f3-47f6-4a3b-811b-e6028a9e21b9 ","membershipRule":null,"membershipRuleProcessingState":null,"onPremisesDomainName":null,"onPremisesLastSyncDateTime":null,"onPremisesNetBiosName":null,"onPremisesSamAccountName":null,"onPremisesSecurityIdentifier":null, "onPremisesSyncEnabled":null,"preferredDataLocation":null,"preferredLanguage":null,"proxyAddresses":[],"renewedDateTime":"2018-08-31T14:24:21Z","resourceBehaviorOptions":[],"resourceProvisioningOptions":[],"securityEnabl ed":true,"securityIdentifier":"S-1-12-1-1138136638-1188538207-3113870471-2001254235","theme":null,"visibility":null,"onPremisesProvisioningErrors":[]}]}</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>Qlik Sense will fetch the odata type #microsoft.graph.group and fetch the displayName, then create the groups.</P> <P>If there is more than 100 groups, the results will be paginated by page of 100 in the Graph API, Qlik Sense can fetch up to 10 pages (1000 groups).</P> Mon, 15 Aug 2022 07:29:15 GMT Damien_V 2022-08-15T07:29:15Z https://community.qlik.com/t5/Official-Support-Articles/Qlik-Sense-SaaS-How-to-verify-group-information-returned-by/ta-p/1968589 <P>This article explains how to call the Graph API manually to verify group information.</P> <P>This is based on how Qlik Sense SaaS code is fetching groups from Azure AD.</P> <P>Qlik Sense for Windows straightly reads the groups from the ID token and if the number is too big, Azure AD will just include a link to the graph API in the ID token, which Qlik Sense for Windows will just ignore.</P> <P><STRONG>Environments:</STRONG></P> <P><LI-PRODUCT title="Qlik Cloud" id="qlikSenseEnterpriseSaaS"></LI-PRODUCT>&nbsp;</P> <P>&nbsp;</P> <H3><STRONG>Resolution</STRONG></H3> <P>FIrst of all, generate a token based on the steps in the below article.</P> <DIV class="lia-message-subject"><A href="https://community.qlik.com/t5/Knowledge/Qlik-Sense-How-to-request-an-OIDC-token-manually-and-check-if/ta-p/1843408" target="_self">Qlik Sense: How to request an OIDC token manually and check if correct attributes are included (PowerShell)<SPAN>&nbsp;</SPAN></A></DIV> <P><LI-WRAPPER></LI-WRAPPER></P> <H2 class="message-subject">&nbsp;</H2> <P>Once the tokens generated, take the access_token (NOT the id_token) and use it to retrieve information from the Azure AD Graph API:</P> <P>&nbsp;</P> <LI-CODE lang="markup">$access_token='eyJ0eXAiOi...CjAeMzpab_5QE2c5QZm0bA' $hdrs = @{} $hdrs.Add("Authorization","Bearer "+$access_token) $url = 'https://graph.microsoft.com/v1.0/me/memberof' $response = Invoke-WebRequest -Uri $url -Method Get -Headers $hdrs echo $response.Content​</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>Example of response:</P> <P>&nbsp;</P> <LI-CODE lang="markup">{"@odata.context":"https://graph.microsoft.com/v1.0/$metadata#directoryObjects","value":[{"@odata.type":"#microsoft.graph.directoryRole","id":"605fd212-5945-4270-a4d5-e1e6ca65fbc7","deletedDateTime":null,"description":nu ll,"displayName":null,"roleTemplateId":null},{"@odata.type":"#microsoft.graph.group","id":"43d6963e-a75f-46d7-87e4-99b95bb74877","deletedDateTime":null,"classification":null,"createdDateTime":"2018-08-31T14:24:21Z","crea tionOptions":[],"description":"Qlik","displayName":"TestGroup","expirationDateTime":null,"groupTypes":[],"isAssignableToRole":null,"mail":null,"mailEnabled":false,"mailNickname":"cf40a8f3-47f6-4a3b-811b-e6028a9e21b9 ","membershipRule":null,"membershipRuleProcessingState":null,"onPremisesDomainName":null,"onPremisesLastSyncDateTime":null,"onPremisesNetBiosName":null,"onPremisesSamAccountName":null,"onPremisesSecurityIdentifier":null, "onPremisesSyncEnabled":null,"preferredDataLocation":null,"preferredLanguage":null,"proxyAddresses":[],"renewedDateTime":"2018-08-31T14:24:21Z","resourceBehaviorOptions":[],"resourceProvisioningOptions":[],"securityEnabl ed":true,"securityIdentifier":"S-1-12-1-1138136638-1188538207-3113870471-2001254235","theme":null,"visibility":null,"onPremisesProvisioningErrors":[]}]}</LI-CODE> <P>&nbsp;</P> <P>&nbsp;</P> <P>Qlik Sense will fetch the odata type #microsoft.graph.group and fetch the displayName, then create the groups.</P> <P>If there is more than 100 groups, the results will be paginated by page of 100 in the Graph API, Qlik Sense can fetch up to 10 pages (1000 groups).</P> Mon, 15 Aug 2022 07:29:15 GMT https://community.qlik.com/t5/Official-Support-Articles/Qlik-Sense-SaaS-How-to-verify-group-information-returned-by/ta-p/1968589 Damien_V 2022-08-15T07:29:15Z