{"id":2156,"date":"2018-11-19T11:00:51","date_gmt":"2018-11-19T11:00:51","guid":{"rendered":"https:\/\/developer.microsoft.com\/en-us\/office\/blogs\/?p=2156"},"modified":"2018-11-19T11:00:51","modified_gmt":"2018-11-19T11:00:51","slug":"30daysmsgraph-day-19-use-case-assign-permissions-using-unified-groups","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/30daysmsgraph-day-19-use-case-assign-permissions-using-unified-groups\/","title":{"rendered":"30DaysMSGraph \u2013 Day 19 \u2013 Use Case: Assign Permissions using Unified Groups"},"content":{"rendered":"

List of all posts in the #30DaysMSGraph series<\/a><\/h4>\n

In Day 18<\/a> we extended the base .Net Core console application to update the users (exchange online) mailbox settings in Office 365. Today we\u2019ll extend the base console application to assign permissions to the users by adding them to the unified groups.\u00a0 Note that it is not required to perform each of the daily Use Case samples in order to continue to the next.\u00a0 Starting with the base console application from Day 15 will be sufficient if building from scratch, or as always, you can clone the completed version in the provided repo at bottom of this post. The application uses a client secret and the Microsoft Authentication Library (MSAL) to establish an authentication context with the Microsoft Graph API.<\/p>\n

\"\"<\/a><\/p>\n

Today we will explore the process of adding user to the required Office 365 Groups in preparation for onboarding a user.<\/p>\n

Add and validate user permissions in unified groups<\/h3>\n

In preparation for onboarding a user, once the user is created and appropriate license is applied, now we can add the permissions required for the user to various groups. In this post we will show you how to add users to Office 365 unified groups. By virtue of being part of these groups, the user will get permissions to access not just the group but also the associated SharePoint Online site. As of today (Nov 2018), Microsoft Graph does not support adding user permissions to SharePoint Online site. However, you can update the Azure AD App and assign permissions to SharePoint Online (in addition to Microsoft Graph) and then access SharePoint Online REST API to accomplish the task of assigning permissions. Note that this is outside the scope for today’s post.<\/p>\n

You can use the Microsoft Graph endpoint \/users\/{id|userPrincipalName}\/memberOf to get groups and directory roles that a user is a direct member of. You can find the Microsoft Graph documentation here<\/a>.<\/p>\n

You can use the Microsoft Graph endpoint \/groups\/{id}\/members\/$ref to add a user to a group. The documentation for this endpoint is here<\/a>.<\/p>\n

To use the above API the Azure AD App needs new permissions. As such the Azure AD App Registration\u00a0needs to be updated to include the following application permissions: User.Read.All, Group.ReadWrite.All, Directory.Read.All, and Directory.ReadWrite.All<\/p>\n

\"\"<\/a><\/p>\n

With the necessary permissions configured it is time to look at new the code required.<\/p>\n

\n

Get list of groups user is a member of<\/h4>\n<\/div>\n
\n

Below is a helper method added to PermissionHelper.cs class that will list out all the Groups that a user belongs to.<\/p>\n

\n
\n
        \/\/Returns a list of groups that the given user belongs to\n        public async Task<List<ResultsItem>> UserMemberOf(string alias)\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 User user = FindByAlias(alias).Result;\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 List<ResultsItem> items = new List<ResultsItem>();\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IUserMemberOfCollectionWithReferencesPage groupsCollection = await _graphClient.Users[user.Id].MemberOf.Request().GetAsync();\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 if (groupsCollection?.Count > 0)\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 foreach (DirectoryObject dirObject in groupsCollection)\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 if (dirObject is Group)\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Group group = dirObject as Group;\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 items.Add(new ResultsItem\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Display = group.DisplayName,\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Id = group.Id\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 });\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 return items;\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/pre>\n
\n
Identify a group and add user permissions to the group and the associated SharePoint Online Site<\/h4>\n<\/div>\n
Below are two more helper methods that will help in adding a user to a unified group and also ensures the user is not already part of that group.<\/div>\n
\n
\n
\u00a0 \u00a0 \u00a0 \u00a0 \/\/Adds the user to the given group if not already a member of\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 public async Task AddUserToGroup(string alias, string groupId)\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 User user = FindByAlias(alias).Result;\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 List<ResultsItem> items = UserMemberOf(alias).Result;\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 if (items.FindIndex(f => f.Id == groupId) >= 0)\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Console.WriteLine(\"User already belongs to this group\");\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 else\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 await _graphClient.Groups[groupId].Members.References.Request().AddAsync(user);\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }\n\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/\/Returns the first unified group with the given suffix\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 public async Task<string> GetGroupByName(string groupNameSuffix)\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 var groups = await _graphClient.Groups.Request().Filter(\"groupTypes\/any(c:c%20eq%20'unified') AND startswith(displayName,'\" + groupNameSuffix + \"')\").Select(\"displayName,description,id\").GetAsync();\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 if (groups?.Count > 0)\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 return (groups[0] as Group).Id as string;\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 return null;\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/pre>\n<\/div>\n<\/div>\n
Now that the helper methods are ready. You can call into these methods from the Program.cs class using below method:<\/div>\n
\n
\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 private static void PermissionHelperExampleScenario()\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 const string alias = \"adelev\";\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ListUnifiedGroupsForUser(alias);\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 string groupId = GetUnifiedGroupStartswith(\"Contoso\");\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 AddUserToUnifiedGroup(alias, groupId);\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ListUnifiedGroupsForUser(alias);\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }\n\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 private static void ListUnifiedGroupsForUser(string alias)\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 var permissionHelper = new PermissionHelper(_graphServiceClient);\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 List<ResultsItem> items = permissionHelper.UserMemberOf(alias).Result;\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Console.WriteLine(\"User is member of \"+ items.Count +\" group(s).\");\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 foreach(ResultsItem item in items)\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 Console.WriteLine(\"\u00a0 Group Name: \"+ item.Display);\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }\n\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 private static string GetUnifiedGroupStartswith(string groupSuffix)\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 var permissionHelper = new PermissionHelper(_graphServiceClient);\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 var groupId = permissionHelper.GetGroupByName(groupSuffix).Result;\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 return groupId;\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }\n\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 private static void AddUserToUnifiedGroup(string alias, string groupId)\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 {\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 var permissionHelper = new PermissionHelper(_graphServiceClient);\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 permissionHelper.AddUserToGroup(alias, groupId).GetAwaiter().GetResult();\n\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 }<\/pre>\n<\/div>\n<\/div>\n<\/div>\n
In the above code the method\u00a0PermissionHelperExampleScenario encapsulates today’s use case secnario. It first lists out all the unified groups that a given user belongs to. Then it identifies a new unified group. Then attemps to add the user to this new group. The code takes care of validating if the user is already part of this group. Finally to validate the use case, it lists out the groups that the user belongs to.<\/div>\n
<\/div>\n
The complete set of instructions and code are on GitHub in the\u00a0dotnetcore-console-sample<\/a> repo for you try it yourself.<\/div>\n
\n
Try It Out<\/h2>\n
Navigate to the\u00a0dotnetcore-console-sample<\/a> repo.\u00a0 Do one (or both) of the following:<\/p>\n
Day 19 repo link<\/a><\/p>\n
    \n
  1. Clone the repo and configure the project in the Day 19 subfolder.<\/li>\n
  2. Follow the instructions in Day 19 to build the project from scratch yourself.<\/li>\n<\/ol>\n
    If you run into any issues while building or configuring the project please create a new Issue on the repo.<\/p>\n
    Join us tomorrow as we show you how to use Device Code Flow to authenticate user and use Microsoft Graph API in Day 20<\/a>.<\/p>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"
    In this post we will show you how to add users to Office 365 unified groups. By virtue of being part of these groups, the user will get permissions to access not just the group but also the associated SharePoint Online site. <\/p>\n","protected":false},"author":69213,"featured_media":25159,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[3],"tags":[84],"class_list":["post-2156","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-microsoft-graph","tag-30daysmsgraph"],"acf":[],"blog_post_summary":"
    In this post we will show you how to add users to Office 365 unified groups. By virtue of being part of these groups, the user will get permissions to access not just the group but also the associated SharePoint Online site. <\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/2156","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/users\/69213"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/comments?post=2156"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/posts\/2156\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media\/25159"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/media?parent=2156"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/categories?post=2156"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/microsoft365dev\/wp-json\/wp\/v2\/tags?post=2156"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}