Skip to main content

Migrating from LDAP to Graph API

Today, PwC Identity, specifically ForgeRock OpenDJ, supports the Lightweight Directory Access Protocol (LDAP).

LDAP allows users or applications to connect to a directory to search or update objects. Objects can be accounts or groups. In addition to searching and/or updating objects, LDAP supports validating/authenticating user credentials (referred to as a BIND).

As PwC Identity transitions from ForgeRock products to Entra ID as its global Identity solution, applications that leverage LDAP to ForgeRock OpenDJ will need to change as Entra ID does not support LDAP.

This can be done using the Graph API, which can be used to manage user & group objects in Entra ID.

Prerequisites for Migration

If your application currently uses LDAP to connect to OpenDJ, you must meet the following conditions to move to Graph API:

Important Conditions
  1. Read-Only User Operations: Your application does not use LDAP to update user objects but only uses LDAP to perform search operations on user objects to pull back information. PwC Entra ID tenant is a hybrid model in that all PwC user accounts and attributes are synchronized from PwC's on-prem Active Directory known as One AD. In this hybrid model, you cannot make changes directly to user objects in Entra ID. All changes are only accepted from One AD and sync to Entra ID.

  2. Group Operations: Your application uses LDAP to perform search operations on groups or update certain groups the application owns. Graph ID APIs support both use cases if your application is granted the needed access to update groups.

  3. No Authentication Required: You do not require authentication (i.e., BIND operations). With LDAP you can pass a username and password entered by the user and ask OpenDJ to return success or failure. You cannot directly use the Graph API to directly validate a user's password against their stored credentials for security reasons.

If you meet these conditions, you can move to Graph APIs. If not, you will need to engage the PwC Identity Application Integration Team to discuss alternative solutions for your application.

Requesting Graph API Access

To access PwC Entra ID tenant via APIs, application owners must submit a request and receive approval before access to Graph APIs is allowed. The M365@PwC SharePoint Site provides guidance for obtaining this approval.

Processing Time

This process can take weeks depending on the type of access needed by an application.

Detailed API Methods

For detailed information about Graph API methods, Microsoft provides a robust set of articles on their APIs that can be found here.


Search User by Email

This method allows an application to query PwC's Entra ID tenant using email as the filter.

API Permissions Needed: User.Read.All

Sample Code:

GET https://graph.microsoft.com/v1.0/users?$filter=(mail+eq+'USEREMAIL')

By default, a limited set of properties are returned:

  • businessPhones, displayName, givenName, id, jobTitle, mail, mobilePhone, officeLocation, preferredLanguage, surname, userPrincipalName.
tip

If you want to return specific attributes, you can add &$select= parameter.

GET https://graph.microsoft.com/v1.0/users?$filter=(mail+eq+'USEREMAIL')&$select=displayName,mail,userPrincipalName,userType,createdDateTime,externalUserState,id

Reference: Microsoft Graph User Search Documentation


Search User by User Principal Name (UPN)

This method allows an application to query PwC's Entra ID tenant using UPN as the filter. Details on this method and sample code in multiple languages can be found here.

API Permissions Needed: User.Read.All

UPN vs Email Differences
  1. For PwC staff and contractors: Email and UPN are the same

    • Example: bob@pwc.com is both UPN and email in Entra ID for the user.
  2. For guest accounts: The UPN is a Microsoft calculated value based on the SMTP address of the user.

    • Example: bob@companyabc.com would have a UPN of bob_companyabc.com#EXT#@pwc.onmicrosoft.com

Therefore, when searching guest user accounts, you should use email and not UPN.

Sample Code:

GET https://graph.microsoft.com/v1.0/users/USERUPN

By default, a limited set of properties are returned:

  • businessPhones, displayName, givenName, id, jobTitle, mail, mobilePhone, officeLocation, preferredLanguage, surname, userPrincipalName.

Add ?$select= to return specific attributes:

GET https://graph.microsoft.com/v1.0/users/USERUPN?$select=displayName,mail,userPrincipalName,userType,createdDateTime,id

Add /memberOf to return groups a user is a member of:

GET https://graph.microsoft.com/v1.0/users/USERUPN/memberOf

Reference: Microsoft Graph User Get Documentation


Get Group Information

This method allows an application to query for an Entra ID Security Group and return group information. Details on this method can be found here.

API Permissions Needed: GroupMember.Read.All

Sample Code:

GET https://graph.microsoft.com/v1.0/groups/{{id}}
tip

If you want to return members of a group, add /member:

GET https://graph.microsoft.com/v1.0/groups/{{id}}/member

Reference: Microsoft Graph Group Get Documentation


Add Group Member

This method allows an application to add a member to a Security Group in Entra ID. Details on this method can be found here.

When adding a group member, you must specify the Group Object ID ({{group-id}}), in Entra ID as well as the Object ID ({{id}})of the user being added.

API Permissions Needed: GroupMember.ReadWrite.All

Sample Code:

POST https://graph.microsoft.com/v1.0/groups/{{group-id}}/members/$ref
{
"@odata.id": "https://graph.microsoft.com/v1.0/directoryObjects/{{id}}"
}

Bulk Operations:

To add multiple members at a time, up to 20 members can be added in a single request:

PATCH https://graph.microsoft.com/v1.0/groups/{{group-id}}/
{
"members@odata.bind":[
"https://graph.microsoft.com/v1.0/users/{{user-id-1}}",
"https://graph.microsoft.com/v1.0/users/{{user-id-2}}",
"https://graph.microsoft.com/v1.0/users/{{user-id-3}}"
]
}

Reference: Microsoft Graph Add Group Member Documentation


Remove Group Member

This method allows an application to remove a member from a Security Group in Entra ID. Details on this method can be found here.

Excercise Caution

If /$ref is not appended to the request and the calling app has permissions to manage the member object type, the member object will also be deleted from Microsoft Entra ID; otherwise, a 403 Forbidden error is returned. For example, an app with both GroupMember.ReadWrite.All and User.ReadWrite.All permissions will delete a user. Please use this method with care.

API Permissions Needed: GroupMember.ReadWrite.All

Sample Code:

DELETE https://graph.microsoft.com/v1.0/groups/{{group-id}}/members/{{directory-object-id}}/$ref

Reference: Microsoft Graph Remove Group Member Documentation


References

NameDescription
Overview of Microsoft GraphGraph API overview
Working with Users in Microsoft GraphUser reference
Identity LDAP GuideTBD

Additional Resources

Microsoft Documentation

For the latest updates and detailed documentation, visit the Microsoft Graph API documentation.

Quick Start Guides