Create online meeting on behalf of user MS Graph API - azure-active-directory

In our project we are trying to integrate MS Teams with a web application using the MS Graph API. The use case is OnlineMeeting for virtual events; the attendees may or may not have a Microsoft account.
I created an Azure AD account, created a new tenant, created a new user (given the Global Administrator role), registered a new application and gave it the required API permissions User.ReadWrite.All and OnlineMeetings.ReadWrite.All, both as Application and as Delegated permissions.
Initially I was using the user-credentials flow (no manual authentication, since in our use case the user should be authenticated automatically through Java) to get the access token. Since using a username and password (the ROPC flow) is not recommended, I am now trying to get the access token using only the client ID and client secret with adal4j. I am able to get an access token, but I am not able to use it for the /me/onlineMeeting endpoints, since the token doesn't contain the required permission and scope.
So I tried to reach the endpoint /users/{id}/onlineMeeting with the token obtained from the client ID and secret, but it gives an error like: Application does not have permission to Create online meeting on behalf of this user.
I referred to https://learn.microsoft.com/en-us/graph/cloud-communication-online-meeting-application-access-policy
where it is mentioned to change the access policy.
Is there any way to create an online meeting on behalf of a user without changing the access policy?
To create an online meeting on behalf of a user, do we need a Skype for Business account?
An online meeting can be created by two endpoints: /onlineMeeting and /events.
So does /events in the Calendar API require any additional privileges, like an Office 365 license, to create an online meeting?
To implement this use case, what Microsoft account type (Azure AD account) is needed,
and what licenses and Azure subscription are needed?
To create an online meeting with dial-in only, do we need any special license?

Is there any way to create an online meeting on behalf of a user without changing the access policy? To create an online meeting on behalf of a user, do we need a Skype for Business account?
No. We have to set the access policy to use an Application token to create an online meeting on behalf of a user. To create an online meeting with Microsoft Graph, we don't need a Skype for Business account. But if you want to create an online meeting through the UI / web client, you need a Teams license. (When I use a new account without any O365 license assigned, it shows a license error, but it is then bypassed. So I think it's a bug. I think we should need a Skype for Business account / Teams license to create the online meeting.)
So does /events in the Calendar API require any additional privileges, like an Office 365 license, to create an online meeting?
Yes. We need an O365 Exchange Online license to create /events.
To implement this use case, what Microsoft account type (Azure AD account) is needed, and what licenses and Azure subscription are needed?
In summary, you need at least an AAD work or school account and an O365 Exchange Online license.
To create an online meeting with dial-in only, do we need any special license?
Microsoft Graph doesn't support creating an online meeting with dial-in only. See audioConferencing; it's read-only.
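The app-only flow the question and answer describe, as an added example that is not code from the original post or from Microsoft: acquire a token with the client-credentials grant, POST to /users/{id}/onlineMeetings (an app-only token has no signed-in user, so /me cannot work), and classify the failure the asker hit. The access policy itself is created with the Teams PowerShell cmdlets the linked doc describes (New-CsApplicationAccessPolicy, then Grant-CsApplicationAccessPolicy to the organizer or with -Global); the example assumes that has already been done. TENANT_ID, CLIENT_ID, CLIENT_SECRET and ORGANIZER are placeholder environment variables, and the sample error body is constructed to mirror the message quoted in the question, not captured from Graph.

```python
"""Added example (standard library only): client-credentials token, app-only
online-meeting creation on behalf of a user, and error classification."""
import json
import os
import urllib.error
import urllib.parse
import urllib.request

GRAPH = "https://graph.microsoft.com/v1.0"

# Constructed sample of the 403 body the question quotes (not a real capture).
SAMPLE_POLICY_ERROR = json.dumps({"error": {
    "code": "Forbidden",
    "message": "Application does not have permission to Create online meeting on behalf of this user",
}})


def token_request(tenant_id, client_id, client_secret):
    """Build the v2.0 client-credentials request. An app-only token can only ask
    for the resource's /.default scope; its effective permissions are whatever
    application permissions an admin consented to (here OnlineMeetings.ReadWrite.All)."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    body = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    return urllib.request.Request(url, data=body, method="POST")


def meeting_payload(subject, start_iso, end_iso):
    """Minimal onlineMeeting body; times are ISO-8601 with an explicit offset."""
    return {"subject": subject, "startDateTime": start_iso, "endDateTime": end_iso}


def meeting_request(token, organizer, payload):
    """POST /users/{id or UPN}/onlineMeetings with the app-only bearer token.
    The organizer must be a user the application access policy was granted to."""
    url = f"{GRAPH}/users/{urllib.parse.quote(organizer)}/onlineMeetings"
    return urllib.request.Request(
        url,
        data=json.dumps(payload).encode(),
        method="POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )


def classify_graph_error(status, body):
    """Map a failed Graph response to an actionable cause.

    A 403 whose message says the app lacks permission "on behalf of" the user is
    the access-policy case: the permission is consented, but no policy grants
    this app the right to act for this organizer. Matching on the message text
    is an assumption (it is the string quoted in the question), not a contract."""
    try:
        err = json.loads(body).get("error", {})
    except ValueError:
        err = {}
    message = str(err.get("message", ""))
    if status == 401:
        return "token-rejected"
    if status == 403 and "on behalf of" in message.lower():
        return "access-policy-missing"
    if status == 403:
        return "permission-missing"
    return f"other:{status}:{err.get('code', '')}"


def send(req):
    """Perform the request; on HTTP errors return (status, body) instead of raising."""
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


if __name__ == "__main__":
    tenant, cid, secret = (os.environ[k] for k in ("TENANT_ID", "CLIENT_ID", "CLIENT_SECRET"))
    organizer = os.environ["ORGANIZER"]  # UPN or object id covered by the access policy
    status, body = send(token_request(tenant, cid, secret))
    if status != 200:
        raise SystemExit(f"token request failed: {status} {body}")
    token = json.loads(body)["access_token"]
    payload = meeting_payload("Virtual event", "2024-05-01T10:00:00+00:00", "2024-05-01T11:00:00+00:00")
    status, body = send(meeting_request(token, organizer, payload))
    if status == 201:
        print("joinWebUrl:", json.loads(body)["joinWebUrl"])
    else:
        print(classify_graph_error(status, body), body)
```

Keep the client secret out of source and logs; the token it yields is tenant-wide for every application permission consented, which is exactly why Graph additionally requires the per-user access policy before an app may act as an organizer.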

Related

How to allow external users to sign in to an app that is secure by Microsoft identity using Azure AD

I have an app (ASP.Net Classic) that is using Azure AD authentication. Now we want to allow users outside of the organization to sign in. I read a few documents on B2C and B2B, but I am unable to see which one is good for me.
I am looking for members of the organization to be able to sign in without having to create a new account. One of the options B2B suggests is to add the user to AD as a guest user, but this is a manual process; it would be good if it could be automated. Also, that doesn't describe how the user would send the request for login info.
It depends on your use case.
Imagine a large company. They have Azure AD for their employees. Now they want some suppliers to have access to their billing system. Those suppliers are guest users. That's B2B.
For guest users, an admin can send an invitation email that contains a redemption link.
B2C is for the customers of the company. They use the company's e-commerce system. They do not need access to the billing system.
B2C is self-service, i.e. these users self-register and can change their profile or reset their password.

Using personal account (live.com) to get an access token for my app

I am having trouble getting an access token using the password grant auth end point.
I created an app registration in my Azure account which is tied to my personal live.com Microsoft account.
In the application settings I've set the supported account types to AzureADandPersonalMicrosoftAccount (Accounts in any organizational directory (Any Azure AD directory - Multitenant) and personal Microsoft accounts (e.g. Skype, Xbox))
When I attempt to authorize via my personal account's username/password using the https://login.microsoftonline.com/{TenantId}/oauth2/v2.0/token endpoint with grant_type=password, I get the following error:
AADSTS50034: The user account {EmailHidden} does not exist in the xxx-xxx directory. To sign into this application, the account must be added to the directory.
I am not sure how this is possible as I am obviously the only member of my Azure AD.
The app, Todo Inventory is listed under the applications in the user profile as shown below:
Note that I am successfully able to get an access token using the auth code flow described in the documentation here: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow
But I want to use the password grant instead, and nothing I have tried seems to work.
Am I missing something here..?
The Microsoft identity platform doesn't support the resource owner password flow for personal accounts. https://learn.microsoft.com/azure/active-directory/develop/v2-oauth-ropc
The Microsoft identity platform endpoint only supports ROPC for Azure AD tenants, not personal accounts. This means that you must use a tenant-specific endpoint (https://login.microsoftonline.com/{TenantId_or_Name}) or the organizations endpoint.
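An added example (not code from the original post or from Microsoft) of the rule in the answer: only build a ROPC request against an authority the grant can work on, and pull the AADSTS code out of a failed token response so the caller can tell "wrong endpoint / personal account" (AADSTS50034) apart from a bad password. The personal-account domain list is a heuristic assumption, and the sample error body is constructed to mirror the message quoted in the question, not captured from the endpoint.

```python
"""Added example (standard library only): guard a v2.0 ROPC request and parse
AADSTS codes from the token endpoint's error JSON."""
import json
import re
import urllib.parse
import urllib.request

LOGIN = "https://login.microsoftonline.com"
# /common and /consumers route personal accounts; ROPC is only issued for Azure AD
# (work or school) accounts, so these authorities can never succeed.
ROPC_UNSUPPORTED_AUTHORITIES = {"common", "consumers"}
# Heuristic (assumption): well-known personal Microsoft account domains.
PERSONAL_DOMAINS = ("@outlook.com", "@hotmail.com", "@live.com")

AADSTS_RE = re.compile(r"\b(AADSTS\d+)\b")

# Constructed sample mirroring the error quoted in the question (not a real capture).
SAMPLE_ERROR = json.dumps({
    "error": "invalid_grant",
    "error_description": "AADSTS50034: The user account {EmailHidden} does not exist in the "
                         "xxx-xxx directory. To sign into this application, the account must "
                         "be added to the directory.",
})


def ropc_supported(tenant, username):
    """True only for a tenant id, verified domain or 'organizations' authority
    and a non-personal account; checked before any password leaves the process."""
    t = tenant.strip("/").lower()
    if t in ROPC_UNSUPPORTED_AUTHORITIES:
        return False
    return not username.lower().endswith(PERSONAL_DOMAINS)


def ropc_request(tenant, client_id, username, password, scopes):
    """Return a POST Request for grant_type=password, or raise ValueError when
    ropc_supported() says the grant cannot work for this authority/account."""
    if not ropc_supported(tenant, username):
        raise ValueError("ROPC needs a tenant-specific or 'organizations' authority and an Azure AD account")
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "client_id": client_id,
        "username": username,
        "password": password,
        "scope": " ".join(scopes),
    }).encode()
    return urllib.request.Request(f"{LOGIN}/{tenant.strip('/').lower()}/oauth2/v2.0/token",
                                  data=body, method="POST")


def aadsts_code(error_body):
    """Extract the AADSTS code from a token-endpoint error JSON (or raw text); None if absent."""
    try:
        desc = json.loads(error_body).get("error_description", "")
    except ValueError:
        desc = error_body
    m = AADSTS_RE.search(desc)
    return m.group(1) if m else None


if __name__ == "__main__":
    print(ropc_supported("common", "alice@contoso.com"))        # False: wrong authority
    print(ropc_supported("contoso.onmicrosoft.com", "me@live.com"))  # False: personal account
    print(aadsts_code(SAMPLE_ERROR))                              # AADSTS50034
```

Even where it is supported, ROPC hands the user's password to the application and cannot satisfy MFA or Conditional Access, so the auth code flow the asker already has working is the one to keep; the guard above is for legacy code that must still call the grant.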

Why does Microsoft Dynamics 365 ask for delegated admin in Azure app registration

I'm following a guide online to generate an access token to access Microsoft Dynamics 365 Customer Engagement: https://eax360.com/dynamics-365-online-connect-using-postman/.
All of it works fine; however, I am wondering why delegated Admin permissions need to be supplied in Azure Active Directory during app registration. I have seen a lot of guides explain that permissions must be delegated, but the above site documents the process well. As a general rule, I thought that starting with the lowest permissions was the norm. I am new to Azure AD, so thoughts are very much welcome.
If your app will be a client which allows the authenticated user to perform operations, you must configure the application to have the "Access Dynamics 365 as organization users" delegated permission.
Application permission means that you want your app to access Common Data Service without a user.
So whether to use delegated permission in Azure app registration depends on your needs. It is not mandatory.
But we can see that the Application permissions in the Azure app registration are grayed out. This is because Microsoft provides a different way to implement it.
We need to create a Common Data Service application user and then bind it to the registered app. After that, we can connect using the application secret. See the details here: Connect as an app.

Need to update contacts on user's Microsoft Outlook, do they really need to have an Active Directory?

Every piece of documentation or tutorial I follow on how to programmatically access Outlook's API seems to point to the same pattern:
The application redirects the user to Azure so he can authorize (OAuth) the app's access to his account's data.
Every time, Azure Active Directory is mentioned as a cloud-based credential/access manager.
I'm having a hard time understanding why exactly AD is even needed. And even if it is, does that mean that should a company desire to integrate an application with the employees' calendars, for example, they would need to have an AD just for authentication purposes? Does this make sense if I want to publish an application on Azure for any kind of customer?
Every Office 365 customer has an Azure AD for authentication. If you want to get at users' contacts in O365, you have to authenticate using Azure AD.
If you want to get at contacts in Outlook.com, Microsoft provides the same authentication flow for Microsoft Accounts (MSA) that Outlook.com uses.
This means you can use the same authentication flow and call the Microsoft Graph to get contacts no matter if they are an Office 365 user or an Outlook.com user. Your app does the same auth flow and makes the same calls.

How can I transfer or share apps, created in Microsoft app registration portal. I'm using Azure Active Directory and v2.0 endpoint

I'm using the passport-azure-ad library to authenticate people into our app. We are using the v2.0 endpoint. I have created multiple applications in the Microsoft app registration portal, and have a lot of redirect URLs because we have a lot of different environment apps. They were registered under my Microsoft employee account. Now I need to transfer ownership to another developer. How can I do it? Do I need to recreate all these apps in another account? I assume that this will create new app IDs and thus will ask all users for permissions again. Is there a way to transfer ownership and not recreate all the apps again?
Assuming you created your applications using your Azure Active Directory account (like your Microsoft Employee Account) you will have access to an "Owners" field where you can add new owners to the application which are in the same tenant as you.
If you are trying to transfer an application to a user from a different tenant or to an MSA account, that is not currently supported, but it is something that is being considered for the future.
If you need to create a new application ID, you will not be able to transfer the consent that you had for the first app over to the second one. That is just not really possible, nor something we would look to support, due to the security implications.