Mail.Send permission on Calendar.ReadWrite Application Access - azure-active-directory

I have an application and I wanted to create a meeting event in the
user's Outlook Calendar.
In my AzureAd application, I am planning to give
"Calendar.ReadWrite" Application Permission.
Do I need to give Mail.Send permission to send a meeting invite from the user's Calendar?
Or is Calendar.ReadWrite permission enough?

Calendar.ReadWrite permission is enough.
The event meeting invitation will be sent automatically.

Related

Why are new guest users able to view the tenant management portal and invite users in Azure AD B2C?

I've been evaluating Azure Active Directory B2C as a solution for an identity provider I need for an upcoming project.
During my evaluation I noticed the following behavior that I am not sure should be possible:
I am in my B2C tenant and I invite a new guest user. In this case it is for a different email address that I control. This email address has no association to this B2C instance nor the parent AD instance, the Azure account or anything related. It is a throw away account I am using for testing.
I get the invitation sent to that address and log in through a different browser in incognito mode. I create my account and complete that flow.
Now here is where I am slightly concerned with security:
Logged in as this user I am able to do the following:
Log into the B2C instance and see some top-level info such as the TenantId, etc.
I do not see other users BUT I can click on the "New Guest User" button ("New User" is greyed out) and can attempt to create/invite users. I am blocked from all the operations I tried but it seems strange to surface this UI.
Even though it said the operation was blocked my invitation to another email address I control actually went through. I was able to go through the invitation flow. There were some errors and it even said the invitation code was not valid... but despite this the invitation completed and I was able to log into the tenant management UI with this new user.
This user was also able to create invitations.
I also see this new user that was invited by the guest in my user list logged in as the account admin.
So my questions are:
Is this by design? Why?
Is this a possible bug?
Can this be blocked?
Why can B2C guest users invite other users and initiate the flow?
Why can B2C guest users even log into the tenant management site?
I can't imagine why a default scenario would allow new users that have not been given any privileges to view your tenant and invite other guests. In my scenario this should not be possible.
The idea of guest users in B2C is to invite other people who can be admins.
These people are not local users.
If you want to invite people to be local users, use a magic link.

Graph Explorer: Need admin approval

https://graph.microsoft.com/v1.0/me/sendMail
I am trying to call sendMail in graph and received error:
Graph explorer (official site) needs permission to access resources in your organization that only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
I understand that I need to ask an admin, but I don't know who to ask or what the procedure is like. My tenant is "Microsoft"
Thanks for any input!
The application requires one or more permissions which only a Global Admin can consent to. There are some permissions for which standard users can provide consent, but if the application needs a high-level permission with which changes can be made to the directory, the above message is displayed and only the Global Administrator can consent to those permissions.
So you would need to contact a Global Administrator to provide consent. For the microsoft.com tenant, you can open a request here. Please refer to a similar question; it may help you.
You have granted the application permission without admin consent. The easiest way is to redirect the user to the administrator consent endpoint, then log in with the administrator account and click the Accept button to grant administrator consent for your application.
You need to request the URL in your browser:
https://login.microsoftonline.com/{tenant_id}/adminconsent?client_id={client_id}

Microsoft Graph Teams Guest Invitation

I'm trying to develop an app in Teams to help team owners invite external guests to their teams. The app uses the Graph API /invitations call in the backend to get the job done. We are restricting the users who can invite guests by assigning them the User.Invite.All API permission in the Azure portal under the AD App registration blade. What we found was that even users who have not been assigned this permission are able to invite guests. Am I doing anything wrong?
If you gave the delegated permission User.Invite.All to the app, and the user is able to invite a user, then the user already had rights to invite users.
They would be able to go to e.g. portal.azure.com, and invite users from there as well in that case.
If you gave the app permission User.Invite.All to the app, then any user using the app can invite users, since the app itself has the permission and the user info is not even present in the access token.

Is it possible to use AAD delegated permissions without physical user login?

I would like an AAD app to act on behalf of a user, without requiring the user to log in to authenticate himself. E.g., I would like an app to be able to send an email from a user's account on the user's behalf programmatically using the Graph API, but based on an event, and without the user signing in each time to authenticate. Is this something that is possible using AAD delegated permissions?
I cannot use the client credentials flow using application permissions, because my admin will not grant access to my app, so I am looking for a viable workaround.
Thanks in advance!
You will need the user to consent to your app using his/her e-mail address, or an admin consenting to the app using everyone's e-mail address. No other way.
Check out this article, which describes dealing with long-term access to APIs without the presence of the user. And this one, describing the offline_access scope.
But, without someone letting you use their e-mail, you cannot use it. Period.

Graph API - Daemon app with User Consent

We want to create an API App (main purpose is to contact our organization's Office 365 Graph endpoint and send email) in Azure. However, our frontend website doesn't use Azure AD for user authentication, and we want our backend API to be able to send email in one of the following ways:
1) send email as any user
2) send email on behalf of a service account
We are trying to explore the possible options, and based on the investigation done so far, this (option 1) can be done using admin_consent. Can someone help with the steps we need to follow to create such an app and deploy it?
Additionally, is there a way to create an API app without a login screen being prompted during the execution of the API while using user_consent?
Option 1
In order for an app/daemon to send email as any user, it must have the send mail as any user app permission.
Give that permission on the Microsoft Graph API to the app, then grant the permission by clicking the Grant Permissions button in the portal, or by going through the admin consent flow.
Your API can then authenticate with its client credentials and get an access token to send email.
The bad side of this approach should be obvious, the app gets rights to send emails as anyone in your org.
Option 2
You could alternatively create an account for the API, and then use the Resource Owner Password grant flow to authenticate. You would then give the delegated permission for sending email as the signed in user.
The bad side of this is the flow for authenticating. If the account's password expires, there is no way for you to reset it from there; you would have to intervene to fix the problem.
Consent
You cannot go through consent without the browser UI.
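As an added example (not code from any of the answers on this page), here is the backend check the Teams answer above and Option 1 here both imply: a delegated token carries `scp` and the signed-in user's identity, an app-only token carries `roles` and no user at all, so an app holding application permissions must enforce its own allow-list of which mailboxes or principals it will act on. The tokens are constructed and unsigned; signature, issuer and audience validation is assumed to have happened earlier in the pipeline.

```python
import base64
import json

# Constructed, unsigned tokens for illustration only; a real token is signed
# by Entra ID and must pass issuer/audience/signature checks before this step.
def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_unsigned_token(claims: dict) -> str:
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.sig"

def decode_claims(token: str) -> dict:
    """Payload claims only; assumes the signature was verified upstream."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))

def token_kind(claims: dict) -> str:
    # Delegated tokens carry 'scp' (space-separated scopes) plus the user's
    # identity; app-only tokens carry 'roles' and no user. The optional
    # 'idtyp' claim, when configured, is "app" for app-only tokens.
    if "scp" in claims:
        return "delegated"
    if "roles" in claims or claims.get("idtyp") == "app":
        return "app-only"
    return "unknown"

def authorize(claims: dict, permission: str, target: str, allowed: set) -> tuple:
    """May this token use `permission` against `target` (the mailbox to send
    as, or the user on whose behalf guests are invited)?"""
    kind = token_kind(claims)
    if kind == "delegated":
        if permission not in claims["scp"].split():
            return False, "scope not granted"
        if target != claims.get("oid"):  # Graph only lets it act as that user
            return False, "delegated token may only act as its own user"
        return True, "delegated: acting as the signed-in user"
    if kind == "app-only":
        if permission not in claims.get("roles", []):
            return False, "app role not granted"
        # No user in the token: the app can reach any principal, so it must keep
        # its own allow-list (or be scoped server-side, e.g. by an Exchange Online
        # application access policy for Mail.Send).
        if target not in allowed:
            return False, "target not in the app's allow-list"
        return True, "app-only: target explicitly allowed"
    return False, "no permission claims present"

# Constructed sample tokens (no real tenant, user or app values).
DELEGATED = make_unsigned_token({"oid": "user-123", "scp": "User.Invite.All Mail.Send"})
APP_ONLY = make_unsigned_token({"idtyp": "app", "roles": ["Mail.Send"]})
```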
