Azure AD Profile image to Slack - azure-active-directory

We are using Azure AD as well as Slack today. For most services we are using SCIM to provision users. All users have a profile image in Azure AD. As far as I understand it, Slack does not support profile images when using SCIM as they only have SCIM 1.1. So is there some way, or has anyone solved this in another way? My knowledge of writing advanced scripts and using APIs is limited. I want my Azure user images replicated to Slack.

It isn't supported or possible to transmit pictures using Azure AD's SCIM provisioning service today. It's a feature we've seen requested before and we're working on solving the problem.
If you are going to attempt to populate the picture in Slack today, it will have to be done via some form of scripting/automation on your end calling an API endpoint of Slack's that allows for upload of profile pictures.
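The scripting route the answer describes, as an added example that is not from the thread: read each user's photo from Microsoft Graph and push it to Slack through `users.setPhoto`. The example assumes (none of this is on the page) a Graph application token with `User.Read.All`, and one Slack user token per person carrying `users.profile:write`, because `users.setPhoto` only changes the photo of the account that owns the token; there is no admin-side "set someone else's photo" call in the plain Slack Web API. The two HTTP transports are injected so the sync logic can be exercised with constructed responses, and a `urllib`-based pair is included for real use.

```python
"""Replicate Azure AD profile photos into Slack (added example, not from the thread).

Assumed, not stated on the page: a Graph app token with User.Read.All, and one
Slack user token per user with users.profile:write (users.setPhoto only edits
the token owner's photo). Transports are injected so the logic runs offline.
"""
import json
import urllib.error
import urllib.request
import uuid
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

GRAPH = "https://graph.microsoft.com/v1.0"
SLACK = "https://slack.com/api"


@dataclass
class Response:
    status: int
    body: bytes
    content_type: str = ""


HttpGet = Callable[[str, Dict[str, str]], Response]                  # (url, headers)
HttpPostImage = Callable[[str, Dict[str, str], bytes, str], Response]  # (url, headers, image, ctype)


def multipart_image(field: str, data: bytes, content_type: str) -> Tuple[bytes, str]:
    """Encode one file field as multipart/form-data; returns (body, boundary)."""
    boundary = "----photo-sync-" + uuid.uuid4().hex
    head = (f'--{boundary}\r\nContent-Disposition: form-data; name="{field}"; '
            f'filename="photo"\r\nContent-Type: {content_type}\r\n\r\n').encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, boundary


def urllib_get(url: str, headers: Dict[str, str]) -> Response:
    """Real transport: GET returning the raw body (the photo bytes)."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=30) as r:
            return Response(r.status, r.read(), r.headers.get("Content-Type", ""))
    except urllib.error.HTTPError as e:
        return Response(e.code, e.read(), e.headers.get("Content-Type", ""))


def urllib_post_image(url: str, headers: Dict[str, str], image: bytes, content_type: str) -> Response:
    """Real transport: POST the picture as the `image` form field users.setPhoto expects."""
    body, boundary = multipart_image("image", image, content_type)
    hdrs = dict(headers, **{"Content-Type": f"multipart/form-data; boundary={boundary}"})
    req = urllib.request.Request(url, data=body, headers=hdrs, method="POST")
    with urllib.request.urlopen(req, timeout=30) as r:
        return Response(r.status, r.read(), r.headers.get("Content-Type", ""))


def fetch_user_photo(graph_get: HttpGet, graph_token: str, user_id: str) -> Optional[Tuple[bytes, str]]:
    """Return (bytes, content_type), or None when Graph answers 404 (user has no photo)."""
    resp = graph_get(f"{GRAPH}/users/{user_id}/photo/$value",
                     {"Authorization": f"Bearer {graph_token}"})
    if resp.status == 404:
        return None
    if resp.status != 200:
        raise RuntimeError(f"Graph returned HTTP {resp.status} for {user_id}")
    if not resp.content_type.startswith("image/"):
        # A wrong-audience token or an HTML sign-in page would land here; never forward it.
        raise RuntimeError(f"unexpected content type {resp.content_type!r} for {user_id}")
    return resp.body, resp.content_type


def set_slack_photo(slack_post: HttpPostImage, slack_user_token: str, image: bytes, content_type: str) -> dict:
    """Upload via users.setPhoto; Slack reports failure with ok=false, not an HTTP status."""
    resp = slack_post(f"{SLACK}/users.setPhoto",
                      {"Authorization": f"Bearer {slack_user_token}"}, image, content_type)
    payload = json.loads(resp.body.decode())
    if not payload.get("ok"):
        raise RuntimeError(f"Slack error: {payload.get('error', 'unknown_error')}")
    return payload


def sync_photos(users: Dict[str, str], graph_token: str, graph_get: HttpGet,
                slack_post: HttpPostImage) -> Dict[str, str]:
    """`users` maps an Azure AD object id to that person's Slack user token.
    One failing user must not abort the run, so every user gets its own outcome."""
    outcome: Dict[str, str] = {}
    for user_id, slack_token in users.items():
        try:
            photo = fetch_user_photo(graph_get, graph_token, user_id)
            if photo is None:
                outcome[user_id] = "skipped: no photo in Azure AD"
                continue
            set_slack_photo(slack_post, slack_token, *photo)
            outcome[user_id] = "updated"
        except RuntimeError as exc:
            outcome[user_id] = f"failed: {exc}"
    return outcome


if __name__ == "__main__":
    # Constructed stand-in transports so the script runs without a tenant or workspace.
    fake_png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16

    def fake_graph(url, headers):
        return Response(404, b"{}", "application/json") if "no-photo" in url else Response(200, fake_png, "image/png")

    def fake_slack(url, headers, image, ctype):
        return Response(200, b'{"ok": true}', "application/json")

    print(sync_photos({"user-a": "xoxp-a", "user-no-photo": "xoxp-b"}, "graph-token", fake_graph, fake_slack))
```

For a real run, pass `urllib_get` and `urllib_post_image` in place of the fakes. Keep the token map outside the script (a secret store, not a file next to it), and note that the content-type check matters: Graph returns `image/jpeg` or `image/png` for a real photo, so anything else means the request did not reach the photo endpoint as intended.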

Related

Do I need an Azure AD app to embed my Power BI reports in my own app?

I'm confused about the guideline I have to follow to embed some Power BI reports in a react app. I've been reading this documentation but I don't understand why I need an Azure AD app. By now I've created four Power BI reports and I've published them to the web (making them public and accessible for everyone). So, I've got four PBI links to access them. But I want to create a web app (probably with React) to embed them all in one link.
I understand that Azure covers authentication features, but my app will only show information; it doesn't need users to log in or anything. So, I guess Azure helps to authenticate to the PBI account I'm using. But if this is the case, why doesn't PBI ask me for authentication when I share the report links with anyone?
Thank you in advance!
You need an Azure AD app to have an identity for your application, to authenticate to Azure AD (using MSAL, for example) and to use the Power BI REST APIs. Check the following article: https://learn.microsoft.com/en-us/power-bi/developer/embedded/register-app
Since you are already logged in you don't need to log in to Power BI again. There are two ways to embed your Power BI reports:
Publish to web -> Does not require authentication (public reports)
Embed with authentication -> Hyperlink and token based (requires Azure AD)
You can check more information here

Microsoft Graph. Access OneDrive with application own identity

In a mobile application we are generating some images that we would like to upload to the client's cloud.
The client is using OneDrive For Business, with all the 360 suite (I have no more information about it yet).
What we would like to do, is to be able to store the images in a OneDrive account, without the user having to sign in. All the documentation I found to authenticate to OneDrive includes an interactive sign-in process which we don't want:
https://learn.microsoft.com/en-us/onedrive/developer/rest-api/getting-started/graph-oauth?view=odsp-graph-online
I have found that for Microsoft Graph there is the possibility of using the app's own identity to sign in (only REST), but it is not 100% clear to me that this authentication can grant access to OneDrive.
https://learn.microsoft.com/en-us/graph/auth-v2-service
Since I am not familiar at all with Microsoft cloud infrastructure I would appreciate some info.
Is it actually possible to access a OneDrive folder authenticating with the app's own identity?
Yes, it should be possible to work with the Microsoft Graph API and OneDrive files using the application identity (i.e. without a user sign-in).
REST APIs that should help
Do know that there are many SDKs/client libraries available for the Microsoft Graph API that you can work with depending on your platform, e.g. the Microsoft Graph .NET Client Library. As you've mentioned only REST, I'm giving links for the direct REST APIs here.
Uploading files (up to 4 MB) - Upload REST API
The least permission required will be Files.ReadWrite.All (under application permissions; admin consent will be required first for this application permission. In case you aren't familiar with the consent process, take a look here: Azure AD Consent Framework, and mention it in the comments; I can add a little more detail if needed.)
Uploading larger files - Resumable Upload REST API
Authentication
From a flow standpoint you will need to make use of the OAuth 2.0 Client Credentials Grant Flow to authenticate.
NOTE: Please do note that this flow is meant only for confidential clients. So you shouldn't make use of it directly from a mobile client or even a desktop client (like a WPF or console application), as these are public clients which cannot securely handle client secrets. Your mobile client should call a backend API, which in turn can call Microsoft Graph and use client secrets, acting like a daemon using application permissions.
At the end of this link there are code samples available for .NET Core 2.1 and ASP.NET MVC.
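The backend-daemon flow the answer lays out, as an added example that is not the thread's or Microsoft's code: a client credentials token request against the v2.0 endpoint, then an upload that uses the single PUT for payloads up to 4 MB and a resumable upload session above that. Tenant id, client id and client secret are assumed inputs (the app registration must hold `Files.ReadWrite.All` as an application permission with admin consent, as the answer says). HTTP goes through an injected `send(method, url, headers, body)` callable so the flow can be run with constructed responses; a `urllib` transport is included for real use. The `@microsoft.graph.conflictBehavior` item property and the 320 KiB chunk-size multiple are Graph's documented upload-session rules, not anything from the page.

```python
"""Daemon upload to a user's OneDrive for Business (added example, not from the thread).

Assumed inputs: tenant id, client id and client secret of an app registration
granted Files.ReadWrite.All (application permission, admin-consented). This
belongs on a backend, never inside the mobile app. `send` is injected so the
flow runs offline against constructed responses.
"""
import json
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

Send = Callable[[str, str, Dict[str, str], Optional[bytes]], Tuple[int, bytes]]
SIMPLE_UPLOAD_LIMIT = 4 * 1024 * 1024   # Graph allows a single PUT only up to 4 MB
CHUNK = 5 * 320 * 1024                   # session chunks must be multiples of 320 KiB


def urllib_send(method: str, url: str, headers: Dict[str, str], body: Optional[bytes] = None) -> Tuple[int, bytes]:
    """Real transport; returns (status, body) without raising on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=60) as r:
            return r.status, r.read()
    except urllib.error.HTTPError as e:
        return e.code, e.read()


def get_app_token(send: Send, tenant: str, client_id: str, client_secret: str) -> str:
    """OAuth 2.0 client credentials grant (v2.0 endpoint). The `.default` scope
    asks for every application permission the admin has already consented to."""
    url = f"https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }).encode()
    status, body = send("POST", url, {"Content-Type": "application/x-www-form-urlencoded"}, form)
    payload = json.loads(body)
    if status != 200 or "access_token" not in payload:
        raise RuntimeError(f"token request failed: {payload.get('error', status)}")
    return payload["access_token"]


def content_ranges(total: int, chunk: int) -> List[Tuple[int, int]]:
    """Inclusive (start, end) byte ranges for an upload session."""
    return [(s, min(s + chunk, total) - 1) for s in range(0, total, chunk)]


def upload_to_onedrive(send: Send, token: str, user: str, path: str, data: bytes) -> dict:
    """Store `data` at `path` in `user`'s drive, choosing the API by size."""
    base = f"https://graph.microsoft.com/v1.0/users/{user}/drive/root:/{path}"
    auth = {"Authorization": f"Bearer {token}"}
    if len(data) <= SIMPLE_UPLOAD_LIMIT:
        status, body = send("PUT", f"{base}:/content",
                            dict(auth, **{"Content-Type": "application/octet-stream"}), data)
        if status not in (200, 201):
            raise RuntimeError(f"upload failed: HTTP {status}")
        return json.loads(body)
    # Larger files: open a resumable session, then PUT byte ranges to its URL.
    status, body = send("POST", f"{base}:/createUploadSession",
                        dict(auth, **{"Content-Type": "application/json"}),
                        json.dumps({"item": {"@microsoft.graph.conflictBehavior": "replace"}}).encode())
    if status != 200:
        raise RuntimeError(f"createUploadSession failed: HTTP {status}")
    session_url = json.loads(body)["uploadUrl"]   # pre-authorised: chunk PUTs carry no bearer token
    total = len(data)
    for start, end in content_ranges(total, CHUNK):
        chunk = data[start:end + 1]
        status, body = send("PUT", session_url, {
            "Content-Length": str(len(chunk)),
            "Content-Range": f"bytes {start}-{end}/{total}",
        }, chunk)
        if status not in (200, 201, 202):          # 202 = accepted, more ranges expected
            raise RuntimeError(f"chunk {start}-{end} failed: HTTP {status}")
    return json.loads(body)                        # final chunk's response describes the driveItem


if __name__ == "__main__":
    # Constructed fake transport so the script runs without a tenant.
    def fake_send(method, url, headers, body):
        if url.endswith("/oauth2/v2.0/token"):
            return 200, b'{"access_token": "constructed-token"}'
        if url.endswith(":/content"):
            return 201, b'{"id": "item-small", "name": "a.png"}'
        return 500, b"{}"
    tok = get_app_token(fake_send, "TENANT_ID_PLACEHOLDER", "CLIENT_ID_PLACEHOLDER", "SECRET_PLACEHOLDER")
    print(upload_to_onedrive(fake_send, tok, "alice@contoso.example", "photos/a.png", b"\x89PNG" * 4))
```

Swap `fake_send` for `urllib_send` in production and keep the client secret in the backend's secret store. Note that the upload session URL is itself a bearer credential for that one file: it should not be logged, and the chunk PUTs deliberately send no `Authorization` header.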

Office Add-In SSO with an AAD v1 app registration

I am developing an Office add-in.
This Office add-in is supposed to retrieve the term store from SharePoint.
By following this tutorial:
https://learn.microsoft.com/en-us/office/dev/add-ins/develop/create-sso-office-add-ins-aspnet
I managed to get an access token to be used for the Graph API. However, Graph does not expose any way of getting the term store. Is there a way we can generate an access token to be used with SharePoint and maintain the SSO?
It might be possible by registering an Azure AD v1 app but I could not find any documentation describing that.
I have a similar requirement, but in my research I wasn't able to find a good solution for this scenario.
I think it is probably possible to use a provider hosted SharePoint add-in. And then use the Authorization Code flow for obtaining an access token. Since the SharePoint add-in is trusted it will not require user login.
Of course this does mean the add-in needs to be deployed in SharePoint. If your Office add-in is distributed through the store this isn't really a great solution.
Hopefully there are other ways of achieving the same.
You could call SharePoint Online APIs (via REST or CSOM) with Azure Active Directory Apps. To call APIs secured by Azure AD, your app must acquire an access token from Azure Active Directory.
Please first refer to this document for integrating applications with Azure Active Directory. Then use Azure Active Directory Authentication Library (ADAL) to easily authenticate users to cloud or on-premises Active Directory (AD), and obtain access tokens for securing API calls.

How can I sync users' calendars using the MS Graph API and Azure

I'm building a service where each user has a calendar. I want to sync users' 365 calendar events into their calendar; the tricky part seems to be that this should be done repeatably by a background job on the server, to keep them in sync.
I feel like I've read a bible of documentation from Microsoft, but still gotten nowhere. I eventually stumbled upon this article https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds which allows a server to query the Graph API on behalf of users. This is exactly what I want.
Having created an Azure account and an Active Directory service, I found that only users within the tenant can use this, which makes it rather useless, requiring users to be added manually from the Azure panel.
AADSTS50020: User account 'm#****.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'c0193dea-5145-430a-9c90-325f1229a1fc' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
So I'm back at square one, how can I achieve what I described?
I'm not looking for a code implementation, merely a description of how to navigate the monstrosity of Microsoft.
Thank you
Update: According to Marc's link, I tried to flip the multi-tenant option and change the endpoint to use common instead of the tenant id. Sadly I'm still getting the same error.
You cannot sign in to AAD with a non-AAD account using the v1 endpoint. If you want to use a consumer Microsoft Account (#outlook.com, #hotmail.com, #live.com) then you need to use the Converged Auth model provided by the v2 endpoint.
I have a walkthrough for the v2 endpoint that you might find helpful: Microsoft v2 Endpoint Primer. It is similar to the v1 endpoint but you'll need to register via https://apps.dev.microsoft.com rather than the Azure Portal. Also, v2 apps use scopes instead of resources and are multi-tenant out of the box.
This is too broad a question for Stack Overflow. That said, you're incorrect about Azure AD. It is absolutely not limited to a single tenant. You do however need to register it as a multi-tenant application:
How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern

Accessing Office Graph apis with Sharepoint Online login?

We've been running an Angular app in a custom master page during the last year, using the SharePoint REST API to retrieve user properties, data from lists, etc., which has been working fine. As the application is hosted on SharePoint Online, accessing the page requires a login, thus making the request digest available so further authentication is not necessary.
Now however, we want to start using some of the functionality in the Microsoft Graph API. From what I can gather this requires OAuth2 authentication against the Azure Active Directory, involving among other things a redirect to the AAD login page.
Does this mean I have to:
1) Login via the organizations (standard Microsoft) login page to access the Sharepoint Online site.
2) Redirect to the Azure AD login page and back again?
Or can I leverage the login that the user already did when logging into Sharepoint Online?
Sorry if the question is a bit vague, we are all still very new to this.
When registering your application in Azure AD you will give the app access to the Files/SharePoint REST API and the Microsoft Graph API. See this picture: the app has access to several APIs (Exchange, Graph and AD); you must add the SharePoint APIs in your case.
Regarding the authentication, I am afraid that the SharePoint model does not provide a token that will enable you to request the Graph API; see this. You will have two authentications: one to access the SharePoint site, as you said, and the other "within" the SharePoint iframed add-in to log into your AAD-registered app. This will be an OAuth process through login.microsoft.com. Have a look at my Outlook add-in Keluro Mail Team on the Office store; I think it is similar to what you want to achieve.
You can use the same token from graph.microsoft.com. I have a sample using ASP.NET Core 1.0 and the .NET ADAL, but the same authentication flow is used when using ASP.NET 4.6. Just make your auth request against MS Graph on startup, then acquire an access token to auth against SharePoint.
https://github.com/edrohler/com.ericrohler
Hope this helps.