Is it possible to access sharepoint online from desktop app with azure ad token, but as a currently logged user?
I already registered client app in the azure ad and i'm able to connect to share point when the api permissions are set to "Application permissions", but when i set the permissions to "Delegated permissions" I can't access sharepoint site.
What i need is a way to create sp ClientContext based on the token i get from the azure. I know it's possible to try with SharePointOnlineCredentials, but i don't want to mess with users credentials.
To get the Access Token for Azure, pls use the below article.
active-directory-dotnet-native-headless
Below are the steps you have to follow:
Followed the steps mentioned in the article
Added Office 365 Sharepoint Online API access permissions for the App.
Selected necessary permissions for the App.
Related
I have a php application that I want active directory users to be able to login to using azure sso. Getting this working with simplesamlphp was really easy.
Now I am trying to allow non organization users to be able to login as guests.
I updated azure AD to allow external entities, and then created a workflow allowing AD users, microsoft.com accounts and one time password. I have enabled "guest self-service signup" and I have associated this user flow with my azure application however the authentication flow hasn't changed at all. There isn't any option for guests to login. Am I missing something? I am using the azure ad federation metadata document xml in the simplesaml metadata converter and using the output of that for my metadata provider in simplesaml.
Here is the screen a user gets when trying to sign in to azure:
As per below link, we can assign Global Administrator or Security Administrator role in Azure AD to an user and that provides full access to Microsoft Cloud App Security portal.
https://learn.microsoft.com/en-us/cloud-app-security/manage-admins#office-365-and-azure-ad-roles-with-access-to-cloud-app-security
However, with these roles users get privileged admin access to other features of Azure AD as well. We want restrict the role to provide full access in Microsoft Cloud App Security portal only. Is it possible to create a custom role with permissions only for Microsoft Cloud App Security?
Unfortunately it's not supported to create a custom AAD role with the full access permission of Microsoft Cloud App Security portal.
Currently, permissions for Application registrations and Enterprise applications are supported in custom roles. See the details here.
The full access permission of Microsoft Cloud App Security portal should be microsoft.directory/cloudAppSecurity/allProperties/allTasks. You can see that it's not listed in the page when I try to look for it in Azure portal.
You can query microsoft.directory/cloudAppSecurity/allProperties/allTasks in this page and choose the one with the least permissions to assign to users who need to be assigned the Cloud App Security portal administrator role.
Recently Microsoft has came up with a new role named "Cloud App Security Administrator". This role provides full admin access to MCAS without providing any privileged access other Azure AD configurations. Didn't find any documentation, but it is visible in Azure AD portal.
I am a developer working on an application that will access O365 data via the Graph API. I have registered an application under my company account. I have authentication working on a per-user basis. Now I am trying to get it to work so that a tenant administrator can grant permission to my application for data access on an organization-wide basis. I have this working as well - I used the /adminconsent endpoint to bring the administrator to a page where he granted the consent.
What I am wondering about is the line in the documentation that says "You can rely on an administrator to grant the permissions your app needs at the Azure portal". I am trying to figure out what that procedure is so I can document it for admin users. I thought perhaps it was to go to App Registrations - there I see an option to create a new registration. But this has it's own Client Id. Don't I somehow have to give it the Client Id of my own application? Or is the idea that the tenant admin will supply the Client Id of his app to my app? Or am I in the wrong area altogether?
BTW in case it is relevant, I am not using any authentication library, just making direct http calls from a C++ program running on the Windows desktop.
Per my understanding, your application is an multi-tenant application. Only you or the administrators in your tenant can grant the permissions to your application. The administrators from other tenants can grant consent to use your application, but they can not control the permissions.
Update:
You can grant admin consent by calling admin consent endpoint.
https://login.microsoftonline.com/common/v2.0/adminconsent?
client_id={your_tenant_client_id}
&state=12345
&redirect_uri=http://localhost/myapp/permissions
&scope=
https://graph.microsoft.com/.default
If you want to grant admin consent via Azure portal. The application must already been provisioned in your tenant. For example, an app could be provisioned in your tenant if at least one user has already consented to the application.
I registered multi tenant Office 365 application in Azure AD admin center and configured required permissions that this application asks for. Also I created web service that uses this application.
My web service had been working for half a year and at some point I extended functionality of my web service and now it requires several new permissions. Also I realized that some permissions are not required for my web service any more.
So I added extra permissions and removed those that I don't need in Azure AD, saved the permissions and clicked "Grant permissions" button.
In my web service I perform re-authentication flow in order to update access token for working with created Office 365 application and use extra permissions. But when I get access token using my web service and decoded the token on this site I don't see that extra permissions were provisioned. Also I see that my web service gets token with those permissions granted that I removed from my application. So even after re-authentication user from another tenant that use my web service gets token with "old" permissions set.
Why so? How can I provision all the application permissions I previously set up for my Office 365 application in Azure AD to the tenant that uses my service? I just need the permission set in the token be up to date with those I configured in Azure AD.
We have an Azure Web App published that includes pages with Excel Add In integration using the Office.JS library. We've secured the Web App using Azure AD authorization and it is working well as long as the user it logged into Office/Excel with the same domain credentials. How can we allow our customers who are logged into Office with their companies credentials get access to our Add In site using credentials within our domain? Federating the 2 domains would work but isn't an option in most cases.
You could use Azure B2B to invite your customers as guest users in your AAD.
You could invite the user by using the Azure portal as an Azure AD administrator.
Azure Active Directory > Users > All users > add New guest user
For the details, you could read here.
Or you could use the powershell:
New-AzureADMSInvitation -InvitedUserDisplayName "Sanda" -InvitedUserEmailAddress sanda#fabrikam.com -InviteRedirectURL https://myapps.azure.com -SendInvitationMessage $true
For the details, please refer to this docs.
If you want to bulk invite users, you could create a CSV file, and then use the powershell to import it. For the details, you could read bulk invite B2B.