I'm working on creating a 3rd party application that will read/update a users office 365 calendar. My code works fine with a user who in part of the same tenant as the application. However, when I try to do the same thing with a users from a different office 365 account it doesn't work. For example when I log in with the following it works:
This one doesn't work:
I have set them both up as owners within my azure.portal.com application.
The users have granted the application access to their calendars, but for some reason the one on a different tenant does not work. Any idea?
Related
Are Azure Active Directory app roles only supported for accounts in the same tenancy?
I am trying to use Azure Active Directory to authenticate users both on my tenancy, others, and social accounts, and be able to manually assign different app-level roles.
What I would like:
Users would sign up using any of these methods, and I would see them in the 'Users and groups' blade of the Enterprise Application in Azure portal (or I could invite them). I would assign app roles (roles specific to my app, eg engineer/technician/residential user) via the 'Add user/group' button.
When logging in to my app, I retrieve the app roles via idTokenClaims.roles[]
What happens instead:
This works fine for user accounts already in my Azure tenancy. But for other Microsoft accounts (eg theirname#outlook.com or MS accounts created with any email address), the user doesn't appear in Azure portal after logging in unless I manually invite them. After inviting them (and accepting the invite), I see a user like theirname_outlook.com#EXT##mytenancy.onmicrosoft.com. I can assign app roles to this user, but their idTokenClaims.roles[] is not returned.
Other social accounts (eg Twitter, facebook) seem to not be supported at all
What else I tried
I also investigated AD B2C, which gives the developer more control over the login flow, and supports other social accounts other than MS (which looks good), but it seems that doesn't support app roles at all.
Am I trying to use the wrong tool for the job?
All I want to do is support any user to sign up to my app, and for an admin to set what their app-specific roles should be.
Update
I am using the MSAL auth library, following the instructions
https://login.microsoftonline.com/Enter_the_Tenant_Id_here should be one of the following:
If your application supports accounts in this organizational directory, replace this value with the Tenant ID or Tenant name. For example, contoso.microsoft.com.
If your application supports accounts in any organizational directory, replace this value with organizations.
If your application supports accounts in any organizational directory and personal Microsoft accounts, replace this value with common.
To restrict support to personal Microsoft accounts only, replace this value with consumers.
Because I wanted this to work with any social account, I chose https://login.microsoftonline.com/common. This shows a UI that allows you to use any organisation or personal MS account, or sign up for a personal MS account with any email address. But I noticed the objectId returned for personal accounts is different to the id when I manually invite the account in azure portal. I changed to use my TenantID instead, and that worked. Personal accounts that have been previously invited via portal can log in. Other personal accounts get an error and cant log in. App roles are now returned for these personal accounts. This now partially solves my original problem, but I still have some unsolved issues:
this method shows a slightly different UI that doesn't allow the user to sign up for a new MS account in this flow
I still can't use other oauth accounts eg Twitter/Facebook. Do these not support app roles at all?
the instructions quoted above seem incorrect, clearly it is possible to log in using "accounts in any organizational directory and personal Microsoft accounts" via TenentID, not common, once they've been invited to the app
App roles absolutely support guest accounts. But as you can see, the id token of the guest account does not seem to contain the roles claim, and it is not clear whether this is by design. But the roles claim will appear in the access token.
I think an access token you can be used, and the access token also contains user information.
I'm trying to manage multiple outlook calendars using a single account as a proxy, so all other accounts share their personal calendar with this "master" account and within this one i can add, edit or delete events "for everyone".
The problem is that i can't get the account grant the Calendar.ReadWrite.Shared to the app, even though that in my app this permissions are configured as recommended.
Azure portal - app permissions:
permissions of the app in azure portal
msalconfig:
msal configuration used
The "funny" thing is, with the account used to create the app in the first place everything works, but with any other account not.
I even created another app with the intended final account and nothing. This is the, incompplete permissions, resul:
actual result
This is the desired result:
desired result
If you just want to make a proxy to modify calendars for all users, have you tried application-only Auth and grant Calendars.ReadWrite permission with application type to it? Based on this permission official comment: Read and write calendars in all mailboxes which seems to meet your requirement.
Every documentation or tutorial I follow on how to programatically access Outlook's API seems to point to the same pattern:
Application redirects user to Azure so he can authorize (OAuth) the app access to his account's data.
Every time Azure Active Directory is mentioned as a cloud-based credential/access manager.
I'm having a hard time to understand why exactly AD is even needed. And even if it is, that means that should a company desire to integrate an application with the employees calendars, for example, they would need to have an AD just for authentication purposes? Does this make sense if I want to publish an application on Azure for any kind of customer?
Every Office 365 customer has an Azure AD for authentication. If you want to get at users contacts in O365 you have to authenticate using Azure AD.
If you want to get at contacts in Outlook.com, Microsoft provides the same authentication flow for Microsoft Accounts (MSA) that Outlook.com uses.
This means you can use the same authentication flow and call the Microsoft Graph to get contacts no matter if they are an Office 365 user or an Outlook.com user. Your app does the same auth flow and makes the same calls.
I am developing a multi-tenant Office 365 daemon that requires access to user calendars.
I have successfully registered in the company tenant (Tenant1) that has deployed this app using certificates and I am able to get access tokens.
Now I created a separate AAD tenant (Tenant 2) and logged in to daemon app using administrator account of Tenant 2, it prompted the Admin Consent screen and I provided consent. There was no errors returned.
When I tried to get an app token however, I am able to get a token but with blank permissions. If I call the Office 365 API using this token, I get a 401.
I was of the view that service principal objects should be created. Also I am unable to see this app in Tenant 2 app registrations.
Do all my consumers have to register this app manually in their AD tenant and modify application manifest file to add certificate details?
I am not sure about the benefit of multi tenancy if that's the case.
I found the follow in the Azure Active Directory documentation:
The following diagram illustrates the relationship between an application's application object and corresponding service principal objects, in the context of a sample multi-tenant application called HR app. There are three Azure AD tenants in this scenario:
Adatum - the tenant used by the company that developed the HR app
Contoso - the tenant used by the Contoso organization, which is a consumer of the HR app
Fabrikam - the tenant used by the Fabrikam organization, which also consumes the HR app
You do not need to have each tenant register your application. In fact, you shouldn't since having dozens (or hundreds) of unique App IDs floating around would only create headaches for you.
Each tenant does however need to execute the Admin Consent workflow. This will authorize the App ID you've registered on your end to access the scopes you've requested.
Generally, I recommend using the v2 Endpoint and the apps.dev.microsoft.com portal for registering your app. While you can also register your app in your own Active Directory, the portal makes it a lot easier to manage.
The general process is:
Register you application in the Registration Portal
Populate the "Application Permissions" in the Microsoft Graph Permissions section.
Launch the Admin Consent workload using https://login.microsoftonline.com/common/adminconsent?client_id=[APPLICATION ID]&redirect_uri=[REDIRECT URI]
Get a beer
A couple of tips:
The Registration Portal only supports MSA (i.e. personal) accounts at the moment. I'd suggest creating a new Outlook.com account for this purpose so you can easily share the credentials with folks who need them internally.
If you create a shared Outlook.com account, you should also set up forwarding rules for all of the interested parties internally. This is in case something should every go wrong or change down the road and you need to recover the account.
I wrote a v2 Endpoint and Admin Consent primer that you might find helpful. They assume you're using the Authorization Code flow but the concepts remain the same for Client Credentials.
We are planning to create two sharepoint web applications using SharePoint 2010 Enterprise Edition.
All Users that have access to web app 1, should also be able to access web app 2.
This authentication shall be powered by server 2003 active directory.
--> do I need to use claims based authentication?
If so --> can I use Windows Based Authentication with NTLM for that?
The only thing I really want is that users navigating from web app 1 to web app 2 (and vice versa) do not have to authenticate twice.
I do NOT want to configure Kerberos if it is not absolutely necessare though...
Can you give me any hints?
Thanks!
EDIT:
ok - I'll try to be more precise:
In our SharePoint 2010 environment, we've got two web applications running
http(s)://humanresources.domain.com
http(s)://sales.domain.com
Both are running on the same IIS and have host headers configured (with wildcard domain certificate for HTTPS).
Both apps provide a link to the other web application (sales -> humanresources and humanresources -> sales)
Now whenever someone logged in to sales navigates to humaresources, I do not want that that person needs to login again. Therefore I thought I would need claims based authentication???...
Please enlight my brain! :D
EDIT 2:
Thank you for your answers!
#Panagiotis Kanavos - yes we have Users accessing the site from outside our environment: 1) Users which have an AD accound and are working on their laptops outside of our building (e.g.: they have been all day at a customer and are working at home for the remaining hours) 2) We plan to have users without an AD Accound --> Forms Based Authentication: (e.g.: customers accessing our TFS 2010 project protals to get an overview of the project). As far as I know, if you want FBA and WIN-Auth you need to configure Claims Based Authentication...
However configuring a Web Application with Claims Based Authentication did not work. I chose "Enable Windows Authentication" together with "Integrated Windows authentication -> NTLM" as we do not have Kerberos configured (and I'd love to leave it like that ;-)).
However the Users could not login to that application sometimes, and five minutes afterwards it worked. Additionally, when I added permissions to an AD user, SharePoint seemed to save the Token instead of the Group-/Account Id:
e.g.: Instead of MyDomain\user1 it saved something like "0|=MyDomain\user1" and for groups it even only saved weird character strings "022-12.3"
Could it be the case, that my 2003 windows AD does not support that?
IF you are using Active Directory and running both sites within your domain you should not be challenged when users go to either site. It just becomes an implementation issue about who has access to what, either via AD Groups or SharePoint groups.
Claims based authentication is a bit of a different animal. You need to have a security token which contains a number of "claims" about the user, for example UserA is a member of HR and UserB is a member of Sales. Based on these claims you can then have your site/application respond correspondingly. Claims based auth is relatively new for SharePoint and Microsoft and is a bit of steeper learning curve. It may make more sense if you have a mixed mode environment, with both AD and Forms Based Users getting access. However with your described heterogeneous environment it doesn't seem like it's needed.
More info on SharePoint 2010 Authentication is available here.
John
The easiest solution is to create an AD group with the users of both sites and add the group as a user to the Members Sharepoint group of each site. This way users will not have to login at all since Sharepoint will detect the identity of the logged-in user automatically.
Why are you asking about login, claims, and why are you using certificates? None of this is necessary in an intranet scenario where the farm and users are in the same domain or if the farm's domain trusts the user's domain. Do you have users accessing the site from outside your domain?