Need to update contacts on user's Microsoft Outlook, do they really need to have an Active Directory? - azure-active-directory

Every documentation page or tutorial I follow on how to programmatically access Outlook's API seems to point to the same pattern:
Application redirects the user to Azure so he can authorize (OAuth) the app's access to his account's data.
Every time, Azure Active Directory is mentioned as a cloud-based credential/access manager.
I'm having a hard time understanding why exactly AD is even needed. And even if it is, does that mean that, should a company desire to integrate an application with the employees' calendars, for example, they would need to have an AD just for authentication purposes? Does this make sense if I want to publish an application on Azure for any kind of customer?

Every Office 365 customer has an Azure AD for authentication. If you want to get at users' contacts in O365 you have to authenticate using Azure AD.
If you want to get at contacts in Outlook.com, Microsoft provides the same authentication flow for Microsoft Accounts (MSA) that Outlook.com uses.
This means you can use the same authentication flow and call the Microsoft Graph to get contacts no matter if they are an Office 365 user or an Outlook.com user. Your app does the same auth flow and makes the same calls.

Related

Create online meeting on behalf of user MS Graph API

In our project we are trying to integrate MS Teams with a web application using the MS Graph API. The use case is OnlineMeeting for virtual events. The attendees may or may not have a Microsoft account.
Created an Azure AD account, created a new tenant and a new user (given the Global Administrator role), registered a new application and gave it the required API permissions users.readWrite.all and onlineMeeting.readWrite.all for both Application and Delegated.
Initially I was using the user credentials flow (no manual authentication, since in our use case the user should be authenticated automatically through Java) to get an access token. Since it's not recommended to use username and credentials (ROPC flow), I am now trying to get an access token using only the clientId and clientSecret with adal4j. I am able to get an access token but not able to use the token for endpoints under /me/onlineMeeting, since the token doesn't contain the required permission and scope.
So I tried to reach the endpoint with the token obtained from clientId and secret using /users/{id}/onlineMeeting, but it gives an error like "Application does not have permission to Create online meeting on behalf of this user".
I referred to https://learn.microsoft.com/en-us/graph/cloud-communication-online-meeting-application-access-policy
where it's mentioned to change the access policy.
Is there any way to create an online meeting on behalf of a user without changing the access policy?
To create an online meeting on behalf of a user, do we need a Skype for Business account?
An online meeting can be created by two endpoints: /onlineMeeting & /events.
So does /event in the calendar API require any additional privileges like an Office 365 license to create an online meeting?
To implement this use case, what's the Microsoft account type (Azure AD account),
and what are all the licenses and Azure subscriptions needed?
To create an online meeting only with dial-in, do we need any special license?
is there any way to create online meeting on behalf of user without changing access policy? to create onlinemeeting on behalf of user do we need skype business account?
No. We have to set the access policy to use an Application token to create an online meeting on behalf of a user. To create an online meeting with Microsoft Graph, we don't need a Skype for Business account. But if you want to create an online meeting through the UI / web client, you need a Teams license. (When I use a new account without being assigned any O365 license, it shows some license error but it's then bypassed. So I think it's a bug. I think we should need a Skype for Business account / Teams license to create the online meeting.)
so does /event in calendar api require any additional previlages like office365 license to create online meeting?
Yes. We need an O365 Exchange Online license to create /event.
to implement these usecase whats the microsoft account Type,azure ad account and what are all the license and azure subscription need?
In summary, you need at least an AAD work or school account and an O365 Exchange Online license.
to create onlinemeeting only with dialin do we need any special license
Microsoft Graph doesn't support creating an onlineMeeting only with dial-in. See audioConferencing. It's read-only.

Why does Microsoft Dynamics 365 ask for delegated admin in Azure app registration

I'm following a guide online to generate an access token to access Microsoft Dynamics 365 Customer Engagement: https://eax360.com/dynamics-365-online-connect-using-postman/.
All of it works fine, however I am wondering why delegated Admin permissions need to be supplied in Azure Active Directory during app registration. I have seen a lot of guides explain that permissions must be delegated, but the above site documents the process well. As a general rule, I thought that starting with the lowest security permissions was the norm. I am new to Azure AD so thoughts are very much welcome.
If your app will be a client which allows the authenticated user to perform operations, you must configure the application to have the Access Dynamics 365 as organization users delegated permission.
Application permission means that you want your app to access Common Data Service without a user.
So whether to use delegated permission in Azure app registration depends on your needs. It is not mandatory.
But we can see that the Application permissions in the Azure app registration are grayed out. This is because Microsoft provides a different way to implement it.
We need to create a Common Data Service application user and then bind it to the registered app. After that, we can connect using the application secret. See the details here: Connect as an app.

If I have multiple Office 365 subscriptions in my Azure AD, for which subscription Microsoft Graph API will return results for

In our Azure Active Directory, we have 3 different Office 365 subscriptions, each with some 20 odd users. And my license is part of one of those subscriptions. I've created an application under "App registrations" and given it Microsoft Graph API permissions. When I call any Graph API, it returns only the data for the subscription that I am part of. How does the API determine this, since there is no email account related info in the API requests? I would assume an app in the Azure AD can access all the subscriptions in the same tenant. Is there a way to fetch data across all the Office 365 subscriptions?
As per your response on what you meant by subscription, you should have no issue accessing user data through regular Graph calls; for example, if you call the https://graph.microsoft.com/v1.0/users endpoint you should see all 60ish users.
Make sure your app API permissions are correct. It sounds like under API permissions of your application registration, you may have given it delegated permissions instead of application permissions. If you are using delegated permissions, then you have to make sure that your user has the correct role assignment in Azure AD. Otherwise just switch to application permissions.
If you have them set correctly, then as Allen Wu stated, please specify an example Graph endpoint you are trying to get information from and maybe a screenshot of the API permissions page of your app registration.

How can I sync users' calendars using the MS Graph API and Azure

I'm building a service where each user has a calendar. I want to sync users' 365 calendar events into their calendar; the tricky part seems to be that this should be done repeatedly by a background job on the server, to keep them in sync.
I feel like I've read a bible of documentation from Microsoft, but still gotten nowhere. I eventually stumbled upon this article https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds which allows a server to query the Graph API on behalf of users. This is exactly what I want.
Having created an Azure account and Active Directory service, I found that only users within the tenant can use this, which makes it rather useless, requiring users to be added manually from the Azure panel.
AADSTS50020: User account 'm#****.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application 'c0193dea-5145-430a-9c90-325f1229a1fc' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
So I'm back at square one, how can I achieve what I described?
I'm not looking for a code implementation, merely a description of how to navigate the monstrosity of Microsoft.
Thank you
Update: According to Marc's link, I tried to flick the multi-tenant option and change the endpoint to use common instead of the tenant id. Sadly I'm still getting the same error.
You cannot sign-in to AAD with a non-AAD account using the v1 Endpoint. If you want to use a consumer Microsoft Account (#outlook.com, #hotmail.com, #live.com) then you need to use the Converged Auth model provided by the v2 Endpoint.
I have a walkthrough for the v2 Endpoint that you might find helpful: Microsoft v2 Endpoint Primer. It is similar to the v1 Endpoint but you'll need to register via https://apps.dev.microsoft.com rather than the Azure Portal. Also, v2 apps use Scopes instead of Resources and are multi-tenant out of the box.
This is too broad a question for Stack Overflow. That said, you're incorrect about Azure AD. It is absolutely not limited to a single tenant. You do however need to register it as a multi-tenant application:
How to sign in any Azure Active Directory (AD) user using the multi-tenant application pattern

Multi-tenant app in Azure AD (Active Directory) fails with AADSTS50020

I created a "Web app / API" app in our organization's "xxx.onmicrosoft.com" Azure Active Directory. The app's "Multi-tenanted" property has been set to "Yes".
We configured OpenID Connect (we use https://github.com/mitreid-connect/) to use the following URLs:
https://login.microsoftonline.com/common/oauth2/authorize
https://login.microsoftonline.com/common/oauth2/token
Please note that we used "common" in the URLs and we didn't use "xxx.onmicrosoft.com" because we want people from outside "xxx.onmicrosoft.com" to be able to authenticate and access our app.
With those settings, the people from xxx.onmicrosoft.com can properly authenticate and access the app.
However, when I use my personal live.com account (with username xxx#gmail.com) to access the app, I get AADSTS50020 error. I am able to properly authenticate with my xxx#gmail.com account, but I do not get redirected to the Reply URL. I'm stuck on Microsoft's Web page with the following error msg:
AADSTS50020: User account 'xxx#gmail.com' from identity provider 'live.com' does not exist in tenant 'xxx.onmicrosoft.com' and cannot access the application '391e7103-ZZZZ-zz87-xxxx-7xxxxxd5xxxx' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
What configuration do I need to change if I want people from any identity provider to be able to access my app?
Like it has been stated here, I expected that people from anywhere could access my app without requiring more configuration on my side.
I'm asking this question because I'm in the process of getting certified for AppSource and this currently blocks me from being able to do so.
AppSource only requires work accounts to sign in. You are using a #gmail account, which is a personal account, and because you are using the Azure Active Directory v1 endpoint in addition to common (https://login.microsoftonline.com/common), it can't accept personal accounts to sign in directly, only work accounts.
You have three options:
If signing in personal accounts is not a requirement for your application, then you can continue using the v1 endpoint and use a work account to sign in to/test your application. This will make you ready for AppSource certification.
If you need/want to allow personal accounts in your application in addition to work accounts, then you can consider using the v2 endpoint (https://login.microsoftonline.com/common/v2.0) for Azure Active Directory. The v2 endpoint allows both personal accounts and work accounts to sign in with no effort. A note: the v2 endpoint has some limitations. If you can live with these limitations (for example, your application only needs to sign in users and eventually make queries against the Graph API), then in general it should be fine to use, but if you need extra features like protecting your own Web API with scopes, then this feature is not released at this point (as of November 2017). Please read this document for an updated list of limitations of the v2 endpoint.
A third (but less recommended option for AppSource) is to keep using the v1 endpoint and make your application single-tenant, which is to change the endpoint from https://login.microsoftonline.com/common to https://login.microsoftonline.com/{yourtenantid}, and then use the B2B invitations API to invite every external user (including work and personal accounts) to be part of your Azure AD tenant/organization. More information about B2B here as well.
Option '3' above has some consequences for management as well as for AppSource: by using this option, you are required to have one Azure Active Directory tenant (if you don't have a tenant already, you can get one using these instructions), and the users being invited will be guest accounts of this tenant. This means that you need to invite every external user to your application/tenant. A multi-tenant application allows any user from any organization to sign in to your application with less management on your side. In general for SaaS applications, the multi-tenant configuration is recommended.
For AppSource, option '3' also leads to a less immersive user experience (Partner led trial), where the end user won't be able to access your application's demo right away, mainly because they have to wait for the invitation email and accept it (the user has to accept being a guest of your tenant) before they can access your application.
For more information about AppSource requirements and trial options - please see this article.
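Two points recur across the threads above: an access token obtained with client id and secret carries app permissions in a roles claim rather than user scopes in scp (the online-meeting, Dynamics and multi-subscription answers), and an app that accepts tokens from the common authority, v1 or v2, must itself decide which issuing tenants it trusts. The following Python helper, added here and not taken from any answer or Microsoft library, shows both checks on a token whose signature has already been verified; the sample tokens and tenant ids "tenant-a"/"tenant-b" are constructed for the example.

```python
import base64
import json

# Issuer formats used by the v1 and v2 endpoints discussed in the answers above.
V1_ISSUER = "https://sts.windows.net/{tid}/"
V2_ISSUER = "https://login.microsoftonline.com/{tid}/v2.0"
# Well-known tenant id that personal Microsoft accounts (live.com etc.) carry
# in the tid claim when they sign in through the v2 'common' endpoint.
MSA_TENANT = "9188040d-6c67-4c5b-b112-36a304b66dad"

def decode_payload(token):
    """Base64url-decode the middle JWT segment. Signature verification is NOT
    done here; do it first with your OIDC library against the tenant's keys."""
    segments = token.split(".")
    if len(segments) != 3:
        raise ValueError("not a compact JWS token")
    payload = segments[1] + "=" * (-len(segments[1]) % 4)  # restore padding
    return json.loads(base64.urlsafe_b64decode(payload))

def token_kind(claims):
    """'delegated' (scp: user-consented scopes, acts as a signed-in user) or
    'application' (roles: app permissions, no user; client-credentials flow)."""
    if claims.get("scp"):
        return "delegated"
    if claims.get("roles"):
        return "application"
    raise ValueError("token carries neither scp nor roles: it grants nothing")

def check_tenant(claims, allowed_tenants=None):
    """With the 'common' authority the platform signs tokens for ANY tenant, so
    the app must tie iss to tid itself and apply its own tenant allowlist.
    Returns the tenant id on success, raises ValueError otherwise."""
    tid, iss = claims.get("tid"), claims.get("iss")
    if not tid or not iss:
        raise ValueError("missing tid or iss claim")
    template = V2_ISSUER if claims.get("ver") == "2.0" else V1_ISSUER
    if iss != template.format(tid=tid):
        raise ValueError(f"issuer {iss!r} does not match tenant {tid!r}")
    if allowed_tenants is not None and tid not in allowed_tenants:
        raise ValueError(f"tenant {tid!r} is not permitted to use this app")
    return tid

def make_sample_token(claims):
    """Build an UNSIGNED JWT for the demo; constructed, not a real token."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."
```

An application token will never satisfy a /me endpoint because there is no signed-in user behind it, which is why the online-meeting question had to move to /users/{id} plus an access policy.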
