I developed an app which has integration with Microsoft Graph API and uses Azure 2.0 API for authentication.
From Microsoft Graph I can get users.
Now I want to see a presense information for each user and therefore I need to use Skype for business online.
I send request to:
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root
And a user href is:
https://webdir0f.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user
Than I got access token for https://webdir0f.online.lync.com from:
https://login.microsoftonline.com/<mytenant>/oauth2/v2.0/token
And token has not "roles" claim which is strange.
Than https://webdir0f.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user returns me 500.
Is there a way to use Azure 2.0 to get access to Skype For Business Online?
Is there a way I can get presence information without a signed in user in Skype For Business Online?
UPD:
I was able to get access token for scope https://webdir0f.online.lync.com/Contacts.ReadWrite using client secret.
Small correction, what you're here isn't "Azure 2.0" but rather Azure Active Directory's "App v2" or, more commonly, the "v2 Endpoint".
The v2 Endpoint has several well-known limitations and not all APIs and features are supported. The Skype and Skype for Business APIs both lack support for the v2 Endpoint.
In general, unless it's a recently released API or it is surfaced by Microsoft Graph, then it will only work with tokens issued by the v1 Endpoint.
I managed to get access to Skype For Business using Azure 2.0 application. Just followed the guidelines.
During autodiscovery you need to set scope to next user or redirect uri like this: https://webdir0f.online.lync.com/Contacts.ReadWrite.
Than Azure 2.0 realizes it's Skype For Business uri and scope and works properly.
Though still Skype For Business API is old and very hard to use.
And I haven't found a way to get all other company user presence information from Sfb API.
Looks like it makes sense to wait until Trusted Application API will work.
Also trying to get Application token doesn't work.
Related
In a mobile application we are generating some images that we would like to upload to the client's cloud.
The client is using OneDrive For Business, with all the 360 suite (I have no more information about it yet).
What we would like to do, is to be able to store the images in a OneDrive account, without the user having to sign in. All the documentation I found to authenticate to OneDrive includes an interactive sign-in process which we don't want:
https://learn.microsoft.com/en-us/onedrive/developer/rest-api/getting-started/graph-oauth?view=odsp-graph-online
I have found that for Microsoft Graph there is the possibility of using the app's own identity to sign in (only REST), but it is not 100% clear to me that this authentication can grant access to OneDrive.
https://learn.microsoft.com/en-us/graph/auth-v2-service
Since I am not familiar at all with Microsoft cloud infrastructure I would appreciate some info.
Is it actually possible to access a OneDrive folder authenticating with the app's own identity?
Yes it should be possible to work with Microsoft Graph API and One drive files using application identity (i.e. without a user sign-in)
REST API's that should help
Do know that there are many SDK's/Client Libraries available for Microsoft Graph API that you can work with depending on your platform. e.g. Microsoft Graph .NET Client Library. As you've mentioned Only REST, I'm giving links for direct REST APIs here.
Uploading files (upto 4 MB) - Upload REST API
Least permission required will be Files.ReadWrite.All (under application permissions and Admin consent will be required first for this application permission. In case you aren't familiar with consent process, take a look here: Azure AD Consent Framework and mention in comments, I can add a little more detail if needed)
Uploading larger files - Resumable Upload REST API
Authentication
From a flow standpoint you will need to make use of OAuth 2.0 Client Credentials Grant Flow to authenticate
NOTE: Please do note that this flow is meant only for confidential clients. So you shouldn't make use of it directly from a mobile client or even desktop client (like WPF or console application), as these are public clients which can not securely handle client secrets. Your mobile client should call a backend API, that in turn can call Microsoft Graph and uses client secrets, acting like a daemon using Application permissions.
At the end of this link there are code samples available for .NET Core 2.1 and ASP.NET MVC.
I am building a custom mobile application that has a client, custom backend server (I'm building) and interacts with numerous other api's. One of these api's is Microsoft bookings.
The problem I'm facing is I need to be authenticated via server to server, with a shared client secret. I'm aware of the numerous docs from MS but have yet to find a solution. I'm wondering if Server to server is even possible with Bookings.
I am able to get an access_token server to server with these permissions. (I have granted 'all permissions' to this app in Azure AD already).
"roles": [
"Calls.JoinGroupCall.All",
"OnlineMeetings.Read.All",
"OnlineMeetings.ReadWrite.All",
"Application.ReadWrite.OwnedBy",
"Calendars.Read",
"People.Read.All",
"Application.ReadWrite.All",
"Calls.InitiateGroupCall.All",
"Directory.ReadWrite.All",
"Calls.JoinGroupCallAsGuest.All",
"Sites.Read.All",
"Sites.ReadWrite.All",
"Sites.Manage.All",
"Files.ReadWrite.All",
"Directory.Read.All",
"User.Read.All",
"Calendars.ReadWrite",
"Mail.Send",
"ProgramControl.Read.All",
"ProgramControl.ReadWrite.All",
"Calls.Initiate.All"
],
Those are the permissions from the decoded token. When I go to make calls to the Bookings api I receive 401.
I can however use this token to access different graph endpoints no problem.
I will note, that I am able to make successful calls to the bookings api through Graph Explorer with my account, not related to this 'Application in Azure AD'.
Does this resource in Azure AD need a bookings License?
Is this even possible S2S?
Are there any other ways to bypass this without user credentials?
Thanks.
So I spent over a week trying to solve this problem due to the MS doc nightmare. I'm only posting to help others!
Bookings doesn't support service to service yet. So if you wan't to implement this without a user physically signing in, IE. If you have a dedicated booking admin account credentials you have to hard code the clients credentials.
I found my answer here https://stackoverflow.com/a/49814924/9105626
Microsoft Bookings API doesn't seem to support "Application Permissions" so far.
Only permissions available are "Delegated Permissions", which means your token has to be acquired with the context of a signed-in user.
Here are two Microsoft documentation sources that I came across:
Microsoft Graph Permissions Reference - Please look at the "Bookings Permissions" section.
Microsoft Bookings Samples
I know you mention Server to Server authentication using a client secret. AFAIK, that case will NOT work directly, because clientId and clientSecret only provide an application's identity (which can't be assigned any permissions because there are no relevant application permissions available for this API).
Just in case you can have some User context involved, here is code from bookings samples link above, to acquire the token in a Native application using ADAL
var authenticationContext = new AuthenticationContext("https://login.microsoftonline.com/common/");
var authenticationResult = await authenticationContext.AcquireTokenAsync(
"https://graph.microsoft.com/",
clientApplication_ClientId,
clientApplication_RedirectUri,
new PlatformParameters(PromptBehavior.RefreshSession));
// The results of this call are sent as the Authorization header of each HTTPS request to Graph.
var authorizationHeader = authenticationResult.CreateAuthorizationHeader();
Suggestions on ways to make this scenario work
On Behalf Of Flow
Your mobile application client could prompt a user for credentials to act on Behalf of the user and call your backend web API, which in turn calls the downstream API like Bookings API. This is called Service to Service Calls on behalf of the User
Here is a code sample which shows exactly this with a native application (WPF) and an SPA. In your case, just replace the WPF application with your mobile client application for understanding purposes and rest of the scenario becomes very similar.
Calling a downstream web API from a web API using Azure AD
ROPC Grant (Not Recommended)
Resource Owner Password Credentials grant can help as your application will have end user password available to it, but it has multiple issues and any security guidance will discourage you from using it.
ROPC opens up security risks, doesn't follow best practices and has functionality issues as well. ROPC doesn't work with MFA enabled users as well as federated authentication users.
For all practical purposes, you should avoid ROPC as long as possible. You can find the same recommendation in ADAL documentation itself and multiple other documentations from Microsoft or even generally about OAuth 2.0.
I am creating a v2.0 application via the new Microsoft Application Registration Portal (apps.dev.microsoft.com) and I can't find where to add scopes for other non-Graph APIs. Specifically Skype for Business.
In the classic Azure portal, i had access to this screen which allowed me to add scopes for other APIs:
In the new Application Registration Portal, the only place I see to add scopes is here:
and Skype for Business is not an option there.
How do I add the Skype for Business scope to v2.0 apps?
The Skype for Business APIs (Web SDK, UCMA, UCWA, etc.) currently do not support the v2 Endpoint.
At the moment the majority of Microsoft APIs do not support the v2 Endpoint. Given the enormous legacy of APIs Microsoft supports, there unfortunately isn't an exhaustive list. Generally, unless the API documentation expressly states support for the v2 Endpoint or Converged Authentication it means you'll need to use the v1 Endpoint.
One aside on permissions with the v2 Endpoint. With the v1 Endpoint you requests access by "resource" and pre-defined the permissions you required within the Azure Portal. The v2 Endpoint no longer uses resources however; it now uses "scopes" that are dynamically defined during the authentication workflow. For more details see Scopes, not resources.
I'd recommend adding this request to the UserVoice site. This will help ensure this remains on product teams radar going forward.
We've been running an Angular app in a custom masterpage during the last year, using the Sharepoint REST api to retrieve user properties, data from lists etc., which has been working fine. As the application is hosted on Sharepoint Online, accessing the page requires a login thus making the request digest available so further authentication is not necessary.
Now however, we want to start using some of the functionality in the Microsoft Graph API. From what I can gather this requires OAuth2 authentication against the Azure Active Directory, involving among other things a redirect to the AAD login page.
Does this mean I have to:
1) Login via the organizations (standard Microsoft) login page to access the Sharepoint Online site.
2) Redirect to the Azure AD login page and back again?
Or can I leverage the login that the user already did when logging into Sharepoint Online?
Sorry if the question is a bit vague, we are all still very new to this.
When registering your application on Azure AD you will give the app access to Files/Sharepoint REST api and Microsoft Graph API. See this picture the app has access to several apis (Exchange, Graph and AD) you must add sharepoint APIs in your case.
Regarding the authentication, I am afraid that the Sharepoint model does not provide a token that will enable you to request the Graph API see this. You will have two authentications, one to access the Sharepoint site, as you said, and the other "within" the sharepoint iframed add-in to log into your AAD's registered app. This will be an OAUTH process through login.microsoft.com. Have a look at my Outlook add-in Keluro Mail Team on the Office store, I think it is similar to what you want to achieve.
You can use the same token from graph.microsoft.com. I have a sample using Asp.Net Core 1.0 and the.Net ADAL but the same authentication flow is used when using ASP.NET 4.6. Just make your auth request against ms graph on startup then acquire access token to auth against SharePoint.
https://github.com/edrohler/com.ericrohler
Hope this helps.
I am using Office 365 to manage my calendars. I would just like to publish one of my calendars to my blog. Also, I would like to fully control the style of the calendar. I can enter API URLs into the browser and basic authentication to access my own calendars. So, I could do that from the server to build my calendar page using a server side http client. In this case, I don't really need the full power of OAuth2, which is mainly for letting multiple visitors manage their own content on a third-party site.
It would be nice if Microsoft's Office365 libraries would handle this scenario. It could also include a step where I register for a keys similar to the way Google Maps does. Or do they offer this already?
Does anyone know what steps to take so my scenario would work? Also, would I run up against any usage limits for a popular blog?
While the API is supporting Basic at the moment, that will eventually go away. You can definitely make your scenario work using the authorization code grant flow that's in place today, but it sounds like you may be more interested in the client credential flow which we are going to be releasing support for soon. That would allow you as the administrator of your Office 365 organization to authorize an app to access calendars in your organization without requiring user sign-in.
You register for client IDs and client secrets via Azure AD.
Azure AD is included with Office 365, and registering apps doesn't include any additional paid Azure services.
The client IDs and secrets obtained with the Visual Studio tool are permanent, and not just for debugging. Can you point me at the documentation that said otherwise so I can get it corrected? :)