About endpoint of AAD on ER environment - azure-active-directory

I would like to know about the access route to AAD on ExpressRoute.
What's new in Azure Active Directory?
https://learn.microsoft.com/en-us/azure/active-directory/fundamentals/whats-new#expressroute-support-changes
May 2018
ExpressRoute support changes
I would like to know which kinds of AAD endpoints will stop being supported on "Azure public peering".
Are all the endpoints in the following articles via the Internet?
Office 365 URLs and IP address ranges
https://support.office.com/en-us/article/office-365-urls-and-ip-address-ranges-8548a211-3fe7-47cb-abb1-355ea5aa88a2?ui=en-US&rs=en-US&ad=US
[Authentication and identity FQDNs]
Incidentally, I understand that the endpoints with "ExpressRoute for Office 365 BGP Communities = yes" will continue to be supported after 1st Aug.
Thanks in advance!

As per the update, you will see the Azure AD traffic gradually shifting from ExpressRoute to the Internet. So you should not see any issue, but if there is any change you will be notified further.
For customers using O365 services who need to use ER for authentication traffic, you may have to move to MS Peering. Below is the direction:
If you're on Azure public peering: move to Microsoft peering and sign up for the Other Office 365 Online services (12076:5100) community. For more info about how to move from Azure public peering to Microsoft peering, see the Move a public peering to Microsoft peering article.
If you're on Microsoft peering: sign up for the Other Office 365 Online service (12076:5100) community. For more info about routing requirements, see the Support for BGP communities section of the ExpressRoute routing requirements article.
If you must continue to use dedicated circuits, you'll need to talk to your Microsoft Account team about how to get authorization to use the Other Office 365 Online service (12076:5100) community. The MS Office-managed review board will verify whether you need those circuits and make sure you understand the technical implications of keeping them. Unauthorized subscriptions trying to create route filters for Office 365 will receive an error message.

Related

Microsoft Graph Api - Create a Domain in a healthy state

How does one get a domain into a healthy state using the Microsoft Graph Api?
Domains that are created and verified using the Graph Api always show with an exclamation mark and "Incomplete Setup" in the Office 365 management portal.
The steps performed via the Graph API are as follows:
1. Create a domain in the tenancy using the Graph API: POST /domains
2. Get the domain TXT records from the Graph API: GET /domains/{domainName}/verificationDnsRecords
3. Add the TXT records to the DNS zone on cPanel (external)
4. Verify the domain using the Graph API: POST /domains/{domainName}/verify
5. Set services: PATCH /domains/{domainName}
However, after performing all the above steps the domain still shows as in an incomplete state. The only way to get it to a Healthy state is by using the portal.
Including step 5 or leaving it out doesn't make a difference at all.
How does one get a domain into a Healthy state using the Graph Api?
Office365 Domain section
I'm afraid that it's not supported to get a domain into a Healthy state using Microsoft Graph API. As you know, we cannot update DNS settings via Microsoft Graph API. Although we can verify the domain, the domain status which is visible in the portal is not exposed in the Microsoft Graph domain properties. And the O365 admin portal is calling another kind of API, https://admin.microsoft.com/admin/api/Domains, which is not exposed to update the domain data.
Has this changed?
I think that it's not supported to get a domain into a Healthy state using Microsoft Graph API.
As you know, we cannot update DNS settings via Microsoft Graph API.
Although we can verify the domain, the domain status which is visible in the portal is not exposed in the Microsoft Graph domain properties.
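The five Graph calls from the question, as an added example (not the poster's code and not part of the answer). It assumes a Graph bearer token is already in hand and targets the v1.0 /domains endpoints; the HTTP transport and the DNS lookup are injected, so it runs offline against a constructed fake Graph. The TXT record is checked before /verify is called, and the closing GET shows that the domain resource only exposes isVerified and supportedServices, not the portal's Healthy / Incomplete status:

```python
"""Custom-domain onboarding through Microsoft Graph, following the five steps
in the question above. Added example, not code from the question or the answer.
It assumes a Graph bearer token is already in hand; the HTTP transport and the
DNS lookup are injected, so the flow runs offline against the constructed fake."""
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlparse

GRAPH = "https://graph.microsoft.com/v1.0"
# transport(method, url, headers, json_body_or_None) -> (status, json_body)
Transport = Callable[[str, str, Dict[str, str], object], Tuple[int, dict]]


def _graph(send: Transport, token: str, method: str, path: str, body=None) -> dict:
    headers = {"Authorization": f"Bearer {token}", "Content-Type": "application/json"}
    status, data = send(method, GRAPH + path, headers, body)
    if status >= 400:
        raise RuntimeError(f"{method} {path} failed: {status} {data}")
    return data


def txt_records(send: Transport, token: str, domain: str) -> List[Tuple[str, str]]:
    """Step 2: the (label, text) pairs Graph expects to find in public DNS."""
    data = _graph(send, token, "GET", f"/domains/{domain}/verificationDnsRecords")
    return [(r["label"], r["text"]) for r in data["value"]
            if r.get("recordType") == "Txt"]


def onboard_domain(send: Transport, token: str, domain: str,
                   lookup_txt: Callable[[str], List[str]],
                   services=("Email",)) -> dict:
    """Steps 1-5 of the question. lookup_txt(label) returns the TXT strings
    currently published for that label, since step 3 happens outside Graph."""
    _graph(send, token, "POST", "/domains", {"id": domain})              # step 1
    for label, text in txt_records(send, token, domain):                 # step 2
        if text not in lookup_txt(label):                                # step 3 check
            raise RuntimeError(f"TXT {text!r} not published yet for {label}")
    _graph(send, token, "POST", f"/domains/{domain}/verify")             # step 4
    _graph(send, token, "PATCH", f"/domains/{domain}",
           {"supportedServices": list(services)})                        # step 5
    # The domain resource exposes isVerified and supportedServices, but no
    # "Healthy / Incomplete setup" flag: that status is only shown in the portal.
    final = _graph(send, token, "GET", f"/domains/{domain}")
    return {"isVerified": final["isVerified"],
            "supportedServices": final["supportedServices"]}


class FakeGraph:
    """Constructed stand-in for the Graph /domains endpoints (offline demo only)."""

    def __init__(self):
        self.domains: Dict[str, dict] = {}
        self.calls: List[str] = []

    def __call__(self, method, url, headers, body):
        path = urlparse(url).path
        if path.startswith("/v1.0"):
            path = path[len("/v1.0"):]
        self.calls.append(f"{method} {path}")
        if not headers.get("Authorization", "").startswith("Bearer "):
            return 401, {"error": "missing bearer token"}
        if method == "POST" and path == "/domains":
            self.domains[body["id"]] = {"id": body["id"], "isVerified": False,
                                        "supportedServices": []}
            return 201, self.domains[body["id"]]
        parts = path.split("/")            # ["", "domains", "<name>", ...]
        dom = self.domains.get(parts[2]) if len(parts) > 2 else None
        if dom is None:
            return 404, {"error": "domain not found"}
        if method == "GET" and path.endswith("/verificationDnsRecords"):
            return 200, {"value": [{"recordType": "Txt", "label": dom["id"],
                                    "text": f"MS=ms-{dom['id']}"}]}
        if method == "POST" and path.endswith("/verify"):
            dom["isVerified"] = True
            return 200, dom
        if method == "PATCH":
            dom["supportedServices"] = body["supportedServices"]
            return 204, {}
        if method == "GET":
            return 200, dom
        return 405, {"error": "unsupported"}


def demo() -> dict:
    """Run the flow against the fake with the TXT record already 'published'."""
    graph = FakeGraph()
    domain = "contoso-example.test"                       # constructed name
    zone = {domain: [f"MS=ms-{domain}"]}                  # constructed DNS zone
    return onboard_domain(graph, "constructed-token", domain,
                          lambda label: zone.get(label, []))


if __name__ == "__main__":
    print(demo())   # {'isVerified': True, 'supportedServices': ['Email']}
```

Swap FakeGraph for a real HTTPS client (same four-argument signature) and lookup_txt for a DNS resolver to use it against a tenant; the pre-verify TXT check avoids burning /verify calls on a record that has not propagated yet.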

AADSTS500202: User account from external identity provider 'live.com' is not supported for API version '2.0'

I followed this article to implement the OAuth flow with the following authority URL:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id=d8e21783-5956-4bef-80ae-fdd636006223&prompt=login&response_type=code&response_mode=query&redirect_uri=xxxxx&scope=offline_access+user.read+files.readwrite.all&state=xxxxx
The page provides two sign-in ways:
With email address.
Without entering the email address.
You can see this screenshot, green line is the first option and orange line is the second.
Both sign-in ways support 「Windows Hello Face」 and 「Security Key」 (passwordless).
However, the authorization will fail if I choose the second sign-in way.
AADSTS500202: User account from external identity provider 'live.com' is not supported for API version '2.0'.
Does this mean Microsoft OAuth flow not supporting the second sign-in way?
PS: The ancient authority URL (ref) supports the second sign-in way.
GET https://login.live.com/oauth20_authorize.srf?client_id={client_id}&scope={scope}&response_type=token&redirect_uri={redirect_uri}
This approach is no longer recommended.
Use your personal Microsoft account to get access to Azure and all consumer-oriented Microsoft products and cloud services, such as Outlook (Hotmail), Messenger, OneDrive, MSN, Xbox LIVE, or Microsoft 365. Sign up your organization - Azure Active Directory - Microsoft Entra | Microsoft Docs
Note: Usually approach using the Azure AD v2.0 endpoint is recommended. However, some enterprise scenarios may require using the original Azure AD endpoint.
Please check the Microsoft Docs on error AADSTS50020 for a related cause to troubleshoot.
References:
Get OneDrive data in UWP using Microsoft (Live) Accounts and Azure AD - DEV Community
Authorization and sign-in for OneDrive in Microsoft Graph
You can raise a support request.

Skype For Business Online supported by Azure AD 2.0?

I developed an app which has integration with Microsoft Graph API and uses Azure 2.0 API for authentication.
From Microsoft Graph I can get users.
Now I want to see presence information for each user and therefore I need to use Skype for Business Online.
I send request to:
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root
And a user href is:
https://webdir0f.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user
Then I got an access token for https://webdir0f.online.lync.com from:
https://login.microsoftonline.com/<mytenant>/oauth2/v2.0/token
And the token has no "roles" claim, which is strange.
Then https://webdir0f.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user returns me a 500.
Is there a way to use Azure 2.0 to get access to Skype For Business Online?
Is there a way I can get presence information without a signed in user in Skype For Business Online?
UPD:
I was able to get access token for scope https://webdir0f.online.lync.com/Contacts.ReadWrite using client secret.
Small correction, what you're using here isn't "Azure 2.0" but rather Azure Active Directory's "App v2" or, more commonly, the "v2 Endpoint".
The v2 Endpoint has several well-known limitations and not all APIs and features are supported. The Skype and Skype for Business APIs both lack support for the v2 Endpoint.
In general, unless it's a recently released API or it is surfaced by Microsoft Graph, then it will only work with tokens issued by the v1 Endpoint.
I managed to get access to Skype For Business using Azure 2.0 application. Just followed the guidelines.
During autodiscovery you need to set the scope to the next user or redirect URI like this: https://webdir0f.online.lync.com/Contacts.ReadWrite.
Then Azure 2.0 realizes it's a Skype For Business URI and scope and works properly.
Though still Skype For Business API is old and very hard to use.
And I haven't found a way to get all other company user presence information from Sfb API.
Looks like it makes sense to wait until Trusted Application API will work.
Also trying to get Application token doesn't work.

Authentication from mobile devices with OpenID Connect / Azure AD not working with Microsoft Graph API

I have a website that uses OpenID Connect authentication/ADAL to authenticate users with an Azure AD. The application also uses the Microsoft Graph API to retrieve user data from the AD.
Authentication has been working well from all kinds of devices ever since it was implemented a couple of months ago.
But a few weeks ago (on August 23rd, to be exact), authentication from mobile devices stopped working all of a sudden, although no changes were made in the code or (to my knowledge) in the company infrastructure.
In the AuthorizationCodeReceived event handler of my ConfigureAuth method, I acquire an authentication result in this manner:
var authenticationContext = new AuthenticationContext(settings.Authority);
var authenticationResult = authenticationContext.AcquireTokenByAuthorizationCode(context.Code, new Uri(settings.RedirectUri), new ClientCredential(settings.ClientId, settings.ClientSecret), resource);
where resource is the Microsoft Graph API URL.
However, ever since August 23rd, the AcquireTokenByAuthorizationCode call throws an AdalServiceException with the message:
AADSTS50097: Device authentication is required.
If I omit the resource parameter in my AcquireTokenByAuthorizationCode call or change it to "https://graph.windows.net", for example, authentication from mobile devices works like a charm. But then I obviously cannot access the MS Graph API.
Is there a way to solve this so that I can access the MS Graph API and have users log on with mobile devices?
Sriram's answer is correct.
The company administrator has enabled conditional access policy for Exchange Online, which at present applies to Microsoft Graph as well. We are aware that this affects applications that use Microsoft Graph for artifacts other than mail/calendar, and are working on decoupling them. The change should roll out in the next few months. Please check with your company administrator if the policy can be relaxed. If not feasible, contact our support channel to request exclusion of Microsoft Graph from policy enforcement
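Both AADSTS failures on this page reach the application in different places: AADSTS500202 (the v2.0 authorize thread above) comes back on the redirect_uri as error / error_description query parameters, while AADSTS50097 (this thread) arrives inside the AdalServiceException message. The following is an added example, not code from either post, showing one callback handler that checks the OAuth state value before trusting anything else, then extracts the AADSTS code and maps the two codes discussed here to the causes the threads arrived at. The redirect URLs and the exception text are constructed samples that mirror the messages quoted in the posts:

```python
"""Handling the AADSTS failures from the two threads above: AADSTS500202 arrives
on the OAuth redirect as error/error_description query parameters, AADSTS50097
inside an AdalServiceException message. Added example, not code from either
post; the redirect URLs and messages below are constructed samples."""
import hmac
import re
from typing import Optional
from urllib.parse import parse_qs, urlparse

AADSTS_RE = re.compile(r"\bAADSTS(\d+)\b")

# Causes the two threads arrived at for the codes they hit.
KNOWN_CAUSES = {
    "500202": "a personal (live.com) account was used on the v2.0 endpoint, "
              "which this flow does not support; sign in with the work account",
    "50097": "device authentication is required: a Conditional Access policy "
             "applies to the requested resource (Microsoft Graph here)",
}


def extract_code(text: str) -> Optional[str]:
    """Pull the numeric AADSTS code out of an error_description or exception message."""
    m = AADSTS_RE.search(text or "")
    return m.group(1) if m else None


def describe(code: Optional[str]) -> str:
    if code is None:
        return "no AADSTS code present"
    return KNOWN_CAUSES.get(
        code, f"AADSTS{code}: not covered here, check the Microsoft error-code reference")


def handle_redirect(redirect_url: str, expected_state: str) -> dict:
    """Process the redirect_uri callback of the authorization-code flow.

    The state value is checked before anything else is trusted: a mismatch
    means the response does not belong to a request this app started."""
    qs = parse_qs(urlparse(redirect_url).query)
    state = qs.get("state", [""])[0]
    if not hmac.compare_digest(state.encode(), expected_state.encode()):
        return {"ok": False, "reason": "state mismatch; discard the response"}
    if "error" in qs:
        desc = qs.get("error_description", [""])[0]
        code = extract_code(desc)
        return {"ok": False, "error": qs["error"][0], "aadsts": code,
                "reason": describe(code)}
    if "code" not in qs:
        return {"ok": False, "reason": "neither code nor error in response"}
    return {"ok": True, "code": qs["code"][0]}


# Constructed samples mirroring the messages quoted in the threads.
REDIRECT_OK = "https://app.example.test/signin-oidc?code=AUTHCODE123&state=s3cr3t"
REDIRECT_500202 = ("https://app.example.test/signin-oidc?error=invalid_request"
                   "&error_description=AADSTS500202%3A+User+account+from+external+identity"
                   "+provider+%27live.com%27+is+not+supported+for+API+version+%272.0%27."
                   "&state=s3cr3t")
ADAL_MESSAGE = "AADSTS50097: Device authentication is required."


if __name__ == "__main__":
    print(handle_redirect(REDIRECT_OK, "s3cr3t"))
    print(handle_redirect(REDIRECT_500202, "s3cr3t"))
    print(handle_redirect(REDIRECT_OK, "wrong-state"))
    print(extract_code(ADAL_MESSAGE), "->", describe(extract_code(ADAL_MESSAGE)))
```

The state comparison uses hmac.compare_digest so a forged callback cannot be distinguished by timing; the AADSTS code is extracted with a regular expression because error_description text changes wording over time while the numeric code is the stable part to key logging and alerting on.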

Use Office 365 API to create a public read-only calendar Web page on a blog

I am using Office 365 to manage my calendars. I would just like to publish one of my calendars to my blog. Also, I would like to fully control the style of the calendar. I can enter API URLs into the browser and basic authentication to access my own calendars. So, I could do that from the server to build my calendar page using a server side http client. In this case, I don't really need the full power of OAuth2, which is mainly for letting multiple visitors manage their own content on a third-party site.
It would be nice if Microsoft's Office365 libraries would handle this scenario. It could also include a step where I register for keys, similar to the way Google Maps does. Or do they offer this already?
Does anyone know what steps to take so my scenario would work? Also, would I run up against any usage limits for a popular blog?
While the API is supporting Basic at the moment, that will eventually go away. You can definitely make your scenario work using the authorization code grant flow that's in place today, but it sounds like you may be more interested in the client credential flow which we are going to be releasing support for soon. That would allow you as the administrator of your Office 365 organization to authorize an app to access calendars in your organization without requiring user sign-in.
You register for client IDs and client secrets via Azure AD.
Azure AD is included with Office 365, and registering apps doesn't include any additional paid Azure services.
The client IDs and secrets obtained with the Visual Studio tool are permanent, and not just for debugging. Can you point me at the documentation that said otherwise so I can get it corrected? :)
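The server-side, read-only calendar feed the question asks for, built on the client credential flow the answer points to, as an added example (not code from the question, the answer, or Microsoft's libraries). It assumes today's Microsoft identity platform v2.0 token endpoint and the Graph calendarView API rather than the Office 365 API discussed at the time; the HTTP transport is injected so it runs offline against a constructed fake of both endpoints. The application token is cached until shortly before expiry, the client secret only ever travels in the POST body, and events marked anything other than normal sensitivity are dropped before they can reach the public page:

```python
"""Read-only calendar feed for a blog page via the client-credential flow the
answer above points to. Added example, not code from the question or answer.
It assumes today's Microsoft identity platform v2.0 token endpoint and the Graph
calendarView API (not the Office 365 API of the time); the HTTP transport is
injected so everything runs offline against the constructed fake below."""
import time
from typing import Callable, Dict, List, Optional, Tuple
from urllib.parse import urlparse

# transport(method, url, headers, body) -> (status, json_body); body is a dict
Transport = Callable[[str, str, Dict[str, str], object], Tuple[int, dict]]


class AppTokenCache:
    """Application token for Graph, fetched with the client secret and reused
    until shortly before it expires (the secret is sent in the POST body over
    TLS, never in a query string or anywhere near the public page)."""

    def __init__(self, send: Transport, tenant: str, client_id: str, client_secret: str):
        self.send, self.tenant = send, tenant
        self.client_id, self.client_secret = client_id, client_secret
        self._token, self._expires_at = None, 0.0

    def token(self, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        if self._token and now < self._expires_at - 60:
            return self._token
        url = f"https://login.microsoftonline.com/{self.tenant}/oauth2/v2.0/token"
        form = {"grant_type": "client_credentials", "client_id": self.client_id,
                "client_secret": self.client_secret,
                "scope": "https://graph.microsoft.com/.default"}
        status, data = self.send("POST", url,
                                 {"Content-Type": "application/x-www-form-urlencoded"}, form)
        if status != 200:
            raise RuntimeError(f"token request failed: {status} {data}")
        self._token = data["access_token"]
        self._expires_at = now + int(data["expires_in"])
        return self._token


def public_events(send: Transport, token: str, user: str,
                  start_iso: str, end_iso: str) -> List[dict]:
    """Fetch the calendar view and keep only what the public page needs."""
    url = (f"https://graph.microsoft.com/v1.0/users/{user}/calendarView"
           f"?startDateTime={start_iso}&endDateTime={end_iso}")
    status, data = send("GET", url, {"Authorization": f"Bearer {token}"}, None)
    if status != 200:
        raise RuntimeError(f"calendarView failed: {status} {data}")
    events = []
    for ev in data["value"]:
        if ev.get("sensitivity", "normal") != "normal":
            continue        # private/confidential items never reach the blog
        events.append({"subject": ev["subject"],
                       "start": ev["start"]["dateTime"], "end": ev["end"]["dateTime"]})
    return events


class FakeMicrosoft:
    """Constructed stand-in for the token endpoint and Graph calendarView."""
    TOKEN = "constructed-app-token"

    def __init__(self):
        self.token_requests = 0

    def __call__(self, method, url, headers, body):
        path = urlparse(url).path
        if method == "POST" and path.endswith("/oauth2/v2.0/token"):
            self.token_requests += 1
            if (body.get("grant_type") != "client_credentials"
                    or body.get("client_secret") != "constructed-secret"):
                return 401, {"error": "invalid_client"}
            return 200, {"token_type": "Bearer", "expires_in": 3600,
                         "access_token": self.TOKEN}
        if method == "GET" and path.endswith("/calendarView"):
            if headers.get("Authorization") != f"Bearer {self.TOKEN}":
                return 401, {"error": "InvalidAuthenticationToken"}
            return 200, {"value": [        # constructed calendar contents
                {"subject": "Office hours", "sensitivity": "normal",
                 "start": {"dateTime": "2024-05-06T09:00:00.0000000", "timeZone": "UTC"},
                 "end": {"dateTime": "2024-05-06T10:00:00.0000000", "timeZone": "UTC"}},
                {"subject": "Dentist", "sensitivity": "private",
                 "start": {"dateTime": "2024-05-06T13:00:00.0000000", "timeZone": "UTC"},
                 "end": {"dateTime": "2024-05-06T14:00:00.0000000", "timeZone": "UTC"}},
                {"subject": "Blog meetup", "sensitivity": "normal",
                 "start": {"dateTime": "2024-05-06T18:00:00.0000000", "timeZone": "UTC"},
                 "end": {"dateTime": "2024-05-06T19:30:00.0000000", "timeZone": "UTC"}}]}
        return 404, {"error": "not found"}


def demo() -> Tuple[List[dict], int]:
    """Two page renders share one application token against the fake."""
    ms = FakeMicrosoft()
    cache = AppTokenCache(ms, "constructed-tenant", "constructed-client-id",
                          "constructed-secret")
    window = ("2024-05-06T00:00:00Z", "2024-05-07T00:00:00Z")
    user = "blog-owner@contoso-example.test"                  # constructed mailbox
    first = public_events(ms, cache.token(), user, *window)
    second = public_events(ms, cache.token(), user, *window)  # token reused
    assert first == second
    return first, ms.token_requests


if __name__ == "__main__":
    print(demo())
```

On the usage-limit question, caching the rendered event list on the server (rather than calling Graph on every blog hit) keeps a popular page well inside throttling limits; the token cache above is the first half of that, and the events list is what to cache next.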
