How can I add a Azure AD group to a SharePoint Online site collection administrators through a console application.
My sample tested code, you may try it. TestSecurityGroup is an Azure AD security group.
Web web = clientContext.Web;
var SPGroup = web.SiteGroups.GetById(7);
User group = clientContext.Web.EnsureUser("TestSecurityGroup");
clientContext.Load(group);
User addUser=SPGroup.Users.AddUser(group);
clientContext.Load(addUser);
clientContext.ExecuteQuery();
Related
We installed an enterprise application through the Azure AD App Gallery. But when we try to config the Single Sign-on, it keeps saying:
The single sign-on configuration is not available for this application
in the Enterprise applications experience. HubSpot is a multi-tenant
application and the application is owned by another tenant.
Do we need to change some settings to allow the setup of Single sign-on?
We followed this tutorial but are now stuck on "Configure Azure AD SSO".
When added the hubspot application from Azure AD Enterprise application gallery like below ,you should be able to see if SSO setting is available or not and the ways it can be supported for sso.(Here i can be able to use SAML based SSO, or linked SSO)
Then you should be able to edit the saml configuration
For me when I search the hubspot app created in app registrations, its under supported account type of my organization only.
Please check if the App is registered and added as Multi-Tenant App in your case and users have to use login for particular tenant instead of common to avoid error.
Also user accounts need to be pre-provisioned into HubSpot prior to
sign-in .
Reference:
Sign in with My Apps portal and Azure AD SSO in multi tenants application - Stack Overflow
I have a WPF desktop using the WebView2 control, and it works quite nicely. The problem I am trying to solve is handling the authentication for users who find the repeated prompts when accessing our SharePoint Online (SPO) site within the WebView2 control annoying. I am not looking to access Graph API or the SPO API, just allow the user to navigate to our SPO site without login prompts. Our on-prem AD synchronizes with Azure AD.
A couple of applications I've developed:
An Office add-in using SSO with delegated permission and signed off by our admin so that users do not log in
A console app that has application permission to update all calendars in our organization via the EWS API, protected with Azure AD certificate authorization, although it initially used a secret
That said, how can I set up the app authorization so that my desktop WPF app can allow the users to access SPO without prompts?
According to your scenario, you can try the following things in your web view control such that you will no longer receive authentication prompts for Sharepoint online login.
• You trying to access SPO site within web view control, so you need to allow authentication for both the http clients, i.e., Windows store clients(classic)[System.Net.Http.HttpClient] and HTTP clients[Windows.Web.Http.HttpClient] connected to web view controls. You can do so by adding the new one in your code as below: -
var filter = new HttpBaseProtocolFilter();
filter.ServerCredential = new Windows.Security.Credentials.PasswordCredential("http://website","login","password");
Windows.Web.Http.HttpClient client2 = new
Windows.Web.Http.HttpClient(filter);
var response = await client2.GetAsync(new Uri("http://website"));
WebView.Source = new Uri("http://website");
• In this code, change the “login” and “password” to the credentials you want to use to login in the SPO site. Also, change the “http://website” to the SPO website and set the ‘enterpriseAuthentication’ parameter to off.
• Also, you can use the ‘’TodoListService” Service app for maintaining an in-memory collection of to-do-items for each authenticated user for login purposes.
Please refer the below links for more reference: -
providing domain/user credentials to webview control
https://learn.microsoft.com/en-us/previous-versions/windows/hh465283(v=win.10)?redirectedfrom=MSDN
https://learn.microsoft.com/en-us/samples/azure-samples/active-directory-dotnet-native-aspnetcore-v2/1-desktop-app-calls-web-api/
This way, hopefully the SPO site can be accessed through desktop WPF app without authentication prompts.
Thanking you,
We are working on integrating our app with MS Teams using a Teams app with a bot and a tab and we are struggling with the authentication.
Our scenario is:
We use Azure AD B2C for authentication to our app (using predefined user flows).
We have different customers that use Azure AD (each one with its own Azure AD tenant). We created a custom identity provider that enables sign-in/sign up users to our app using their own Azure AD credentials.
We created a bot channel registration using a "Generic Oauth 2" service provider to connect to our bot with Azure AD B2C.
Our challenges are:
Ideally, we want to implement SSO for our bot in Teams to allow our customers to be able to sign in to our app using their MS Teams credentials. We managed to authenticate using OAuthPrompt for Teams following this sample but the challenge we've seen is that the user needs to sign in every time that opens the bot (i.e. there refresh token is not working) and also we are not able to send a "domain_hint" query string to differentiate our customers.
Ideally, we want the authentication to be handled using only one bot channel registration
Probably it could be achieved by creating one channel registration for each customer but in the long-term, we'd need to create one bot for each customer and that could be difficult to maintain/avoiding our customers installing an App Registration on their Azure AD.
Anyone had similar experiences dealing with MS Teams apps for multiple Azure AD tenants using Azure AD B2C? How's the best way you recommend to handle this scenario?
Your help would be appreciated!
Thanks in advance!
If it helps to someone, after some research, we are doing the following for our scenario:
For the SSO in the tabs, given the limitation of OAuthPrompt to don't refresh tokens (we don't want users to sign in every time the token expires) we are following this solution posted months ago https://github.com/igrep/example-teams-bot-with-ms-account-refresh-token.
For handling multiple Azure AD tenants within B2C, given that we are using predefined user flows and we need to build a custom sign-in for our scenario, we are going to pass the get and pass the domain_hint from MS Teams to Azure AD B2C.
To implement SSO, please go through Add single sign on to a bot and also you can refer the code base in Expert Finder app template and it has implemented the same bot sign-in functionality and it is working fine.
Could you please take a look at multiple Azure AD tenants using Azure AD B2C for configuring multi tenant AD B2C.
We have a MDM solution where clients that utilize Azure AD can join and enroll (to our MDM) Windows 10 devices. The clients configure in their Tenants an On-Premise MDM app (that is selected from the Mobility MDM and MAM app gallery) in order to set and use our MDM.
We would like to have our MDM App showed in that gallery such as the image below. Does anyone can help me and show me some hints to make our MDM to appear in that Gallery?
I know that one step is that our MDM has to have its own Tenant in Azure AD and there create an App (my organization is developing) and set it as Multi-Tenant. But after that I am lost, I don't know what are the next steps.
Thanks in advance.
according to https://learn.microsoft.com/en-us/windows/client-management/mdm/azure-active-directory-integration-with-mdm#publish-your-mdm-app-to-azure-ad-app-gallery
to publish a on-prem based mdm, is no different than adding a normal app to the app gallery, in which case, in which case follow this documentation:
https://learn.microsoft.com/en-us/azure/active-directory/azuread-dev/howto-app-gallery-listing
they mention a portal that you can use and request access to submit request.
got a WPF app that I would like to authentication using Azure AD (got a sample that makes it work). Once authentication is done, I'd like to get a list of roles assigned to a user. I have added roles to the manifest of the app registration and saved it. I was then trying to follow this link :
Assign a user or group to an enterprise app
to assign roles to users but Users and Groups option is not available at all in the enterprise application for this app. It is available for web app, but not native. Am I missing something? Anyone knows of a good example that would authenticate user in WPF and retrieve roles (I have been looking into graph API to get user groups by so far have been unsuccessful).
Thank You
You didn't miss anything.
This is because that Native client registrations are multi-tenant by default. You don’t need to take any action to make a native client application registration multi-tenant. It means that you can sign in this application with any Users in Azure AD with some configuration. So, you wouldn't see Users and Groups in Native client in Enterprise Applications.
However,you can assign the users (without roles) to native applications by using cmdlets in PowerShell:
$appId = (Get-AzureADApplication -SearchString “<Your App's display name>”).AppId
$user = Get-AzureADUser -searchstring "<Your user's UPN>"
$servicePrincipal = Get-AzureADServicePrincipal -Filter “appId eq ‘$appId'”
New-AzureADUserAppRoleAssignment -ObjectId $user.ObjectId -PrincipalId $user.ObjectId -ResourceId $servicePrincipal.ObjectId -Id ([Guid]::Empty)
More information about the command for assigning a user to an application role, please refer to this document.