Authentication failed using Graph API - winforms

I am trying to build a Windows Forms app for cloud migration, and while authenticating OneDrive using the Microsoft Graph API, I am getting this exception.
Please help or give any workaround.

Before you can execute a call against Microsoft Graph, you'll first need to authenticate that user and retrieve an access token. Each time you make a call to Graph, you'll include this token in your HTTP request Authorization header.
In order to operate against a user's data, you'll also need to request the proper permission scopes during the authentication process. From what I understand of your scenario here, you'll need at least Files.ReadWrite.
If your application is built on .NET 4.5 or newer, you may also want to go with the Microsoft Graph .NET SDK. This will simplify calling the API itself. It will not, however, handle the authorization process. For obtaining the token you can use the Microsoft Authentication Library (MSAL).
There is an excellent walkthrough for this as well: Call the Microsoft Graph API from a Windows Desktop app. While it isn't specific to Windows Forms, the concepts are pretty similar.
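The sign-in and Graph call the answer describes, as an added example in MSAL.NET (not code from the question or the answer). It assumes an app registration with a public-client redirect URI of http://localhost; the client ID is a placeholder.

```csharp
using System;
using System.Linq;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example: sign a user in from a Windows Forms app with MSAL.NET and
// call Microsoft Graph with the resulting token in the Authorization header.
// ClientId is a placeholder for your own app registration.
public static class GraphAuth
{
    private const string ClientId = "<your-app-registration-client-id>";
    // Delegated permission named in the answer; the user consents at sign-in.
    private static readonly string[] Scopes = { "Files.ReadWrite" };

    private static readonly IPublicClientApplication App =
        PublicClientApplicationBuilder.Create(ClientId)
            .WithAuthority(AzureCloudInstance.AzurePublic, "common")
            .WithRedirectUri("http://localhost")
            .Build();

    // Try the token cache first; show the sign-in window only when MSAL says it must.
    public static async Task<string> GetAccessTokenAsync()
    {
        var account = (await App.GetAccountsAsync()).FirstOrDefault();
        try
        {
            var silent = await App.AcquireTokenSilent(Scopes, account).ExecuteAsync();
            return silent.AccessToken;
        }
        catch (MsalUiRequiredException)
        {
            // No cached token, missing consent, or expired refresh token: interactive sign-in.
            var interactive = await App.AcquireTokenInteractive(Scopes).ExecuteAsync();
            return interactive.AccessToken;
        }
    }

    // Every Graph request carries the access token as a Bearer token.
    public static async Task<string> ListRootChildrenAsync(HttpClient http)
    {
        var token = await GetAccessTokenAsync();
        using var request = new HttpRequestMessage(HttpMethod.Get,
            "https://graph.microsoft.com/v1.0/me/drive/root/children");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        using var response = await http.SendAsync(request);
        response.EnsureSuccessStatusCode();   // a 401 here means the token lacks the scope or audience
        return await response.Content.ReadAsStringAsync();
    }
}
```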

Related

Add service principal using Graph client SDK using proof JWT

I need to add a key credential to an Azure Active Directory app using one of the existing key credentials. The API action for it is explained here: https://learn.microsoft.com/en-us/previous-versions/azure/ad/graph/api/functions-and-actions#addkey-add-a-keycredential-for-an-application--
I use an existing key credential to sign the JWT proof as explained, and it works fine.
I need similar functionality in the Active Directory Graph client SDK: https://www.nuget.org/packages/Microsoft.Azure.ActiveDirectory.GraphClient/
The ActiveDirectoryClient.ServicePrincipals.AddServicePrincipalAsync method does not take a proof input. And currently, if I call it taking only an auth token, it says "not enough privilege".
The NuGet package that you have included has a last update of 10-17-2016.
Per the samples included in that NuGet package:
https://github.com/Azure-Samples/active-directory-dotnet-graphapi-web
https://github.com/Azure-Samples/active-directory-dotnet-graphapi-console
Both have been archived. The library linked is neither maintained nor supported anymore. My suggestion would be to move over to utilizing ADAL so that you can make HTTP calls to the AAD Graph API.
The more preferred option is Microsoft Graph, as Microsoft is moving towards having all APIs under Microsoft Graph, and preferably moving to MSAL, as that is the library that will be used moving forward as well.
However, the issue with that is the addKey is not supported yet under Microsoft Graph. See here for differences between Microsoft Graph and the AAD Graph currently. The idea is that there will be parity between the two over time.
For an example of using the ADAL library to make a call to Microsoft Graph, please see the following sample: https://github.com/FrankHu-MSFT/ADAL-.NET-Console-Application
Note that your setup will be similar, but the only difference is that you'll be getting an access token on behalf of the AAD Graph API and making calls to the AAD Graph API accordingly.
For more up-to-date MSAL samples making calls to the Microsoft Graph API, please take a look at the samples here: https://github.com/microsoftgraph/aspnet-snippets-sample
As ADAL and the AAD Graph API are both getting older, it is suggested to move towards the Microsoft Graph API and MSAL when possible.

Microsoft Graph. Access OneDrive with application own identity

In a mobile application we are generating some images that we would like to upload to the client's cloud.
The client is using OneDrive For Business, with all the 360 suite (I have no more information about it yet).
What we would like to do, is to be able to store the images in a OneDrive account, without the user having to sign in. All the documentation I found to authenticate to OneDrive includes an interactive sign-in process which we don't want:
https://learn.microsoft.com/en-us/onedrive/developer/rest-api/getting-started/graph-oauth?view=odsp-graph-online
I have found that for Microsoft Graph there is the possibility of using the app's own identity to sign in (only REST), but it is not 100% clear to me that this authentication can grant access to OneDrive.
https://learn.microsoft.com/en-us/graph/auth-v2-service
Since I am not familiar at all with Microsoft cloud infrastructure I would appreciate some info.
Is it actually possible to access a OneDrive folder authenticating with the app's own identity?
Yes, it should be possible to work with the Microsoft Graph API and OneDrive files using an application identity (i.e. without a user sign-in).
REST APIs that should help
Do know that there are many SDKs/client libraries available for the Microsoft Graph API that you can work with depending on your platform, e.g. the Microsoft Graph .NET Client Library. As you've mentioned only REST, I'm giving links for the direct REST APIs here.
Uploading files (up to 4 MB) - Upload REST API
The least permission required will be Files.ReadWrite.All (under application permissions; admin consent will be required first for this application permission. In case you aren't familiar with the consent process, take a look here: Azure AD Consent Framework, and mention in comments if I can add a little more detail.)
Uploading larger files - Resumable Upload REST API
Authentication
From a flow standpoint, you will need to make use of the OAuth 2.0 Client Credentials Grant Flow to authenticate.
NOTE: Please do note that this flow is meant only for confidential clients. So you shouldn't make use of it directly from a mobile client or even desktop client (like WPF or console application), as these are public clients which can not securely handle client secrets. Your mobile client should call a backend API, that in turn can call Microsoft Graph and uses client secrets, acting like a daemon using Application permissions.
At the end of this link there are code samples available for .NET Core 2.1 and ASP.NET MVC.
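The backend daemon the answer describes, as an added example in MSAL.NET (not code from the question or the answer). It assumes the app registration has the Files.ReadWrite.All application permission already admin-consented; the tenant ID and client ID are placeholders, and the client secret is read from an environment variable named here for illustration.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client;

// Added example: a confidential backend (not the mobile client) acquires an
// app-only token with the client credentials flow and uploads a small file
// into a named user's OneDrive for Business. Tenant/client IDs are placeholders;
// GRAPH_CLIENT_SECRET is an assumed environment variable fed from a secret store.
public static class OneDriveDaemon
{
    private static readonly IConfidentialClientApplication App =
        ConfidentialClientApplicationBuilder.Create("<client-id>")
            .WithClientSecret(Environment.GetEnvironmentVariable("GRAPH_CLIENT_SECRET"))
            .WithAuthority(AzureCloudInstance.AzurePublic, "<tenant-id>")
            .Build();

    // With application permissions the scope is the resource's ".default";
    // the effective permissions are those granted on the app registration.
    private static readonly string[] Scopes = { "https://graph.microsoft.com/.default" };

    public static async Task<string> UploadSmallFileAsync(
        HttpClient http, string userPrincipalName, string fileName, byte[] content)
    {
        // The simple PUT upload is limited to 4 MB; larger files need an upload session.
        if (content.Length > 4 * 1024 * 1024)
            throw new ArgumentException("Use the resumable upload session for files over 4 MB.");

        var result = await App.AcquireTokenForClient(Scopes).ExecuteAsync();

        // No /me with an app-only token: there is no signed-in user, so the
        // target drive is addressed explicitly by user.
        var url = $"https://graph.microsoft.com/v1.0/users/{Uri.EscapeDataString(userPrincipalName)}" +
                  $"/drive/root:/{Uri.EscapeDataString(fileName)}:/content";

        using var request = new HttpRequestMessage(HttpMethod.Put, url)
        {
            Content = new ByteArrayContent(content)
        };
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", result.AccessToken);
        request.Content.Headers.ContentType = new MediaTypeHeaderValue("application/octet-stream");

        using var response = await http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();   // driveItem JSON for the new file
    }
}
```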

Skype For Business Online supported by Azure AD 2.0?

I developed an app which has integration with the Microsoft Graph API and uses the Azure 2.0 API for authentication.
From Microsoft Graph I can get users.
Now I want to see presence information for each user, and therefore I need to use Skype for Business Online.
I send request to:
https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root
And a user href is:
https://webdir0f.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user
Then I got an access token for https://webdir0f.online.lync.com from:
https://login.microsoftonline.com/<mytenant>/oauth2/v2.0/token
And the token has no "roles" claim, which is strange.
Then https://webdir0f.online.lync.com/Autodiscover/AutodiscoverService.svc/root/oauth/user returns me a 500.
Is there a way to use Azure 2.0 to get access to Skype For Business Online?
Is there a way I can get presence information without a signed in user in Skype For Business Online?
UPD:
I was able to get an access token for scope https://webdir0f.online.lync.com/Contacts.ReadWrite using a client secret.
Small correction: what you're using here isn't "Azure 2.0" but rather Azure Active Directory's "App v2" or, more commonly, the "v2 Endpoint".
The v2 Endpoint has several well-known limitations and not all APIs and features are supported. The Skype and Skype for Business APIs both lack support for the v2 Endpoint.
In general, unless it's a recently released API or it is surfaced by Microsoft Graph, then it will only work with tokens issued by the v1 Endpoint.
I managed to get access to Skype For Business using an Azure 2.0 application. I just followed the guidelines.
During autodiscovery you need to set the scope to the next user or redirect URI, like this: https://webdir0f.online.lync.com/Contacts.ReadWrite.
Then Azure 2.0 realizes it's a Skype For Business URI and scope and works properly.
Though the Skype For Business API is still old and very hard to use.
And I haven't found a way to get all other company users' presence information from the SfB API.
Looks like it makes sense to wait until the Trusted Application API will work.
Also, trying to get an Application token doesn't work.

Which option is better, MSAL.js or the OpenIdConnect NuGet package at the Web API?

We have a SharePoint publishing site with anonymous access hosted on internet. As per the latest requirements, we need to implement user login (AzureAD, Microsoft personal and work accounts, and more) for some pages within the portal.
There are two approaches we have come up with:
Using the msal.js file: implementing login of the user at the client side itself and calling the Partner Center Web API with the user token to check the validity of the user, plus performing the required operations.
Create a Web API with the Microsoft.Owin.Security.OpenIdConnect NuGet package at the Web API end to implement login, and also use it for doing our required operations of retrieving and modifying data from the backend.
Which approach may work best in our scenario?
Is there any other way to achieve this?
The difference between these two approaches is that they use different flows to integrate with the identity data provider.
The second approach, using server-side code, uses the authorization code grant flow, which is a standard flow to interact with the identity data provider.
The first approach, using msal.js, uses the implicit flow. This is a simplified authorization code flow optimized for clients implemented in a browser using a scripting language such as JavaScript. In the implicit flow, instead of issuing the client an authorization code, the client is issued an access token directly.
More details on the flows using OAuth 2.0 are defined in the OAuth 2.0 Authorization Framework.

Using Microsoft Graph APIs with Azure AD 1.0 Authentication

I'm trying to understand what is expected to fail (if anything) when using different Microsoft Graph REST endpoints with an access token that was obtained against the Azure 1.0 oauth endpoint (implicit flow). For example, I created a new app registration in Azure AD tenant, added the Microsoft Graph service and selected every single permission available - 66 in total. What I find is that I can use the access token I get from the https://login.windows.net/common/oauth2/authorize endpoint to execute basic directory queries against the https://graph.windows.net/ REST endpoint. However other things - like the "me" or OneNote REST endpoints fail with a 401 unauthorized error. As a side note - I can get ALL of these scenarios to work with the Azure 2.0 oauth endpoint and passing in SCOPES for my permission requirements.
So...based on all of that, I'm not sure if big parts of the Microsoft Graph endpoints are not expected to work in this scenario, or perhaps I'm passing in the wrong RESOURCE parameter when I redirect to the .../authorize endpoint to get my access code, or something else. So if there is any info that describes if this is not expected to be supported, or if it is other info we should know - for example, is there a different RESOURCE needed when using the 1.0 oauth endpoint (the only variable I'm seeing right now), or whatever. Any sort of specific details here would be appreciated.
Thanks.
An access token is available for one endpoint; you could check the aud (audience) claim in the access token. That's why we suggest using the Microsoft Graph API, since Microsoft Graph lets you build apps for organizations and consumers that connect to a wealth of resources, relationships, and intelligence, all through a single endpoint: https://graph.microsoft.com.
You said that you can execute basic directory queries against the https://graph.windows.net/ REST endpoint, so the access token could be used to call the Azure AD Graph API (https://graph.windows.net/). If you use that token to make Microsoft Graph API calls (https://graph.microsoft.com), you can't do that, since the access token is not available for the Microsoft Graph API endpoint.
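The audience check the answer suggests, as an added example (not code from the answer): decode the token payload and compare its aud claim with the endpoint you are about to call, so an "Azure AD Graph" token is never sent to graph.microsoft.com. This only reads the claim for diagnosis; it does not validate the signature, which is the resource server's job. The Microsoft Graph application ID used below is the service's well-known value, not something from this page.

```csharp
using System;
using System.Text.Json;

// Added example: inspect the aud claim of a JWT access token before use.
// A 401 from Graph with a token whose aud is https://graph.windows.net is the
// mismatch described in the answer above.
public static class TokenAudience
{
    // v1 endpoint tokens for Microsoft Graph carry the resource URI; v2 tokens
    // may instead carry Microsoft Graph's well-known application ID.
    public const string MicrosoftGraphResource = "https://graph.microsoft.com";
    public const string MicrosoftGraphAppId = "00000003-0000-0000-c000-000000000000";
    public const string AzureAdGraphResource = "https://graph.windows.net";

    public static string GetAudience(string accessToken)
    {
        var parts = accessToken.Split('.');
        if (parts.Length != 3)
            throw new FormatException("Not a JWT access token (expected three dot-separated parts).");
        using var payload = JsonDocument.Parse(Base64UrlDecode(parts[1]));
        var aud = payload.RootElement.GetProperty("aud");
        // aud may be a JSON string or an array; Azure AD access tokens use a string.
        return aud.ValueKind == JsonValueKind.Array ? aud[0].GetString() : aud.GetString();
    }

    // True when the token was issued for the given resource (trailing slash ignored).
    public static bool IsForResource(string accessToken, string resourceUri)
    {
        var aud = GetAudience(accessToken).TrimEnd('/');
        return string.Equals(aud, resourceUri.TrimEnd('/'), StringComparison.OrdinalIgnoreCase);
    }

    public static bool IsForMicrosoftGraph(string accessToken) =>
        IsForResource(accessToken, MicrosoftGraphResource) ||
        IsForResource(accessToken, MicrosoftGraphAppId);

    // JWT segments are base64url without padding; restore padding before decoding.
    private static byte[] Base64UrlDecode(string segment)
    {
        var b64 = segment.Replace('-', '+').Replace('_', '/');
        switch (b64.Length % 4)
        {
            case 2: b64 += "=="; break;
            case 3: b64 += "="; break;
        }
        return Convert.FromBase64String(b64);
    }
}
```

Call IsForMicrosoftGraph before attaching the token to a graph.microsoft.com request; if it returns false, request a new token with the correct resource or scope rather than retrying the call.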
