I need to create a service which gets messages from specific office 365 mail box user100#atenant.onmicrosoft.com/.
My understanding is that in this case I need to specify required permissions in application registration for my app in the Azure management portal for Microsoft Azure Active Directory.
Is it possible to provide mail.read permission to the particular account instead of mail.read.all?
No , you need to write your own code in app to restrict access to particular account , and you should grant mail.read.all application permission which allows the app to read mail in all mailboxes without a signed-in user.
And if you only wants to read emails from particular account in a service , you could try delegate permission with mail.read and use the Resource Owner Password Credentials Grant.
Related
I am getting the below error message when my Application (A) is trying to access another application (B) which is hosted in a different Tenant. Both applications have been registered to support multi-tenant access (i.e Accounts in any identity provider or organizational directory (for authenticating users with user flows) within their respective tenant. The microsoft outlook account I am using is associated with both tenants. What am I missing?
'AADSTS650052: The app is trying to access a service 'xxx-xxxx-xxxx' that your organization 'xxx-xxx-xxx' lacks a service principal for. Contact your IT Admin to review the configuration of your service subscriptions or consent to the application in order to create the required service principal.
In order for an application to authenticate with a tenant, a service principal representing it must exist in that tenant. For multi-tenant apps this is created when you go through authentication to that app on the target tenant. So you need to do a login against your app with the target tenant as the authority.
I'm using OpenID Connect to authenticate users according to https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-protocols-oidc. I registered application in Azure AD and there are following user consents defined:
The problem is that only 3 users are authenticated while others get error 90094 with message:
Need admin approval
App needs permission to access resources in your organisation that
only an admin can grant. Please ask an admin to grant permission to this app before you can use it.
These 3 users who can sign-in are the ones who granted "Sign users in" and "Sign in and read profile" permissions (visible under "Granted By" column links on the screenshot) and this is the only difference in Azure configuration between them and the rest who cannot sign-in. All of users have been added to app through "Users and groups" page with the same roles. All users are from the same company's directory. Api permissions looks like following
Moreover I have setting
I don't know how to grant permissions to other users and I don't know how to extend list of permissions visible on the screenshot.
Any ideas?
I wonder if any changes in Azure Portal happened since November 2019 when I created and configured that app. There where no changes in my permissions since that time, so I didn't have more power that time. I've read various documentation on MSDN about consents and permissions but didn't find solution.
You are not the admin of your Azure AD tenant.
Please see this reference: Disable or enable user consent from the Azure portal.
I see that you have the setting: Users can consent to apps accessing company data on their behalf. But if you don't Enable the admin consent workflow, when the application is requesting permissions that the user is not allowed to grant, the users still can't consent to the apps by themselves.
Another method is that you need to use an admin account to log into Azure portal. And then grant admin consent for your tenant.
I am a developer working on an application that will access O365 data via the Graph API. I have registered an application under my company account. I have authentication working on a per-user basis. Now I am trying to get it to work so that a tenant administrator can grant permission to my application for data access on an organization-wide basis. I have this working as well - I used the /adminconsent endpoint to bring the administrator to a page where he granted the consent.
What I am wondering about is the line in the documentation that says "You can rely on an administrator to grant the permissions your app needs at the Azure portal". I am trying to figure out what that procedure is so I can document it for admin users. I thought perhaps it was to go to App Registrations - there I see an option to create a new registration. But this has it's own Client Id. Don't I somehow have to give it the Client Id of my own application? Or is the idea that the tenant admin will supply the Client Id of his app to my app? Or am I in the wrong area altogether?
BTW in case it is relevant, I am not using any authentication library, just making direct http calls from a C++ program running on the Windows desktop.
Per my understanding, your application is an multi-tenant application. Only you or the administrators in your tenant can grant the permissions to your application. The administrators from other tenants can grant consent to use your application, but they can not control the permissions.
Update:
You can grant admin consent by calling admin consent endpoint.
https://login.microsoftonline.com/common/v2.0/adminconsent?
client_id={your_tenant_client_id}
&state=12345
&redirect_uri=http://localhost/myapp/permissions
&scope=
https://graph.microsoft.com/.default
If you want to grant admin consent via Azure portal. The application must already been provisioned in your tenant. For example, an app could be provisioned in your tenant if at least one user has already consented to the application.
We have configured an azure active directory application so that the users to our website can log in via their Microsoft accounts. The problem is that if we do not grant admin access then the Sign in to the application fails with the error code AADSTS650056:
Misconfigured application. This could be due to one of the following: The client has not listed any permissions for 'AAD Graph' in the requested permissions in the client's application registration.
We are skeptical to click on "Grant admin consent" fearing that it may expose any vulnerability. Is this the right way to proceed? If not what are the alternatives so that this kind of consent is bypassed?
Each application registers permissions it requires. Some permissions can be granted by users, some other only by the administrator.
Let's suppose you have only permissions that can be consented by users. The first time they use the application, they'll be prompted (each user) to consent those permissions to the application.
If in the same scenario you click on grant admin consent, it is the equivalent of accepting it for all users on the tenant.
Now let's suppose the application registers permissions that require admin consent, you have no choice but to click that button if you want the application to work and be able to request tokens.
These permissions that require admin consent are permissions that either allow access to more or sensitive data in the organization.
I registered multi tenant Office 365 application in Azure AD admin center and configured required permissions that this application asks for. Also I created web service that uses this application.
My web service had been working for half a year and at some point I extended functionality of my web service and now it requires several new permissions. Also I realized that some permissions are not required for my web service any more.
So I added extra permissions and removed those that I don't need in Azure AD, saved the permissions and clicked "Grant permissions" button.
In my web service I perform re-authentication flow in order to update access token for working with created Office 365 application and use extra permissions. But when I get access token using my web service and decoded the token on this site I don't see that extra permissions were provisioned. Also I see that my web service gets token with those permissions granted that I removed from my application. So even after re-authentication user from another tenant that use my web service gets token with "old" permissions set.
Why so? How can I provision all the application permissions I previously set up for my Office 365 application in Azure AD to the tenant that uses my service? I just need the permission set in the token be up to date with those I configured in Azure AD.