We want to create an API App(Main purpose is to contact our organizations Office 365 Graph endpoint and send email) in Azure.. however our frontend website doesn't use Azure AD for the user authentication.. however we want our backend APi to be able send email in one of the following ways
1) send email as any user
2) send email on behalf of a service account
we are trying to explore the possible options and based on the investigation done so far, this(option 1) can be done using admin_consent - Can someone help with the steps we need to follow to create such app and deploy.
additionally is there a way to create an API app without login screen being prompted during the execution of the API - while using user_consent?
Option 1
In order for an app/daemon to send email as any user, it must have the send mail as any user app permission.
Give that permission on the Microsoft Graph API to the app, then grant the permission by clicking the Grant Permissions button in the portal, or by going through the admin consent flow.
Your API can then authenticate with its client credentials and get an access token to send email.
The bad side of this approach should be obvious, the app gets rights to send emails as anyone in your org.
Option 2
You could alternatively create an account for the API, and then use the Resource Owner Password grant flow to authenticate. You would then give the delegated permission for sending email as the signed in user.
The bad side of this is the flow for authenticating. If the account's password expires, there is no way for you to reset it from there, you would have to intervene to fix the problem.
Consent
You cannot go through consent without the browser UI.
Related
I have a Azure Active Directory application and I have provided some of the user delegated permissions for accessing Graph APIs. For example 'user.read' and 'user.read.all' etc.
To provide User Consent for the Graph APIs which have Delegated permission. I need to login using my credentials to the test application (I developed) and then there will be a Popup displayed on the Web UI with title "Permissions requested" to grand the consent. I need to select Accept button to grand the consent.
My questions:
Is there a way we can preauthorize the user consent without following Web UI flow?
Just like the admin consent in Active Directory, is there a way to grant user consent?
Yes, it is possible through MS Graph API.
When you grant user consent, an OAuth2PermissionGrant object is created.
Admin consent also creates one but in that one the principal is set to be "all users".
You can also create these programmatically.
You can see the docs for the API endpoint here.
It is created under the service principal of your app and you specify consentType as "Principal" and principalId as the user's objectId.
I think you may try to hit this url and signed in with the admin account, then you may consent on behalf of your organization. This url is used to get auth code for using auth code flow(generate access token)
https://login.microsoftonline.com/hanxia.onmicrosoft.com/oauth2/v2.0/authorize?
client_id=your_azure_ad_app_clientid
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost:8080%2F
&response_mode=query
&scope=user.read
&state=12345
I have quite a strange issue (well I think it is)... I'm building a web application using Ionic Angular and this application needs to submit information to a SharePoint site within our company. Authentication for the application is handled using Microsoft Authentication Library for Angular (v1) and the users of the application can either be AzureAD Guest users, or actual company users. The application successfully authenticates both types of users and they are issued an IDtoken, along with an accessToken. The access token is then used to perform GET, PATCH and POST Graph API requests against particular lists within a SharePoint site.
If I'm logged in as a full user... there is no issue, the app can successfully perform all three request types against the lists. However, if I'm logged into the application as a Guest user, I can only successfully perform GET and PATCH requests, but not POST:
A Postman POST request using the access token retrieved via MSAL authentication
I have checked the scopes within the token using https://jwt.ms and confirm that the following scopes are present:
Sites.Manage.All
Sites.Read.All
Sites.ReadWrite.All
User.Read profile openid email
The permissions for the lists are granted through membership of an Azure AD Domain/Security group and both; the full user and guest user are members.
To further add to this, I've logged into the SharePoint site online as the Guest User and I can successfully See, Add and Edit List items from the list, but I can't seem to do this via the Graph API.
Has anyone seen this behaviour before, or has any pointers?
Thanks in advance.
This is my app registration setup regarding permissions:
API Permissions
Please check your permissions in Azure Portal. When getting the access token with a signed-in user, you need to make sure the delegated permission Sites.ReadWrite.All has been set, and grant admin consent for your tenant.
And the scope should be added this permission for requesting an access token.
POST https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token
client_id=<client_id>
&scope=https%3A%2F%2Fgraph.microsoft.com%2FSites.ReadWrite.All
&code=<authorization_code, see https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-auth-code-flow#request-an-authorization-code>
&redirect_uri=<redirect_uri>
&grant_type=authorization_code
&code_verifier=ThisIsntRandomButItNeedsToBe43CharactersLong
&client_secret=<client_secret>
It may be a delay about 5-10 mins after adding the permission.
Our application allows users to authenticate via Azure Active Directory using OpenID Connect.
However, some organizations do not allow users to approve applications, and require administrators to approve the application first.
Right now, this means that if a user wants to connect using their work account, we have to first send them to Azure, where they then enter their password, and then are told that our application requires administrator approval. Not a great experience.
Ideally, I would like to give only users whose tenants allow them to approve new applications (or those that already have) the option of logging in via AAD. Is this possible to do through an API call?
Microsoft does not provide such an API for this purpose.
As a workaround, you can quickly check it using auth code flow: Request an authorization code.
Enter their password is necessary. Sign in to this url with customer's credential:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=https%3A%2F%2Fgraph.microsoft.com%2Fmail.read%20api%3A%2F%2F
&state=12345
&code_challenge=YTFjNjI1OWYzMzA3MTI4ZDY2Njg5M2RkNmVjNDE5YmEyZGRhOGYyM2IzNjdmZWFhMTQ1ODg3NDcxY2Nl
&code_challenge_method=S256
Then they can see if they need admin consent or not.
The essence is the same as the steps you described. But it can save a lot of time.
I am able to read other users email using microft.graph api. Need guidance as how to restrict mailbox access so that users can view its email alone.
I created an azure admin and added 3 users. I registered an app and granted Mail.ReadWrite api permission. I generated a token and was able to read others users email. Need guidance as how mailbox access can be restricted to specific user and particular user can access their own email
Need guidance as how to restrict the users from accessing other users email
Client credential allows the app to read all the information that it have access to without a user. It means that anyone who opens the app can see the information. See Get access without a user.
What you need is Get access on behalf of a user.
To get an access token, the user is redirected to the Microsoft identity platform /authorize endpoint. In the authorization code grant flow, after consent is obtained, Azure AD will return an authorization_code to your app that it can redeem at the Microsoft identity platform /token endpoint for an access token.
At last, use this access token to access the emails of the logged in user. You won't see other users' emails.
I was able to restrict my app to access specific user email by creating an application policy. This link helped me to achieve this https://learn.microsoft.com/en-us/graph/auth-limit-mailbox-access Now I am using client credential to generate app level token and access specific users email.
We have a webapplication that uses openid connect, with azure as the identityprovider, to sign in users. So users, when signing in is sent to a URL like:
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?response_type=id_token+token&client_id=3{clientId}&response_mode=form_post&redirect_uri=http://localhost:8765/ms/oidc/signon/response&scope=openid+profile+https://graph.microsoft.com/user.read&state=1234&nonce={nonce}
this works fine, but requires users to consent to our apps permission scopes the first time they use it.
We'd like to offer office365 administrators the ability to consent on behalf of their entire tenant, so we send them to an endpoint like:
https://login.microsoftonline.com/common/adminconsent?client_id={clientId}&state=12345&redirect_uri=http://localhost:8765
this also seems to work fine, and the admin i informed that they will consent on behalf of all users in their tenant. However, the user is still presented with the consent prompt on first login.
This does make sense, since the app is only registered with the user.read permission, so if we instead sent the user to
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?response_type=token&client_id={clientId}&response_mode=form_post&redirect_uri=http://localhost:8765/ms/oidc/signon/response&scope=https://graph.microsoft.com/user.read&state={state}&nonce={nonce}
without the dynamic permission request, and response type only set to token, the admin consent works, and users are not presented with the consent prompt.
So, I guess I have 2 questions:
1) is this how it's supposed to work, or is there some way to grant admin consent to the profile and openid scopes?
2) Am I actually missing anything by not requesting these(openid+profile) permissions? I don't receive and id_token in the response, but is seems the authentication_token already contains even more information than the id_token does anyway
1) is this how it's supposed to work, or is there some way to grant admin consent to the profile and openid scopes?
It seems a bug in azure ad v2.0 consent framework , well-known scopes(openid,profile) should be granted by default when you do admin permissions. Please refer to this link .
2) Am I actually missing anything by not requesting these(openid+profile) permissions? I don't receive and id_token in the response, but is seems the authentication_token already contains even more information than the id_token does anyway
You don't use OpenID connect since you haven't added the openid scope ,so id_token is not returned . But since you have the user.read permission of microsoft graph api , you could use microsoft graph api to read the user's basic information . Id_token and access token are different ,the id_token is used to identify the authenticated user. The access_token is used to prove access rights to protected resources . Please click here for more details.