We have created a Microsoft Teams tab app with bot integration that we want to distribute to various organizations either manually or via an App Store. In summary,
We created Tabs App with Microsoft Bot using node.js botbuilder package.
We provided zip archive to another organization (another tenant Id).
Organization uploaded our app using Microsoft Teams Admin panel and approved permission in Permission tabs.
Question is how can we receive the tenant id from the organization we are deploying to without asking their admins to go to Azure Active Directory and look it up. Once provided, the graph api and the multi tenant bot does work fine. We are trying to avoid asking their admin to provide us the tenant id and want to retrieve it automatically upon the app being uploaded or on startup.
Thank you.
The best place to get the tenant id is from the access token you are provided by logging in to your app. Look for the 'tid' value.
I'm assuming you are talking about stream lining the company wide admin consent for your application.
What you can do is have a web site that a customer's admin can log into (using standard Microsoft OAuth interactive flow). You can then pull the Tenant ID from the access token and then run through the Microsoft consent process. Once consent process redirected back to your web site, you can do your own customer onboarding if required.
Related
I have a specific SharePoint site that I have been asked to integrate my web based application with in a read-only fashion using my backend server.
I currently have an app with Default Directory only (Single tenant) access
which I am modifying Application API permissions to also require Sites.Selected, however this one is requiring that I obtain Admin consent
I have had an absolute atrocious time trying to figure out how to obtain access to my specific site and not grant access to every single site in my tenant
I'm working on a dummy azure account prior to asking my ops team for the real permissions from the real ecosystem, but I dont have a sharepoint site to test on because I dont know how to set it up, the IT department team who manages it is very slow to answer so its difficult to move the ball forward without knowing exactly what I need before asking.
Under "Enterprise Applications" > {My Application Name } > Permissions (left sidebar), i see a big blue button that I read about in some docs, but i'm scared to grant the permissions because it says I give my app access to the default directory which I don't want to do, and it provides nowhere for me to specify my "selected" site
does anyone have more information on how I can grant a specific site to my app?
every article I run to talks about admin confirmation but neglects to tell me specifically how it's done
Default Directory is just a default name for your tenant, and not related to any default collection of sites. See my tenant name v6pz1 in the image
For this Sites.Selected permission, it's a 2-step process for giving your app access to the sites.
The app needs to be given permission to the site at the SharePoint level
The app needs to be granted admin consent to access the sites through the Graph API
You see this described in the MS Graph permissions reference table as well.
Allow the application to access a subset of site collections without a signed in user. The specific site collections and the permissions granted will be configured in SharePoint Online.
To actually grant your app the SharePoint permission to a site, you can use the MS Graph endpoint to create permissions
Design
Outlook Add-in that shows sales specific information based on the message (content, sender, etc)
Daemon that subscribes to new messages for the sales team and processes messages as they come in. Runs with application authentication
Scenario
We are developing a multi-tenant add-in that show sales specific information based on the email they are viewing. Since the sales team may be a single person, group or multiple people.
Question
How would the daemon running as an application use the graph to pull in users assigned to it?
Office 365 Admin Screenshot
You would need an Azure AD Application registered with Mail.Read persmissions. The add-in would sign in as the user. Then have the add-in subscribe to the users mailbox on the users behalf. The subscription would include the URL of a backend web api that Microsoft Graph subscription service would call.
You would need to register a new Azure AD Application (if you don't have one created already) for the backend web api. Then you would want to grant the correct permissions scopes to it. For your scenario you would require each tenant to admin consent this application, because you would need access to messages in many users mailboxes using application permission Mail.Read. The reason for this is because the webhook does not call your web api with any user token that you could use to then actual fetch the details of the message.
More info on change notifications (webhooks) is here https://learn.microsoft.com/en-us/graph/webhooks
I have created an app in https://apps.dev.microsoft.com portal with name GroupsApp and I have given couple of permissions as below:
I have created client id and secret to use in my application. I am using asp.net MVC (with 4.5.1 .net framework) web application.
I am getting some groups info and displaying on the screen. If I am logged with my account it is working fine. But if I logged in as another user then it is giving me issue as below:
I have formatted url as below: https://login.microsoftonline.com/948894dc-c0e2-43e5-a7e6-1d21dd183c9d/oauth2/authorize?client_id=75acb700-e675-4dc4-9deb-d3f68f6911a1&response_type=code&redirect_uri=http://localhost:34280&prompt=admin_consent and trying to granted the permission. Here I have logged in as admin and given permissions.
Now if I check with normal user same issue is happening.
How should I give the permissions to this application.
I am not able to find any option to approve the permissions from the Azure portal.
Now if I check with normal user same issue is happening.
How should I give the permissions to this application.
I am not able to find any option to approve the permissions from the Azure portal.
I could encounter the same issue according to your settings. I assumed that you may hit the Admin-restricted scopes of AAD v2.0 as follows:
Some high-privilege permissions in the Microsoft ecosystem can be set to admin-restricted. Examples of these kinds of scopes include the following permissions:
Read an organization's directory data by using Directory.Read
Write data to an organization's directory by using Directory.ReadWrite
Read security groups in an organization's directory by using Groups.Read.All
Although a consumer user might grant an application access to this kind of data, organizational users are restricted from granting access to the same set of sensitive company data. If your application requests access to one of these permissions from an organizational user, the user receives an error message that says they are not authorized to consent to your app's permissions.
You could Using the admin consent endpoint and follow this Build an app with admin restricted scopes using the v2.0 endpoint github code sample to ensure your app can gather permissions for all users in a tenant, including admin-restricted scopes.
My web application uses Azure Active Directory for authentication. In my Azure Portal I have an application reference which hooks into the AAD, I also have all the relative keys in place within the web application itself. Everyone in my organisation can log in without any problems but any new user accounts that are added get a message:
You can't access this application Company App Registration Name needs
permission to access resources in your organization that only an admin
can grant. Please ask an admin to grant permission to this app before
you can use it.
This is a message that only new accounts get, I can see these new accounts within the AAD and they accounts are identical to other employees, it's as if it's out of sync. Does anyone know what I have done wrong or why new accounts are not automatically picked up?
I believe you can solve your issue by having an Administrator of your tenant consent to the application on-behalf-of the entire tenant, which should include all new and existing users.
To do this, the Administrator can simply go to a login endpoint with the query string prompt=admin_consent.
https://login.microsoftonline.com/<TenantID>/oauth2/authorize?client_id=<AppID>&response_type=code&redirect_uri=<RedirectURI>&prompt=admin_consent
You can use this template URL, and simply fill out the variables with your application and tenant information. Then, hand it to the administrator and have them consent to the app.
Let me know if this helps!
I am creating an iOS app for internal use. We have a Google Domain. As part of the functionality of the app, I want to be able to search for all users in that domain. This can already be done in Gmail, the Apple Mail app, and others.
I found that you can use the Admin SDK for users.list to do exactly what I want to do. I created a Client ID for the iOS app and authorized my app to perform users.list.
However, now I get a permissions error for users who sign in with OAuth2:
I found that you can create a service account to make API requests on your behalf if you delegate it to have the authority. I'm not sure if this is what I want to do since this seems more like something for a secure server to do rather than an app. I'm also not sure how this integrates with a user (from our domain) who signs in with OAuth being able to list our users.
Is it possible to list/search the users in a Google domain purely through OAuth / frontend app?
Aside from caching your own list, I think there are two ways to give users the ability to list all users:
A. Undocumented call to this GAL API:
https://www.google.com/m8/feeds/gal/your-domain-goes-here/full?alt=json (source). You can test this in the Google OAuth Playground by selecting the scope for the Contacts V3 API or using the string https://www.google.com/m8/feeds/.
B. In the Admin console, create an "all users" group. Assign to a newly created Admin Role. Grant the admin role "read" in Privileges > Admin API Privileges > Users > Read (checked).