I can query my own One Drive for Business account files as 'The Global Admin' using Microsoft Graph API. I cannot query another One Drive for Business user's files as 'The Global Admin' using Microsoft Graph API.
Own Files:
https://graph.microsoft.com/v1.0/me/drive/root/children
Another User:
https://graph.microsoft.com/v1.0/users/xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx/drive/root/children
I am using an Azure AD registered app with following Application permissions:
Files.ReadWrite.All
Sites.Read.All
Sites.ReadWrite.All
User.ReadWrite.All
offline_access
However, when I go to Office 365 Admin and
Choose that another One Drive for Business user (for which I could not query files using MS Graph API) => OneDrive => Get access to files => Click Create link files
then I can successfully query that another user's files using MS Graph API.
If Global Admin needs to query files of all user accounts using MS Graph API when there are 100s of users then this method might not be practical.
Is there any easier way or programmatically possible to give Global Admin the permissions to query files of all user accounts using MS Graph API. If yes, how do we do that.
Thanks!
As you've observed, a tenant admin cannot implicitly access any user's content. You have the power to grant yourself that access but that is cumbersome to do at scale. If you're a tenant admin you have another option though - use an "app-only" (i.e. application permissions) token. You'll have to consent the app for your tenant, but after that it can access content across your tenancy.
Related
I have a specific SharePoint site that I have been asked to integrate my web based application with in a read-only fashion using my backend server.
I currently have an app with Default Directory only (Single tenant) access
which I am modifying Application API permissions to also require Sites.Selected, however this one is requiring that I obtain Admin consent
I have had an absolute atrocious time trying to figure out how to obtain access to my specific site and not grant access to every single site in my tenant
I'm working on a dummy azure account prior to asking my ops team for the real permissions from the real ecosystem, but I dont have a sharepoint site to test on because I dont know how to set it up, the IT department team who manages it is very slow to answer so its difficult to move the ball forward without knowing exactly what I need before asking.
Under "Enterprise Applications" > {My Application Name } > Permissions (left sidebar), i see a big blue button that I read about in some docs, but i'm scared to grant the permissions because it says I give my app access to the default directory which I don't want to do, and it provides nowhere for me to specify my "selected" site
does anyone have more information on how I can grant a specific site to my app?
every article I run to talks about admin confirmation but neglects to tell me specifically how it's done
Default Directory is just a default name for your tenant, and not related to any default collection of sites. See my tenant name v6pz1 in the image
For this Sites.Selected permission, it's a 2-step process for giving your app access to the sites.
The app needs to be given permission to the site at the SharePoint level
The app needs to be granted admin consent to access the sites through the Graph API
You see this described in the MS Graph permissions reference table as well.
Allow the application to access a subset of site collections without a signed in user. The specific site collections and the permissions granted will be configured in SharePoint Online.
To actually grant your app the SharePoint permission to a site, you can use the MS Graph endpoint to create permissions
We have a daemon app that connects to teams using MS graph. It's using "Application Permissions" mode and Admin consent is granted for most permissions. We are able to add channels (private or 'standard'), add/remove members, etc... from this service based on company requirements. All is well.
For the ChannelMessages, we'd like to be able to retrieve them based on userPrincipalName, from the same tenant that the app is registered in. (I know there is an ChannelMessage.Read.All with Application Permission and it requires us to submit a form to MS, we are not currently pursuing that route...).
Do we have to create ConfidentialClientApplication object to communicate with MS graph? If so, how do we create a ClaimsPrincipal or ClaimsIdentity, based only on userPrincipalName? Or is there a different solution to this problem?
Your help is appreciated.
thanks,
Art
I'm developing an application on Microsoft Graph that runs as a daemon, and needs access to many accounts. As a result, I'm using a service account, also known as client credentials (using this method).
I can request the proper scope (calendars.readwrite) however as far as I can see, I cannot restrict to which calendars I have access. In my case, I only need access to the meetingroom calendars, and I'm afraid that organisations will not allow my application if I can also read and write from/to the CEO's calendar.
Is there any way (either while creating the app, or during/after giving admin consent) to restrict my app to only a subset of calendars? Or should I approach this problem differently and (e.g.) not use a service account in the first place?
What is the minimum set of permissions require in AAD App to access graph API -checkMemberGroups ?
Here are the list of permissions I tried with. Can this set be reduced any further? And am I missing any mandatory permissions?
Delegated Permissions -
Microsoft Graph API
Read all users' full profiles
Read all groups
Access directory as the signed in user
Sign in and read user profile
Windows Azure Active Directory
Read all users' full profiles
Read all groups
Access directory as the signed in user
Sign in and read user profile
If you were developing checkMemberGroups with Microsoft Graph, there is no need to config the corresponding permission for the Windows Azure Active Directory.
And to call the this API, if you have granted the User.Read.All, there is no need to grant other three permission. As the document mentioned that One of the scopes is required.
It depends on the type of data you want to get from Graph. If you just want to sign in the end user and get their basic profile info, you can simply set Sign in and read user profile.
Each scope relates to some data or endpoint you want to access. Figure out that list of data your scenario requires, then compare that with the scopes.
After some experimentation, it seems that the minimum permissions are the following:
/me/checkMemberGroups
User.Read
GroupMember.Read.All
/users/{userId}/checkMemberGroups
User.ReadBasic.All
GroupMember.Read.All
I am currently working on an application that allows users to upload/download files. My company wants to have user files stored in their One Drive and not on our server. The only problem with this is that we want to avoid double authentication in order to access their OneDrive account.
For example we have n users associated with an organization. This organization has a single OneDrive account that all of the users will share (legal?). Once a user authenticates to our application, the idea is to have our application sign them in without user interaction by using the Live API so that they may access their organizations files.
Do we have to authenticate every time we wish to use this service or just once?
It's not a big deal for us to do this once for every organization when setting up their account but a requirement is to avoid double authentication. We want the OneDrive storage to be transparent to the user.
Does this violate any of Microsoft's Terms and Conditions?
Thanks! Any input is appreciated as I've never worked on a cloud based application before. If OneDrive isn't a viable solution are there any other recommended services my company could look at?
Consumer OneDrive isn't intended for business use and sharing a single OneDrive account for multiple people isn't recommended either. You should look into OneDrive for business for your scenario: https://onedrive.live.com/about/en-us/business/.
OneDrive for Business uses the SharePoint developer APIs: http://blogs.msdn.com/b/sharepointdev/archive/2013/08/13/access-skydrive-pro-using-the-sharepoint-2013-apis.aspx
I found that the Box API does not support a grant type of passworrd. Neither does OneDrive or DropBox. Without this grant type it is impossible to sent a username and password to log a user in.