MSAL - Client auth - persistent authentication - token

I'm looking for the right approach to connect a 365 identity to a backend service that works on behalf of me in MS Graph.
I have searched a ton of articles, but all I find with good enough detail is stuff that requires admin consent, not the client /me namespace.
I can get a client token, but my issue is renewing the client token automatically, because it only lasts for x time.
I use Node.js as the backend.
Any ideas / direction?

Please use the "Get access on behalf of a user" flow and follow the docs - https://learn.microsoft.com/en-us/graph/auth-v2-service. Hope this will be helpful to you; let us know if you have any concerns.
Microsoft Graph exposes application permissions for apps that call Microsoft Graph under their own identity (Microsoft Graph also exposes delegated permissions for apps that call Microsoft Graph on behalf of a user).
Please check the doc - https://learn.microsoft.com/en-us/graph/auth-v2-service#2-configure-permissions-for-microsoft-graph
For more detailed information about the permissions available with Microsoft Graph, see https://learn.microsoft.com/en-us/graph/permissions-reference
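An added example (not part of the answer above, and not Microsoft's code) of how a Node.js backend can renew a delegated token with the OAuth 2.0 refresh_token grant against the v2.0 token endpoint. It assumes the user signed in once with the `offline_access` scope so a refresh token was issued; `cfg`, `store` and the `post` transport are hypothetical names.

```javascript
// Added example; tenant, clientId, clientSecret and `post` are assumed inputs.
const RENEW_SKEW_MS = 5 * 60 * 1000; // renew 5 minutes before expiry

// Build the refresh_token grant request for the v2.0 token endpoint.
function buildRefreshRequest(cfg, refreshToken) {
  return {
    url: `https://login.microsoftonline.com/${cfg.tenant}/oauth2/v2.0/token`,
    body: new URLSearchParams({
      grant_type: 'refresh_token',
      client_id: cfg.clientId,
      client_secret: cfg.clientSecret, // stays on the backend, never in the client
      scope: cfg.scope,                // e.g. 'User.Read offline_access'
      refresh_token: refreshToken,
    }).toString(),
  };
}

function needsRenewal(state, nowMs) {
  return !state.accessToken || nowMs >= state.expiresAt - RENEW_SKEW_MS;
}

// Fold a token response into the stored state.
function applyTokenResponse(state, res, nowMs) {
  if (res.error) {
    // e.g. invalid_grant: refresh token expired or revoked, user must sign in again
    throw new Error(`token refresh failed: ${res.error}`);
  }
  return {
    accessToken: res.access_token,
    expiresAt: nowMs + res.expires_in * 1000,
    // the endpoint may return a replacement refresh token; keep the newest
    refreshToken: res.refresh_token || state.refreshToken,
  };
}

// `post(url, body)` is a hypothetical transport returning the parsed JSON response.
async function getAccessToken(cfg, store, post, now = Date.now) {
  if (needsRenewal(store.state, now())) {
    const req = buildRefreshRequest(cfg, store.state.refreshToken);
    store.state = applyTokenResponse(store.state, await post(req.url, req.body), now());
  }
  return store.state.accessToken;
}
```

Persist `store.state` encrypted at rest: the refresh token is a long-lived credential for the user's delegated permissions.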

Related

Access Microsoft graph resources with an auth0 login

I'm having difficulties finding documentation for auth0 and microsoft graph integration. My end goal is to have a SPA that can login with a microsoft profile to auth0 (connected to azure ad). Then I want my app to get a token for microsoft graph and do some api calls.
As I've understood it so far, auth0 does not allow you to get the access token to different identity providers in a front end application, but rather that they should use a proxy to get this token. My flow therefore is:
I login with a SPA auth0 app (using a microsoft identity)
This is then used to authenticate to a backend server using a api registration in auth0
The backend has its separate machine-to-machine app in auth0
Backend api uses this separate app to get access token to auth0 management api
Current user is fetched (based on the logged in user from front end app login) from management api,
Here I find an access token under the azure identity (if I do the same in the front end, the access tokens are omitted)
Token does not work to call graph, I am unsure of where to send it next.
I am aware that the above is probably completely wrong, that's why I am here :)
My questions are:
1) Is it even possible to get an access token for microsoft graph starting from a login to auth0 in the way I want it to. If not, can it be done from a backend?
2) Does anyone have a link that discusses this, ideally with some code samples.
To answer your first question:
1) Is it even possible to get an access token for microsoft graph starting from a login to auth0 in the way I want it to. If not, can it be done from a backend?
I have had the chance to authenticate apps using the Microsoft identity library called MSAL, whose documentation is found here. It gives a pretty detailed way to authenticate directly from your SPA.
I have also used the microsoft javascript sdk as it comes inbuilt with token caching and refreshing so that I do not need to build that for myself.
In relation to this,
Does anyone have a link that discusses this, ideally with some code samples.
You can find the samples well described in the samples section of the SDK
I hope this helps.

Ingesting Office 365 Alerts with Graph Security API: Set permissions in Azure AD

I'm trying to help someone to ingest Office 365 Alerts with the Graph Security API. This requires SecurityEvents.ReadAll as minimum permission. The docs mention that the permission setting is done in the Microsoft Graph API Explorer (see e.g. this blog). However, the account admin insists on setting the permissions using Azure AD. The question is how that is actually done. Azure AD / Enterprise Applications / Graph Explorer apparently doesn’t list any permissions. Would anyone know how to achieve this?
Many thanks!
If you want to test Graph Security API in Microsoft Graph Explorer, you just need to set SecurityEvents.Read.All in Microsoft Graph Explorer.
If you want to call Graph Security API in your app, you should set SecurityEvents.Read.All in the app registered on Azure portal.
You could refer to Authentication and authorization basics for Microsoft Graph to learn more about how to handle the permissions and authorization to call Microsoft Graph API.

Using Client Credentials with Microsoft Graph OneNote API on Office 365 Business

I am building an app (HTTPS calls from LabVIEW) that will update my enterprise OneNote notebooks on Office 365 without the need for any user interaction. Hence I have opted for using the Client Credentials flow and granting Application permissions in Azure AD to my app (Read and write all OneNote notebooks) through Microsoft Graph.
I have referred to the instructions mentioned in the following pages:
https://msdn.microsoft.com/en-us/office/office365/howto/onenote-auth-appperms
https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
https://learn.microsoft.com/en-gb/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service
https://developer.microsoft.com/en-us/graph/docs/concepts/onenote-create-page
I am able to get an access token from Microsoft Graph but once I try to use it to update my notebooks by making a POST call to the URL
https://graph.microsoft.com/v1.0/me/onenote/pages
I get the error:
"The OneDriveForBusiness for this user account cannot be retrieved." Code - 30108
However, I am fully able to access OneDriveForBusiness online using the same account which created the app and the tenant ID of which I used to grant permissions. Can someone please clarify if there are certain restrictions regarding the type of O365 and OneDriveForBusiness subscriptions that are necessary for my requirements? Which particular subscription or their combinations thereof should allow me to achieve the flow I need?
You cannot use /me with Client Credentials. /me is an alias for /users/{currentUserId} but since you're using Client Credentials, there is a User in context for the API to map that alias to. You are effectively calling /v1.0/users/NULL/onenote/pages in this case.
You need to explicitly specify the User you want to access:
/v1.0/users/{userId or userPrincipalName}/onenote/pages
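An added diagnostic example (not from the posts on this page) covering both the `/me` answer above and the earlier answer about where SecurityEvents.Read.All is granted: it decodes a token's claims to tell an app-only token (`roles` claim) from a delegated one (`scp` claim), lists the granted permissions, and rewrites `/me` paths for app-only tokens. The sample tokens are constructed and unsigned; the user name is a placeholder.

```javascript
// Decode the JWT payload for diagnostics only. No signature check is done here:
// this is for debugging your own token, not for making authorization decisions.
function decodeClaims(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a JWT');
  return JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
}

// App-only tokens (client credentials) carry `roles` and no `scp`;
// delegated tokens carry `scp` as a space-separated scope string.
function describeToken(jwt) {
  const c = decodeClaims(jwt);
  const delegated = typeof c.scp === 'string';
  return {
    kind: delegated ? 'delegated' : 'app-only',
    permissions: delegated ? c.scp.split(' ') : (c.roles || []),
  };
}

function hasPermission(jwt, name) {
  return describeToken(jwt).permissions.includes(name);
}

// /me only resolves for delegated tokens; app-only calls must name the user.
function resolvePath(jwt, path, userId) {
  const { kind } = describeToken(jwt);
  if (kind === 'delegated' || !/^\/me(\/|$)/.test(path)) return path;
  if (!userId) {
    throw new Error('app-only token: /me has no user, pass a userId or userPrincipalName');
  }
  return path.replace(/^\/me/, `/users/${encodeURIComponent(userId)}`);
}

// Constructed sample tokens (empty header, placeholder signature).
const fakeJwt = (claims) =>
  ['e30', Buffer.from(JSON.stringify(claims)).toString('base64url'), 'sig'].join('.');
const appOnly = fakeJwt({ roles: ['Notes.ReadWrite.All', 'SecurityEvents.Read.All'] });
const delegated = fakeJwt({ scp: 'User.Read Mail.Read.Shared' });
```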

Which authentication library to use with Node.js for all Microsoft accounts

I'm trying to create an Amazon Alexa service that will take advantage of the Microsoft Graph... This is built with Node.js.
Currently when using my standard Outlook.com Microsoft Account to sign in, I get redirected to a Microsoft page that says
Microsoft account is unavailable
Microsoft account is unavailable from this site, so you can't sign in or sign up. The site may be experiencing a problem.
You can sign in or sign up at other Microsoft Sites and services, or try again later at this site.
I have been using https://login.microsoftonline.com/common/oauth2/v2.0/authorize as my authorization URL in the Alexa config account linking section, and using the Node Microsoft Graph JavaScript SDK library in my code.
I'm wondering if the Node library I'm using is the correct one? Has it been deprecated? Or is there something else going on here?
A common misunderstanding with Microsoft Graph is the separation of concerns between the API and Authentication.
You do not actually authenticate against Microsoft Graph. Instead you authenticate against the directory that holds your account; for organizational accounts this is Active Directory and for consumer accounts this is Outlook.com.
Once you have authenticated, you use the token you received back to identify yourself when calling Microsoft Graph API.
This is where you (and many others) get tripped up at first. Just as there are two concerns (Auth & API), there are also two separate SDKs. For Node.js you're looking for:
Microsoft Authentication Library (MSAL): This handles authentication for both Azure AD and Microsoft Accounts.
npm install msal
Microsoft Graph JavaScript Client Library: This is the client library for Microsoft Graph. It will provide the objects and methods you need to simplify calling the APIs.
npm install @microsoft/microsoft-graph-client
This should give you the tools you need to get started. There are some things around App Registration, OAUTH and Admin Consent that you'll likely run into as well. For these, you might find these helpful:
Microsoft v2 Endpoint Primer
v2 Endpoint and Implicit Grant
v2 Endpoint and Admin Consent
Hope this helps!

Microsoft Graph API .NET not able to read shared mail

First post...here goes. I am trying to display email from a shared mailbox but run into "ErrorAccessDenied Access is denied. Check credentials and try again".
The user does have permission to the mailbox, I can access/read email in Outlook and in O365 portal. In my app I have also assigned Mail.Read.Shared and Mail.ReadWrite.Shared scopes.
At first I tried Graph Explorer
https://graph.microsoft.com/beta/users/<userPrincipalNameOfSharedMailbox>/messages
but same ErrorAccessDenied, assumed Graph Explorer did not have Mail.Read.Shared scope.
Next I tried to modify Microsoft Graph Snippets Sample for ASP.NET 4.6
I added Mail.Read.Shared and Mail.ReadWrite.Shared and was prompted to accept these permissions
• Read and write mail you can access
• Read mail you can access
but I get the same error when I try get mail from the shared mailbox
IUserMessagesCollectionPage messages = await graphClient.Users["userPrincipalNameOfSharedMailbox"].Messages.Request().GetAsync();
There was a similar post here, Microsoft Graph API SDK .NET Issues getting other users emails, and the answer implies this is possible. If it is, can anyone provide some insight as to what I am missing? Thanks
Right now, accessing shared messages is not supported for the authorization_code flow, but it is supported for the client_credentials flow. In order to incorporate this functionality, you will have to change your flow to incorporate this.
Here is an article on creating a client_credentials flow app if you are interested in going this route.
