/users/{userId}/onlineMeetings - create meeting with application token - microsoft-graph-api

I have a proxy application that would create for every user365 the onlinemeeting,
So I have read this:
documentation update in march
and it seems that for each user in azure, I have to run a powershell command to allow my application to generate a meeting.
in the example there is this policy with 3 parameter (in the doc explain two parameter) so I'm so confuse:
New-CsApplicationAccessPolicy -Identity Test-policy -AppIds "ddb80e06-92f3-4978-bc22-a0eee85e6a9e", "ccb80e06-92f3-4978-bc22-a0eee85e6a9e", "bbb80e06-92f3-4978-bc22-a0eee85e6a9e" -Description "description here"
It seems that a policy needs to be created first....
And then the policy has to be associated with each user... one at a time....
Isn't there something global for all users?
Let me explain better: once the application type permissions are activated on
OnlineMeetings.Read.All OnlineMeetings.ReadWrite.All
why do I need to do anything else?
In other API (like create calendar event for example here) the policy rule is not necessary... but is necessary only the permission API

I have solve:
There are a -Global parameter that When you use this cmdlet without specifying a user identity, the policy applies to all users in your tenant, except any that have an explicit policy assignment. To skip a warning when you do this operation, specify this parameter.
Grant-CsApplicationAccessPolicy -PolicyName "ASimplePolicy" -Global

Related

How to verify a domain so a schema extension can be added to ms graph?

My root question is: How do I add a schema extension to ms graph?
This document describes how to add a schema extension but misdirects the user on how to verify a domain.
So when I tried this:
var schemaExtension = new SchemaExtension
{
Id = "domain_subscriberInfo",
The error message received is:
Your organization must own the namespace domain-name as a part of one of the verified domains.
This documentation says: "If you don’t have a verified vanity domain, you can just set the id to a schema name (without a domain name prefix), for example, mySchema. Microsoft Graph will assign a string ID for you based on the supplied name, in this format: ext{8-random-alphanumeric-chars}_{schema-name}. For example, extkvbmkofy_mySchema."
But this code:
var schemaExtension = new SchemaExtension
{
Id = "extkvbmkofy_subscriberInfo",
Results in this error message:
Your organization must own the namespace domain-name as a part of one of the verified domains.
This link describes how to check verification but does not describe how to put a domain in a verified state. I took a guess and tried adding a txt record with text specified in the output of VerificationDnsRecords but that is just me guessing and it doesn't work.
Documentation says "For an unverified domain, the isVerified property of the domain is false." I will have to assume isVerified is false because the call to Verify() crashes with
Domain verification failed with the following error: 'Error in DNS verification. code=MissingRecord'.
How do I get past these issues to add a schema extension to ms graph?
See this example to create a schema extension using just a name (rather than a domain namespaced name).
To add a custom domain, add the domain (which is unverified), then get the verificationDnsRecords for the domain you added and use that info to update your domain configuration with your domain registrar. You can then try to verify. Sometimes it can take an hour for the DNS to refresh, so verify could fail initially. You can follow some more visual steps here through the Azure Portal.
Calling verify should not get an internal server error. Can you repro for some fresh client request id and timestamp please? Our trace logs are only retained for 30 days I'm afraid.

How to do User Impersonation in Apache Sling or Jackrabbit Oak?

Or more specifically:
Given I am signed in as the 'admin' user, and I want to to impersonate a user 'testSiteUser'
Given the 'testSiteUser' node (rep:User) does not have a protected String[] property called rep:impersonators set with a value containing admin
How do to update the protected property rep:impersonators such that it contains admin?
Once the user node has this set, I'm confident that setting a cookie sling.sudo should allow user impersonation.
What I have tried so far..
curl -F:name=testSiteUser -Fpwd=testSiteUser
-FpwdConfirm=exampleSiteUser
-F'rep:impersonators'=admin
-F'rep:impersonators'#TypeHint='String[]'
-u admin:admin
http://localhost:8080/system/userManager/user.create.html
Which responds with 500
javax.jcr.nodetype.ConstraintViolationException: Attempt to set an
protected property rep:impersonators
According to the JCR Spec
16.3.12 Interaction with Protected Properties
Many features of JCR expose repository metadata as protected properties defined by mixin node types. For example, locking status is exposed by the properties jcr:lockOwner and jcr:lockIsDeep defined by mix:lockable. Changes to protected properties can only be made indirectly through a feature-specific API (for example, Node.lock), not through a generic write method like Node.setProperty. Such changes are not governed by the jcr:modifyProperties privilege, but rather by the particular feature-specific privilege, for example, jcr:lockManagement (see §16.2.3 Standard Privileges).
Perhaps the only way is to write my own Java code as shown below, but I'm pretty sure there should be a REST API to do this...
Authorizable authorizable = userManager.getAuthorizable(user.getId());
Principal admin = userManager.getAuthorizable("admin").getPrincipal();
jackrabbitUser = (User) authorizable;
Impersonation impersonation =jackrabbitUser.getImpersonation();
impersonation.grantImpersonation(admin);
Basically rep:impersonators is a read only property that is managed "indirectly through a feature-specific API" What is the API and procedure to do user impersonations using Apache Sling or Jackrabbit Oak?
I understood your question, that you want to add an impersonator via a REST-call.
As you already found, all security related properties are protected. So they can only be manipulated via API-calls - and not directly written to.
But AEM already has a lot specialized REST-API's for its own user interface. To find them you should first perform the desired action on the normal AEM UI. Then check with the browser network inspector, which http-request was made by the browser.
In your case go to the classic user manager (http://localhost:4502/useradmin).
There you find the curl:
curl 'http://localhost:4502/home/users/J/JfiFIrTqxwUamu2BvWj-' \
-u admin:admin \
-F_charset_=utf-8 \
-FmemberAction=sudoers \
-FmemberEntry=alex
In the example I added for user alex2 the impersonator alex. So alex can impersonate to alex2.
For the user alex you need the repository-path, which is encrypted meanwhile for security reasons. But this path is easy to find with the querybuilder. As example the following query:
http://localhost:4502/bin/querybuilder.json?path=%2fhome%2fusers&property=rep%3aauthorizableId&property.value=alex2&type=rep%3aUser
or via the querybuilder UI http://localhost:4502/libs/cq/search/content/querydebug.html
path=/home/users
type=rep:User
property=rep:authorizableId
property.value=alex2

Jenkins integration with AD

I am working on integrating a new Jenkins instance with AD. I have installed the required plugins. When I try to add a domain, it asks for info such as domain name, domain controller, etc.
I am not fully clear on the BindDN field. If I leave it blank and test the domain, it throws this warning
Leaving blank Bind DN means that any operation performed will use anonymous binding. Keep in mind that this is not recommended as some servers do not allow it by default.
I then provided a user account in BindDN which exists in the domain. Now on testing the domain, it is throwing this error log:
DC_Name:389
java.net.UnknownHostException: DC_Name
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:184)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)
Pls share some inputs to complete the integration with AD.
There is information provided in the Jenkins wiki page for the AD plugin, as well as some ldap tools to help diagnose.
<DOMAIN_NAME> -> Domain Name: support-cloudbees.com
<searchbase> -> Organization Unit we want to look into.
In the example, it is OU=Support, DC=support-cloudbees, DC=com
<binddn> -> Bind DN.
In the example, CN=felix, OU=Support, DC=support-cloudbees, DC=com
<passwd> -> Bind Password
<userid> -> User we want to look for. We can look for the managerDN itself or for a different user on the tree.
In the example, this can be set-up for example to CN=felix, OU=Support, DC=support-cloudbees, DC=com.
As described here,
The Bind DN is comprised of the user and the location of the user in
the LDAP directory tree. Each element of the Distinguished Name is
pointed out: The first part is the user CN=user1. The second part is
the container CN=Users. The third part is the domain DC=example and
DC=com
Did you correctly specify "the location of the user in the LDAP tree" ? The error appears to be with a DC value.
Ours is in the form:
cn=<Acct Name>, ou=<some_value>, ou=<some_value>, dc=<some_value>, dc=<some_value>
YMMV. Try use the ldap tools mentioned to validate.

Is it possible to set permissions on variable groups via the REST API?

I was curious if anyone knows how to set permissions (add/remove groups) to variable groups via the REST API. I know there is the security namespace, however it requires a resource guid and I am not sure how to get that for a specific variable group?
You want security namespace "Library" ( you need to convert it to proper namespace_id ) and with token "Library/$project_id/VariableGroup/$variable_group_id"
POST https://dev.azure.com/{organization}/_apis/accesscontrollists/{securityNamespaceId}?api-version=5.1
For ACL management REST API see https://learn.microsoft.com/en-us/rest/api/azure/devops/security/access%20control%20lists/set%20access%20control%20lists?view=azure-devops-rest-5.1
Example request:
"value": [
{
"inheritPermissions": true,
"token": "Library/$project_id/VariableGroup/$variable_group_id",
"acesDictionary": {
"Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-1": {
"descriptor": "Microsoft.TeamFoundation.Identity;S-1-9-1551374245-1204400969-2402986413-2179408616-0-0-0-0-1",
"allow": 31,
"deny": 0
}
}
}
]
Warning1 - At the moment the Microsoft doc on that topic is quite incomplete ( see, for example my comment on github issue asking for clarification of variables groups authentication mechanism ).
Warning2 - Be careful with ACL changing requests for ALL variable groups in project ( e.g. token=Library/$project_id/ ), because you might end up with removing permissions from all users on your Ado project and it's could be hard to change it back.
I am afraid it is not possible to set variable groups permission via api.
There is only group id we can get from variable group api below, no resource id in the response.
https://dev.azure.com/{organization}/{project}/_apis/distributedtask/variablegroups?api-version=5.1-preview.1
When i tried fetching the http request trace with F12 chrome. There is a value at the end of request url looks like the source id. And it is the project id combined with the variable group id. Donot know if this is resource guid you were looking for.
https://dev.azure.com//_apis/securityroles/scopes/distributedtask.variablegroup/roleassignments/resources/39e13f04-cb4e-4fa8-b2f1-0ee8f4fc82c5%241
I managed to reverse engineer who to do this. If anyone is curious on how it works feel free to talk a look at the powershell library for Azure DevOps I have put together -- https://github.com/ravensorb/Posh-AzureDevOps

What is the purpose of each parameter in a MailChimp unsubscribe URL?

In the following URL, that unsubscribes a user from a list:
http://xxxxx.us2.list-manage.com/unsubscribe?
u=87f537bccxx35e53a1890e0d9&
id=40dcxx6cd6&
e=c4aaxx1dd6&
c=9a6xx11963
What does each parameter do?
Today I had to learn what each nondescript parameter means so that I could generate URLs for each email I send through Mandrill. It wasn't that easy to discover their meaning, but here are the one's I've come up with and how I found out what they are.
http://xxxxx.us2.list-manage.com/unsubscribe?
u=87f537bccxx35e53a1890e0d9&
id=40dcxx6cd6&
e=c4aaxx1dd6&
c=9a6xx11963
URL format:
Protocol can be http or https.
Your username comes next
In the example, us2 is the MailChimp datacenter where your account resides. That's different for each account. (https://apidocs.mailchimp.com/api/2.0/) It's good practice to specify a DC even though the documentation says that it isn't required. Specifying it will cut down on unnecessary latency.
list-manage[n].com can work with or without the number at the end of the domain, or it can have a 1 or a 2. Changing that doesn't appear to matter, but I think it has something to do with their load balancing.
/unsubscribe can also be /subscribe or /profile (The latter appears to be dependent on the "e" parameter. (See below) When you don't specify it, it states, "List member profiles cannot be updated from test campaigns or archive pages" and if you specify an invalid value, you get an error page.
u Is a unique identifier for your account. Every list on your account uses it. (See http://kb.mailchimp.com/lists/signup-forms/find-the-unsubscribe-link-for-your-list for how you can view the various URLs for your account.)
id is your list ID
e is the euid as documented on https://apidocs.mailchimp.com/api/2.0/lists/subscribe.php
c I haven't seen this one yet, but my guess is that it's the campaign ID.
Also, when you wish to prefill subscribe and unsubscribe forms, you can use the following GET params.
EMAIL Allows you to enter the subscriber's email
MERGE1 Allows you to enter the subscriber's first name
MERGE2 Allows you to enter the subscriber's last name

Resources