My application wants to access all users' mailboxes. For that, I am getting permission from Admin consent. Now I want to get the user details of the admin who consented to the application. I know we can't use Me context ('/me' API end-point) as we are getting consent without a signed-in user.
Is there any way by which we can get user details of the admin who consented to our application using the access token?
Thanks in advance.
To the best of my knowledge, the access token does not contain user details of the admin who consented to your application. One way to get this information is by viewing activity reports in the Azure portal. You might also consider working with the activity reports API provided by Microsoft Graph.
Please let me know whether this helps and if you have further questions.
Related
As of now, I have created an application that has certain permissions to access Mail Information of certain users in an organization. Till this point, admin from the organization would create the service and provide the credentials.
However, as a plan to scale the application to multiple organizations, I'd like to send a mail to admin to grant access for the permissions and automatically get the credentials.
I'm open to alternative ideas. Any ideas if the above is even feasible?
This is quite impossible to automate the complete process creating, and admin still need to approve the permission in Azure AD. What you can do here is ,just create the application and if user tries to access the app but they can't give consent ,they need to trigger a request for admin approval that can be sent by an email .
To allows admin consent request to be sent via email Configure the admin consent workflow , please follow the docs - Azure AD | Microsoft Docs
Hope that process will help you .
I have a question about handling permission grants of inboxes via Microsoft Graph API.
Is it possible via Microsoft Graph API to grant another user the access permission to my inbox messages?
I dont found any suitable operation until now.
Retrieving relased mailboxes from another user works fine, but how to make my own inbox visible to specific user that he has the grant to access my inbox?
I dont found a operation under:
https://graph.microsoft.com/v1.0/users.....
or https://graph.microsoft.com/v1.0/me.......
Thanks for your help
According to the documentation, you'll need delegated access.
If the app has the appropriate delegated permissions from one user, and another user has shared a mail folder with that user, or, has given delegated access to that user.
At this moment you have no way to share your mailbox by using the api. If you however shared your mailbox with some other user, they will be able to access it.
I think it's a good thing that you cannot share your mailbox from an app, because it would be easy to compromise a mailbox of some user by a malicious app. If you really want you might be able to share the users mailbox by using EWS (that is the same connection the Outlook app uses).
My organization has an institutional e-mail account in Outlook 365.
There is a small number of users who are responsible for managing that mailbox, reading, answering, forwarding and sending messages from that account.
I am writing a web application (PHP) to automate some messaging operations, so I implemented access to that account using Microsoft Graph. But this requires to login using that account's credentials, and I wouldn't like to share account's password (which I have) with those users.
Is it possible to to grant permission for those users' accounts so MS-Graph will allow them to read/write/send messages from that account, once they have logged in? If so, how would it done?
If this post lacks some relevant information I'm not remembering now, please comment and I'll edit to add it.
Thank you very much.
You could use admin consent for that purpose. Administrator can grant access for the entire tenant, and users will not be prompted for consent afterwards
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#requesting-consent-for-an-entire-tenant
I'm building an app that shows users people they might be interested in talking to. If a user says he's interested in a person I show them, I want my app to create this person as a contact in my user's SalesforceIQ.
How do I do this? I see from the API documentation https://api.salesforceiq.com/#/ruby#documentation_contacts_create-a-contact that I can create a contact if I know my user's username and password, but of course I don't want my users to give me this information. Is there some way for the user to OAuth or whatnot by clicking a button that authorizes me to add things to their SalesforceIQ?
The SalesforceIQ API uses HTTP Basic authentication and does not currently support OAuth according to their documentation.
For a SalesforceIQ user to grant API access to your app to create contacts and for other privileges, the SalesforceIQ admin creates an API Key and API Secret for your app which is then used for the HTTP Basic authentication username and password. This way no user needs to provide your app with their credentials. This is configured in the SalesforceIQ admin UI under Settings > Integrations > Create New Custom Integration.
For the admin to provide these credentials to your app, you can have a UI where the SalesforceIQ admin enters this for your app to store and use with the API for their account.
This is described in the following places, briefly in the API Reference and in detail in a Help Desk article with screenshots of what the SalesforceIQ admin needs to do:
API Reference: Requesting Access
API Reference: Security and Authentication
Help Article: Set up API access
I have a Google Marketplace app that is currently using OpenID for federated login.
When an admin installs the application to the domain users are able to login via a site.com/login/domain.com link.
Currently when a user uses this link they are being asked to consent once again for "Know who you are on Google" scope. I understand that this is something to do with my OpenID realm not matching. The problem is I cannot find where to edit that realm in the new console. My research shows that OpenID has been abandoned for OAuth2 authentication. Please correct me if I am wrong.
Is there a good example anywhere that shows how to authenticate a user that an admin has already granted scopes for on the domain so that they do not get asked to consent again? I've looked up and seen documentation to make a call to https://accounts.google.com/o/oauth2/auth but I'm unaware of how to actually skip the user consent since the admin already authorized the scopes domain-wide.
Using C# but I'm open to any example as I'm sure I can figure out how to get it back into C#.
If you read this post on the google groups, then it seems it is intentionally :
This is an intentional change to more precisely communicate to users
the set of permissions that is being granted. Through knowledge of the
user's email address it is possible, via indirect means, to locate the
user's profile address. In the interest of more accurate disclosure,
thus, we are prompting users to approve such disclosure.
The new tokens issued include permissions to obtain public profile
information, in accordance with the modified text. You can use
https://developers.google.com/accounts/docs/OAuth2Login#userinfocall
to obtain the subset of user's profile information that is publicly
linked from the user's profile. The user's profile Id, which is always
public in that endpoint, is also a more reliable identifier for the
user (as email addresses can be changed on accounts). We recommend
that you store the user's profile id to ensure that email changes
don't cause account confusion.