I have an application integrated with O365 via SSO.
I wrote an Add-In for it that operates on Graph. When a user logs in, Add-In receives their access token to act on their behalf. I need a "Refresh Token" to act on behalf of the user even when the user is not logged in.
Can I request a "Refresh Token" in an independent inquiry for later use by receiving an "Access Token"?
Related
I have integrated microsoft teams in my project where a user can give us access to create meetings on teams on his/her behalf. But now I want to give the user a option to disconnect his/her account i.e. we will no longer be able to create meetings on user's behalf.
I am facing few problems in this flow:
I am unable to find an API where I can send request on user's behalf
to invalidate a access/refresh token.
If I remove the token stored at my end and then user again tries to connect their Microsoft account with our website it no longer asks for user's consent(which is basic requirement for OAuth) to give access to our app(if user is logged in Microsoft account on the browser he/she do not see the consent page and account is directly connected with our website and we get the refresh/access token).
Can someone help me on this?
At the end all what I want is when user tries again to connect his/her Microsoft account with our app he/she see the consent page(every time he tries to connect account) and then user clicks the allow button which will give us access and refresh token.
If the user has granted access to the application, Azure AD will issue an access token and a refresh token for the resource.
The lifetime of the access token is usually about 1 hour. During its lifetime, even if the application is deleted, it is still available, but you will not be able to use the refresh token to obtain the access token again.
1)To invalidate access token on users behalf, Refer this DOC.
2)For fetching the access token using the refresh token please refer this DOC.
Hope this helpful.
An alternative solution for prompting the user to the consent page is just simply appending the prompt="consent" in the OAuth2 URI prameters:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=xxx&redirect_uri=xxx&scope=xxx&state=xxx&access_type=offline&prompt=consent
_____↑↑↑↑↑↑
Here you can find the documentation about the parameters.
We recently migrated from on premise exchange to Microsoft 365 and I'm wanting to turn on 2FA for all users (Enable security defaults). However this disables SMTP authentication which we have been using for sending mail from a distribution group address. (Not achievable via EWS as it doesn't have a physical mailbox)
From what I can see, the only method would be to set up a SMTP relay or send via Microsoft Graph.
I've tried going down the Microsoft Graph route, and here's what I've got so far.
Create application in Azure Active Directory > App Registrations
Add Mail.Send and User.Read.All (Application, not delegated) API Permissions and have granted Admin Consent.
Request token using the following
Generate auth code via https://login.microsoftonline.com/{AzureApi.TenantId}/oauth2/v2.0/authorize?response_type=code&client_id={AzureApi.ClientId}&redirect_uri={WebUtility.UrlEncode(RedirectUrl)}&scope=offline_access%20Mail.Send%20User.Read.All [using admin credentials]
Post request to https://login.microsoftonline.com/{AzureApi.TenantId}/oauth2/v2.0/token with the following request body.
{ "grant_type": "authorization_code", "client_id": "AzureApi.ClientId", "client_secret": "AzureApi.ClientSecret", "code": "insert auth code", "redirect_uri": "insert redirect URL" } to get the bearer token
Once I have the token, Now I perform a request to send some mail
https://graph.microsoft.com/v1.0/users/{fromAddress}/sendMail
This works when fromAddress is the email address of the user that requested the token, however when I try to send from a different address it gives this error {"error":{"code":"ErrorAccessDenied","message":"Access is denied. Check credentials and try again."}}
I even tried adding the SendAs permission to the token user for the mailbox I was trying to send as, but this didn't make any difference. Regardless - I want to be able to send as any user without delegating permissions to each mailbox.
Glad of any help. Thanks!!
The behavior you are getting is expected because you are using delegated permissions - authorization code flow. This flow will not allow your app to send email as any user except the user that is signed in/"requested the token".
In your case you can add the permissions as application permissions and then use Client Credentials flow with either secret or certificate(more secure). Your token request will look like the Get Access Token Section. Note that this means two things:
Your app will need to be secured on server side to protect the credentials.
An admin will need to consent to the permissions on Azure AD
Your app will be able to send emails as any user in your tenant so it is very sensitive.
With application permissions you only need Mail.Send
I need to be able to monitor a user's Hotmail or Outlook account in the offline mode via a backend. But the user can sign up and authorize the account access either from a web app e.g. Laravel or Lumen or from a Cordova mobile app or another SPA interface such as Angular. Basically, the app is configured on https://apps.dev.microsoft.com for an implicit flow.
Since the app requires a backend offline processing lets say few times a day - I will need a refresh token to renew the access_token. There are two ways to get consent from the Azure AD.
authorize = id_token + token (But the limitation is that id_token is only client specific). This approach is more suitable for fetching the emails when client is running and user is online.
authorize = code and then generate access_token and refresh_token.
Question - would option 2 work for both hotmail/outlook.com and O365? If the access and refresh tokens are generated by the client - would they work for both online and offline access of a user's account and email.
Of course you can. But if you want to receieve a refresh token in token response, your app must request and be granted the offline_acesss scope.
The offline_access scope gives your app access to resources on behalf
of the user for an extended time. On the work account consent page,
this scope appears as the "Access your data anytime" permission. On
the personal Microsoft account consent page, it appears as the "Access
your info anytime" permission. When a user approves the offline_access
scope, your app can receive refresh tokens from the v2.0 token
endpoint. Refresh tokens are long-lived. Your app can get new access
tokens as older ones expire.
REQUEST EXAMPLE:
// Line breaks for legibility only
https://login.microsoftonline.com/{tenant}/oauth2/v2.0/authorize?
client_id=6731de76-14a6-49ae-97bc-6eba6914391e
&response_type=code
&redirect_uri=http%3A%2F%2Flocalhost%2Fmyapp%2F
&response_mode=query
&scope=openid%20offline_access%20https%3A%2F%2Fgraph.microsoft.com%2Fmail.read
&state=12345
Actually, if you use code grant flow to sign in AAD, you will see this Page:
If you click Yes, you will consent offline_access scope.NOTE: This works for both MSA and AAD Account.
You can see more details about offline_access sope in this documentation.
My goal is to write some code to enable an Office 365 user to access files in OneDrive for business via REST API. I have registered an application in Azure AD (Web App/single tenant) and have a redirect URI to receive the OAuth token. I want to use the "delegated user identity with OAuth" scenario. To see how it works, I use the "Office 365 OAuth Sandbox" here: https://oauthplay.azurewebsites.net/. When I "Authorize using own account" and enter any valid Office 365 user credentials, I get an access token back. When I replace the client ID and redirect URI in the authorization URL with the info of my registered app, I can only get the token when I enter a user registered in my app (otherwise I get an error 50012 during sign-in). What do I have to change in my configuration to allow any Office 365 user to get an authorization token (like the Sandbox does) ?
You need to mark your web application as multitenant, or Azure AD will constrain all callers to be from the tenant in which you provisioned the application.
Take a look at https://github.com/AzureADSamples/WebApp-WebAPI-MultiTenant-OpenIdConnect-DotNet for an example of a web app that is multitenant and invokes a Microsoft API. Note that you don't necessarily need to validate issues as shown in the sample, just do what makes sense for your scenario (which might mean even not validating).
Situation description:
I need to dynamically download reviews from an Facebook page to display them on my site. For testing purposes I'm using a page access token generated from the user (page admin) access token (using Graph API Explorer). Unfortunately this token is short lived.
As stated in the Graph API documentation (https://developers.facebook.com/docs/facebook-login/access-tokens) to obtain long lived page access token I need to use long lived user access token. To obtain long lived user access token I need to post a request using short lived user access token and my FB app credentials.
To automate the whole process for the admin of my site I want to obtain his user access token and then process it in the way to obtain a long lived page access token (I created an app specifically for this use).
My question is: how can I make a call that asks a user for permission to 'manage_pages' and returns short lived user access token? I don't want it to have anything to do with my site registration and login process, I'm not using Oauth, I'm not logging users via Facebook. I want user to type his FB credentials, grant my app his 'manage_pages' permission and that's it. I'd like it to be as similar to 'Get Access Token' feature in Graph API Explorer (https://developers.facebook.com/tools/explorer).