I am trying to create a flow process to automate creating CSV files which contains the student, teacher assignment, submissions, and submission outcomes. I have registered an app in Azure AD and I can connect to this fine via PowerShell with delegate permissions and see all of the data I need.
However, when I try to connect with application permissions EduAdministration.Read.All, EduAssignments.Read.All and EduRoster.Read.All, I can only see basic Class and Student information. So calling https://graph.microsoft.com/v1.0/education/classes works but calling https://graph.microsoft.com/v1.0/education/classes/CLASSID/assignments does not (I get a "Resource not found for the segment 'assignments'").
As I have an admin account which is a member of the CLASSID team, I can see all of this information if running from graph explorer with delegated permissions.
So, is there something else I need to do to get the application .Read.All permissions working or are there a tutorial of how to connect to graphs with Flow using delegated permissions?
There are a couple of things going on here:
"Resource not found for the segment 'assignments'" Error
You're receiving this error because you're attempting to call the Assignments endpoint in v1.0. Assignments is still in Beta, so you need to use /beta, not /v1.0.
Once you get past the segment error, you will still have a permissions issue. The Assignments endpoint only supports Delegated scopes. The inverse is true for Classes which only return limited information using Delegated scopes. In order to call both endpoints, you'll want to have two separate tokens (one delegated, one application):
For /education/classes/{id}, use the Application scope EduRoster.Read.All.
For /education/classes/{id}/assignments/, use the Delegated scope EduAssignments.Read.
Related
The Azure port still uses the Azure AD Graph API in some places. One thing it uses this for is to list API permissions. For this, the portal uses the REST API target GET https://graph.windows.net/myorganization/applicationRefs/c5393580-f805-4401-95e8-94b7a6ef2fc2?api-version=2.0 (example shown for Office 365 Management API). I've searched and cannot seem to find a way to list similar permission sets using the Microsoft Graph API. Is there a way to access this using the Microsoft Graph API?
Ok, was going to upvote one of the previous answers, but my profile is too new. :( You can do this by reading the MS Graph service principal in your tenant as described above. This PowerShell code gives an example (it's used in a command called Find-GraphPermission in the autographps and autographps-sdk modules.
Basic approach is:
Get app-only permissions from the appRoles property of the servicePrincipal
Get delegated permissions from the publishedPermissionScopes property
Each element of appRoles has an id that can be read or written from a given appRoleAssigment object on an app's servicePrincipal in your tenant. Note that each appRole element has a value property that is the common friendly name of the app-only permission (e.g. BitlockerKey.ReadBasic.All
A similar id and value pair exists for each element of publishedPermissionScopes which gives you the delegated permissions. You can use those ids with oauth2PermissionGrant objects under the segment /oauth2PermissionGrants to enumerate consent grants for a given servicePrincipal (and thus app) in your tenant or grant or remove consent
Note that the ids for both appRoles and publishedPermissionScopes are the same in all tenants, so you can actually perform this same mapping of friendly names to ids for any tenant, and use a static snapshot. This can be useful as your application may not be able to read the Microsoft Graph servicePrincipal object. If you store a static version, you'll have the mapping regardless and you'll only miss any new permissions that get added to Microsoft Graph for new APIs.
This file contains a snapshot of the MS Graph servicePrincipal as a fairly readable JSON-like PowerShell hash table: https://github.com/adamedx/autographps-sdk/blob/main/src/common/DefaultScopeData.ps1
For this requirement, you can use this microsoft graph api: https://graph.microsoft.com/v1.0/applications/<object id of the application>
It will response the result like below screenshot(please pay attention to the field requiredResourceAccess):
The content under requiredResourceAccess is the API permissions of this application. The type scope means the permission is Delegated type and the type role means the permission is Application type.
Then please refer to steps below to know which permission does the id under resourceAccess field refer to.
Copy the resourceAppId, in my screenshot is 00000003-0000-0000-c000-000000000000. And request the graph api: https://graph.microsoft.com/v1.0/serviceprincipals?$filter=appId eq '00000003-0000-0000-c000-000000000000'
Copy one of the id under resourceAccess field in the response of first graph api. For example copy the first id a154bxxxxxxxxxxx59 in my first screenshot. And then search this id in the response of second graph api, we can find this id refer to User.Read.All permission.
I would like to add additional Azure AD attributes as Claims to a ClaimsPrincipal created by the "out-of-the-box" ASP.NET MVC template (i.e. app.UseOpenIdConnectAuthentication(...))
I tried implementing something similar in the SecurityTokenValidated notification as shown in this article, however it seems I'm running into a bit of a chicken-and-egg problem with my scenario:
I need to call the Graph API to get the additional user attributes for the Claims, but I don't have the token yet (I don't think) at this point in the process to be able to call the API.
Seems like I'm missing something obvious here.
You have many solutions here, but two stand out:
In securitytokenvalidated you do have a token, the one sent to your app for sign in purposes. You can use it in an onbehalfof flow to get a token for the graph, and use it right within that notification. You can refer to the sample here, it's for web API but the concept is the same
You can configure your app to access the graph with its own application identity. You can get that token at any time, then. See here
I am trying to use the Desire2Learn REST API to return semesters, but I'm getting a 403 Not Authorized error.
The request I am making is:
GET /d2l/api/lp/1.1/outypes/semester
I am making this call while authenticated to the system as a student user.
This is a test environment, so I have full control of the student user's permission, but I haven't found which permission setting controls access to the semester org unit. Is it possible for someone with lower level permissions to make this call?
What permission would this user need to be able to make this call?
Thanks!
Student-type user roles are not typically given permission to make calls like this one.
The particular permission at play here is likely Org Unit Type Editor > Can Create and Edit Org Unit Types at the root organization level (you'll notice that the same behaviour is at play around the API call to retrieve the entire catalog of known org-unit types); however, you almost certainly do not want to grant this role permission to a student role: the role permissions for this tool bind together the ability to create and edit org unit types with the ability to see their definitions.
I am trying to implement XPagesSBT on localhost.
I have followed this article http://heidloff.net/home.nsf/dx/12152011034545AMNHECAP.htm and the SBT document by Niklas and was trying to implement dropbox oAuth.
I have also placed http://localhost/XPagesSBT.nsf/ and http://localhost/WebSecurityStore.nsf in root folder
but still i get this error
Error while executing JavaScript action expression
Script interpreter error, line=1, col=26: Error calling method 'isAuthenticated()' on java class 'com.ibm.xsp.extlib.sbt.services.client.endpoints.DropboxEndpoint'
No application is registered with id XPagesSBT and provider Dropbox
if(!#Endpoint("dropbox").isAuthenticated()) {#Endpoint("dropbox").authenticate(true);}
do i need to make any other configuration /setup to XPagesSBT db? or it wont work with Localhost?
I don't remember exactly anymore but reading my blog entry you linked it says you shouldn't use Anonymous:
"Additionally there are a couple of security related settings which are important to understand. First of all you need to assign access to the document with the application keys to the ID with which you signed the two NSFs. In the screenshot above I've entered both OpenNTF servers and my own user ID. When you use the web UI to do this these names are added to the document in an authors field and a readers field.
In the last step you need to configure the ACL of the security store. Anonymous must not have access to this database. All users who you want to be able to use the Social Enabler OAuth functionality need to have author access. This is so that their user keys can be stored in this database so that they only have to do the OAuth dance once. "
It should work on localhost. It looks like a configuration issue with SBT not being able to read the security tokens from the websecuritystore.nsf . Did you create the Dropbox Application Key with an admin id and sign the websecuritystore with the correct id?
Padraic
I want to use Facebook as an authentication source for my application (a website) users. I do not want my application to have anything but basic and email permissions. Thus, my application must not be able to publish to a user's wall for example. In other words, I want to restrict the allowable set of values for the scope parameter and I want this restriction to occur on the application's configuration pages (on the Facebook site itself).
Normally this would be easy, just specify 'email' for the scope parameter of the OAuth URL/call.
However in this case there is another factor and this is: a hacker may gain access to the app and change the OAuth call to specify more permissions. Then an unsuspecting user will typically (or at least possibly) grant those permissions and the hacker will be able to grab the OAuth token and perform actions on behalf of that user.
I'm not interested in discussing the whys of this issue, just in finding of there is a way to specify that my application can only use a specific set of values for the scope parameter. Ideally this specification of the scope restriction be done in the application configuration page on Facebook itself.
However, I am interested in alternate solutions that involve using SAML, OpenID or some other authentication only mechanism (even if I cannot get the users email address). I'm not interested in using RPX.
Please note: this is a complex question not a simple one. I have searched far and wide for an answer and have just found what amounts to the opposite of this question.
I'm pretty sure it's not possible to restrict the scope at application configuration level.
I'd say the tidiest workaround would be to query the permissions of a user on signup, check that they match the allowed permissions, and subscribe to the (permissions realtime updates)[http://developers.facebook.com/docs/reference/api/realtime/]. Your app will be notified of any changes in permissions granted to users.
This should allow you to block any server side API calls through application logic, or (ban)[https://developers.facebook.com/docs/reference/api/application/#banned] a user which escalates permissions.