I have come across the following scenario during testing.
User A logs into my app and connects to Xero Company A. Going through OAuth 2.0 (offline) I get a list of tenants which only contains Company A. Can use that tenant ID all good.
User B logs in and connects to Xero Company B. Going through OAuth 2.0 (offline) they select their company BUT the list of tenants returned does not have Company B and does include Company A.
Why is that?
Related
We have created a Microsoft Teams tab app with bot integration that we want to distribute to various organizations either manually or via an App Store. In summary,
We created Tabs App with Microsoft Bot using node.js botbuilder package.
We provided zip archive to another organization (another tenant Id).
Organization uploaded our app using Microsoft Teams Admin panel and approved permission in Permission tabs.
Question is how can we receive the tenant id from the organization we are deploying to without asking their admins to go to Azure Active Directory and look it up. Once provided, the graph api and the multi tenant bot does work fine. We are trying to avoid asking their admin to provide us the tenant id and want to retrieve it automatically upon the app being uploaded or on startup.
Thank you.
The best place to get the tenant id is from the access token you are provided by logging in to your app. Look for the 'tid' value.
I'm assuming you are talking about stream lining the company wide admin consent for your application.
What you can do is have a web site that a customer's admin can log into (using standard Microsoft OAuth interactive flow). You can then pull the Tenant ID from the access token and then run through the Microsoft consent process. Once consent process redirected back to your web site, you can do your own customer onboarding if required.
I'd like to ask if anyone knows if Microsoft Graph give us the possibility (even if beta) to get all the licenses from the users in all the domains I manage in my partner portal.
For now I use : GET /users (beta) + GET /subscribedSkus to get a list of all the licenses from my domain.
But the thing is that I manage more domains than mine for my customers with the partner portal and the info that matters for me is their data.
Is there a way to get this data without having to login with each of their admin accounts ?
Example:
my domain, smth#example.onmicrosoft.com (Partner) (3 Users)
customer domain 1, smth#customer1.onmicrosoft.com (15 Users
customer domain 2, smth#customer2.onmicrosoft.com (32 Users)
customer domain 3, smth#customer3.onmicrosoft.com (8 Users)
With Microsoft Graph, I'd like to login with my smth#example.onmicrosoft.com and get the info of the licenses of all the domains I manage (58 Users). But right now I only get the info of my own domain (3 Users).
Edit: added the example part.
It is not possible to sign in once and access more than one domain at the moment. However, if you know the list of domains ahead of time, you could provision a mult-tenant and and set an app-only credential for your app and then sign in to PowerShell using the app-only credential (e.g. Connect-AzureAd if you're using AzureAD module or Connect-MgGraph if you're using ms graph powershell module). So you'd have an outer loop in your script that would for each tenant sign in using the local credential (hopefully a certificate and not a symmetric key!). The reason to use app-only is then you won't have to provide interactive credential challenge response, it can be fully automated. However, it does mean you need to provision the system that runs the scripts with access to the secret for the app.
I'm developing app using MS Graph Education API and able to create school and add user in this school. But I can't find this created school in dashboard.
Shouldn't it visible in that dashboard?
The Education API creates the schools as AAD administrative units. The Intune for Education portal was designed to work with School Data Sync, which creates the same types of objects as the Education API, but also creates a security group for the school. To get your school to show up in the Intune for Education portal, just create a security group as well for that school.
(Edit: Adding comment reply here since comment formatting on SO is just terrible)
You can tag the group with your school's ID. Here are the properties that SDS sets on the school security groups it creates. In this case, it's tagging a SG to be associated with the school whose "externalId" is "10001".
"extension_fe2174665583431c953114ff7268b7b3_Education_ObjectType": "SchoolSG",
"extension_fe2174665583431c953114ff7268b7b3_Education_AnchorId": "SchoolSG_10001",
"extension_fe2174665583431c953114ff7268b7b3_Education_SyncSource_SchoolId": "10001"
I am creating an iOS app for internal use. We have a Google Domain. As part of the functionality of the app, I want to be able to search for all users in that domain. This can already be done in Gmail, the Apple Mail app, and others.
I found that you can use the Admin SDK for users.list to do exactly what I want to do. I created a Client ID for the iOS app and authorized my app to perform users.list.
However, now I get a permissions error for users who sign in with OAuth2:
I found that you can create a service account to make API requests on your behalf if you delegate it to have the authority. I'm not sure if this is what I want to do since this seems more like something for a secure server to do rather than an app. I'm also not sure how this integrates with a user (from our domain) who signs in with OAuth being able to list our users.
Is it possible to list/search the users in a Google domain purely through OAuth / frontend app?
Aside from caching your own list, I think there are two ways to give users the ability to list all users:
A. Undocumented call to this GAL API:
https://www.google.com/m8/feeds/gal/your-domain-goes-here/full?alt=json (source). You can test this in the Google OAuth Playground by selecting the scope for the Contacts V3 API or using the string https://www.google.com/m8/feeds/.
B. In the Admin console, create an "all users" group. Assign to a newly created Admin Role. Grant the admin role "read" in Privileges > Admin API Privileges > Users > Read (checked).
I have an app that currently allows users to enter in a company name and we use the LinkedIn API to pull all the public posts that this company has made on LinkedIn.
The new API rollout has occurred and while I have a difficult time finding the information I need in the LinkedIn API docs it seems that no one can access company info for a company they are not an administrator of.
I am not trying to access company info or to change their page or anything like that, I just want a list of their public posts. I don't require my users to sign in and even if I did I doubt most of them are administrators of these company pages. Is this totally no-longer possible with the LinkedIn API?
The new API rules for Company profiles stipulates:
"New requirement for Companies API
All calls to Companies API endpoints will require the authenticated user to be flagged as an administrator of the LinkedIn Company Page that is the target of the API call. You become the administrator of a page when you create it. If the page already exists, you will have to contact the existing administrator to grant admin access to other LinkedIn members.
Your API call will return a 403 Forbidden error if you do not have the appropriate admin permission to interact with the target company."
Link here.
LinkedIn is making things really tough for everyone. You'll need to apply to be a partner, but even in your case, the admin would have to sign in. Effectively, unless you're akin to a Hootsuite that gets the page admin's rights for the sake of publishing, you're not going to be able to do what you were. Bummer.