In our Azure AD tenant we have quite a few Enterprise applications. Some of these are set up to use SAML SSO, and when this is initially set up, the certificate notification email is set to the person setting up the application.
Is there a way to query this information (as in the emails used for certificate notifications) using Microsoft Graph API?
Related
Is there a way for me to bypass the need to use OAuth for me to send out emails using the G-Suite platform in my application
I am still able to send out using the Microsoft 365 platform but some of my clients will not move to 365 and prefer G-Suite
You can use a service account. You will need to have the admin of the domain configure domain wide delegation to an account on the domain.
Once delegation is configured you can then use your code to impersonate a user on the domain and send emails on their behalf. This is what i normally do with sa a system designed for sending email conversation mails. When a user creates a new account the system could send an email conformation email. On behalf of say noreply#yourdomain.com
Your issue is going to be with the fact that your clients are the ones who own the domain so your going to have to get the google workspace admin for your client to set this up for you.
The other option would be to use standard oauth2 and authorize a user on the domain and send emails on their behalf.
The issue with that is going to be your application will need to be verified with one of the highest protected scopes. Your app will need to go though a security audit before it is verified. Last I checked that audit will cost you $15k-75k
Within a tenant that is synced via Azure AD Connect with an on-premises AD it is possible to enable password writeback if you met some requirements (have needed license, configured Azure AD Connect, enabled option in Azure).
Within the Azure Portal this state can be checked and be changed and it uses the following Azure API call:
https://main.iam.ad.ext.azure.com/api/PasswordReset/CheckWritebackConnectivityStatus
Unfortunately this call can't be done by myself, cause I don't have a valid token for this endpoint. So exists there any similar call within Graph (v1.0 or beta) to check if writeback is enabled or is it possible to get a valid token for this endpoint?
Currently no method is available within MS Graph to retrieve this information. So at least a feature request was made.
I'm trying to get change notifications for users to work with my application connected to Azure AD B2C.
I followed the following tutorial and the subscription is created successfully but I never get any change notification:
https://learn.microsoft.com/en-us/learn/modules/msgraph-changenotifications-trackchanges/1-introduction
After a bit of research I found some statements mentioning that B2C is not supported by Graph API:
https://learn.microsoft.com/en-us/graph/webhooks#azure-ad-resource-limitations
Azure AD B2C tenants are not supported.
Blog entry from 2016
https://learn.microsoft.com/en-us/archive/blogs/aadgraphteam/microsoft-graph-or-azure-ad-graph
Manage users in a B2C tenant (set local accounts, sign in names), Coming soon (preview)
Do not receive notifications about user profile updates
I wonder whether this still holds true especially because Microsoft announced that Azure AD Graph API should not be used anymore:
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/update-your-applications-to-use-microsoft-authentication-library/ba-p/1257363
I ask this question here because Microsoft support redirected me to SO to ask questions about Graph API.
TLDR;
Does Microsoft Graph API support change notifications with Azure AD B2C in 2020?
Microsoft Graph API does not support change notifications with Azure AD B2C as of August 2020. Nor does AAD Graph support change notifications with Azure AD B2C as of August 2020.
You could use Azure Monitor and Event hubs to harvest events from the Audit Logs, such as a Sign Up event.
https://learn.microsoft.com/en-us/azure/active-directory-b2c/azure-monitor
I have some MDM solution that we've developed through which we want to support managing iOS devices. Even though we'd already been able to successfully enrol and manage iOS devices via the same, I am trying to figure out a way to secure all web service invocations with OAuth, which take place between the native app running on iOS devices, connecting to the Enrolment and other APIs deployed as part of the MDM solution. Apparently, we've got limited control over modifying the native app to embed OAuth access tokens in the form of HTTP headers or some other means to be able to send those access tokens across to the MDM APIs, as the app logic cannot be modified. Do we have any configuration in the Enterprise App that runs on iOS devices to enable OAuth (or any other form of authentication) or some other means, which I can effectively use to get my requirement implemented?
iOS enrollment flow associate with a challenge token in the SCEP payload (mentioned as Challenge). Once you do the authentication from MDM server side there needs to be a unique token generated based on your user identity and embed that in this SCEP payload. For subsequent enrollment calls this token is passed and once the enrollment success this can be fetched and validate the user. Ideally this is just a way to link the device to a specific user which could be a temporary token generated at your MDM server end which link to a user identity or something related. To follow that you could apply OAuth password grant type and get the token once the authentication happens. Then this OAuth token can be then set as this challenge token for future use. But unlike in other OAuth communications iOS will not send this token in header as the bearer rather this will be embedded in the xml payload with proper encryption and signing in place.
Further iOS support protocol extension to validate users with open directory service using an auth token. This will by default have the ability to communicate back and forth using the checkin endpoint.
One of my iOS apps contacts one of my services using Google Cloud Endpoints and I would like to restrict access to that service to instances of the app.
I've followed instructions about adding authorization and have created an iOS client ID that is tied to my app's bundle id and app store id. I've now difficulties understanding this part of the instructions:
If your iOS app is making calls to an Endpoint that requires
authentication, you must Add a Sign-in Dialog to your iOS client.
I do not want my users to log in but instead I want my app to present its credentials to the service for authentication without user interaction. I thought since the client ID is (presumably cryptographically) tied to the client ID and bundle ID only the app is (somehow) able to do so and that the client ID would effectively serve like a service account.
Is this type of app (not user) authentication scenario supported by Google Cloud Endpoints (for iOS clients) or do I have to roll my own app authentication by passing some secret in the application-level protocol? Here are some earlier related (unanswered) questions for Android clients.
I have concluded for now that Google Cloud Endpoints allows authentication only based on Google account credentials. What I need is a credential for the entire app (not its users) akin to a service account or an API key.
I have used service accounts for server-to-server communication. It does not seem possible to create service accounts for an app (as opposed to a GAE application).
GTLService has a property APIKey. However, if my client sets it to a public access key (iOS key) that I created for my GAE application in Google Developer Console the server returns error Access Not Configured. Please use Google Developers Console to activate the API for your project but there is no (obvious) way for configuring non-Google APIs such as my service API.
So until further notice I will add an API key to my application-level API requests and check it in each #ApiMethod.