I'm developing an application which uses application permissions (access without a user) to access these types of resources with Microsoft Graph API:
Get a user
List members
As I understand at least User.Read.All permission is required, but this will allow access to all the users and I need to restrict access only to specific set of users/groups which will be using the app. How is it possible?
Related
I am working on a Google Drive Migration project for migration of Google Drive Files to different destinations.
How do I access a user's Google Drive files of a different (i.e. customer's) Google Workspace.
I read about 2-legged OAuth and 3-legged OAuth
https://support.google.com/a/answer/2538798?hl=en
It says "Traditionally with Google, 2-legged OAuth is for administrator-managed applications, in that an administrator grants access to an application to access data for the Google service for ALL users in their domain. Common data requested for access include: Groups Provisioning, User Provisioning, Calendar, and Contacts."
Can I use 2-legged OAuth approach and ask Admin to sign-in and grant permissions to access Google Drive Files and Folders for ALL users in the domain.
If yes, how do I impersonate or access a particular user's Google Drive files using Drive APIs such as:
https://www.googleapis.com/drive/v3/files/root
or
https://www.googleapis.com/drive/v3/files?q={fileid}+in+parents
Thanks
Even Super Admins of a domain cannot access all users' files by themselves, so you can't just have an administrator log in to your app via OAuth to gain access to the entire domain. The article that you linked says that the 2LO approach has been deprecated and you cannot use it this way anymore:
Important: OAuth 1.0 2LO was entirely deprecated on October 20, 2016. The easiest way to migrate to the new standard is to use OAuth 2.0 service accounts with domain-wide delegation.
Instead, you need a Service Account that has been granted domain-wide delegation on your target domain. Here's an overview of how it works:
Create the GCP project that your migration app will use.
Enable the APIs that you will use. It should be at the very least the Drive API since that's what you're looking for.
Configure the OAuth consent screen of your project with the proper scopes and publish it.
Create a service account and setup its credentials.
Once your app is published, you can get the ID of the service account that you created and ask the other domain's admin to grant domain-wide delegation to it. This means that the other admin will add your service account's ID to their list, along with the allowed scopes.
Once the other admin has granted domain-wide delegation to your service account you can call your authorized APIs and impersonate their users. The exact syntax depends on your language but here are some examples.
Essentially, you need to gather a list of the users, then impersonate them one by one with your service account. With each impersonation you are acting as if you were the user so you can just call the Drive APIs normally to list the user's files and migrate them as needed. Without knowing your language of choice I cannot provide a specific example but I hope this gives you a general idea of how it works.
References:
Domain-wide delegation
API access with service accounts
I want to use the Microsoft Graph API to send messages to chats or channels.
I created an App in-app registrations.
Created a secret and I am able to get a token with this, using the below URI
https://login.microsoftonline.com//oauth2/v2.0/token
I also set the permissions to the below
I am trying to use the Teamwork API
POST /teams/{team-id}/channels/{channel-id}/messages
I get the below response
{"error":{"code":"Forbidden","message":"Missing role permissions on the request. API required one of 'Teamwork.Migrate.All, ChannelMessage.ReadWrite.All'. Roles on the request ''","innerError":{"date":"2021-08-10T19:01:16","request-id":"MyID","client-request-id":"MyID"}}}
Where would I assign these permissions would it be in API permissions or would I assign a new role in Roles and Administrators
Your issue is those are both application permissions where as all the existing ones are delegated permissions.
In the portal instead of clicking Delegated permissions click Application Permissions and you can add Teamwork.Migrate.All and ChannelMessage.ReadWrite.All.
Also note that these both require Admmin consent so you will have to have the admin either login first and grant permission, or send an admin a consent link to allow your app these permissions: https://learn.microsoft.com/en-us/azure/active-directory/manage-apps/grant-admin-consent
Go to portal.azure.com > Azure Active Directory Blade > App Registrations > Your App > API Permission > Graph API > Application permissions
You can find out more about delegated versus application permissions here: https://learn.microsoft.com/en-us/graph/permissions-reference#channel-permissions
I have a multi tenant app registered in Microsoft Active Directory that uses admin consent to gain access to some application scope APIs in the Microsoft Graph API. It uses the /token endpoint to get a token, then calls those Graph APIs. It's working perfectly.
https://learn.microsoft.com/en-us/graph/auth-v2-service#token-request
Now I want to enhance my app to access some delegated (user) scope APIs, that do not allow access at application scope. My app is already configured to request these delegated permissions from the admin at admin consent time. But I'd like to call these APIs as each user in the directory, not the admin who installed my app.
Importantly, it is not feasible for me to have every user in the organization individually go through the OAuth flow for my app.
Is that possible?
Can I impersonate a user somehow by exchanging my application token for a user token?
Can the admin do something programmatically to generate tokens as individual users for my app as if they had been put through an OAuth flow?
No, you cannot convert an Application token to a Delegated token. The only way to act as a specific User is for that User to "delegate" those activities to your application.
Note that Admin Consent only provides consent to your App to operate within a tenant. It is destinct from, not a superset of, User Consent. In order to obtain a Delegated token, you need to receive both User and Admin consent.
I am building an app (HTTPS calls from LabVIEW) that will update my enterprise OneNote notebooks on Office 365 without the need for any user interaction. Hence I have opted for using the Client Credentials flow and granting Application permissions in Azure AD to my app (Read and write all OneNote notebooks) through Microsoft Graph.
I have referred to the instructions mentioned in the following pages:
https://msdn.microsoft.com/en-us/office/office365/howto/onenote-auth-appperms
https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
https://learn.microsoft.com/en-gb/azure/active-directory/develop/active-directory-v2-protocols-oauth-client-creds
https://developer.microsoft.com/en-us/graph/docs/concepts/auth_v2_service
https://developer.microsoft.com/en-us/graph/docs/concepts/onenote-create-page
I am able to get an access token from Microsoft Graph but once I try to use it to update my notebooks by making a POST call to the URL
https://graph.microsoft.com/v1.0/me/onenote/pages
I get the error:
"The OneDriveForBusiness for this user account cannot be retrieved." Code - 30108
However, I am fully able to access OneDriveForBusiness online using the same account which created the app and the tenant ID of which I used to grant permissions. Can someone please clarify if there are certain restrictions regarding the type of O365 and OneDriveForBusiness subscriptions that are necessary for my requirements? Which particular subscription or their combinations thereof should allow me to achieve the flow I need?
You cannot use /me with Client Credentials. /me is an alias for /users/{currentUserId but since you're using Client Credentials, there is a User in context for the API to map that alias to. You are effectively calling /v1.0/users/NULL/onenote/pages in this case.
You need to explicitly specify the User you want to access:
/v1.0/users/{userId or userPrincipalName}/onenote/pages
Microsoft Graph API provides App-only authentication scheme, which works perfectly for the tenant that owns an application.
I have an Azure tenant and I created the application inside it following documentation guide. My application is now able to obtain an access token using https://login.microsoftonline.com/<tenantId>/oauth2/token endpoint, which allows me to query the Graph API for the users inside my tenant.
However, I would like my application to be able to obtain access tokens for other tenants as well. I suppose the external tenant owner should somehow insert my application inside their Azure tenant, apply certain app-only scopes and provide me the tenant id in order to query the token endpoint.
Is multi-tenancy possible for app-only authentication scheme?
How does the tenant owner insert my application into their Azure tenant?
Multi-tenancy for app-only is possible, however, in order to enable this you require two things:
You need to have a web UI for the tenant admin to sign in to and perform admin consent in order to, as you called it, "insert my application into their Azure tenant." Make sure you add the query string parameter &prompt=admin_consent.
More info on admin consent: https://azure.microsoft.com/en-us/documentation/articles/active-directory-devhowto-multi-tenant-overview/#understanding-user-and-admin-consent
Sample controller method that "signs up" the user for an app via admin consent:
https://github.com/Azure-Samples/active-directory-dotnet-webapp-webapi-multitenant-openidconnect/blob/master/TodoListWebApp/Controllers/OnboardingController.cs#L33-L58
You will need to keep track of which tenants consented to your application so that you can enabled the code that runs the app-only flow for them. Unlike the delegated flow, you can't use the common endpoint (https://login.microsoftonline.com/common) but rather need to use the tenant specific endpoint for each instance or run of the app only flow.