I am building an Excel Web Addin. I'll need to authenticate the user against Office 365 and publish the addin to AppSource / Office Store. What is the ideal authentication method to use?
I found tutorials for SSO authentication, but then I read on https://learn.microsoft.com/en-us/office/dev/add-ins/develop/sso-in-office-add-ins : "The Single Sign-on API is currently supported in preview only. It is available to developers for experimentation; but it should not be used in a production add-in. In addition, add-ins that use SSO are not accepted in AppSource."
Does this mean SSO applications will still not be accepted to the Store? What authentication flow should I use then? I only need the user to sign in a access my Web API via this identity. If possible, the user shouldn't need to reenter their credentials. Is there a code sample I could follow to get this done?
AppSource is not accepting add-ins that use the preview SSO system at this time.
To authenticate a user with a Microsoft Account or a Work or School (Office 365) account without SSO, the user will need to sign in again even if she or he is already logged into Office. Without the SSO system, the add-in has no way of knowing who is logged into Office, just as an web app open in a browser wouldn't know if Office is running on the machine or who is logged into it.
(Your choice of flow might be affected by whether you have a single page app (SPA) or a server-generated UI. Since you mentioned you have a Web API, I'll assume this is not a SPA.)
I don't know of any sample Office Add-ins that only authenticate the user; but there are a couple that log in the user and then use the Auth Code Flow to get an access token to Microsoft Graph.
PowerPoint Add-in Microsoft Graph ASPNET InsertChart. The Office app is PowerPoint, but the auth-related code would be the same for Excel.
Office Add-in Microsoft Graph ASPNET. This is nearly the same, but has Excel as the Office app. It's not polished. (See the Known Issues in the readme.)
But please keep in mind that an Office add-in is just a web app and -- with one exception -- authorizing a user is the same in an add-in as it would be in any other web app. So, you should be able to use the samples in Azure AD Quickstarts.
The one exception is that you have to open the AAD sign-in page in a special dialog window that is invoked with the Office.js displayDialogAsync API. The 2 samples I linked to above do this. You can get detailed guidance about using the Dialog for auth in the article Dialog API in Office Add-ins.
BTW, Microsoft is in the process of improving its documentation and samples for non-SSO auth. We hope to get these improvements published over the next few weeks.
Related
I am developing an application in ASP .Net MVC. I have Azure Active Directory authorization in it. Is it possible to set an email signature in Office 365 Outlook for domain users via API? My googling skills did not allow me to find any information about this. Before that, I used Google Workspace and it was possible. Now I'm in a situation where I have to transfer some things from Google API to Office 365, and I can't see anything about the footer.
What is the best way to do this. I can not find a link. Almost every example is using OAuth2 and native app version of the examples still wants the client app to pop up a browser.
My system does not have a browser. I can make REST requests but that is it.
I just want to use a simple client that can list things on a command line app just by using Outlook.com or Hotmail account. Not for a Work/School account (no Active Directory).
Long story short I don't want to be redirected to a website. I can make http request and parse the response.
These are my limitations. All implementations are in C or c++. Are there an examples with flow diagram?
Technically what you're looking for is the client_credentials grant. You can read about setting this up # Get access without a user.
This grant has some limitations. In particular, it only supports Work/School Accounts. This is because your application will require the consent of an administrator, something not available with a personal Microsoft Account (Outlook.com, XBox Live, etc.). You'll need an Active Directory to authenticate against. You can however set up Azure Active Directory for free.
We are trying to implement a calendar portal (C# ASP.NET MVC) where one admin can see multiple outlook(or office 365) users calendar and see who is available. So multiple accounts should be accessed from one ASP.NET MVC application.
First question : Is it even possible? (may be because I had already seen post on stackoverflow : EWS - Access All Shared Calendars )
Second question : What would be the right approach?
Third question : Is there any project available from Microsoft or article? (I could find any good one)
I have had gone through Using Azure Multi-Tenant application without an Office 365 subscription to access users calendar information and https://www.youtube.com/watch?v=0kvDyl5HShA.
I have had also get connected with a single user's account via OAuth2. It was successful.
Currently, we have this subscription. If any more information required then please comment. Then I will add more description as per necessary.
Thank you.
You could try to build Daemon or Service Apps using client credential grant flow as described in this blog, the service app that requires admin consent, but is authorized to access any user's mailbox/calendar information in your Office 365 tenant. You could click here for sample web app that uses client credential flow to access Users, Mail, Calendar, Contacts in Office 365 via Rest APIs .
This link you provided needs to associate your Office 365 account with Azure AD to create and manage apps .If you can have an existing Microsoft Azure subscription, you can associate your Office 365 for business subscription with it. .Otherwise, you'll need to create a new Azure subscription and associate it with your Office 365 account in order to register and manage apps. For more details ,please read how to set up your Office 365 development environment.
I am currently creating Universal Windows App (native) that uses Microsoft Graph API. For authentication, I used ADAL for .NET library by calling GetTokenAsync() on the AuthenticationContext (https://github.com/AzureAD/azure-activedirectory-library-for-dotnet). The library will automatically prompt a login window for the user to enter its credentials.
Later I was required to open a OneNote URL on a web browser. I managed to get the note URL from the Microsoft Graph API (OneNote API) and then I realized when I tried to open the URL on a browser I was redirected to the Microsoft login page (http://login.microsoftonline.com).
This is not very good for user experience because they needed to enter their credentials twice (on the ADAL prompt window and on the browser). Is there any way whatsoever so that the user can do the login activity only once?
User needs to enter their creds on Microsoft online website but not twice. please debug the app and store this context ticket so you can use it in your win universial app. by the way, make sure that you are not pointing your app to two different api endpoints. go with the Microsoft graph api endpoint but not any other legacy endpoint for your app. Hope this helps.
We are developing a web application using Microsoft Graph, where the signed in user can, Export all the calendar events to a third party calendar Application. After this initial export, we need to keep the exported data in sync with calendar changes via service app (a scheduled task running on server). This need to be a multi tenant application, as people from different organizations should be able to use this service.
Right now we did the authentication using OAuth 2.0 and OpenID Connect as described in this sample. Later we understood that the access token we get using this method cannot be used in the service app without user interaction. Considering our scenario what is the best way to achieve this?
I have read about App-only authorization method to do this. If we use this authentication method, the app need to be consented by a tenant administrator and the these applications are quite powerful in terms of what data they can access in the Office 365 organization. Considering we are developing a product used by different organizations, will it be feasible to use this method?
To use the client credentials OAuth2.0 flow (aka "App-only" or service account access depending on who's documentation you're reading) the admin for each tenancy will need to specify which scopes your daemon process can have for users in their tenancy. The end users can't give these scoping rights to your code themselves (as far as I know at least).
One thing to watch out for is that currently Graph API doesn't allow you to mess about with calendars that are attached to Office 365 Groups if you're using the client credentials flow. This is a pain for us, so we've raised it as an issue that needs fixing in the Office 365 feedback system. if that's an issue for you or anyone else, please throw a few votes at it so that it gets more attention at Microsoft. :-)