We are building a web app that lets Office365 customers create a realistic plan for their week, by showing them how much time they actually have to work each day (it's called Weekly if you're interested).
The problem we are running into however is that some companies, primarily large ones, block apps entirely from making Microsoft Graph calls to their users. What's tricky is that we send them to Office365 to grant us permissions, their company blocks the access request, and we never see those users again, so currently don't have any way of knowing what happened.
We'd like to be able to display our own message that says something like "Your company has blocked access to our application, please contact your IT department for help".
Is there any way of knowing before sending the user over to grant access that their company (the domain) even allows apps? If not is there some way to send the user back to the requesting app with some details about why the grant failed (did the user not grant permissions, did the company block access, etc.)?
Thanks for your help!
If the administrator disables the ability for users in the organization to consent then the error message will be something like:
AADSTS90093: An administrator of {tenantDisplayName} has set a policy that prevents you from granting {name of app} the permissions
it is requesting. Contact an administrator of {tenantDisplayName}, who
can grant permissions to this app on your behalf.
https://apps.dev.microsoft.com/portal/tools/errors?errorName=graph_user_unauthorized
Related
Recently the Teams API has been extended so that applications can set the availability / presence for a user logged into Teams: https://learn.microsoft.com/en-us/graph/api/presence-setpresence
However, the permissions for this API do not allow access with delegated permissions, only with permission type application:
https://learn.microsoft.com/en-us/graph/api/presence-setpresence?view=graph-rest-1.0&tabs=http#permissions
Am I right in assuming, that this means I will need an administrators consent from every tenant if I intend to build an application using this API?
Is it therefore impossible / impractical to implement this into my app that allows a user to set their presence based on the activity in my app? Because, and please correct me if I am mistaken, a user by themself cannot actually give my app the permission to do this. Right?
(Doesn't this make this api point sort of nearly useless?)
This API supports only Application permission, so on behalf of user token, you can not change the status where as using application token, you can update the status: https://learn.microsoft.com/en-us/graph/api/presence-setpresence?view=graph-rest-1.0&tabs=http#permissions
We have an app registered on Azure AD (we got app ID, secret, redirect URL). This app is a daemon/background application which is performing actions on behalf of a user, there is no signed-in user that can grant permissions. In particular, the app will periodically retrieve all emails from a particular outlook mailbox called my.test#org.com
We are following the permission scoping documentation and the permission documentation when there is no signed in user.
In my understanding we need
to give application-permissions on the API permissions page in Azure AD
create a security group which is somehow assigned to the mailbox we want to read from via
New-ApplicationAccessPolicy
-AppId e7e4dbfc-046f-4074-9b3b-2ae8f144f59b
-PolicyScopeGroupId EvenUsers#contoso.com <-- would I put here my.test#org.com or the ID of the security group?
-AccessRight RestrictAccess
-Description "Restrict this app to members of distribution group EvenUsers."
Is my understanding correct that both of the above steps are needed. It seems strange that in the first step we can only give tenant wide permissions to the application when we really only need to limit it to one particular mailbox.
Thanks for the help
The above steps looks good to me and i would do the same as well. Just provide necessary Graph permissions while you grant permissions to access your/others mailboxes - as described in the documentation/steps.
We have an instance of IdentityServer4 running and use it internally for our apps. Those app clients have the property RequireConsent set to false. The result is, you go to the apps website (app1.website), you are redirected to the identity server website (identity.website), where you log in, and redirected back to app1.website.
We also allow 3rd parties to build apps or integrations against our system. In their case, every user needs to approve the app on a consent screen, before they can get the refresh token for that user. There are 2 ways this can play out:
The 3rd party has a user management on their own, in that case they only need 1 user who initiates the connection, and this user's token is used for every further interaction with our system.
The 3rd party doesn't have their own user management, and instead relies on our identity server to authenticate users. This is something, we want to encourage more in the future, as it helps our partners to build their apps faster, since they don't need to deal with the whole user flow, like confirm email, forgot password, ...
However, the problem in option 2 is, that our app (which is B2B) has a user structure that is similar to slack. When one user in an organization approved an app, others should be able to use it without the need for a consent screen (especially since not all users are allowed to approve apps).
In the current scenario, if the organization owner, Alice, approved the 3rd party app X and told Bob to use it, Bob would still see a consent screen. If Bob were also an organization owner, he could approve the consent screen, but if he were just an intern in the company, he wouldn't be able to use the app X.
What I'd really want is to approve a 3rd party app on an organizational level. In azure active directory, what I'm looking for seems to be called Tenant Admin Consent. There is a similar question How do I trigger the admin_consent flow using IdentityServer 4 for a multi-tenant app? - however, We aren't using IdentityServer 4 as a middleman, but it's the final user management instance.
How can I configure / extend IdentityServer4, so that if the second user, from the same organization, tries to use an app, their refresh token will be automatically generated, without a consent screen?
Update: It's not about replacing Option 1 with Option 2. Big providers will keep their custom user management. But small app providers should be able to re-use our user management features. Once an app is "tenant wide" connected, any user from that tenant should be able to access it, as if the app config was RequireConsent=false (other tenants would still need to connect it with a consent screen first)
My organization has an institutional e-mail account in Outlook 365.
There is a small number of users who are responsible for managing that mailbox, reading, answering, forwarding and sending messages from that account.
I am writing a web application (PHP) to automate some messaging operations, so I implemented access to that account using Microsoft Graph. But this requires to login using that account's credentials, and I wouldn't like to share account's password (which I have) with those users.
Is it possible to to grant permission for those users' accounts so MS-Graph will allow them to read/write/send messages from that account, once they have logged in? If so, how would it done?
If this post lacks some relevant information I'm not remembering now, please comment and I'll edit to add it.
Thank you very much.
You could use admin consent for that purpose. Administrator can grant access for the entire tenant, and users will not be prompted for consent afterwards
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#requesting-consent-for-an-entire-tenant
I am trying to achieve the following:
an authenticated user uploads a video on my web application
my web app stores the video, logs it in our database etc. then connects to a Google account and makes a request to upload the video to a Youtube channel within that google account
I've created the Google account, enabled the youtube API, configured OAuth 2.0 access etc, but I'm not sure that any of the documented workflows meet my requirements. (For example I don't want any user interaction as part of the authentication process).
It looks like a Service Account ( https://developers.google.com/accounts/docs/OAuth2ServiceAccount ) is what I need, however these accounts dont appear to support all Google APIs, or at least not youtube.
Does anyone have any advice / has anyone implemented something similar?
When you say ... "For example I don't want any user interaction as part of the authentication process", how will that work.
The user might not be logged in to Google, or might be logged in to multiple accounts so will have to choose which account to use for your app. So the potential for user interaction is unavoidable.
Once the user has authorised your app, logged on to your app (ie. accessed it and you've stored his user id in the session), then future accesses will be devoid of user interaction; at least until he logs off.
The difference between service accounts and user accounts is not the auth flow. The difference is that with a user account, the API access is by the user via your app (so the video will be "owned" by the user. With a service account, your app IS the user (so the video will be owned by you).
I'm not saying that Service Account is wrong for you, just that your reason for going that way is not quite right.