Daemon app with access to single user's office 365 calendar - office365api

I have a cron script that should read a specific user's Office 365 (for business) calendar. The script runs on a Unix server. For now it's perl and it uses the v1 Office 365 API, but python or node.js are also viable options.
I am also not an admin for this office/AD tenant. Allowing the script to read the calendars of all users is not possible.
I am able to read a calendar using OAuth2 if I do some user interaction, but not if I try to use a 'daemon'.
Is it possible to have a user 'allow' a daemon app to access its calendar forever?

You can refer to the following link:
Building Daemon or Service Apps with Office 365 Mail, Calendar, and Contacts APIs (OAuth2 client credential flow)

Related

Retrieve users / groups assigned to outlook addin from Microsoft graph

Design
Outlook Add-in that shows sales specific information based on the message (content, sender, etc)
Daemon that subscribes to new messages for the sales team and processes messages as they come in. Runs with application authentication
Scenario
We are developing a multi-tenant add-in that shows sales specific information based on the email they are viewing. Since the sales team may be a single person, group or multiple people.
Question
How would the daemon running as an application use the graph to pull in users assigned to it?
You would need an Azure AD Application registered with Mail.Read permissions. The add-in would sign in as the user. Then have the add-in subscribe to the user's mailbox on the user's behalf. The subscription would include the URL of a backend web api that Microsoft Graph subscription service would call.
You would need to register a new Azure AD Application (if you don't have one created already) for the backend web api. Then you would want to grant the correct permission scopes to it. For your scenario you would require each tenant to admin consent this application, because you would need access to messages in many users' mailboxes using application permission Mail.Read. The reason for this is that the webhook does not call your web api with any user token that you could use to then actually fetch the details of the message.
More info on change notifications (webhooks) is here https://learn.microsoft.com/en-us/graph/webhooks
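The callback side of the subscription described in the answer above, as an added example that is not part of the original answer: because Graph calls the backend without a user token, the handler echoes the `validationToken` handshake and accepts only notifications whose `clientState` matches the value set when the subscription was created. The function name, the sample payload and the secret are constructed for illustration.

```python
import hmac
import json
from urllib.parse import parse_qs

# Constructed sample: clientState chosen when the subscription was created,
# and a notification body with one genuine and one forged entry.
SAMPLE_STATE = "constructed-client-state"
SAMPLE_BODY = json.dumps({"value": [
    {"subscriptionId": "sub-1", "clientState": SAMPLE_STATE, "changeType": "created",
     "tenantId": "tenant-a", "resource": "Users/u1/Messages/m1"},
    {"subscriptionId": "sub-2", "clientState": "guessed", "changeType": "created",
     "tenantId": "tenant-a", "resource": "Users/u2/Messages/m9"},
]}).encode()


def handle_graph_callback(query_string, body, expected_client_state):
    """Handle one POST from Microsoft Graph to the subscription's notificationUrl.

    Returns (status, content_type, response_body, accepted_notifications).
    """
    # 1. Subscription handshake: Graph sends ?validationToken=... and expects
    #    the URL-decoded token echoed back as text/plain with a 200.
    token = parse_qs(query_string).get("validationToken")
    if token:
        return 200, "text/plain", token[0], []

    # 2. Change notification: a JSON object holding a "value" array.
    try:
        items = json.loads(body)["value"]
    except (ValueError, KeyError, TypeError):
        return 400, "text/plain", "bad payload", []
    if not isinstance(items, list):
        return 400, "text/plain", "bad payload", []

    accepted = []
    expected = expected_client_state.encode()
    for item in items:
        if not isinstance(item, dict):
            continue
        # No user token arrives with the POST, so clientState is the check
        # that the sender knows the secret we put in the subscription.
        state = str(item.get("clientState", "")).encode()
        if hmac.compare_digest(state, expected):
            accepted.append({k: item.get(k) for k in
                             ("tenantId", "subscriptionId", "changeType", "resource")})
    # Acknowledge quickly; the message itself is fetched afterwards with the
    # app-only (Mail.Read) token, outside this handler.
    return 202, "text/plain", "", accepted
```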

Excel web addin authentication for AppSource

I am building an Excel Web Addin. I'll need to authenticate the user against Office 365 and publish the addin to AppSource / Office Store. What is the ideal authentication method to use?
I found tutorials for SSO authentication, but then I read on https://learn.microsoft.com/en-us/office/dev/add-ins/develop/sso-in-office-add-ins : "The Single Sign-on API is currently supported in preview only. It is available to developers for experimentation; but it should not be used in a production add-in. In addition, add-ins that use SSO are not accepted in AppSource."
Does this mean SSO applications will still not be accepted to the Store? What authentication flow should I use then? I only need the user to sign in and access my Web API via this identity. If possible, the user shouldn't need to reenter their credentials. Is there a code sample I could follow to get this done?
AppSource is not accepting add-ins that use the preview SSO system at this time.
To authenticate a user with a Microsoft Account or a Work or School (Office 365) account without SSO, the user will need to sign in again even if she or he is already logged into Office. Without the SSO system, the add-in has no way of knowing who is logged into Office, just as a web app open in a browser wouldn't know if Office is running on the machine or who is logged into it.
(Your choice of flow might be affected by whether you have a single page app (SPA) or a server-generated UI. Since you mentioned you have a Web API, I'll assume this is not a SPA.)
I don't know of any sample Office Add-ins that only authenticate the user; but there are a couple that log in the user and then use the Auth Code Flow to get an access token to Microsoft Graph.
PowerPoint Add-in Microsoft Graph ASPNET InsertChart. The Office app is PowerPoint, but the auth-related code would be the same for Excel.
Office Add-in Microsoft Graph ASPNET. This is nearly the same, but has Excel as the Office app. It's not polished. (See the Known Issues in the readme.)
But please keep in mind that an Office add-in is just a web app and -- with one exception -- authorizing a user is the same in an add-in as it would be in any other web app. So, you should be able to use the samples in Azure AD Quickstarts.
The one exception is that you have to open the AAD sign-in page in a special dialog window that is invoked with the Office.js displayDialogAsync API. The 2 samples I linked to above do this. You can get detailed guidance about using the Dialog for auth in the article Dialog API in Office Add-ins.
BTW, Microsoft is in the process of improving its documentation and samples for non-SSO auth. We hope to get these improvements published over the next few weeks.

Office 365 Admin : Audit MSGraph requests in Office365 Security & Compliance

As an exchange admin, I want to audit Graph API calls
Under Office 365 Security and Compliance section, Audit Log Search, I can find audit logs for other components such as Power BI but nothing for Graph.
I tried using Exchange Mailbox Activities but I don't see any audit logs when I access/update meeting items using Graph API.
Is there a way I can audit these calls?
To monitor the MSGraph app activities, you should check for 'Add OAuth2 Permission Grant' activity under Azure AD workload. But O365 Security & Compliance portal doesn't show the activities performed by Azure AD workload. 
As a workaround, you shall use the Search-UnifiedAuditLog cmdlet.
Sample code snippet for getting last month's data:
Search-UnifiedAuditLog -StartDate 4/23/2019 -EndDate 5/23/2019 -Operations "AddOAuth2PermissionGrant"
If you would like to explore the activities using a GUI interface then you shall try the Office 365 auditing reports available in AdminDroid Office 365 Reporter.

Authenticating a background app with Microsoft Graph

I need to build a background service (running on a schedule on a linux box) that would pull events from a 3rd party calendar and add them into a Office 365 account calendar.
I am stuck on authentication piece. Reading https://learn.microsoft.com/en-us/graph/auth-v2-service?view=graph-rest-1.0 I get to where I configure a platform for my app. If I select "Web" as the article suggests, I need to provide a callback URL to get the token, but my service doesn't expose any URL endpoints so there is no callback URL to provide.
How do I approach authentication of my service with Microsoft Graph?
It's a bit strange, but you have to fill the callback URL. Because you use Application Permissions you can fill it with whatever you want (valid uri)!
Like https://mybackgroundapp.com
If you're not using any of the Microsoft Graph libraries you can use this to obtain a token.
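The token request behind the answer above, as an added example that is not part of the original answer: with application permissions the service posts its own credentials to the tenant's v2.0 token endpoint, and the request carries no `redirect_uri`, which is why the registered callback URL is never visited. The environment variable names and the sample response are assumptions made for illustration.

```python
import json
import os
import time
from urllib.parse import urlencode
from urllib.request import Request, urlopen

GRAPH_SCOPE = "https://graph.microsoft.com/.default"

# Constructed sample of a successful token endpoint response.
SAMPLE_RESPONSE = b'{"token_type": "Bearer", "expires_in": 3599, "access_token": "constructed-token"}'


def build_token_request(tenant_id, client_id, client_secret):
    """Build the client credentials POST; note there is no redirect_uri field."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": GRAPH_SCOPE,  # .default = the application permissions consented for the app
    }
    return Request(url, data=urlencode(form).encode(), method="POST",
                   headers={"Content-Type": "application/x-www-form-urlencoded"})


def parse_token_response(raw, now=None):
    """Return the token and the time to refresh it, or raise on an OAuth error body."""
    now = time.time() if now is None else now
    doc = json.loads(raw)
    if "error" in doc:
        raise RuntimeError(f"{doc['error']}: {doc.get('error_description', '')}")
    # Refresh a minute early so a scheduled run never sends an expired token.
    return {"access_token": doc["access_token"],
            "expires_at": now + int(doc["expires_in"]) - 60}


if __name__ == "__main__":
    # Hypothetical variable names; the secret stays out of the script itself.
    req = build_token_request(os.environ["GRAPH_TENANT_ID"],
                              os.environ["GRAPH_CLIENT_ID"],
                              os.environ["GRAPH_CLIENT_SECRET"])
    with urlopen(req, timeout=10) as resp:
        token = parse_token_response(resp.read())
    print("token valid until", time.ctime(token["expires_at"]))
```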

Office 365 Outlook Calendar : How to access multiple user's calendar in a single ASP.NET MVC application?

We are trying to implement a calendar portal (C# ASP.NET MVC) where one admin can see multiple Outlook (or Office 365) users' calendars and see who is available. So multiple accounts should be accessed from one ASP.NET MVC application.
First question: Is it even possible? (Maybe, because I have already seen a post on Stack Overflow: EWS - Access All Shared Calendars)
Second question : What would be the right approach?
Third question : Is there any project available from Microsoft or article? (I could find any good one)
I have gone through Using Azure Multi-Tenant application without an Office 365 subscription to access users calendar information and https://www.youtube.com/watch?v=0kvDyl5HShA.
I have also connected with a single user's account via OAuth2. It was successful.
Currently, we have this subscription. If any more information is required then please comment. Then I will add more description as necessary.
Thank you.
You could try to build Daemon or Service Apps using the client credential grant flow as described in this blog; the service app requires admin consent, but is authorized to access any user's mailbox/calendar information in your Office 365 tenant. You could click here for a sample web app that uses the client credential flow to access Users, Mail, Calendar, Contacts in Office 365 via REST APIs.
The link you provided requires you to associate your Office 365 account with Azure AD to create and manage apps. If you have an existing Microsoft Azure subscription, you can associate your Office 365 for business subscription with it. Otherwise, you'll need to create a new Azure subscription and associate it with your Office 365 account in order to register and manage apps. For more details, please read how to set up your Office 365 development environment.
