Google Console has "service accounts" and service accounts can be given write permissions to files. These files can then modified without any sort of user intervention and works as long as the service account has the appropriate permissions.
Is there anything similar for Microsoft Graph? We have a file in a SharePoint folder that we would like continued access to even if the people with access to that folder continuously changes.
Azure AD has a notion of Service Principals that can be used for this purpose.
Related
I am writing a .NET desktop app that uses the Microsoft Graph API to access the contents of my OneDrive for Business storage. I am logging in to Graph using my Microsoft work/school account U1, in my organization O1. Another Microsoft work/school account, U2, in a different organization, O2, has shared a folder with me. The folder shows up in "Shared With You" when I browse my OneDrive interactively in a browser, and I can make changes to the folder there. It also shows up as a DriveItem in the returned list when my app uses the "sharedWithMe" API call documented here (with allowexternal set to true).
All good so far. The problem is when I try to actually retrieve the shared folder using the returned DriveItem. I am following the guidance in the doc page to use a call like
GET /drives/{remoteItem-driveId}/items/{remoteItem-id}
to retrieve the folder, and I have the "Files.ReadWrite.All" permission. I believe I am doing this correctly in my code, because it works fine on other items shared with me by users in my organization. However, with the folder shared by U2, this call fails with an "itemNotFound" error. I don't understand why this fails. Is this a problem with my code, or some configuration that needs to be done in my organization O1, or in their organization O2, or a combination? Or is what I'm trying to do just not possible across organizations?
I have found a couple other folks who have had similar problems, but the resolutions are inconclusive: see here, here, and here. These links have suggested a couple directions:
could this be a problem with some sharing setting on the part of organization O2? Unfortunately I don't have any control over this org. But if I can give them a clear request, preferably with some Microsoft docs to back it up, I think they would be receptive. For example, does organization O2 need to add/invite my account U1 as an external/guest user to their Azure AD? I don't know for sure if they've done that.
one of the comments suggested that my app would need to be a multi-tenant app for it to access resources in another tenant. I do not want my app to be multi-tenant in the sense of allowing people in other tenants to login to it, but I do want my account to be able to access resources in other tenants that have been shared with me. I tried changing the app registration for my app to multi-tenant, and that didn't make any difference.
in the multi-tenant vein, I found this Microsoft doc, which states "In the code of your multi-tenant app, get the authentication token for other tenants and store them in the auxiliary headers. The user or application must have been invited as a guest to the other tenants." In my code I am using Microsoft.Identity.Client.PublicClientApplicationBuilder to sign my account in and get an access token, using the authority for my tenant. It sounds like my access token is only valid for resources in my tenant - how do I get a token for another tenant in my code?
Thanks very much for any suggestions, be they pointers to docs, code suggestions, etc!
I need to upload files to a client's shared folder on OneDrive, however, there's no way I can get them to allow Files.WriteAll for my application (I'm using application permissions, not delegation) -- I've asked them. Is there another way to do that?
I have looked into multiple SO questions about this and on Microsoft's documentation, and I believe it is not possible, but I would like to know from people with more experience using Microsoft's service if it is indeed true.
Trying to leverage the Microsoft Graph API within a daemon application to update a single OneDrive Excel file. How do I accomplish least privilege permissions to a single file. I have scoured the documentation for a straightforward explanation of this basic task, however no articles are instructive on how to proceed with this. The documentation appears to define least privilege as a distinction between the Office software entities, but not within folders and files of a OneDrive. Thanks in advance for guidance.
This isn't possible. The Files.{Read|ReadWrite}.All application scopes provide access to the entire Drive for every user.
From the Permissions documentation:
Files.Read.All: Allows the app to read all files in all site collections without a signed in user.
Files.ReadWrite.All: Allows the app to read all files in all site collections without a signed in user.
I am currently setting up an ASP.NET MVC application that will be hosted on the Windows Azure platform. The application may be used by hundreds of third parties, each with their own group of individual users, which will need to be authenticated by logging in. I am looking at using Windows Azure Active Directory (WAAD) for the authentication piece.
Obviously I can use WAAD to set up individual logins for each user, then add them to a group which has been set up for the third party they belong to.
This will likely be sufficient for most third parties. However, some may already have their own Active Directory (AD), which may or may not be a WAAD, with all of their users as members. I am wondering if there is a way that I can, relatively easily, provide a way for them to connect their Active Directory to my WAAD, allowing their directory users to authenticate with our WAAD.
I have read about integrating an on-premises AD with WAAD, either through synchronisation or using a federated login. However, all of the articles seem to be aimed at "your" on-premises AD linked with "your" WAAD. Obviously since you manage both directories there is inherent trust there. However, for obvious reasons, I only trust third parties to authenticate their users and do not want to open up a mechanism where they may be able to manage my WAAD and affect other people's users or groups.
So...
Can I connect a third party AD with my WAAD and let them authenticate their users for my application, without compromising the security of my WAAD?
If so, what is the best way to configure this set-up? Would I use the standard federated services software, for example, or is there something more suitable?
1) You can definitely expose Azure AD applications to users from other Azure AD tenants, without the need to manage their directories or give them any access to yours. The Azure AD documentation refers to those kind of app as "multi-tenant". You can find a detailed example in https://azure.microsoft.com/en-us/documentation/samples/active-directory-dotnet-webapp-multitenant-openidconnect/.
2) multi-tenant applications operate under the assumption that all the participating directories have their corresponding Azure ADS tenant. That is the case when, for example, they did set up Office365 or any other cloud service. Direct federation would not work in this scenario, given that the just in time provisioning of apps and the enforcement of permission and access rules relies on the directories and users being stored in shared infrastructure (though still completely isolated form each other, as is always the case in sound multitenant systems).
Please try the sample, hopefully it will help making the above more concrete. HTH
You can also look at the Azure AD B2B and B2C (in preview) options - https://blogs.technet.microsoft.com/ad/2015/09/16/azure-ad-b2c-and-b2b-are-now-in-public-preview/
I am initiating an App for Office project and I am trying to find out something critical.
Can I use my ASP.NET MVC built-in OAuth authentication to pair it with a Live account so my app logs-in the user into MS Office for Desktop apps.
This is needed so I can access OneDrive and use the share file editing there.
The architecture so far is:
Files stored in a single OneDrive or SharePoint server (TBD)
Desktop Office apps (Word and Excel) where the users work.
App for Office, installed in their Word and Excel. Users can authenticate on the back-end ASP.NET MVC server, using any 3rd party email address and a password.
I have used OAuth in ASP.NET MVC projects but not in integration with Office in an App for Office.
So, my question is if this idea is possible and HOW, or I have to give everyone an Office 365 account so they can connect via the integrate Office for desktop.
As we in our small company like to benefit from the OneDrive functionality, and also want to have selected shared and group folders offline available, we found a more or less perfect workaround.
We use the Goodsync software to synchronize. For this you create a sync job within Goodsync for the folders you want to have offline- available. Such a sync definition / call it folder pair / has a reference to the local folder, and on the other side a reference to the OneDrive folder. The reference to the OneDrive folder you describe like this: „sds://d.docs.live.net//“.
The OneDrive CID you can see for any shared OneDrive folder in OneDrive web whithin its web address (example: https://OneDrive.live.com/?cid=xxxxxxxxxxxxxxxx) . Similarly it works for OneDrive group folders.
Our experience is very good with this workaround, only to be aware to have all rights for the shared One Drive folder, then Goodsync can even create or delete folders within shared OneDrives.
Good luck! Wolfgang from Salzburg
For everyone's benefit, I will explain what we have done.
We are using Azure Active Directory and manage all users there. We connected SharePoint site to it and it has a OneDrive behind. Now our App for Office connects to that using SharePointContext from here and it magically works.