I've set up access to the MS Graph API using OAuth 2.0 3-legged, where permission is asked of the final user.
Is it possible to set up MS Graph API OAuth 2.0 for an Office 365 domain or group of users via Azure AD or as an admin in the Office 365 portal? In other words, 2-legged OAuth 2.0 for MS Graph?
In G Suite 2-legged OAuth 2.0 is well documented, but I have not found it documented for MS Graph.
I found the solution: using the admin consent endpoint, my app can gather permissions for all users in a tenant, including admin-restricted scopes.
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-v2-scopes#using-the-admin-consent-endpoint
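As an added example (not part of the original question or answer), here is the admin consent request and the app-only token request that follows it, in Python using only the standard library. The tenant name, client id, redirect URI and permission names are hypothetical placeholders; the endpoint paths and parameter names are those of the Microsoft identity platform v2 endpoint documented at the link above. The code only builds and validates the messages, so it runs offline.

```python
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical registration values; replace with your own.
TENANT = "contoso.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000001"
REDIRECT_URI = "https://app.example.test/admin-consent/callback"
AUTHORITY = "https://login.microsoftonline.com"
GRAPH = "https://graph.microsoft.com"


def admin_consent_url(tenant, client_id, redirect_uri, scopes, state):
    """Build the v2.0 admin consent request.

    A tenant admin who opens this URL grants the listed permissions for
    every user in the tenant in one step, which is what replaces the
    2-legged flow the question asks about. Permissions are full resource
    URIs separated by spaces.
    """
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "scope": " ".join(f"{GRAPH}/{s}" for s in scopes),
    }
    return f"{AUTHORITY}/{tenant}/v2.0/adminconsent?{urlencode(params)}"


def parse_admin_consent_redirect(redirect_url, expected_state):
    """Validate the callback the consent endpoint sends to redirect_uri.

    Returns the tenant that granted consent and the granted scopes.
    Raises ValueError if `state` does not match the value we generated
    (the CSRF check: nobody must be able to inject a consent result from
    another tenant into our callback), if the admin declined, or if the
    response is malformed.
    """
    q = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    if q.get("state") != expected_state:
        raise ValueError("state mismatch; discarding callback")
    if "error" in q:
        raise ValueError(f"consent failed: {q['error']}: {q.get('error_description', '')}")
    if q.get("admin_consent") != "True" or "tenant" not in q:
        raise ValueError("malformed admin consent response")
    return {"tenant": q["tenant"], "scopes": q.get("scope", "").split()}


def client_credentials_request(tenant, client_id, client_secret):
    """Token request the app makes with no user present, once consent exists.

    The client credentials grant asks for `<resource>/.default`; the actual
    permissions are whatever the admin consented to for this app.
    """
    url = f"{AUTHORITY}/{tenant}/oauth2/v2.0/token"
    form = {
        "client_id": client_id,
        "client_secret": client_secret,
        "grant_type": "client_credentials",
        "scope": f"{GRAPH}/.default",
    }
    return url, form


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print(admin_consent_url(TENANT, CLIENT_ID, REDIRECT_URI,
                            ["Calendars.Read", "Mail.Send"], state))
```

The redirect parser checks `state` before looking at anything else; a callback that fails that check is dropped, not logged as a consent grant. The tenant id in the callback tells you who consented, but the app should still confirm it when it later validates the `tid` claim of the tokens it receives.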
I have an application (Blazor WebAssembly in my case but I believe this scenario applies to other application types as well) that uses the excellent (and convenient) Azure B2C login services to allow my users to register and log in using either a local account or some social accounts. In particular, I am supporting logging in with a Microsoft account. Once a user is logged in using his Microsoft account I want to give the user the option to save content on OneDrive without the user having to provide credentials again to access the Microsoft Graph API.
In the claims returned after logging in using the Azure B2C API I see that there is an idp claim (that's how I can determine if the user is logged in using a Microsoft account) and there is also an idp_access_token claim, but it is not a valid JWT to use against the Microsoft Graph, unfortunately.
What is the nature of the idp_access_token? How can I use it to access the Microsoft Graph and request additional scopes?
Azure AD B2C receives an access token (idp_access_token) from the identity provider. Azure AD B2C uses that token to retrieve information about the user. See details here.
No matter whether the idp_access_token claim is a valid JWT, it cannot be used to access Microsoft Graph or other additional scopes. As the document states, it is for retrieving information about the user. Usually the embedded IdP access token is used to call the services that the IdP hosts, but Microsoft Graph data is hosted in Azure AD, not on the Microsoft Account side.
Currently, if you want to call the Microsoft Graph API for a B2C tenant, you have to follow the Azure AD authentication protocols, for example the OAuth 2.0 authorization code flow.
If you want to call your own API protected by B2C, you should choose the Azure B2C authentication protocols, for example the OAuth 2.0 authorization code flow in Azure Active Directory B2C.
I'm trying to help someone to ingest Office 365 Alerts with the Graph Security API. This requires SecurityEvents.ReadAll as minimum permission. The docs mention that the permission setting is done in the Microsoft Graph API Explorer (see e.g. this blog). However, the account admin insists on setting the permissions using Azure AD. The question is how that is actually done. Azure AD / Enterprise Applications / Graph Explorer apparently doesn’t list any permissions. Would anyone know how to achieve this?
Many thanks!
If you want to test the Graph Security API in Microsoft Graph Explorer, you just need to set SecurityEvents.Read.All in Microsoft Graph Explorer.
If you want to call Graph Security API in your app, you should set SecurityEvents.Read.All in the app registered on Azure portal.
You could refer to Authentication and authorization basics for Microsoft Graph to learn more about how to handle the permissions and authorization to call Microsoft Graph API.
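Both the B2C answer above (the idp_access_token is not a token for Graph) and this answer (the token must carry SecurityEvents.Read.All) come down to reading what a token was issued for. The following Python, added here and not from either answer, decodes a JWT's claims for troubleshooting and checks the aud, scp and roles claims. The sample tokens are constructed fixtures signed with a dummy HS256 key; real Azure AD tokens are RS256-signed by Microsoft. The opaque string used as idp_access_token is likewise made up.

```python
import base64
import hashlib
import hmac
import json

# Microsoft Graph appears in the aud claim either as its URI or as its
# well-known application id.
GRAPH_AUDIENCES = {"https://graph.microsoft.com",
                   "00000003-0000-0000-c000-000000000000"}


def _b64url_decode(s):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_sample_jwt(claims, key=b"fixture-key-not-secret"):
    """Construct an HS256 token purely as an offline test fixture.

    Exists only so the inspection code below has something to parse; it
    does not model how Azure AD or B2C sign tokens.
    """
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def inspect_token(token):
    """Return a JWT's claims WITHOUT verifying the signature, or None when
    the string is not a JWT at all (for example an opaque IdP token).

    This is a troubleshooting aid for the client that holds the token. A
    resource server must never authorize on unverified claims; it has to
    validate signature, issuer, audience and expiry.
    """
    parts = token.split(".")
    if len(parts) != 3:
        return None
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
    except ValueError:  # bad base64 (binascii.Error) or bad JSON/UTF-8
        return None
    if not (isinstance(header, dict) and "alg" in header and isinstance(claims, dict)):
        return None
    return claims


def is_graph_token(claims):
    """True if the token was issued for Microsoft Graph (aud claim)."""
    aud = claims.get("aud")
    auds = aud if isinstance(aud, list) else [aud]
    return any(a in GRAPH_AUDIENCES for a in auds)


def granted_permissions(claims):
    """Permissions the token actually carries: scp (space separated) for a
    delegated token, roles (a list) for an app-only token. Either may be absent."""
    perms = set(claims.get("scp", "").split())
    perms.update(claims.get("roles", []))
    return perms


def has_permission(claims, permission):
    return permission in granted_permissions(claims)


if __name__ == "__main__":
    # Constructed B2C-style token: idp says who signed the user in, and the
    # embedded idp_access_token is an opaque string, not a JWT.
    b2c = make_sample_jwt({"aud": "b2c-app-id", "idp": "live.com",
                           "idp_access_token": "opaque-msa-token-constructed"})
    c = inspect_token(b2c)
    print("idp:", c["idp"], "| embedded token is JWT:", inspect_token(c["idp_access_token"]) is not None)
    # Constructed app-only Graph token carrying the Security API permission.
    g = inspect_token(make_sample_jwt({"aud": "https://graph.microsoft.com",
                                      "roles": ["SecurityEvents.Read.All"]}))
    print("graph token:", is_graph_token(g), "| perms:", granted_permissions(g))
```

If a Graph call returns 403, run the token you sent through inspect_token first: a wrong aud means you asked the wrong authority or resource, and a missing entry in scp/roles means the permission was never added to the app registration or never consented to, whatever Graph Explorer shows.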
Context:
AD domain, AAD Connect, Office365 tenant
ADFS deployed, federation between AD and AAD
SAP GW on premise, with SAML and OAuth configured
SAP GW does not support integration with AAD (only SAML SSO, and it's required to use its own OAuth server)
Scope:
I'm trying to build an application in SharePoint online where the authenticated user can:
fetch data from the SAP gateway (on behalf of the user)
fetch data from Microsoft Graph
Design (So far):
The user accesses Office 365 and authenticates with ADFS
With ADAL/MSAL I'm able to acquire an OAUTH token from AAD and get data from Graph (supported by the registration of an Enterprise application in AAD with permission for Graph)
Issue:
The OAuth token generated by AAD is not validated by SAP OAuth Server onprem if I try to access the onprem SAP API.
What should I do?
Should I get another SAML assertion directly from ADFS to get another OAuth token for the SAP OAuth Server to access the on-premise SAP API? If so, how can I get a SAML assertion (to call the SAP OAuth server) from ADFS without passing the user's credentials to ADFS (like in this example: https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-saml-bearer-assertion) and by using information available in the user session (already authenticated with AAD)?
Is there a way to configure ADFS to accept SAML assertions / JWT tokens originating from AAD?
Should I do something else?
Any idea on how could I support this scenario?
Thank you
The blog post: Announcing Exchange ActiveSync v16.1 states that:
While not a part of EAS 16.1, we also want to note that both Office 365 and Outlook.com customers can now utilize the OAuth 2.0 protocol for authorization through EAS.
My question is: which scope should I use in the oauth request?
Is there an example, perhaps of the full request?
Note: there was a similar question about using OAuth for Office365 with IMAP, but here I'm specifically asking about ActiveSync. I referenced this question in a comment to one of the answers on that thread.
Secondary problem:
Thanks to Jason's answer and some additional tweaks, we managed to generate an OAuth token using https://login.windows.net/common/oauth2, but only for Office 365 users (organization accounts) and not for Microsoft user accounts (Live, Hotmail, Outlook.com...).
The token allows access to both the ActiveSync protocol (via https://eas.outlook.com/Microsoft-Server-ActiveSync) and the EWS API (via https://outlook.office365.com/EWS/Exchange.asmx).
Unfortunately we cannot find a way to generate the same token for Microsoft online accounts (Hotmail, Live, Outlook.com). We tried using this endpoint: https://login.live.com/oauth20_authorize.srf, which allows only ActiveSync and not EWS.
Is there a way to use the same token for both organization and online accounts on both protocols (ActiveSync and EWS)?
Sorry this took so long, but I wasn't aware of this question until today :). You need to register your app as a native application in Azure Active Directory:
Then add the Access mailboxes as the signed-in user via Exchange Web Services (under Office 365 Exchange Online) delegated permission.
NOTE: You cannot register this in the Application Registration Portal (https://apps.dev.microsoft.com), it needs to be registered in the Azure Portal (https://portal.azure.com/), and you need to use the v1 Azure auth endpoints for authorization and token requests.
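The answer says to use the v1 Azure AD endpoints, which identify the API with a resource parameter rather than v2 scopes. As an added illustration (not from the answer or from any Microsoft sample), the Python below builds the v1 authorization code flow for a native client requesting the Office 365 Exchange Online resource, parses the token response and decides when to refresh. The client id is a placeholder, the redirect URI is the v1 native-app convention, and the token response used in the usage code is a constructed sample; no network calls are made.

```python
import json
import time
from urllib.parse import urlencode

# login.windows.net, used in the question, is the same service as
# login.microsoftonline.com. The v1 endpoint names the API being called
# with `resource`; the same EXO resource covers both EAS and EWS.
AUTHORITY_V1 = "https://login.microsoftonline.com"
EXO_RESOURCE = "https://outlook.office365.com/"  # Office 365 Exchange Online

# Hypothetical registration values.
CLIENT_ID = "00000000-0000-0000-0000-000000000002"
NATIVE_REDIRECT = "urn:ietf:wg:oauth:2.0:oob"


def v1_authorize_url(tenant, client_id, redirect_uri, resource, state, login_hint=None):
    """Browser step of the v1 authorization code flow for a native client."""
    params = {
        "client_id": client_id,
        "response_type": "code",
        "redirect_uri": redirect_uri,
        "resource": resource,
        "state": state,  # verify on return so the code belongs to this request
    }
    if login_hint:
        params["login_hint"] = login_hint
    return f"{AUTHORITY_V1}/{tenant}/oauth2/authorize?{urlencode(params)}"


def v1_token_request(tenant, client_id, code, redirect_uri, resource):
    """Redeem the code. A native (public) client sends no client_secret."""
    url = f"{AUTHORITY_V1}/{tenant}/oauth2/token"
    form = {
        "grant_type": "authorization_code",
        "client_id": client_id,
        "code": code,
        "redirect_uri": redirect_uri,
        "resource": resource,
    }
    return url, form


def v1_refresh_request(tenant, client_id, refresh_token, resource):
    """Get a new access token without sending the user back to the browser."""
    url = f"{AUTHORITY_V1}/{tenant}/oauth2/token"
    form = {
        "grant_type": "refresh_token",
        "client_id": client_id,
        "refresh_token": refresh_token,
        "resource": resource,
    }
    return url, form


def parse_v1_token_response(body, now=None):
    """Normalise a v1 token response. v1 returns numeric fields as strings
    and includes expires_on (Unix seconds); fall back to expires_in."""
    now = int(time.time()) if now is None else int(now)
    data = json.loads(body)
    if "access_token" not in data:
        raise ValueError(f"token error: {data.get('error')}: {data.get('error_description', '')}")
    expires_on = int(data.get("expires_on") or now + int(data.get("expires_in", 0)))
    return {
        "access_token": data["access_token"],
        "refresh_token": data.get("refresh_token"),
        "resource": data.get("resource", ""),
        "expires_on": expires_on,
    }


def is_fresh(token, now=None, skew=300):
    """Treat the token as expired `skew` seconds early to absorb clock drift
    and request latency; refresh when this returns False."""
    now = int(time.time()) if now is None else int(now)
    return now < token["expires_on"] - skew


def bearer_header(token, endpoint_resource):
    """Attach the token only to the resource it was issued for."""
    if token["resource"].rstrip("/") != endpoint_resource.rstrip("/"):
        raise ValueError("token was issued for a different resource")
    return {"Authorization": f"Bearer {token['access_token']}"}


if __name__ == "__main__":
    print(v1_authorize_url("common", CLIENT_ID, NATIVE_REDIRECT, EXO_RESOURCE, "state-123"))
    # Constructed sample of a v1 token response; values are made up.
    sample = json.dumps({"token_type": "Bearer", "expires_in": "3599",
                         "expires_on": "1700003599", "resource": EXO_RESOURCE,
                         "access_token": "sample-access-token",
                         "refresh_token": "sample-refresh-token"})
    tok = parse_v1_token_response(sample, now=1700000000)
    print("fresh now:", is_fresh(tok, 1700000000), "| fresh near expiry:", is_fresh(tok, 1700003400))
```

The same bearer header goes to https://eas.outlook.com/Microsoft-Server-ActiveSync and to https://outlook.office365.com/EWS/Exchange.asmx, which is what the question reported working for organization accounts.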
Is there a way to impersonate a user in office 365 using the new Microsoft Graph API?
I am currently using EWS API to impersonate office 365 users to add calendar events.
The Microsoft Graph uses OAuth2.0, and so you can have your app operate as the signed-in user, if the user grants the app the ability (in your case) to read/write calendar events. (In OAuth2.0 this flow is known as the code flow). If you need your app to create events on behalf of many users, where the user is not actually signed in to your app - say your app is a daemon service of some sort - then you could use the OAuth2.0 app-only (client credential) flow.
Acquiring a delegated access token to call Microsoft Graph is documented here: https://learn.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
Hope this helps,
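To make the delegated versus app-only distinction in the answer concrete, here is an added example (not from the answer) of the Graph request that replaces EWS impersonation for creating a calendar event. With a delegated token the app posts to /me/events; with an app-only token there is no signed-in user, so the app must name the mailbox under /users/{id-or-upn}/events. The token value, user principal name and event payload are constructed placeholders, and the code builds and validates the request without sending it.

```python
from datetime import datetime
from urllib.parse import quote

GRAPH_V1 = "https://graph.microsoft.com/v1.0"


def validate_event(event):
    """Reject malformed calendar payloads before they reach Graph.

    start and end are dateTimeTimeZone objects: a dateTime string plus a
    timeZone name. When both sides use the same zone, end must be after start.
    """
    if not event.get("subject"):
        raise ValueError("event needs a subject")
    for side in ("start", "end"):
        part = event.get(side)
        if not isinstance(part, dict) or "dateTime" not in part or "timeZone" not in part:
            raise ValueError(f"{side} must contain dateTime and timeZone")
    start = datetime.fromisoformat(event["start"]["dateTime"])
    end = datetime.fromisoformat(event["end"]["dateTime"])
    if (start.tzinfo is None) != (end.tzinfo is None):
        raise ValueError("start and end mix offset-bearing and local dateTime values")
    if event["start"]["timeZone"] == event["end"]["timeZone"] and end <= start:
        raise ValueError("end must be after start")
    return event


def create_event_request(access_token, event, app_only=False, target_user=None):
    """Build the Graph call (method, url, headers, json body).

    Delegated token (code flow): the token identifies the signed-in user,
    so the event goes to that user's own calendar via /me.
    App-only token (client credentials): no user is signed in, so the app
    picks the mailbox explicitly. The application permission can reach any
    mailbox it covers, so choosing target_user correctly is the app's job.
    """
    validate_event(event)
    if app_only:
        if not target_user or not target_user.strip():
            raise ValueError("app-only mode requires a target user id or UPN")
        path = f"/users/{quote(target_user, safe='')}/events"
    else:
        path = "/me/events"
    return {
        "method": "POST",
        "url": GRAPH_V1 + path,
        "headers": {
            "Authorization": f"Bearer {access_token}",
            "Content-Type": "application/json",
        },
        "json": event,
    }


if __name__ == "__main__":
    # Constructed sample event; all values are placeholders.
    sample_event = {
        "subject": "Design review",
        "start": {"dateTime": "2024-05-01T09:00:00", "timeZone": "UTC"},
        "end": {"dateTime": "2024-05-01T10:00:00", "timeZone": "UTC"},
        "attendees": [{"emailAddress": {"address": "bob@contoso.example"}, "type": "required"}],
    }
    print(create_event_request("sample-delegated-token", sample_event)["url"])
    print(create_event_request("sample-app-only-token", sample_event,
                               app_only=True, target_user="alice@contoso.example")["url"])
```

Hand the returned dictionary to your HTTP client of choice (it maps directly onto the keyword arguments of requests.request, for instance). The /users/{upn} form is also what the daemon case in the answer needs when it creates events for many users who are not signed in.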