I've a web app which access Microsoft Graph API which authenticate the user using Azure v2.0. Both Personnel User account and Organisational user can provide the user consent and access the app. Organisational user can remove the consent by going to myapp.microsoft.com however Personnel user are not able to see the consented app in myapps.microsoft.com
So how can personnel user remove the consent to the application ?
Thanks,
Himal
Users with personal Microsoft accounts (Hotmail, live, outlook.com, etc.) can revoke apps at https://account.microsoft.com/privacy/. If you click on Apps and services that can access your data, you'll see a list of all the apps you've consented to and you can revoke them there as well.
For example, I test the Graph explorer app with a live.com account. I can review the permissions it uses and revoke the application if necessary.
Related
We have created a Microsoft Teams tab app with bot integration that we want to distribute to various organizations either manually or via an App Store. In summary,
We created Tabs App with Microsoft Bot using node.js botbuilder package.
We provided zip archive to another organization (another tenant Id).
Organization uploaded our app using Microsoft Teams Admin panel and approved permission in Permission tabs.
Question is how can we receive the tenant id from the organization we are deploying to without asking their admins to go to Azure Active Directory and look it up. Once provided, the graph api and the multi tenant bot does work fine. We are trying to avoid asking their admin to provide us the tenant id and want to retrieve it automatically upon the app being uploaded or on startup.
Thank you.
The best place to get the tenant id is from the access token you are provided by logging in to your app. Look for the 'tid' value.
I'm assuming you are talking about stream lining the company wide admin consent for your application.
What you can do is have a web site that a customer's admin can log into (using standard Microsoft OAuth interactive flow). You can then pull the Tenant ID from the access token and then run through the Microsoft consent process. Once consent process redirected back to your web site, you can do your own customer onboarding if required.
I'm trying to create an iOS application that allows to read Office 365 user's email. So, I've created a multi-tendant Azure Active Directory Application and during OAuth authentication I request following scope: offline_access User.Read Mail.Read EWS.AccessAsUser.All.
Unfortunately when I try to log in as a non-admin Office 365 user, instead of showing permissions review dialog I get "%AppName% needs an administrator approval".
Could you please help me to figure out how could I avoid "Admin Approval Required" dialog?
Logging in via other email clients (I've tested Edison Mail) with the same scope and to the same account shows a grant dialog (no-one in the organisation has previously logged in to the app neither admin has previously approved it). If more details are needed I'll be happy to provide them!
Thank you in advance!
P.S. Leaving just offline_access User.Read in the scope actually shows grant dialog, but popular applications somehow can get all the required permissions at once...
Although the Mail.Read and EWS.AccessAsUser.All scopes do not require admin approval at the Graph API level, organisations can turn off the Office 365 user consent setting Let people in your organisation decide whether third-party apps can access their Office 365 information.
Security best practice recommends that this setting is turned off. If it is turned off one of two things will happen.
If admin consent workflow is enabled, then the user will get a form where they can submit a request for the app to be approved.
If admin consent workflow is not enabled, then they will see the "administrator approval required" message.
More information on user consent is available here
You will need to provide some guidance for users on getting their organisation to approve your app in the case where the user is unable to provide that consent themselves.
I am not sure why Edison Mail is working, although it is possible that its app registration has been whitelisted by Microsoft; I don't have access to the Office 365 admin portal to confirm.
My organization has an institutional e-mail account in Outlook 365.
There is a small number of users who are responsible for managing that mailbox, reading, answering, forwarding and sending messages from that account.
I am writing a web application (PHP) to automate some messaging operations, so I implemented access to that account using Microsoft Graph. But this requires to login using that account's credentials, and I wouldn't like to share account's password (which I have) with those users.
Is it possible to to grant permission for those users' accounts so MS-Graph will allow them to read/write/send messages from that account, once they have logged in? If so, how would it done?
If this post lacks some relevant information I'm not remembering now, please comment and I'll edit to add it.
Thank you very much.
You could use admin consent for that purpose. Administrator can grant access for the entire tenant, and users will not be prompted for consent afterwards
https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-permissions-and-consent#requesting-consent-for-an-entire-tenant
My current application supports Microsoft and Google oAuth verification sign in. The idea is to give users the option of signing in with their personal accounts for ease of access. This is working fine with google, but AAD will only allow users with emails that end in the App ID URI domain to sign in
eg: App Id URI = someOrg.com/guid and their sign in = someUser#someOrg.com.
Attempting to sign in with a Microsoft account like an outlook or hotmail account redirects to a page saying
"We're unable to complete your request
Microsoft account is experiencing technical problems. Please try again later."
Is there a way to allow AAD to accept any Microsoft account in the login, or can it only accept users in a single domain?
Basics
Yes! Checkout https://aka.ms/aadv2. The v2 endpoint allows both personal Microsoft and Azure AD accounts to be signed in from a single app reg. You'll need to hit this special endpoint (can be done using the MSAL libraries) and setting your app audience in the Azure portal.
Details...
By default and using the following URLs (note the common piece):
https://login.microsoftonline.com/common/v2.0/authorize
https://login.microsoftonline.com/common/v2.0/token
If set to common, your app can sign in any domain and personal Microsoft accounts.
Other options
For the sake of covering everything, here's the other options:
common->organizations: Only allow Azure AD accounts
common->consumers: Only allow personal Microsoft accounts
common->[tenant_id]: Only allow accounts from the specified tenant
MSA as a guest
The edge case you may need to address is a personal Microsoft account added as a guest to an Azure AD tenant. When the user hits common, they'll be signed in as a personal Microsoft account; however, they may intend to sign into their domain. You can build around this by introducing a "enter your email" screen, then passing this as a hint to Microsoft via the common endpoint.
So, basically I have a multi-tenant App that makes numerous calls to Graph API. The problem is with the call to assign license to a user - POST /users/{id | userPrincipalName}/assignLicense.
In the Azure App registration portal , in the permissions section, I have given all the delegated permissions under Azure AD and Graph API.
Permissions Assigned screenshot.
Then, I made an global admin consent to this app for all the users in the organization using admin consent flow through the link such as below :-
https://login.microsoftonline.com/common/oauth2/authorize?client_id=ffa835f3-417f-415c-b8f5-6f8833f93901&response_type=code&redirect_uri=http%3a%2f%2flocalhost%3a8910%2f&nonce=1234&resource=https://graph.microsoft.com&prompt=admin_consent
The admin consent was successful which means that all users from this directory have been authorized.
Now, when I log to my multi-tenant application through a global admin, the call to assignLicense endpoint is a success which means my code is working well.
However, when a non Global Admin logs in to the application , he is able to login too ( due to the consent given above ) but when I call is made to the graph api to AssignLicense, I get a 403 Forbidden error.
I am not able to understand what should I do to get rid of this error.
This looks like an effective permissions issue. From https://developer.microsoft.com/en-us/graph/docs/concepts/permissions_reference
For Delegated permissions, the effective permissions of your app will
be the least privileged intersection of the Delegated permissions the
app has been granted (via consent) and the privileges of the currently
signed-in user. Your app can never have more privileges than the
signed-in user. Within organizations, the privileges of the signed-in
user may be determined by policy or by membership in one or more
administrator roles. For more information about administrator roles,
see Assigning administrator roles in Azure Active Directory.
For example, assume your app has been granted the User.ReadWrite.All
Delegated permission. This permission nominally grants your app
permission to read and update the profile of every user in an
organization. If the signed-in user is a global administrator, your
app will be able to update the profile of every user in the
organization. However, if the signed-in user is not in an
administrator role, your app will be able to update only the profile
of the signed-in user. It will not be able to update the profiles of
other users in the organization because the user that it has
permission to act on behalf of does not have those privileges.