Accessing users' photos from Outlook using REST API (MVC 5) - asp.net-mvc

Is there a way to use the Outlook User photo REST API using Azure AD & OAuth or do we have to use the Azure AD v2 authentication endpoint way to retrieve photos?
Is there any other way to retrieve user photos from Outlook.com so I can use it in my web app?
I am using Azure AD to authenticate users at the moment and want to use the Azure portal only, not the Microsoft Application Registration portal.
Thanks.

The difference between Azure portal and Microsoft Application Registration portal is that Microsoft Application Registration portal supports Azure AD V2.0 endpoint.
The Azure AD v2.0 endpoint supports both Microsoft accounts and Azure Active Directory accounts.
So, it depends on which users' photo you want to acquire. If you want the app only support the users from Azure AD tenant, it is well to select Azure portal to register the app.
And here is the Microsoft Graph REST API about get the photo in user's mailbox on Exchange Online for your reference(Get photo):
GET https://graph.microsoft.com/v1.0/me/photo/$value

Related

Using Azure B2C login to access Microsoft Graph is the social login is a Microsoft account

I have an application (Blazor WebAssembly in my case but I believe this scenario applies to other application types as well) that uses the excellent (and convenient) Azure B2C login services to allow my users to register and log in using either a local account or some social accounts. In particular, I am supporting logging in with a Microsoft account. Once a user is logged in using his Microsoft account I want to give the user the option to save content on OneDrive without the user having to provide credentials again to access the Microsoft Graph API.
In the returned claims after logging in using Azure B2C API I see that there is a idp claim (that's how I can determine if the user is logged in using a Microsoft account) and there is also a idp_access_token claim but it is not a valid JWT to use against the Microsoft Graph unfortunately.
What is the nature of the idp_access_token? How can I use it to access the Microsoft Graph and request additional scopes?
Azure AD B2C receives an access token (idp_access_token) from the identity provider. Azure AD B2C uses that token to retrieve information about the user. See details here.
No matter whether idp_access_token claim is a valid JWT, it cannot be used to access Microsoft Graph or other additional scopes. As the document has stated, it is for retrieving information about the user. Usually the embedded IdP access token is used to call the services that the IdP hosts. But Microsoft Graph data is hosted in Azure AD, not Microsoft Account side.
Currently, if you want to call Microsoft Graph API for B2C tenant, you have to follow Azure AD Authentication protocols. For example, OAuth 2.0 authorization code flow.
If you want to call you own API protected by B2C, you should choose Azure B2C Authentication protocols. For example, OAuth 2.0 authorization code flow in Azure Active Directory B2C.

Accessing Azure B2C-protected odata feed using PowerBI desktop / excel

I'm working on OData/webAPI service implementation. PowerBI desktop app will be used to retrieve info from the service using odata feed datasource.
Service in protected by Azure B2C auth. Accessing odata endpoints using browser works fine - after signing in access is granted. But when I'm trying to connect to the feed using powerbi desktop by performing signin attempt, it reports that token source is not trusted.
picture related: sign in error
Also, in case of single-tenant Azure AD auth (not B2C) usage, authentication in PowerBI worked though.
So, is there a possibility to make PowerBI work with Azure AD B2C (to make it trust the token source)?
No, Azure AD B2C does not issue tokens which Microsoft first party services recognize. AAD B2C is used to protect you own services which you supply to your own customers.
If you would like your customers to have self service sign up, and access Power Bi resource, then have your front end web app talk to a backend API. Protect the front end and backend with AAD B2C. That backend API should use client_credentials to authenticate via AAD endpoints to access Power Bi data on behalf of the user.

Allow login authentication on our web-site using Microsoft Azure MFA

We have a company web-site developed in ASP.NET MVC that currently allows our customers to login using login name and password. These customers are in our SQL Server database. The customers once logged in can use our services.
We would like to authenticate our customers using Azure Multi-Factor Authentication feature.
How can we implement Microsoft Azure Multi-Factor authentication in our use-case ?
Is it required that our website should be deployed on Azure App service.
Thanks,
Gagan
Take a look to this Add sign-in to Microsoft to an ASP.NET MVC web app.
Or
Configure your App Service or Azure Functions app to use Azure AD login for a simplified setup.
You don't need Azure Web Apps to enable MFA, you can enforce MFA using Conditional Access Policies or similar Azure AD features.
You can then add an Id column into your SQL database user table to store the Azure AD User Object Id (which you can obtain from his Azure AD token sub claim) as a reference for future operations.

ASP.Net MVC : Allow multiple identity provider (MSA and AAD) at same time

I’m currently working on application built on ASP.NET MVC which uses Microsoft account (MSA) authentication. To implement a new requirement, during a flow (say on step 2) the application has to validate the user against Azure Active Directory (AAD) authentication for organization account (while MSA login should persist) to grant special privileges and move to step 3.
So during step 2 to 3 navigation, MSA authentication should not be logged out and user can be validated against AAD.
Is it possible to allow have concurrent logged-in via two different identity providers (MSA and AAD)?
It is not possible if you are suing Azure AD v1.0 endpoint. However, you can Azure AD v2.0 end point to implement. This document helps in Comparing the Azure AD v2.0 endpoint with v1.0 endpoint.
To build an app that accepts both personal Microsoft account (MSA), and work or school account (Azure AD) sign-in, you'll need to register an app with the Azure Active Directory (Azure AD) v2.0 endpoint. At this time, you won't be able to use any existing apps you may have with Azure AD or MSA - you'll need to create a brand new one. refer to this document to help on it - Quickstart: Register an app with the Azure Active Directory v2.0 endpoint.
You can also use Azure AD B2C and use custom policy to add MSA as Identity Provider. Refer to this document for details - Azure Active Directory B2C: Add Microsoft Account (MSA) as an identity provider using custom policies.

Is MS Azure Active Directory account mandatory to implement oauth for office 365?

To access office 365 mails using Oauth, do I need Azure account?
Can't I use normal office 365 or exchange server account to create the application?
With Office 365, an instance of Azure active Directory is automatically provisioned for your O365 tenant. You need to setup an Azure account/subscription to access the AAD configuration via the Azure portal but you do not need to pay anything additional. Your O365 tenant admin will have access to the Azure portal.
To create an application that leverages O365 credentials for authentication, you must register your application with your AAD instance. There's lots of documentation on the Azure docs site, with samples and more detailed guidance.

Resources