SharePointOnline: How to authenticate user from Azure AD via CSOM - asp.net-mvc

I have the following requirements:
Create a MVC site with Azure AD authentication.
Fetch lists from SharePointOnline/O365 which also uses the same Azure AD.
Fetch lists from SharePointOnline/O365 anonymously (is it even possible?)
Thanks to VS2015 the first step is trivial.
But how to authenticate the current user in SharePoint? User.Identity does not provide password, so I cannot use ClientContext.Credentials.
I heard there is some Token Provider but haven't found a working case yet. Can anyone help me out?

To get the lists of SharePoint Online from your MVC site, you can consider using the Microsoft Graph REST API instead of CSOM.
You can refer here about the list operations of Microsoft Graph. However, since this API is in beta version, it is not recommended for use in production.
And you can also refer to the link below to get started developing with Microsoft Graph:
App authentication with Microsoft Graph
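Added example, not code from the question or the answer above: if you do need CSOM rather than Graph, the gap the question describes (User.Identity gives no password) is closed by obtaining an Azure AD access token whose audience is the SharePoint tenant and attaching it as a bearer header to every CSOM request. It assumes an OWIN/OpenID Connect sign-in with ADAL.NET caching tokens, and the tenant, client id/secret and site URL are hypothetical placeholders.

```csharp
using System;
using System.Collections.Generic;
using System.Threading.Tasks;
using Microsoft.IdentityModel.Clients.ActiveDirectory; // ADAL.NET
using Microsoft.SharePoint.Client;                       // CSOM

public static class SharePointCsomWithAad
{
    // Hypothetical settings: replace with your tenant's values.
    const string Authority    = "https://login.microsoftonline.com/contoso.onmicrosoft.com";
    const string ClientId     = "<app-registration-client-id>";
    const string ClientSecret = "<app-registration-client-secret>";
    // The token audience must be the SharePoint tenant, not Graph; a Graph token is rejected by CSOM.
    const string SpResource   = "https://contoso.sharepoint.com";

    // Exchange the authorization code received during OpenID Connect sign-in for a SharePoint
    // token (call this from OWIN's AuthorizationCodeReceived notification, then cache it).
    public static Task<AuthenticationResult> RedeemCodeAsync(string code, Uri redirectUri, TokenCache cache)
    {
        var ctx = new AuthenticationContext(Authority, cache);
        return ctx.AcquireTokenByAuthorizationCodeAsync(
            code, redirectUri, new ClientCredential(ClientId, ClientSecret), SpResource);
    }

    // On later requests, get the cached (or refreshed) token for the signed-in user without
    // prompting; userObjectId is the "oid" claim carried by User.Identity.
    public static async Task<string> GetSpTokenAsync(string userObjectId, TokenCache cache)
    {
        var ctx = new AuthenticationContext(Authority, cache);
        var result = await ctx.AcquireTokenSilentAsync(
            SpResource, new ClientCredential(ClientId, ClientSecret),
            new UserIdentifier(userObjectId, UserIdentifierType.UniqueId));
        return result.AccessToken;
    }

    // CSOM has no bearer-token credential type; inject the header on every outgoing request instead.
    // The call runs as the signed-in user, so SharePoint's own permissions still apply.
    public static IList<string> GetListTitles(string siteUrl, string accessToken)
    {
        var titles = new List<string>();
        using (var ctx = new ClientContext(siteUrl))
        {
            ctx.ExecutingWebRequest += (sender, e) =>
                e.WebRequestExecutor.RequestHeaders["Authorization"] = "Bearer " + accessToken;
            var lists = ctx.Web.Lists;
            ctx.Load(lists, ls => ls.Include(l => l.Title, l => l.Hidden));
            ctx.ExecuteQuery();
            foreach (var list in lists)
                if (!list.Hidden) titles.Add(list.Title);
        }
        return titles;
    }
}
```

The app registration needs a delegated SharePoint permission (for example a read-only AllSites scope) granted before the token request succeeds; without it ADAL returns an error rather than a usable token.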

Related

Authentication failure while trying to authenticate with OAuth 2 against Microsoft Office365 account

I have a custom developed Windows service that until recently used basic authentication to access an O365 mailbox over POP and pull the contents on a predefined schedule. Microsoft recently announced that they were dropping the support for basic authentication and I should be using OAuth 2 instead. I have followed the steps in this article and my application has the necessary permissions in the Azure portal. I'm still running into an issue.
I can successfully generate the OAuth token. When I try to use said token to authenticate I get "Authentication failure: unknown user name or bad password". No further details are available. I tried Microsoft support but they only referred me to guides I've already followed. Any help is greatly appreciated!
After three days of scratching my head I finally stumbled upon the answer. Turns out that according to Microsoft ObjectID is different from ObjectID. Because logic! Two different interfaces for the same thing with two different ObjectIDs. You need the one on the right when giving permissions to the mailbox.

MS Graph API Authentication | MS Teams | Bot framework

I am new to bot development. I am working on creating a MS Teams bot using bot framework. The bot will be installed in ‘Personal’ scope in Teams, and it doesn’t have any tab / messaging extension etc. Once installed, I want to get the list of all the members/ channels/ Notification updates (i.e. members added/deleted etc.). As per the different documentation, I can get the list using Graph API.
List members of team - Microsoft Graph v1.0 | Microsoft Docs
List members of a channel - Microsoft Graph v1.0 | Microsoft Docs
To achieve this, I need the token that will be passed in the API. I am not sure how to implement that. I have followed the instructions mentioned in Add authentication to a bot in Bot Framework SDK - Bot Service | Microsoft Docs. There was a step to add ‘Add OAuth Connection Settings’ and there were multiple options in ‘Service Provider’. I selected ‘Azure Active Directory v2’. After doing that, it works and I can get the token, but it only works if during login I use my Azure directory credentials. I have a Microsoft account linked with my MS Teams which is different than the Azure account. A user in a team can have a Microsoft account / work / office account, so this needs to work for everyone. So what would be the correct ‘Service Provider’ option that will work for all accounts?
I was thinking that the flow should be like:
When the user clicks on the ‘Add’ button to install the app in Teams
Once added, bot will prompt for Graph API permission using OAuth.
Once user gives the permission, I can use the token to call graph APIs.
I have also looked at the following tutorials:
How to use Bot Framework Composer to build low-code Microsoft Teams bots (Part 1)
Get user profile information in your Microsoft Teams bot with Microsoft Graph (Part 2) - YouTube
But after performing all the steps, when I try to login, it says – ‘This action can't be performed since the app does not exist or has been uninstalled.’.
I am not getting a clear approach on how to proceed with it.
As #Maxim has also suggested, if you want to have a bot that should run multitenant you need to put the tenant Id as common in the OAuth Setting in the Azure bot. As the value suggests, it isn't going to be specific to a single tenant, and the Redirect Uri should be set to https://token.botframework.com/.auth/web/redirect in the app registration.
This is it, you don't need to add anything.
This is also mentioned in the doc --
We have a sample around it as well that shows how to use the Graph API with the bot -
https://github.com/microsoft/BotBuilder-Samples/tree/main/samples/csharp_dotnetcore/24.bot-authentication-msgraph
You can set up this one and update the Graph calls to get the members of a team or channels.

Excel web addin authentication for AppSource

I am building an Excel Web Addin. I'll need to authenticate the user against Office 365 and publish the addin to AppSource / Office Store. What is the ideal authentication method to use?
I found tutorials for SSO authentication, but then I read on https://learn.microsoft.com/en-us/office/dev/add-ins/develop/sso-in-office-add-ins : "The Single Sign-on API is currently supported in preview only. It is available to developers for experimentation; but it should not be used in a production add-in. In addition, add-ins that use SSO are not accepted in AppSource."
Does this mean SSO applications will still not be accepted to the Store? What authentication flow should I use then? I only need the user to sign in and access my Web API via this identity. If possible, the user shouldn't need to reenter their credentials. Is there a code sample I could follow to get this done?
AppSource is not accepting add-ins that use the preview SSO system at this time.
To authenticate a user with a Microsoft Account or a Work or School (Office 365) account without SSO, the user will need to sign in again even if she or he is already logged into Office. Without the SSO system, the add-in has no way of knowing who is logged into Office, just as a web app open in a browser wouldn't know if Office is running on the machine or who is logged into it.
(Your choice of flow might be affected by whether you have a single page app (SPA) or a server-generated UI. Since you mentioned you have a Web API, I'll assume this is not a SPA.)
I don't know of any sample Office Add-ins that only authenticate the user; but there are a couple that log in the user and then use the Auth Code Flow to get an access token to Microsoft Graph.
PowerPoint Add-in Microsoft Graph ASPNET InsertChart. The Office app is PowerPoint, but the auth-related code would be the same for Excel.
Office Add-in Microsoft Graph ASPNET. This is nearly the same, but has Excel as the Office app. It's not polished. (See the Known Issues in the readme.)
But please keep in mind that an Office add-in is just a web app and -- with one exception -- authorizing a user is the same in an add-in as it would be in any other web app. So, you should be able to use the samples in Azure AD Quickstarts.
The one exception is that you have to open the AAD sign-in page in a special dialog window that is invoked with the Office.js displayDialogAsync API. The 2 samples I linked to above do this. You can get detailed guidance about using the Dialog for auth in the article Dialog API in Office Add-ins.
BTW, Microsoft is in the process of improving its documentation and samples for non-SSO auth. We hope to get these improvements published over the next few weeks.

Microsoft Graph API on existing MVC application

I am implementing a webhook using a Microsoft Graph API using the tutorial on https://github.com/microsoftgraph/aspnet-webhooks-rest-sample.
I have made a demo version work on my localhost. I have an existing web application hosted on Microsoft Azure.
The issue, or rather concern, is: do I use the Account Controller provided by the link https://github.com/microsoftgraph/aspnet-webhooks-rest-sample, or merge it with my existing application?
I have merged it but am having trouble with the login process. The existing login is causing trouble with the login using Office 365. Note that the Office 365 users are not part of the users table yet.

Microsoft Graph API authentication for service apps

We are developing a web application using Microsoft Graph, where the signed-in user can export all the calendar events to a third party calendar application. After this initial export, we need to keep the exported data in sync with calendar changes via a service app (a scheduled task running on the server). This needs to be a multi-tenant application, as people from different organizations should be able to use this service.
Right now we did the authentication using OAuth 2.0 and OpenID Connect as described in this sample. Later we understood that the access token we get using this method cannot be used in the service app without user interaction. Considering our scenario what is the best way to achieve this?
I have read about the App-only authorization method to do this. If we use this authentication method, the app needs to be consented to by a tenant administrator, and these applications are quite powerful in terms of what data they can access in the Office 365 organization. Considering we are developing a product used by different organizations, will it be feasible to use this method?
To use the client credentials OAuth2.0 flow (aka "App-only" or service account access depending on whose documentation you're reading) the admin for each tenancy will need to specify which scopes your daemon process can have for users in their tenancy. The end users can't give these scoping rights to your code themselves (as far as I know at least).
One thing to watch out for is that currently Graph API doesn't allow you to mess about with calendars that are attached to Office 365 Groups if you're using the client credentials flow. This is a pain for us, so we've raised it as an issue that needs fixing in the Office 365 feedback system. If that's an issue for you or anyone else, please throw a few votes at it so that it gets more attention at Microsoft. :-)
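Added example (not the asker's or answerer's code) of the multi-tenant client-credentials setup the answer describes: an admin-consent link per customer tenant, then an app-only Graph token for that tenant from the scheduled task, with no user present. It uses MSAL.NET; the client id/secret are hypothetical placeholders, and it assumes the app registration is multi-tenant and requests only the application permission the sync needs (for example Calendars.Read) so that consenting admins grant the least access possible.

```csharp
using System;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Threading.Tasks;
using Microsoft.Identity.Client; // MSAL.NET

public static class CalendarSyncDaemon
{
    // Hypothetical app registration values; the registration must be multi-tenant.
    const string ClientId     = "<multi-tenant-app-client-id>";
    const string ClientSecret = "<client-secret>";
    // ".default" asks for the application permissions already configured on the registration.
    const string GraphScope   = "https://graph.microsoft.com/.default";

    // Step 1 (once per customer): send their tenant admin here. Only an admin can grant
    // application permissions; the redirect carries the tenant id to store for step 2.
    public static string AdminConsentUrl(string redirectUri, string state) =>
        "https://login.microsoftonline.com/common/v2.0/adminconsent" +
        "?client_id=" + Uri.EscapeDataString(ClientId) +
        "&scope=" + Uri.EscapeDataString(GraphScope) +
        "&redirect_uri=" + Uri.EscapeDataString(redirectUri) +
        "&state=" + Uri.EscapeDataString(state);

    // Step 2 (scheduled task): client-credentials token for one consented tenant. There is
    // no user to disambiguate, so the authority must name that tenant, never "common".
    public static async Task<string> GetAppOnlyTokenAsync(string tenantId)
    {
        var app = ConfidentialClientApplicationBuilder.Create(ClientId)
            .WithClientSecret(ClientSecret)
            .WithAuthority(new Uri($"https://login.microsoftonline.com/{tenantId}"))
            .Build();
        var result = await app.AcquireTokenForClient(new[] { GraphScope }).ExecuteAsync();
        return result.AccessToken;
    }

    // Step 3: read the events of a user whose id (or UPN) was recorded during the initial export.
    public static async Task<string> GetEventsJsonAsync(string tenantId, string userId, HttpClient http)
    {
        var token = await GetAppOnlyTokenAsync(tenantId);
        var request = new HttpRequestMessage(HttpMethod.Get,
            $"https://graph.microsoft.com/v1.0/users/{Uri.EscapeDataString(userId)}/events?$select=subject,start,end");
        request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token);
        var response = await http.SendAsync(request);
        response.EnsureSuccessStatusCode();
        return await response.Content.ReadAsStringAsync();
    }
}
```

Tokens from AcquireTokenForClient are cached by MSAL per tenant, so the task can call it on every run without hitting the token endpoint each time.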
