I have a test Office 365 install to run some sample queries against Microsoft Graph.
Part of the authentication flow outlined here describes getting the tenant ID from Azure AD. To get your tenant ID you have to go through manage.windowsazure.com according to the guidance provided.
So, is it that to build these MS graph apps, you have to provision an Azure Subscription?
No. You don't have to provision an Azure Subscription. The tenant ID from Azure AD is referenced because, I guess, 'behind the scenes' Office 365 is on Azure, its authentication is based on Azure AD, etc.
You can create an application in https://portal.azure.com, even if you don't have an Azure AD subscription.
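The tenant ID the question asks about can also be read from the tenant's public OpenID Connect discovery document, which needs neither an Azure subscription nor a sign-in. The script below is an added example, not code from the original thread; it assumes `curl` is available for the online lookup, and the discovery JSON and tenant GUID embedded in it are constructed placeholders, not a real tenant.

```shell
#!/bin/sh
# Added example: resolve an Azure AD tenant ID from the public OpenID Connect
# discovery document. No subscription and no credentials are required.

# Constructed sample of a discovery document, trimmed to the fields we use.
# The GUID is a made-up placeholder, not a real tenant.
SAMPLE_DISCOVERY='{"token_endpoint":"https://login.microsoftonline.com/00000000-1111-2222-3333-444444444444/oauth2/v2.0/token","issuer":"https://login.microsoftonline.com/00000000-1111-2222-3333-444444444444/v2.0"}'

# discovery_url DOMAIN -> v2.0 discovery URL for a tenant domain such as
# contoso.onmicrosoft.com (or a verified custom domain).
discovery_url() {
    printf 'https://login.microsoftonline.com/%s/v2.0/.well-known/openid-configuration\n' "$1"
}

# tenant_id_from_json JSON -> the 36-character tenant GUID taken from the
# "issuer" URL; prints nothing if the document does not carry one.
tenant_id_from_json() {
    printf '%s' "$1" | sed -n 's|.*"issuer":"https://login\.microsoftonline\.com/\([0-9a-fA-F-]\{36\}\)/v2\.0".*|\1|p'
}

# fetch_tenant_id DOMAIN -> live lookup with curl, then the same extraction.
fetch_tenant_id() {
    tenant_id_from_json "$(curl -fsS "$(discovery_url "$1")")"
}

# Offline demonstration on the constructed sample:
tenant_id_from_json "$SAMPLE_DISCOVERY"
```

The issuer value is what tokens for that tenant will carry in their `iss` claim, so the same GUID is the one to pin in your application's token validation rather than accepting any tenant.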
az ad app permission add needs Azure Active Directory Graph - Application.ReadWrite.All:
az ad app permission add - Insufficient privileges to complete the operation
However, Azure AD Graph API is being deprecated. Will az ad at some point be updated to use Microsoft Graph API instead?
az ad manages Azure Active Directory Graph entities needed for Role Based Access Control. It is still using the AD Graph API, not the new Microsoft Graph API. You could give feedback on UserVoice.
You could call Microsoft Graph API with az rest in Azure CLI, see here.
Since Microsoft Graph Service Principal API is GA, we recommend using az rest instead of az ad for the time being until we fully migrate az ad to Microsoft Graph.
According to this comment from a member of the Azure cli team, they plan to migrate az ad to MS Graph: https://github.com/Azure/azure-cli/issues/12946#issuecomment-737196942
Azure CLI team is currently working on the ADAL -> MSAL migration. We will start the planning and implementation of Active Directory Graph -> Microsoft Graph migration once the previous task is done. + #achandmsft
You can achieve it by adding the required role to the service principal.
You don't require AAD graph permissions. You need to add the service principal to the Global Administrator Role using Azure portal->Azure AD->Roles and Administrators->Application Administrator
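The two answers above (call Microsoft Graph with `az rest`, and put the service principal into a directory role) can be combined into one script. What follows is an added example, not code from the thread or from the Azure CLI project: it resolves the application's service principal, finds the Application Administrator role (the narrower of the two roles named above), and adds the principal as a member through the Graph `$ref` endpoint. It assumes the Azure CLI is installed and logged in as an account allowed to manage directory roles; the ids used in the test are constructed placeholders.

```shell
#!/bin/sh
# Added example: the Microsoft Graph calls behind "use az rest instead of
# az ad" for granting a service principal a directory role.
# Assumes an installed, logged-in Azure CLI; az rest picks the Graph token
# itself for graph.microsoft.com URLs.

GRAPH='https://graph.microsoft.com/v1.0'

# sp_lookup_url APP_ID -> Graph URL that maps an application (client) id to
# its service principal. $filter must reach Graph literally, hence \$.
sp_lookup_url() {
    printf "%s/servicePrincipals?\$filter=appId eq '%s'\n" "$GRAPH" "$1"
}

# role_members_url ROLE_ID -> endpoint that adds a member to an activated role.
role_members_url() {
    printf '%s/directoryRoles/%s/members/$ref\n' "$GRAPH" "$1"
}

# role_member_ref_body OBJECT_ID -> JSON body naming the object to add.
role_member_ref_body() {
    printf '{"@odata.id":"%s/directoryObjects/%s"}' "$GRAPH" "$1"
}

# graph_get URL [JMESPATH] -> GET via az rest, result as plain text.
graph_get() {
    az rest --method get --url "$1" --query "${2:-@}" -o tsv
}

# grant_app_admin APP_ID -> resolve both ids, then POST the membership.
# Fails early instead of posting an empty id into the role.
grant_app_admin() {
    sp_id=$(graph_get "$(sp_lookup_url "$1")" 'value[0].id')
    role_id=$(graph_get "$GRAPH/directoryRoles" \
        "value[?displayName=='Application Administrator'].id | [0]")
    if [ -z "$sp_id" ] || [ -z "$role_id" ]; then
        echo "service principal or role not found" >&2
        return 1
    fi
    az rest --method post --url "$(role_members_url "$role_id")" \
        --body "$(role_member_ref_body "$sp_id")"
}

# Usage (needs a logged-in az; the id is a placeholder):
# grant_app_admin 00000000-0000-0000-0000-000000000000
```

Two caveats: a built-in role appears under `/directoryRoles` only once it has been activated in the tenant, so an empty `role_id` usually means the role has never been used there rather than a typo; and every successful POST shows up in the Azure AD audit log as a role membership change, which is the event to alert on if service principals are not normally granted directory roles.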
Does Microsoft Graph already have functionalities for Azure AD B2C User CRUD?
I found these related SO questions:
Which Graph API should be used with Azure AD B2C
Correct Graph API to manage Azure AD B2C
But both have answers that are dated 2017, so I am wondering if there are already updates from Microsoft that I am not aware of. I still have not found any in my searches.
Below are the links I have found so far that seem to conflict with each other (some of the links were also mentioned in the other questions).
In (D), it seems to offer options for User CRUD but I am not sure if it is just for Azure AD and not for Azure AD B2C.
Any help is appreciated. Thanks!
A. Azure AD B2C: Use the Azure AD Graph API (Date: 08/07/2017)
https://learn.microsoft.com/en-us/azure/active-directory-b2c/active-directory-b2c-devquickstarts-graph-dotnet
It says: You must use the Azure AD Graph API to manage users in an Azure AD B2C directory. This is different from the Microsoft Graph API. Learn more here.
B. Operations on users | Graph API reference (Last Updated: 2/12/2018)
https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/users-operations
It says: We strongly recommend that you use Microsoft Graph instead of Azure AD Graph API to access Azure Active Directory resources. Our development efforts are now concentrated on Microsoft Graph and no further enhancements are planned for Azure AD Graph API. There are a very limited number of scenarios for which Azure AD Graph API might still be appropriate; for more information, see the Microsoft Graph or the Azure AD Graph blog post in the Office Dev Center.
C. Microsoft Graph or Azure AD Graph (Date: July 8, 2016)
https://blogs.msdn.microsoft.com/aadgraphteam/2016/07/08/microsoft-graph-or-azure-ad-graph/
It says: In general, we recommend the use of Microsoft Graph over Azure AD Graph, as Microsoft Graph is where we are investing for Microsoft cloud services.
But then, it says at the bottom:
AAD Graph Capability | Status in Microsoft Graph (March 23, 2018)
12. Manage users in a B2C tenant (set local accounts, sign in names) | Coming soon (preview)
D. Microsoft Graph: User resource type
https://developer.microsoft.com/en-us/graph/docs/api-reference/v1.0/resources/user
It lists options to Create, Update and Delete a user.
It is a bit ambiguous but I believe it is clear from the Azure AD B2C documentation that "you must use the Azure AD Graph API to manage users in an Azure AD B2C directory".
For example, according to the Microsoft Graph API documentation, you can't create a local account in an Azure AD B2C directory with a sign-in name.
I have also experienced issues with getting and setting a few properties, including any extension properties, for users in an Azure AD B2C directory using the Microsoft Graph API.
To access Office 365 mails using OAuth, do I need an Azure account?
Can't I use a normal Office 365 or Exchange Server account to create the application?
With Office 365, an instance of Azure Active Directory is automatically provisioned for your O365 tenant. You need to set up an Azure account/subscription to access the AAD configuration via the Azure portal, but you do not need to pay anything additional. Your O365 tenant admin will have access to the Azure portal.
To create an application that leverages O365 credentials for authentication, you must register your application with your AAD instance. There's lots of documentation on the Azure docs site, with samples and more detailed guidance.
We are planning to integrate Authentication with Office 365 using MVC (.NET) and had a few questions.
I am under the assumption that many organizations might have an Office 365 subscription, but it is not mandatory that they should have an Azure subscription as well. Is this right?
Under the Office 365 account for an organization, there can be many users (not AD).
If my organization needs to export existing AD users into Office 365, is that the point where I should be thinking of an Azure subscription, or can existing users from AD be directly exported to Office 365?
You can use Office 365 (O365) without an Azure Subscription; however, the directory service used for access to O365 is actually Azure Active Directory (Azure AD). The default directory namespace is {subscriptionname}.onmicrosoft.com.
All O365 users will be registered in an Azure AD instance tied to the O365 subscription.
Existing on-premises users held in Windows Active Directory can be synchronised to Azure AD using the Azure Active Directory Sync Services, which is a free tool and which can be used without an Azure Subscription.
If at some later point you wish to use the same Azure AD instance as part of an Azure Subscription, it is possible to.
Chris, your first assumption is correct. Customers that have an Office 365 subscription do not necessarily have an Azure subscription too. However this doesn't prohibit them from signing up for applications like yours using their Office 365 Azure AD and using single sign-on with their Office 365 accounts. During sign-up customers will consent to granting your application the required delegated permissions - this experience doesn't require an Azure subscription.
All Office365 accounts live in the Azure Active Directory to which that Office365 subscription is associated. That Azure AD can contain user accounts mastered in the cloud and/or user accounts mastered in an on-premises directory that have been synchronized to the cloud. Many of our customers are small businesses with accounts only in the cloud, whereas our enterprise customers synchronize accounts from on-premises and also create cloud-only accounts.
Synchronizing on-premises directory to Office 365 Azure AD also doesn't require an Azure subscription. The Azure AD Sync tool is available outside of an Azure subscription.
Finally, Azure AD administration via the Azure management portal (requires Azure subscription) provides many identity management features that aren't available in the Office365 management portal: Azure AD premium reports including anomalous sign-ins, managing access to third party applications like the one you're building (simple users and groups assignment as well as assigning users and groups to application roles), managing security groups in the cloud and many more.
Read more about Azure AD and most importantly try out both the experiences (without and with Azure subscription).
Hope this helps.
If I have an Office 365 Business plan, can I build an ASP.NET MVC and authenticate against Office 365 AD? or do I still need to create a separate AD on Azure and connect to it?
If you have an Office 365 account, you have an Azure Active Directory. When signing in to Azure, you'll have to make sure you choose to use your admin organizational account (and sign up for a free trial if you haven't yet done so). Once in the Azure portal, click on 'Active Directory' and you will see that you already have a directory.
Now, as far as the MVC web application goes, check out the Azure Active Directory Samples on GitHub. Also be sure to look at some different scenarios which are documented on MSDN. In particular, I'd recommend looking at the WebApp-GraphAPI-DotNet sample, which is an MVC application authenticating with OpenID Connect against Azure AD and using this to query the AAD Graph API for details.
(Edit: updated links to new material.)
I would recommend you to get an Azure enterprise account; you should federate your users to Azure AD and then register your MVC application with Azure Active Directory to get single sign-on capability.