We have a web application that OAuth with Office 365 using Azure AD. We are trying to restrict the resources we have access to.
Example: The authentication user have access to Site1, Site2 and Site3. We want to limit our application access to Site1 only. Does any one know if this is possible? I tried to go over Office 365, Azure AD and even Discovery API documentation, but I couldn't find anything helpful.
Did you also register the site1, site2 and site3 on the Azure AD? If I understood correctly, we can config the app manifest for the site1, site2 and site 3 to set the require permission like below(refer to here)
"oauth2Permissions": [
{
"adminConsentDescription": "Allow the application full access to the Todo List service on behalf of the signed-in user",
"adminConsentDisplayName": "Have full access to the Todo List service",
"id": "b69ee3c9-c40d-4f2a-ac80-961cd1534e40",
"isEnabled": true,
"type": "User",
"userConsentDescription": "Allow the application full access to the todo service on your behalf",
"userConsentDisplayName": "Have full access to the todo service",
"value": "user_impersonation"
}
],
Then we need to assign the web app with right permission as the Microsoft build service like figure below:
The last step is that site1, site2, site3 need to verify whether the request has the permission to visit the resource via analyze the scope in the access token.
In order to manage Authorization by user you should implement Role Base Access Control, in this link you will find an example using Azure AD https://github.com/Azure-Samples/active-directory-dotnet-webapp-roleclaims
Related
We are trying to identify Sharepoint sites user has access to using Graph API. This is working just fine for internal users. However when we try this for external user (already guested in Azure AD), we are getting below error -
"error": {
"code": "itemNotFound",
"message": "Item not found",
"innerError": {
"date": "2022-06-20T16:28:01",
"request-id": "cde68280-5538-40c3-af60-6602bd7c1214",
"client-request-id": "ef1f7a56-caf4-e1f2-b2b0-57577fa96f03"
}
}
We have tried to use Graph Explorer https://developer.microsoft.com/en-us/graph/graph-explorer and it's the same error there as well.
if you are using the /common endpoint a guest user has its own shadow tenant and wont be pointing to the AAD tenant it has been invited into, thus they cannot access resources like a normal member could, plus they have limitied default permissions and that does not include groups/site access unless they have been added to the area as a direct member.
However, if you are defining the tenant id in the authority then the above is not relevent.
You are right, I tried to do the same thing.
My workaround solution is testing with MS Graph Explorer, its worked for me, then you can code the same requests to talk to Graph API. Here are the steps:
Get your tenant Id using this site : https://www.whatismytenantid.com/
Open MS Graph Explorer like this : https://developer.microsoft.com/en-us/graph/graph-explorer?tenant=tenantId
Sign in to MS Graph Explorer with the guess account
You should see the name of your guess signed in with your tenant if not sign out and sign in again.
Unfortunately, You won't be able to lists the SharePoint Sites using https://graph.microsoft.com/v1.0/sites?search=* (honestly I do not know why, maybe because the guest has only a Family account ? Its worked fine with a user in the same org.
You need to know the siteId, then you can list the document libraries, folders, files, etc... using a request like this : https://graph.microsoft.com/v1.0/sites/siteId/drives
I wish I can get the siteId from MS Graph Explorer for a guest user, but looks like it is not possible. BTW, doing the same on Google WorkSpace is a no brainer using shared drives, not like Microsoft at all...
Required: MS Graph App that has access to companyB.sharepoint.com drive/file items for a member of CompanyA
I am from Company/Organisation A. I have been granted access to a sharepoint site of Company/Orgtanisation B.
https://companyB.sharepoint.com/sites/company_name/XXXX%20Files/Forms/AllItems.aspx
Via a browser this works as expected (i.e. access to the sharepoint site)
I have created a Multi-Tenant App (Azure dev portal) and have been able to receive a user delegated access token. refresh token works fine.
The App (Overview) => Supported Account types: Multiple organisations.
Using the Graph Explorer (Authenticated for company A user) https://developer.microsoft.com/en-us/graph/graph-explorer
https://graph.microsoft.com/v1.0/sites/companyB.sharepoint.com:/sites
returns
{
"error": {
"code": "invalidRequest",
"message": "Invalid hostname for this tenancy",
"innerError": {
"date": "2022-04-12T04:36:00",
"request-id": "qqq21a6d3-xxx-xxx-xxx-xxx390a4yyy",
"client-request-id": "qqq382fa-xxx-xxx-xxx-xxx708yyy"
}
}
}
What I'm trying to achieve is to get access to and obtain a list of files contained in the Sharepoint site under CompanyB. Then being able to walk through the files, add/edit/delete files to these directories (or whatever terminology MS uses for Sites and Files/Folders within a site)
I cannot seem to find the 'SiteID' or 'DriveId' that the URL references point to...
Would it be feasible to create an APP under Company B (ie create a dev account for them) and create a simpler, non verified, organisation only app under company B and then login as a user from Company A?
Any pointers of examples of anyone that has done this is appreciated.
We have a published app in the Teams App Store.
We want to let the bot to have access to Teams Files. This is possible using Graph Application Permissions.
But there's a small problem, the "Files.Read.All" and "Files.ReadWrite.All" seems like overkill to our clients and they are not going to let us access all SharePoint resources just to upload a file into Teams Directory.
Resource-specific consent looks like a solution for our purposes.
However, after checking the documentation and samples we've found out that there are no "Files.ReadWrite.Group" and "Sites.ReadWrite.Group" resource-specific consent permissions.
Despite that, we tried to add them but got an error during the app installation process.
When we're requesting the channel information from graph api using resource-specific consent permissions we get:
{
...
"filesFolderWebUrl": "https://example.sharepoint.com/sites/RSC/Shared Documents/General",
...
}
If we try to request GET {filesFolderWebUrl} with auth token we get 401 UNAUTHORIZED.
We also tried to use https://example.sharepoint.com/_api/ and it fails with:
{
"error_description":"Exception of type 'Microsoft.IdentityModel.Tokens.AudienceUriValidationFailedException' was thrown."
}
The GET https://graph.microsoft.com/beta/sites/ request returns blank response:
{
"#odata.context": "https://graph.microsoft.com/beta/$metadata#sites",
"value": []
}
Is there a way to get access to Teams Files using resource-specific consent? Any help would be appreciated.
As an alternative to RSC you could use SharePoint Site collection Level Permission
aka "The SharePoint flavour of RSC"
using the ``Sites.Selected` Graph permission.
This will allow a Customer Admin to grant your app/bot access to specific SharePoint SiteCollections.
While this does not give the 'automagical' permissions when a Teams App is installed in a team, it will allow you to use App Permissions with a scope that is both controllable, and smaller than 'entire tenant'
See:
PG Blog Bost & Demo:
https://devblogs.microsoft.com/microsoft365dev/controlling-app-access-on-specific-sharepoint-site-collections/
Blogpost with samples : https://dev.to/svarukala/use-microsoft-graph-to-set-granular-permissions-to-sharepoint-online-sites-for-azure-ad-application-4l12
Create Site Permission: https://learn.microsoft.com/en-us/graph/api/site-post-permissions?view=graph-rest-1.0&tabs=http
Team (group) resource-specific consent doesn't currently support access to the team's files.
There are some new graph scopes (preview) you could try:
Files.Read.Selected - allows read access to files user can select.
Files.ReadWrite.Selected - allows read/write access to files user can select
Files.ReadWrite.AppFolder - allows access to files in the "app folder". This one looks promising in your case.
These are new, and in "preview" state at the moment of writing, but already available for the apps. Disclaimer: I have not tried them myself yet, just discovered recently.
I am attempting to create user social accounts for Microsoft logins on my B2C tenant without using the sign up userflow. When the sign up userflow is ran and you register a Microsoft Account a user is created in the tenant with a source of "Microsoft Account".
I have been experimenting with the Microsoft Graph API using the create user post request where in i can create a working local account fine but am having issues creating a Microsoft user that works with the B2C Login using the examples in the link below. I don't think I have a valid issuerAssignedId for the Microsoft accounts I am creating and I am not actually trying to migrate existing accounts. The user record is created in B2C when the post request is ran but when i try to log in using the microsoft account it is responding back with AADB2C99002: User does not exist.
https://learn.microsoft.com/en-us/graph/api/user-post-users?view=graph-rest-1.0&tabs=http#example
Not exact values but example of payload i am using:
{
"displayName": "Test Name",
"identities": [
{
"signInType": "emailAddress",
"issuer": "mytenant.onmicrosoft.com",
"issuerAssignedId": "test#outlook.com"
},
{
"signInType": "federated",
"issuer": "live.com",
"issuerAssignedId": "test#outlook.com"
}
],
"passwordProfile" : {
"password": "password-value",
"forceChangePasswordNextSignIn": false
},
"passwordPolicies": "DisablePasswordExpiration"
}
Is there a way I can achieve this? Thanks.
I don't think I have a valid issuerAssignedId for the Microsoft
accounts I am creating and I am not actually trying to migrate
existing accounts.
You cannot use Microsoft Graph API to create an MSA which doesn't exist.
Although the user record is created in B2C when the post request is ran, it is only a record as you mentioned.
The real identity authentication process is done by MSA rather than B2C.
So AADB2C99002: User does not exist is the expected behavior in this case.
You can set a non-existing MSA while calling this Microsoft graph endpoint, but it will not create an MSA in the MSA IDP side. So you cannot log in with it.
The best practice is to create the MSA in advance and use it for this Graph call.
I also would like reset a user password using Microsoft Graph from a windows service using admin permissions. Using PATCH request to the user's profile
seemed promising but the required Directory.AccessAsUser.All permission is not on the list at apps.dev.microsoft.com so I get a "Insufficient privileges to complete the operation." error.
I had promised to replace PowerShell cmdlets with Microsoft Graph in our application and this small but essential feature now becomes a blocker.
Is there a plan to add this permission to the list?
Is there any way I can assign this permission? perhaps by editing the manifest? If so does anyone know the correct info
"resourceAppId": "????",
"resourceAccess": [
{
"id": "????",
"type": "Scope"
,
What's with the office portal Azure Directory Admin, app registration (preview)? I can see the app I registered at apps.dev.microsoft.com. Is it now an alternative to apps.dev? I like the interface better and the built-in admin consent button.
There is no application permission (yet) that allows you to reset a user's password using Microsoft Graph.
Is there a plan to add this permission to the list?
Yes, but that's about all there is to share, at the moment.
Is there any way I can assign this permission?
The only way to achieve this today (2019-01-17) is to assign the "Company Administrator" role to the ServicePrincipal object for your app — a very risky move (which is not recommended), as it will give your app full admin permissions.
What's with the office portal Azure Directory Admin, app registration (preview)? [...] Is it now an alternative to apps.dev?
Yes, though it's still in preview and it's possible some things might not work (as with all things in preview).