I am currently working on an application that allows users to upload/download files. My company wants to have user files stored in their One Drive and not on our server. The only problem with this is that we want to avoid double authentication in order to access their OneDrive account.
For example we have n users associated with an organization. This organization has a single OneDrive account that all of the users will share (legal?). Once a user authenticates to our application, the idea is to have our application sign them in without user interaction by using the Live API so that they may access their organizations files.
Do we have to authenticate every time we wish to use this service or just once?
It's not a big deal for us to do this once for every organization when setting up their account but a requirement is to avoid double authentication. We want the OneDrive storage to be transparent to the user.
Does this violate any of Microsoft's Terms and Conditions?
Thanks! Any input is appreciated as I've never worked on a cloud based application before. If OneDrive isn't a viable solution are there any other recommended services my company could look at?
Consumer OneDrive isn't intended for business use and sharing a single OneDrive account for multiple people isn't recommended either. You should look into OneDrive for business for your scenario: https://onedrive.live.com/about/en-us/business/.
OneDrive for Business uses the SharePoint developer APIs: http://blogs.msdn.com/b/sharepointdev/archive/2013/08/13/access-skydrive-pro-using-the-sharepoint-2013-apis.aspx
I found that the Box API does not support a grant type of passworrd. Neither does OneDrive or DropBox. Without this grant type it is impossible to sent a username and password to log a user in.
Related
I have an App. registered as multi-tenant in azure, configured to allow access to users from other tenants including personal accounts etc..
But it fails when I tried to send using an external personal account. However it is working fine on the tenant members.
My question is, is it required for an external user to have an Exchange License to send email using the Graph API via my app?
If I'm sending using the application scope sendMail, does the user I used to send the email from needs to have a valid exhange license?
Thanks!
I need some experienced opinions or links to a helpful articles about my issue.
Yes, the user you are using to send the email using application permission must have a valid Exchange license.
Also, user has to be part of your tenant while using the application permission otherwise it will just throw 404 not found
Yes, user should be licensed. And to be accessed with personal accounts your application should be registered with audience as "Accounts in any organizational directory and personal Microsoft accounts" https://learn.microsoft.com/en-us/graph/auth-register-app-v2
I am writing an api using the msgraph api which should be able to read mail from shared mailboxes. I have setup the application in Azure and have given the following permission (my app is running as its own service and not on behalf of an user)
What I am confused about is
Why does it show Delegated, all the rest of my permissions to the application show Application.
Since this is an application how does an user share a particular mailbox with this application, what I can think of is to create a service account, then this application impersonates that service account and then uses the service account to access the shared mail, but this sounds like a really complicated process and am wondering if I'm heading down the correct path.
thanks in advance.
From the Microsoft graph permissions reference, Mail Permissions Mail.Read.Shared and Mail.Send.Shared require a signed in user which is why the permissions show up as delegated. To the best of my knowledge, there isn't currently a way to access shared mailboxes via Ms graph without a signed in user.
Please let me know if this helps, and if you have further questions.
I'm developing an application on Microsoft Graph that runs as a daemon, and needs access to many accounts. As a result, I'm using a service account, also known as client credentials (using this method).
I can request the proper scope (calendars.readwrite) however as far as I can see, I cannot restrict to which calendars I have access. In my case, I only need access to the meetingroom calendars, and I'm afraid that organisations will not allow my application if I can also read and write from/to the CEO's calendar.
Is there any way (either while creating the app, or during/after giving admin consent) to restrict my app to only a subset of calendars? Or should I approach this problem differently and (e.g.) not use a service account in the first place?
I saw some information about single sign on in combination with the azure ad. Does that mean I can create a web application that's using the graph api (Calendar , Contact) and using the single sign on for a pleasant user experience. I'm aware of the fact that the user should autorize the application to access his/her private data.
I have already looked on
https://azure.microsoft.com/en-us/documentation/articles/active-directory-sso-integrate-saas-apps/
https://azure.microsoft.com/nl-nl/documentation/articles/active-directory-appssoaccess-whatis/
Yes, you can register an application with Azure AD and use it to leverage the user's identity in the Microsoft cloud (for work and school accounts and for personal accounts) to support single sign-on. In addition that same application can then be authorized to access their data (mail, calendar, files, contacts, etc.) via the Microsoft Graph API.
We are developing a web application using Microsoft Graph, where the signed in user can, Export all the calendar events to a third party calendar Application. After this initial export, we need to keep the exported data in sync with calendar changes via service app (a scheduled task running on server). This need to be a multi tenant application, as people from different organizations should be able to use this service.
Right now we did the authentication using OAuth 2.0 and OpenID Connect as described in this sample. Later we understood that the access token we get using this method cannot be used in the service app without user interaction. Considering our scenario what is the best way to achieve this?
I have read about App-only authorization method to do this. If we use this authentication method, the app need to be consented by a tenant administrator and the these applications are quite powerful in terms of what data they can access in the Office 365 organization. Considering we are developing a product used by different organizations, will it be feasible to use this method?
To use the client credentials OAuth2.0 flow (aka "App-only" or service account access depending on who's documentation you're reading) the admin for each tenancy will need to specify which scopes your daemon process can have for users in their tenancy. The end users can't give these scoping rights to your code themselves (as far as I know at least).
One thing to watch out for is that currently Graph API doesn't allow you to mess about with calendars that are attached to Office 365 Groups if you're using the client credentials flow. This is a pain for us, so we've raised it as an issue that needs fixing in the Office 365 feedback system. if that's an issue for you or anyone else, please throw a few votes at it so that it gets more attention at Microsoft. :-)