SharePoint UserProfileService Web Services Permissions - ruby-on-rails

I'm using a Ruby gem called Savon to interact with SharePoint 2010's UserProfileService Web Service. I'm getting an error: Attempted to perform an unauthorized operation. I used
client.wsse.credentials "username", "password"
to pass my credentials. Anyone know what permissions are needed to use the UserProfileService web service?

In SP 2007, the username/password you use will need to have the "Manage User Profiles" permission set in the Shared Service Provider (SSP). In SP 2010, I am not sure what the equivalent is since there is no longer an SSP, but a User Profile Service. I am sure there is something similar.

In Manage service applications in Central Admin, click on the User Profile Service, then click Permissions in the ribbon and add the user with Full Control permissions.
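Whatever permission ends up granted in Central Admin, it is worth knowing what `client.wsse.credentials` actually puts on the wire: a WS-Security UsernameToken, which in Savon's default mode carries the password in clear text and is only safe behind HTTPS. The Ruby below is an added example (not code from the question, the answers, or Savon) that builds that header by hand in both the plain-text and digest forms and shows the check a WS-Security endpoint performs on a digest token (recompute the digest, bound the Created timestamp, reject a replayed nonce). The SharePoint namespace and the GetUserProfileByName method name are assumed for illustration.

```ruby
require "digest/sha1"
require "base64"
require "securerandom"
require "cgi"
require "set"
require "time"

WSSE_NS = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
WSU_NS  = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
UTP     = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0"
B64_ENC = "http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-soap-message-security-1.0#Base64Binary"
# Assumed for illustration: namespace of SharePoint's UserProfileService.
UPS_NS  = "http://microsoft.com/webservices/SharePointPortalServer/UserProfileService"

# UsernameToken profile: Password_Digest = Base64(SHA-1(nonce_bytes + created + password)).
# The nonce goes into the hash as raw bytes; only its base64 form travels in the XML.
def wsse_password_digest(nonce_bytes, created, password)
  Base64.strict_encode64(Digest::SHA1.digest(nonce_bytes.b + created.b + password.b))
end

# Build the wsse:Security header. :text is the plain UsernameToken (password verbatim,
# acceptable only inside TLS); :digest sends a one-time hash bound to nonce and time.
def wsse_header(username, password, mode: :text,
                nonce_bytes: SecureRandom.random_bytes(16), created: Time.now.utc.iso8601)
  password_el =
    if mode == :digest
      %(<wsse:Password Type="#{UTP}#PasswordDigest">#{wsse_password_digest(nonce_bytes, created, password)}</wsse:Password>)
    else
      %(<wsse:Password Type="#{UTP}#PasswordText">#{CGI.escapeHTML(password)}</wsse:Password>)
    end
  <<~XML
    <wsse:Security xmlns:wsse="#{WSSE_NS}" xmlns:wsu="#{WSU_NS}">
      <wsse:UsernameToken>
        <wsse:Username>#{CGI.escapeHTML(username)}</wsse:Username>
        #{password_el}
        <wsse:Nonce EncodingType="#{B64_ENC}">#{Base64.strict_encode64(nonce_bytes)}</wsse:Nonce>
        <wsu:Created>#{created}</wsu:Created>
      </wsse:UsernameToken>
    </wsse:Security>
  XML
end

# SOAP 1.1 envelope for a GetUserProfileByName call (method and element names assumed).
def user_profile_request(username, password, account_name, mode: :text)
  <<~XML
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
      <soap:Header>#{wsse_header(username, password, mode: mode)}</soap:Header>
      <soap:Body>
        <GetUserProfileByName xmlns="#{UPS_NS}">
          <AccountName>#{CGI.escapeHTML(account_name)}</AccountName>
        </GetUserProfileByName>
      </soap:Body>
    </soap:Envelope>
  XML
end

# Compare two strings without leaking where they differ through timing.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Server-side verification of a digest token. seen_nonces is the replay cache
# (an in-memory Set here; a real service would bound it by the skew window).
def verify_wsse_digest(digest_b64, nonce_b64, created, password,
                       seen_nonces:, now: Time.now.utc, max_skew: 300)
  return false if (now - Time.iso8601(created)).abs > max_skew
  return false if seen_nonces.include?(nonce_b64)
  expected = wsse_password_digest(Base64.strict_decode64(nonce_b64), created, password)
  return false unless constant_time_equal?(expected, digest_b64)
  seen_nonces << nonce_b64
  true
rescue ArgumentError
  false
end
```

The digest form still requires the server to hold the clear-text password (it has to recompute the SHA-1), so it protects the wire, not the credential store; treat it as a mitigation for the plain-text case, not a substitute for TLS.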

Related

What am I doing wrong to get group.selected working in graph API?

I'm currently trying to implement an app to read calendars only for a group that's permitted to the app. The idea behind this is that when I want to add another calendar, all I'd have to do is add the object to a specific O365 group. I'm taking the application approach over delegation so that I don't have anything actually logging in to utilize the app. Ultimately I'd like to stay away from any of the *.All permissions for security reasons.
Steps taken:
- created o365 group
- added resource objects and one user service account (just for testing) to the group
- registered app
- generated secret
- assigned group to the app
- granted admin consent to groups.selected via the azure portal
When I run a GET for group/{id}/members:
{'error': {'code': 'Authorization_RequestDenied', 'message': 'Insufficient privileges to complete the operation.', 'innerError': {'request-id': '473410a8-4db4-49d6-8d2c-92b9fbd4edb1', 'date': '2020-03-05T14:59:28'}}}
As per the docs
https://learn.microsoft.com/en-us/graph/api/group-list-members?view=graph-rest-1.0&tabs=http
If you are using Application permissions to get members for a group, you will need User.Read.All, Group.Read.All, Directory.Read.All.
The usual issue is not granting those permissions to the application in portal.azure.com and admin consenting them.
If you're confident with that, then I'd eliminate your code as the issue by using something like Postman with your app ID and client secret. We have a sample Postman collection here: https://learn.microsoft.com/en-us/graph/use-postman. For delegated permissions you can use our Graph Explorer playground.
MS docs say:
Note: This permission is exposed in the Azure portal for a feature that is not available for general use. Do not use this permission as it is subject to change.
https://learn.microsoft.com/en-us/graph/permissions-reference
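The first answer's diagnosis (the application permissions were never granted and consented) can be confirmed from the token itself before calling Graph: application permissions show up in the roles claim of a client-credentials token, delegated scopes in scp, and a Group.Selected-only consent leaves nothing usable in roles. The Ruby below is an added example, not code from the thread. The token-endpoint and members-request functions use the real Microsoft endpoints but are not exercised offline; the permission check runs on a constructed, unsigned token fixture. The three permission names are the ones the answer quotes from the docs; check the current docs page for the authoritative list.

```ruby
require "json"
require "base64"
require "net/http"
require "uri"

GRAPH = "https://graph.microsoft.com"

# Application permissions the docs listed (least privileged first) for
# GET /groups/{id}/members at the time of the thread.
MEMBERS_APP_PERMISSIONS = %w[User.Read.All Group.Read.All Directory.Read.All].freeze

# base64url without padding is what JWTs use; restore padding before decoding.
def b64url_decode(str)
  Base64.urlsafe_decode64(str + "=" * ((4 - str.length % 4) % 4))
end

# Decode the payload WITHOUT verifying the signature. That is fine for inspecting
# a token your own app just received from the token endpoint; never use unverified
# claims to make an authorization decision on a server.
def jwt_payload(token)
  parts = token.split(".", -1)
  raise ArgumentError, "not a compact JWS" unless parts.length == 3
  JSON.parse(b64url_decode(parts[1]))
end

# Granted application permissions live in "roles" (delegated scopes in "scp").
def app_roles(token)
  Array(jwt_payload(token)["roles"])
end

# Which of the documented permissions this token carries, which it lacks, and
# what else it has. An empty :granted list is the Authorization_RequestDenied case.
def membership_permission_report(token)
  payload = jwt_payload(token)
  roles = Array(payload["roles"])
  {
    audience: payload["aud"],
    granted:  MEMBERS_APP_PERMISSIONS & roles,
    missing:  MEMBERS_APP_PERMISSIONS - roles,
    other:    roles - MEMBERS_APP_PERMISSIONS,
  }
end

# Client-credentials grant against the v2.0 endpoint (network; not run in tests).
def client_credentials_token(tenant, client_id, client_secret)
  uri = URI("https://login.microsoftonline.com/#{tenant}/oauth2/v2.0/token")
  res = Net::HTTP.post_form(uri,
    "grant_type"    => "client_credentials",
    "client_id"     => client_id,
    "client_secret" => client_secret,
    "scope"         => "#{GRAPH}/.default")
  JSON.parse(res.body).fetch("access_token")
end

# The call from the question (network; not run in tests).
def group_members(token, group_id)
  uri = URI("#{GRAPH}/v1.0/groups/#{group_id}/members")
  req = Net::HTTP::Get.new(uri)
  req["Authorization"] = "Bearer #{token}"
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |h| h.request(req) }
  JSON.parse(res.body)
end

# Constructed test fixture: an unsigned token with the given claims. Only for
# exercising the report above; a real token is signed by Azure AD.
def unsigned_token(claims)
  enc = ->(h) { Base64.urlsafe_encode64(JSON.generate(h), padding: false) }
  "#{enc.call({ "alg" => "none", "typ" => "JWT" })}.#{enc.call(claims)}."
end
```

Usage: obtain a token with `client_credentials_token`, run `membership_permission_report` on it, and only call `group_members` once `:granted` is non-empty; if `:granted` is empty after consenting in the portal, the app registration you consented is not the one whose client ID you are using.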

Resetting a User's Password with Microsoft Graph

I would also like to reset a user's password using Microsoft Graph from a Windows service using admin permissions. Using a PATCH request to the user's profile
seemed promising, but the required Directory.AccessAsUser.All permission is not on the list at apps.dev.microsoft.com, so I get an "Insufficient privileges to complete the operation." error.
I had promised to replace PowerShell cmdlets with Microsoft Graph in our application and this small but essential feature now becomes a blocker.
Is there a plan to add this permission to the list?
Is there any way I can assign this permission? Perhaps by editing the manifest? If so, does anyone know the correct info?
"resourceAppId": "????",
"resourceAccess": [
    {
        "id": "????",
        "type": "Scope"
    }
]
What's with the office portal Azure Directory Admin, app registration (preview)? I can see the app I registered at apps.dev.microsoft.com. Is it now an alternative to apps.dev? I like the interface better and the built-in admin consent button.
There is no application permission (yet) that allows you to reset a user's password using Microsoft Graph.
Is there a plan to add this permission to the list?
Yes, but that's about all there is to share, at the moment.
Is there any way I can assign this permission?
The only way to achieve this today (2019-01-17) is to assign the "Company Administrator" role to the ServicePrincipal object for your app — a very risky move (which is not recommended), as it will give your app full admin permissions.
What's with the office portal Azure Directory Admin, app registration (preview)? [...] Is it now an alternative to apps.dev?
Yes, though it's still in preview and it's possible some things might not work (as with all things in preview).
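The answer's workaround (putting the app's service principal into the Company Administrator role) is exactly the kind of assignment a security team wants to be able to find later. The Ruby below is an added example, not code from the thread: it walks the activated directory roles and reports any service principal that holds the Global Administrator role (still named "Company Administrator" in the API when the answer was written). It matches on the role's well-known roleTemplateId rather than its display name so the rename does not matter. The live functions use the real Graph endpoints but are not run offline; the check itself runs on constructed sample responses shaped like Graph's directoryRoles and members payloads.

```ruby
require "json"
require "net/http"
require "uri"

GRAPH = "https://graph.microsoft.com/v1.0"
# Well-known roleTemplateId of Company Administrator / Global Administrator.
GLOBAL_ADMIN_TEMPLATE = "62e90394-69f5-4237-9190-012177145e10"
SP_TYPE = "#microsoft.graph.servicePrincipal"

# Bearer-authenticated GET (network; not exercised in tests).
def graph_get(token, path)
  uri = URI("#{GRAPH}#{path}")
  req = Net::HTTP::Get.new(uri)
  req["Authorization"] = "Bearer #{token}"
  res = Net::HTTP.start(uri.host, uri.port, use_ssl: true) { |h| h.request(req) }
  JSON.parse(res.body)
end

# roles:           the "value" array of GET /directoryRoles (activated roles only)
# members_by_role: role id => "value" array of GET /directoryRoles/{id}/members
# Returns one finding per service principal sitting in the global-admin role.
def service_principals_in_admin_role(roles, members_by_role)
  roles.select { |r| r["roleTemplateId"] == GLOBAL_ADMIN_TEMPLATE }.flat_map do |role|
    Array(members_by_role[role["id"]])
      .select { |m| m["@odata.type"] == SP_TYPE }
      .map { |m| { role: role["displayName"], app_id: m["appId"], display_name: m["displayName"] } }
  end
end

# Live audit against a tenant (needs a token that can read directory roles).
def audit_live(token)
  roles = graph_get(token, "/directoryRoles")["value"]
  members = roles.map { |r| [r["id"], graph_get(token, "/directoryRoles/#{r['id']}/members")["value"]] }.to_h
  service_principals_in_admin_role(roles, members)
end

# Constructed sample responses (not real tenant data; ids and app ids are placeholders).
SAMPLE_ROLES = [
  { "id" => "role-ga", "displayName" => "Company Administrator", "roleTemplateId" => GLOBAL_ADMIN_TEMPLATE },
  { "id" => "role-dr", "displayName" => "Directory Readers",     "roleTemplateId" => "template-directory-readers" },
].freeze

SAMPLE_MEMBERS = {
  "role-ga" => [
    { "@odata.type" => "#microsoft.graph.user", "displayName" => "Alice Admin",
      "userPrincipalName" => "alice@example.com" },
    { "@odata.type" => SP_TYPE, "displayName" => "PasswordResetService",
      "appId" => "11111111-1111-1111-1111-111111111111" },
  ],
  "role-dr" => [
    { "@odata.type" => SP_TYPE, "displayName" => "ReportingBot",
      "appId" => "22222222-2222-2222-2222-222222222222" },
  ],
}.freeze
```

A non-empty result from `audit_live` is a standing finding: an application secret or certificate that, if leaked, is a full tenant compromise. Run it on a schedule and alert on any new entry.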

How to use Exchange Impersonation via outlook redemption

On Exchange 2010, LogonExchangeMailbox() is able to access multiple mailboxes using the current Windows credential.
session.LogonExchangeMailbox(userOne, mailServer)
session.LogonExchangeMailbox(userTwo, mailServer)
On Exchange 2013, what's the proper way? It's a VB script; I don't want the user password hardcoded in the file. I tried something like this but can't make it work:
session.Logon()
session.UseEWSImpersonation=1
credential=session.credentials
session.LogonHostedExchangeMailbox(userOne@mail.com, credential)
session.LogonHostedExchangeMailbox(userTwo@mail.com, credential)
I also tried AddDelegateExchangeMailBoxStore(user), but if I accidentally add it twice, one cannot be deleted.
Outlook Redemption is the latest version, with Outlook 2013 on Win 7.
LogonExchangeMailbox uses the credentials of the current domain user to connect. If you want to open a mailbox of another user, log on to the current user's mailbox using LogonExchangeMailbox, then open the other user's mailbox using RDOSession.GetSharedMailbox.

Authenticate download for files on another server

I have a Rails application running on a server. The application has user authentication implemented using Devise. I have files hosted on another server, and I want to allow only authenticated (logged in) users within my application to download these files. Is this possible? Is there a nice Rails solution?
Thanks.
You are looking for an SSO mechanism.
You need a single user-manager app that can act as a Provider (OAuth2?) and different applications (or Clients) that can authenticate themselves using this same user manager.
See: http://codetheory.in/rails-devise-omniauth-sso/
GitHub: https://github.com/rishabhp/sso-rails-provider
Jeff
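The answer above points at a full SSO provider. As an added example that is not from the post, here is the lighter pattern practitioners often reach for in exactly this situation: the Rails app (already guarded by Devise's authenticate_user!) issues a short-lived, HMAC-signed download URL, and the file server verifies the signature and expiry before serving the file, so it never needs to know about Rails sessions at all. The shared secret, hostnames and file paths are assumed for illustration; in practice the secret comes from an environment variable or credentials store on both hosts.

```ruby
require "openssl"
require "base64"
require "uri"

# HMAC over path, user id and expiry. A newline separator keeps "a|1"+"2" and
# "a"+"12" from colliding; the user id is bound so a link can be traced to who requested it.
def download_signature(secret, path, user_id, expires_at)
  msg = [path, user_id.to_s, expires_at.to_i.to_s].join("\n")
  mac = OpenSSL::HMAC.digest(OpenSSL::Digest.new("SHA256"), secret, msg)
  Base64.urlsafe_encode64(mac, padding: false)
end

# Rails side: called from a controller action that Devise has already authenticated.
# Rejects relative paths so the file server cannot be walked with "..".
def signed_download_url(secret, base_url, path, user_id, ttl: 300, now: Time.now)
  unless path.start_with?("/") && !path.split("/").include?("..")
    raise ArgumentError, "path must be absolute and free of '..'"
  end
  exp = (now + ttl).to_i
  sig = download_signature(secret, path, user_id, exp)
  "#{base_url}#{path}?" + URI.encode_www_form("uid" => user_id, "exp" => exp, "sig" => sig)
end

# Compare MACs without leaking the position of the first differing byte.
def constant_time_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# File-server side: verify before serving. Returns [true, user_id] or [false, reason].
# The path is taken from the request, not from the query string, so a signature for
# one file cannot be replayed against another.
def verify_download(secret, path, params, now: Time.now)
  uid, exp, sig = params.values_at("uid", "exp", "sig")
  return [false, :missing_params] if uid.nil? || exp.nil? || sig.nil?
  return [false, :expired] if exp.to_i < now.to_i
  expected = download_signature(secret, path, uid, exp.to_i)
  constant_time_equal?(expected, sig) ? [true, uid] : [false, :bad_signature]
end
```

Because the expiry is part of the signed message, a client cannot extend a link by editing `exp`; and because the link is short-lived, a leaked URL is only useful for a few minutes rather than until the next secret rotation.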

Non-interactive login (cached credentials) against Azure Graph API on iOS

I am creating an app on iOS that will run in a "kiosk" mode. Part of the application requires users to be able to search an organisation's directory. I would like to support Azure AD via the Azure Graph API to provide this function.
I don't want to require an interactive login when the app starts and I don't want to have to use an additional web service; I would like for the iOS app to simply access the Azure Graph API via REST.
I am aware of the risks associated with cached credentials, however the use of "service accounts" for non-interactive logins is fairly well established, the access is read-only and the credentials can be secured in the iOS keychain.
I have looked through numerous Azure samples and read the documentation, and it seems that the method that provides what I need, acquireToken(resource, credential), isn't available in the iOS ADAL library (and neither is the ClientCredential class).
To clarify, this is how I would like my app to work:
User installs the app from the app store and runs it the first time
As part of the setup they authenticate to Azure AD by providing their tenant, application client ID and an application key. If they can't authenticate with an application key, a user id/password is acceptable as long as:
They never get prompted to authenticate again
Is there a solution here or do I just give up on Azure AD?
This can be done, but not with the ADALiOS framework as it doesn't expose the client_credentials grant that is required to make it work.
I was able to build a working demonstration using p2/OAuth. The sample app is here
The steps to build a working solution are:
Login to the legacy Azure Management portal and select your Azure AD Instance
Create a new application in that AD instance
Select "Add an application my organisation is developing"
Give it a name and select "Web application and/or Web API", not "Native Client Application"
Enter values for the sign-on URL and App ID URL. These need to be well-formed URLs but do not need to be reachable
Once the application has been created select "Configure". Note the Client ID - you will need this
In the "Keys" selection, select 1 or 2 years from the drop down, then click "Save"
Once the key is displayed, copy this and save it somewhere; it can't be displayed again.
Set the required "Permissions to other applications" to allow your app the access it needs
Finally, at the bottom of the screen click "view endpoints" - You need to copy the OAuth 2.0 Token Endpoint and the OAuth 2.0 Authorization Endpoint
Download the demo code from GitHub
Run pod install
Plug the values into the Settings.plist file
Run the app
The meat of the authentication process is to set up an instance of OAuth2ClientCredentials:
let settings = [
    "client_id": appData.clientId!,
    "client_secret": appData.secret!,
    "authorize_uri": appData.authString!,
    "token_uri": appData.tokenString!,
    "keychain": true,
    "secret_in_body": true
] as OAuth2JSON
self.oauth2 = OAuth2ClientCredentials(settings: settings)
Then you can call doAuthorize() to get a token
self.oauth2.doAuthorize()
