Under which account are web parts run? - sharepoint-online

If I create some SharePoint Online web parts, are they run under the credentials of the user that is using the web part?
(this is what I would assume)
Say I need to make a query to the Graph API, would a SharePoint Administrator have more access that a standard cloud user?
Is there a way to run as a different user (one that has more privilege's)?
Thanks
P
var client = await this.context.msGraphClientFactory.getClient('3');
var result;
result = await client.api('groups/' + this.properties.groupGUID + '/members').get();

SPFX Webparts run in the context of the current logged in user. They will have all permissions the user is having. So if you are an admin, you will be able to do more stuff (if your webpart can do it) than as an user with "read" permissions.
If you want to do something with higher privileges you will have to use a backend like a custom API, Azure Functions or even Power Automate.

SPFx web parts runs in the context of the current user and connection in the browser.
Source: Key features of the SharePoint Framework
If you want to use MS graph in SPFx web part with specific permissions, you can request them from your web part.
when deploying the solution package to the app catalog, SharePoint creates permission requests and prompts the administrator to manage the requested permissions. For each requested permission, a global or SharePoint administrator can decide whether they want to grant or deny the specific permission. This will work for all users - SharePoint admin as well as normal users.
You can also use Application permissions and delegated permissions with Azure AD app registration.
Check below documentations for more understanding:
Use Microsoft Graph in your solution
Connect to Azure AD-secured APIs in SharePoint Framework solutions
Register an application with the Microsoft identity platform
Microsoft Graph permissions reference

Related

Authenticate SharePoint user in external API

I've created a SPFX feature that needs to call an external API. The external API is part of a system that has its own authentication methods outside of SharePoint. Ideally I would like to send details about the current logged in SharePoint user to this API, validate them to ensure that the user is actually logged in in SharePoint, compare the SharePoint user with the external system's user (they'll have the same email addresses) and, once matched, run the external API's code with that user.
Is there any way to go about doing something like this? If not, what is the best way to handle this sort of problem? Do other Microsoft tools like Azure need to be used for this?
The supported way to authenticate SharePoint framework components to a custom API is by using Azure Active Directory (AAD) and OAuth.
You need to AAD-protect your API. You can configure it so it supports two authentication mechanisms: AAD and your current authentication method. For example, if a JWT token is present, you use AAD+OAuth, and if not you use your other authentication method.
The SPFx to API authentication mechanism is described in details in the page Connect to Azure AD-secured APIs in SharePoint Framework solutions.
In summary, you will need the following elements:
Register an application in Azure AD, which represents your API.
Use a server library to protect your API with that AAD application.
Configure your SPFx package so it has permissions to query your API.
Grant the permissions to your SPFx package in the SharePoint central administration.
Use the AadHttpClient in your web part to access your API.

How to obtain Azure AD token inside Office 365 Outlook (or office apps) add-in?

I need the token in order to use office api discovery service (https://api.office.com/discovery/) to find SharePoint root url.
Is it possible to get access to Azure AD token from add-ins (Outlook/Office)?
Edit(To make things more clear):
As I'm building a multi-tenant Azure hosted app that should be launched via add-ins, I will have to force users to log-in in popup and give consent for application. Login is mandatory since in office add-in's we cannot find out who the logged in user is.
You can follow the documentation here on how to retrieve an authorization token - https://graph.microsoft.io/en-us/docs/platform/rest from Azure AD for the use of finding the root URL - also you can use the Microsoft Graph, which is the newer version of the Discovery service (more details about it again at the link provided).

web application to multi tenant application one drive business api

my question is similar to question Multi-Tenant app - OneDrive Business API
but i want my application to access the one drive from tenants of other different azure subscription, is it possible? i understood that if i register my application and mark it as multi-tenant, it will allow me access the tenant in my azure subscription, but if i want to access the tenant using the same application but in different azure subscription whats the way.
What’s kind of authentication flow are you using? Normally, we use the Authorization Code Grant Flow that the user delegates access to a web application. In this scenario, to enables the users on other tenants to login the website and access their Office 365 resource, we only need to enable the multiple-tenant app on the Azure portal.
but if i want to access the tenant using the same application but in different azure subscription whats the way.
It depends on which REST you were using. It is same as we are call the REST API for the single tenant app if we are using the Microsoft Graph to query the OneDrive for business. The endpoint of the list children of a driveItem is still like below no matter which tenant the user login:
GET https://graph.microsoft.com/v1.0/me/drive/root/children
GET https://graph.microsoft.com/v1.0/me/drive/items/{item-id}/children
GET https://graph.microsoft.com/v1.0/me/drive/root:/{item-path}:/children
If you were using the Office 365 REST API, we need to discover the service endpoint. You can refer to here for more detail about Office 365 Discovery Service REST API.
Depending on the permissions that you need normally the tenant admin of the other tenant has to add the application to their own Azure AD. With the newer app model v2 this is quite a lot easier as the admin can simply give consent once in the normal consent screen for the entire tenant. See here for a mor elaborate explanation of how this would work.

Sharepoint Multi Authentication

I need to find out how I can allow our Sharepoint portal to support both windows authentication and form based authentication. The objective is to allow those users in our Active directory to sign into the portal using their active directory credentials, and at the same time we want to allow those users who don't belong to our active directory to register an account online and be able to access our sharepoint portal after their account is approved by an admin.
You need to enable the Dual Authentication for the SharePoint Site. Here one of the class article in the subject
Also you need to deploy the controls for enabling the user to register and create login refer this

If I want to use MOSS 2007 Single Sign-On, do my users HAVE TO be Active Directory users?

I want to use MOSS 2007's single sign-on feature, but read that the server needs to be in an Active Directory environment. This I understand, but does this mean all my users HAVE TO be Active Directory users? Can I not use MOSS2007 Single Sign-on if my users are authenticated using Forms Authentication (using a custom membership provider?).
You can, but you'd have to write your own SSO provider. The default one only works with Windows identities.
Edit: There's a walkthrough on MSDN for creating them, if you want to go that way.
when i connect SP server with CS server using SSO, does the roles and user permissions for SP users transfered with the user, so if i created new sp user with read role, then i accessed cs server, i will find that a role created for that user in the cs with read permissions?

Resources