I want to access the sharepoint API and only have my username/password. I dont have an app registration and also not the access rights to create it, which means I dont have a clientID.
How can I get an access token?
Since I am able to access sharepoint from my useraccount, I believe it must be possible witout a clientID. Many thanks in advance.
There is a way to obtain an access token, but not without an app registration. Please see this post:
SharePoint Rest API how to get Access Token?
Related
I've an Azure AD app setup, the Rest api's under scope: user_impersonation works but I also need user profile info from some GET API request (with same scope as I cannot have two scopes under one access token). I could not find a suitable API for it.So, any help in this regards will be highly appreciated.
Thanks in advance!
As you are making requests to different APIs, you will need to request separate access tokens for this information.
In the case of user profile information, you will need to request a token for the Graph API resource with the User.Read scope.
Depending on the type of application, you can either request this information on behalf of a user or as a service. When requesting as a service, you need to grant the User.Read.All permission instead (docs.
You can use Profile API in Microsoft Graph to retrieve yourself and another user profile.
Using Profile API use for retrieve the sing-in user profile information together Azure AD or account information. This information we can use in application as requirements and we can store as requirements.
when you use these API you will need to valid permissions to access profile information.
Example : https://graph.microsoft.com/beta/me/profile/
More information about Use the Profile API read these official document by Microsoft Documents.
I have an secured API student API which I am able to access via OAuth2.0 client credentials flow which creates an access token using IConfidentialClientApplication app and accesses secured app.
Now comes to access the secured API using OAuth 2.0 Resource Owner Password credentials. I have mostly used the code in microsoft github page.
https://github.com/azure-samples/active-directory-dotnetcore-console-up-v2
I am able to sign in using username and password, able to generate access token as well. But this access token is not able to access my secured student API. Though the sample code is able to access the Microsoft graph API, it is not able to access my secured API.
I tried to allow public client flow for my secured student API as well and decrypted both the access tokens to see the difference. There is a lot of difference. What I noticed here is in ROPC flow are using IPublicClientApplication where I am not able to give the ResourceId while acquiring token. So "aud" is different in ROPC token and other fields as well.
Can anyone tell where I may be going wrong or how to fix the above scenario?
I think you may need to perform these 2 steps to get a token valid for your own API:
Expose an API scope in your Azure AD API Configuration
Add an API permission in your Azure AD Password Client Configuration
See step 6 of my Azure AD Blog Post for how this looks. The article also explains some token differences.
Business Requirement:
We want to replace our Skype meeting URL with Teams meeting on our production system(within a ABAP daemon service without user integration). So I am trying to integrate with Teams using Microsoft Graph API to be able to generate one online meetings. Then this online meeting URL will send to our customer with a mail.
Target Graph API: For MS Graph API V1.0 verion, I think this in only one option Create onlineMeeting.(Graph API with /beta version is not a good option for production usage).
According the MS Graph documentation V1.0 Create onlineMeeting, this API only support permissions with Delegate type. I think we could only use use username/password authentication flow. Correct me if I'm wrong.
Issues: I'm trying to get token with user and password as describe with ROPC Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials, use following API to test it with my corporate mail.
POST /{{TennatId}}/oauth2/v2.0/token HTTP/1.1
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
SdkVersion: postman-graph/v1.0
Content-Type: application/x-www-form-urlencoded
grant_type=password&client_id={{ClientId}}&client_secret={{ClientSecret}}&scope=https://graph.microsoft.com/onlineMeetings.ReadWrite&userName=MyCorporateMail#org.com&password=MyPassword
But, it will always get invalid_grant response: AADSTS50126: Error validating credentials due to invalid username or password.
I don't know why it cannot get token response with my corporate(work) mail/account **#sap.com, I'm sure my password and other parameters are correct.
And if I use a new-test-user sapse#wardsap.onmicrosoft.com which is created by Azure Active Directory, I'll get token successfully. This user doesn't need Two-Step authentication when login to Azure. But this user does have Teams/OnlineMeeting license, so it couldn't generate onlineMeeting.
My Question:
Will it possible caused by MFA configuration from my org? Because I noticed that every time I login to https://aad.portal.azure.com/, it has second authentication step, verify with my Phone message.
If yes, will it be possible to disable MFA to some test/dev account forever? Where should we config it? Within MS Azure or some where else? Who should I get support from?
For this Create onlineMeeting API, do we have other authentication flow for this Delegate permission type for a back-end daemon service?
Thanks and Best Regards,
Ward
MFA will definitely prevent you from using this authentication flow.
The Resource Owner Password Credentials flow and its use are discouraged.
There are many flows which are more secure, and usually you can use ones like authorization code flow to achieve what you want.
MFA is configured by your organization, you'll need to contact your IT about that.
But I would not recommend disabling MFA for this.
A back-end daemon application needs to either use application permissions or a refresh token.
If the API in question does not support application permissions, you can acquire a refresh token for a user through the authorization code flow, store it securely, and use it whenever you need a new token.
If you do this, be sure to overwrite the old refresh token with the new one that you get when you ask for an access token.
I've been searching for a couple days, and I can't seem to find a straightforward guide on how to set up Authorization (AuthZ) between an AAD App and my AAD Web API set up in App Service. I've tried things like this official guide, but I can't seem to get calls with a Bearer token from the client app to work.
Has anyone done this successfully? Is there a step by step guide out there that could help?
Please let me know if there are any questions!
To implement your requirements, you need to expose an api in your AAD Web API first.
Then go to your AAD App which used to request the token, add the permission to it.
Click "Grant admin consent for *" button.
After that, we can request the access token successfully (below I provide a sample use password flow for your reference)
In your Web API app, you need to parse the access token and get the scope permission from the access token. And then determine whether the request has permission.
I want to read all the Outlook Task assigned to the logged in user from with an Office365 web part (SPFX), But I do not want the user to sign in again or do any such operation, Ideally what I want is to use SharePoint context to be used to authenticate the user.
I came across the GraphHttpClient which uses /_api/SP.OAuth.Token/Acquire to acquire an access token which can be used with Microsoft Graph but, by default, this method only issue Group.ReadWrite.All and Reports.Read.All permission.
I need to grant it Tasks.Read permission.
I was wondering if there is any way to pass the Scope into the method to get an updated token?
I have already tried passing Scope as a query string to URL and as a header, both yielded me no result. Any suggestions on how to tackle this issue will be helpful.
The GraphHttpClient has been deprecated, you want to use the new MSGraphClient instead.
By default, MSGraphClient doesn't have any permission scopes applied other than User.Read. It does, however, support requesting additional permission scopes from the tenant administrator. The overview for how this works can be found at Connect to Azure AD-secured APIs in SharePoint Framework solutions.