Access Secure Web API in MS Excel - excel

I have developed several web APIs for my Blazor front-ends.
The front-ends are using Code Flow (PKCE) against Azure AD.
Now some users want to access the API from MS Excel.
When making the call to the API I need to pass a token that can identify the logged in user.
In Excel the users are logged in to our AD, which is synced to Azure AD.
So I am thinking of using Integrated Windows Authentication if it's possible.
The ideal workflow would be for the user to go to the swagger end-point choose the call to make and use that to import data into Excel.
When Excel wants to access the data a sign-in form should pop up. I guess through the web browser or the phone?
How can I use most of the built-in Excel features without coding a lot of "ugly" VBA code?
It's not just me shy of writing VBA code (: But Excel can do so much out of the box and I would like to give the users a good experience.
Authentication flows and application scenarios

Related

SharePoint REST Integration with OAuth

I have to integrate SharePoint with my web app (I just want to show the content of the user account).
For that, I have researched and I am looking for SharePoint integration with the REST API through the OAuth process. Right now I have found a different way, where users have to create their SharePoint app and share their username and password, and then I can get the data with their credentials.
The above approach is not a good option.
Please help if someone knows how to get SharePoint content through the OAuth approach with REST.
You are able to connect to Microsoft Graph, which hosts an API for the Office 365 entities such as Calendar, Mail, SharePoint etc.
In order to authenticate, you need to follow the OAuth 2.0 flow. This involves the generation of access tokens, which are then used in case of username/password.
More information about the MS Graph API and setting up authentication, as well as a number of SDKs, can be found at: https://learn.microsoft.com/en-us/graph/auth-register-app-v2?view=graph-rest-1.0

Microsoft Graph API vs. IMAP/POP3 - which is better for reading mails?

I want to read mails of users of a specific domain (tenant) using the Outlook API. However, I don't have privileges to register a new app in the Azure portal for that domain, and so am not able to use the Graph API. We cannot use the Outlook API without an OAuth app. In this case, is using IMAP/POP3 my only choice? How secure is it to use IMAP/POP3 to read mails when compared to the Azure AD Graph API? Please advise.
It depends on what you really want to achieve.
If you just want to read the messages, configuring your mailbox in Outlook or other email provider with IMAP/POP3 is a preference. You don't need to worry about its security, it has been in service for decades.
For Microsoft Graph API, to call Microsoft Graph, your app must acquire an access token from the Microsoft identity platform. See Authentication and authorization basics for Microsoft Graph to learn more details about it.
So the point is how you want to read your email.
If you are developing your own app, using Microsoft Graph API is certainly the best choice. You can test GET https://graph.microsoft.com/v1.0/me/messages to list your emails in Microsoft Graph Explorer without registering an app in Azure AD.

Microsoft Graph API accessing Excel doc permissions

I am diving into the Microsoft Graph API and want to use its features to interact with an Excel workbook. I intend to create a client side application that interfaces with my API which in turn interfaces with Microsoft Graph API.
I ran into some confusion with the Microsoft Graph permission documentation. When sifting through the Excel API documentation, I saw that in order to Update Range or Get Worksheet (or really any endpoint) I need to have Delegated (work or school account) permission. I then looked at the Graph permission doc mentioned above and it says:
Delegated permissions are used by apps that have a signed-in user present. For these apps either the user or an administrator consents to the permissions that the app requests and the app is delegated permission to act as the signed-in user when making calls to Microsoft Graph. Some delegated permissions can be consented to by non-administrative users, but some higher-privileged permissions require administrator consent.
To me, this reads "a user must login using oauth to interact with a workbook via the API". I'm hoping that is not the case, because I want to have the workbook data publicly available and to have read/write permission. I understand I will have to authenticate some (admin) user within my organization in order to retrieve/update a workbook (via the Graph API) stored in OneDrive, for example, but I just wanted to see the requirements for accessing the workbook.
Looks like you intend to use the Excel workbook as a central data source rather than an individual user-based store. In that case you can access the API without a user sign-in by using application-level consent. See here. The client "app" will call into a server (such as Node.js) and that in turn will make API calls to Microsoft Graph to interact with the Excel workbook. This server-to-Graph call is abstracted from the client app and hence secure.
The downside of this approach is that you'll need a server implementation and you can't implement a single-page application that doesn't require a server-side implementation. It is not a big hurdle - it just takes a different set-up.

Proper Authentication for Outlook Add in using Microsoft Graph

I'm trying to get familiar with the Microsoft Graph API. I would like to create an Outlook Calendar add-in using the Graph API. However, all of the articles I have read seem to use the OAuth 2.0 model, which requires manual sign-in of the user. An add-in, though, should not require a sign-in by the user. If you are already using Outlook, you should not have to authenticate manually in order to use the add-in. Can anyone suggest the correct authentication method for add-ins that still uses the Graph API?
I have read through this doc which appears to cover the entire scope of application types and their authentication method, but does not include add-ins. Is that because add-ins should not use Graph API?
At present, the Office add-in API is not able to provide the access token (it provides an idToken and a callback token) for Microsoft Graph automatically. We still need to authenticate the user manually.
But we can call the EWS service directly in the Mail add-in. You may consider using the EWS to see whether it is helpful for your business.
Or you can use the client credential flow that could get the app-only token which doesn't need the users to interact in the authentication process.

Silently log onto Microsoft Graph?

Since I have my users' login and password, can I silently log into their Microsoft Graph?
I want to fetch info from the Office 365 API from a server app, so therefore I cannot have a Microsoft Login Window popping up.
Thanks
You want to use the confidential client flow for authenticating the Graph API. See the section "Daemon or Server Application to Web API" in this document for details. Of course you'll need to be the admin of your Azure AD, or have the admin's trust and blessing, in order to use this flow, as the user isn't involved in the process themselves.
I've been trying to use it for calendaring apps. The flow login works fine but be aware that there are some limitations on using the Graph API with this authentication flow type (specifically interacting with Unified Groups calendars in my case).
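Added example, not part of any post above: the answers on application-level consent and the confidential client flow both describe the OAuth 2.0 client-credentials grant. The Node.js sketch below builds that token request (without sending it) and shows how an API can tell an app-only token from a delegated one by its claims. The tenant, client values and token claims are constructed, the helper names are hypothetical, and signature validation is assumed to happen elsewhere.

```javascript
// Added example; tenant, client id, secret and token claims are constructed.

// Build (without sending) the client-credentials token request for the
// Microsoft identity platform v2.0 endpoint. No user takes part in this flow.
function buildClientCredentialsRequest({ tenantId, clientId, clientSecret }) {
  const body = new URLSearchParams({
    grant_type: "client_credentials",
    client_id: clientId,
    client_secret: clientSecret,
    // ".default" asks for the application permissions an admin consented to.
    scope: "https://graph.microsoft.com/.default",
  });
  return {
    url: `https://login.microsoftonline.com/${encodeURIComponent(tenantId)}/oauth2/v2.0/token`,
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: body.toString(),
  };
}

// Read the claims of a JWT. This does NOT verify the signature; an API must
// validate signature, issuer, audience and expiry before trusting any claim.
function decodeJwtPayload(jwt) {
  const parts = String(jwt).split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return JSON.parse(Buffer.from(parts[1], "base64").toString("utf8"));
}

// Delegated tokens carry "scp" (and may also carry user app roles in "roles");
// app-only tokens carry "roles" but no "scp", and their "oid" is the service
// principal, not a person.
function classifyToken(claims) {
  if (typeof claims.scp === "string" && claims.scp.trim() !== "") {
    return { kind: "delegated", userOid: claims.oid ?? null, permissions: claims.scp.trim().split(/\s+/) };
  }
  if (Array.isArray(claims.roles) && claims.roles.length > 0) {
    return { kind: "app-only", userOid: null, permissions: claims.roles };
  }
  return { kind: "unknown", userOid: null, permissions: [] };
}

// Constructed, unsigned sample tokens for the demonstration.
function sampleToken(claims) {
  const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${b64url({ alg: "RS256", typ: "JWT" })}.${b64url(claims)}.constructed-signature`;
}
```

An API that must identify the logged-in user should reject tokens classified as app-only, since they carry no user identity to authorize against.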
