I have created a custom MS Teams Message extension app in Teams and successfully published that in Azure, but i have noticed that Azure web app bot where i have added Teams as a Channel, i can access the app out side the organization also.
So is there a way i can restrict it to my AD users and in AD also i need to provide access with specific AD groups.
If I copy the URL and try to open with user not in AD still i can access it.
In this case, you can implement the authentication for you bot/Messaging Extension and make sure your bot/ME is configured for single tenant only.you can not restrict uses to access it for AD Groups
Related
I'm trying to develop a web application that is connected to our AD Azure app which allows anyone with a code (specified in our own web application) to start a Teams meeting through the Ms Graph API.
The flow is simple as follows:
Use the host code to create the Ms Teams room
Store the created room information in our web app's database
Send users using a guest code to the correct Teams room
At first i tried using the beta Ms Graph API to use the 'application' permission type on which the host (in step 1) would create a meeting room in our AD Azure domain. This works however, refering the uuid of a user outside of our AD Azure domain isn't allowed or does not seem to work.
I then rewrote the web app to use the 'delegated' permission type. The user using the hostcode in step 1 is then redirected to Microsoft to log in, is returned to our web app with the correct auth tokens which we can use with Ms Graph to create the meeting rooms on behalf of the logged in user.
As far as i know, i configured the corresponding permissions for 'OnlineMeetings.ReadWrite' (or OnlineMeetings.ReadWrite.all, depending on the permission type). Admin consent has been done, i've even set the auth type to 'Accounts in any organizational directory (Any Azure AD directory - Multitenant)' but to no avail.
Both of these solutions seem to be quite limited to only our own AD Azure space/domain meaning we can't offer a web application that automatically creates a meeting room on behalf of a user and connects users to those same meetingroom.
Is there a way to allow the aforementioned?
For your requirement, I summarize two situations as below for your reference:
There are two tenants (tenant A and tenant B), your registered app is in tenant A and set as Accounts in any organizational directory (Any Azure AD directory - Multitenant).
1. If you want user in other AD to create a meeting room in tenant A, it can't be implemented.
2. If you want user in other AD to create a meeting room in current tenant(such as tenant B). You can request the token with id of tenant B in request token endpoint(like https://login.microsoftonline.com/{id of tenant B}/oauth2/v2.0/token. And in request body, you should use client id in tenant A of the registered app. We can just implement the steps by auth code flow and it will pop-up window to ask for login, you need to use admin account(of tenant B) to do the login at first time(to allow this operation).
I have set up a Azure Active Directory App so that I can access the Microsoft Graph API with MSAL. However, I want to perform API calls without a user (https://learn.microsoft.com/en-us/graph/auth-v2-service) and as such I have added a few permissions that require "Admin consent" to my app. However, I cannot find a way to grant my app these permissions.
I've tried looking around the Azure portal for a way to grant these permissions but without success. I have also tried using the https://login.microsoftonline.com/{tenant}/adminconsent&... link to grant permissions, but unsucessfully so.
The response I received was
AADSTS500201: We are unable to issue tokens from this API version for
a Microsoft account. Please contact the application vendor as they
need to use version 2.0 of the protocol to support this.
I do not have an Azure subscription (not even the free one), but seeing as I was able to add apps to Azure AD as well as get access tokens and then make API calls on behalf of the authorized users I assumed I might not need a subscription.
I just made another app and now I have the grant consent button when I open the API Permissions view.
We are building a Web App/API to publish in our Azure AD and want to provide access to the app by inviting (B2B scenario) external users into our Azure AD. This will create accounts in our Azure AD of type "Guest" which we will use to assign permissions to the app. In this scenario, do we need to configure our application to be "multi-tenant"? There are steps to take inside the code to accommodate for multi-tenant sign-ins and there is a setting on the Settings tab of the App Registration in Azure AD that is labeled "Multi-tenanted" where you select either Yes or No. On the App Registration setting, there is a pop-out bubble that says:
Designates whether users in external organizations are allowed to grant your
app access to data in their organization's directory
I am not sure how (or if) the code changes and the app registration setting are related but our app will not need access to any data outside of our directory.
No your app does not need to be multi-tenanted and you do not need to direct users to the /common endpoint. I have tested this, and you still get a kind of SSO experience.
Example paul#org1.com (homed in Org1 AAD) is a guest user in Org2 AAD (invite has been accepted). Now this same user opens a private browser and logs in to Org1 AAD.
The user then tries to hit a web app with app registration in Org2, and web app redirects user to https://login.microsoftonline.com/org2.onmicrosoft.com/oauth2/authorize.
Result, user is considered logged in by AAD and gets redirected to the redirect_url with tokens, etc.
We have an Azure resource app whose APIs we want to expose for access by a client app on Azure. The two apps are on different tenants. The users accessing the APIs (Office 365 account holders) are on different tenants.
The whole set up works when we manually provision a service principal on the tenant that is trying to authenticate from the client app against the resource app. By that I mean they are able to log in using their Office 365 account and are shown the consent screen.
If we do not provision a service principal on the AAD tenant of the user trying to authenticate, we get this error:
AADSTS65005 - The app needs access to a service <service> that your
organization org.onmicrosoft.com has not subscribed to or enabled. Contact
your IT Admin to review the configuration of your service subscriptions.
It is not feasible for us to provision a service principal on every tenant that is accessing our app (resource app). Is there something we are missing? Are we using the right flow?
You can find help for your scenario here: https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-devhowto-multi-tenant-overview#understanding-user-and-admin-consent. (Scroll down to Multiple tiers in multiple tenants)
In the case of an API built by an
organization other than Microsoft, the developer of the API needs to
provide a way for their customers to consent the application into
their customers' tenants.
The recommended design is for the 3rd party
developer to build the API such that it can also function as a web
client to implement sign-up:
Follow the earlier sections to ensure
the API implements the multi-tenant application registration/code
requirements
In addition to exposing the API's scopes/roles, ensure
the registration includes the "Sign in and read user profile" Azure AD
permission (provided by default)
Implement a sign-in/sign-up page in
the web client, following the admin consent guidance discussed earlier
Once the user consents to the application, the service principal and
consent delegation links are created in their tenant, and the native
application can get tokens for the API
Basically, all of the parts that your app needs must be present as service principals in the customer's tenant. This is a requirement of AAD.
The only way for that to happen is for an admin to go through consent for the API and app separately, since they are registered in different tenants.
If they were registered in the same tenant, you could use the knownClientApplications property in the manifest to allow consenting to both at the same time.
In my case, I am exposing my own API and trying to access this API from my other Application (Client Credentials mode), I removed the default permission on both of the app(consuming app and api app) - "Azure Active Directory Graph-> User. Read" since I thought I don't need that but that caused this problem "The app needs access to a service .... that your organization has not subscribed to or enabled. Contact your IT Admin to review the configuration of your service+subscriptions.
I got the clue from the answer of #juunas - point 2. Thx Juunas
I'm using AngularJS Adal plugin to handle login on my page, with Azure AD.
I got everything working and it's great, one problem I have is, I would like to restrict who in Azure AD can use the login, is this possible?
Thanks,
Feeloor
To restrict the users for the apps which protected by the Azure AD, we can config the app to enable the ‘User assignment required to access app’ on the portal like figure below:
Then we can assign/remove the users who you doesn’t want to use the app at the users tab like below:
You can use Azure AD to manage access to resources such as your application. You can give specific users access or control access via groups where all members of a group are given access.
Here are some useful links to get you started
Managing access to resources with Azure AD
Using a group to manage access