I want to develop a custom ASP.NET Web API which can be used to send out emails as a user using the Microsoft Graph API. I think this will be a Multi-tenant application. Below are few ideas I have and some questions:
I have a working ASP.NET MVC web application where different users can login using their unique credentials provided by us.
I have an "Email Setup" section in my web app. Every user will navigate to this section one-time and be redirected to the "https://login.microsoftonline.com/common/oauth2/v2.0/authorize?client_id={{client_id}}&response_type=code&redirect_uri={{redirect_uri}}&response_mode=query&scope=offline_access%20user.read%20mail.read&state=12345"
On the consent screen user will sign in using their Microsoft Office 365 credentials and provide consent to my app.
On providing consent, user will be redirected back to my web app and I will get Access token for the code returned and store the access token in a SQL database.
User navigates to a page to send email, fills in the To, Subject, Body, Attachments etc. and clicks on the "Send" button.
On send button, my ASP.NET web app will call our custom Web API to send the email. The API will have an endpoint that knows the user and will get appropriate access token from the SQL database to send email on that user's behalf.
Questions:
Do I need to register an Azure App with type "Multi-tenant" since I want to support users from different tenants?
What kind of scopes/permissions will be required in order to "Send Email" as the user?
Do I need Delegated/Application permissions on the Azure side?
How can I ensure that the email that is sent, also gets saved to that user's "Sent Items" folder on Outlook?
According to the sending email graph api, we can see it provides the Application api permission, that means you can create an azure ad application and assign the Mail.Send permission to this api and using client credential flow to generate access token to call this api, so it's not necessary to creating a multi-tenant azure ad application via this way.
And certainly, if you insist on auth code flow to generate access token to using delegate permission to call the api, you should creating a multi-tenant application so that users from different tenant can generate access token through this azure ad application.
Related
I have a web application and I want to give the ability for the user to connect his Outlook account with my web application.
Which will give the ability to create a meeting in his calendar once he adds it in the system.
I've create an Azure AD application, the user can login and generate an access token which I can create the meeting using Graph API.
and refresh token isn't working from backend service.
But my problem is that I need a permanent token so the user doesn't have to login again,
same as the outlook calendar app in slack.
Is there a specific configuration that I need to make this happen?
Thanks
I have a web api as backend and a mobile app that users can sign up and sign in and call web api(protected) methods to post and get some data from user. I am using Azure AD B2C to authorize and authenticate users with policies. After a user has sign up or sign in, mobile side has an access token and use this token in request to web api.
But in my scenario, mobile side will send username to web api and I will use microsoft graph api to create user with username and default password.(First request is without user token because there is no a user at this time or can be special token that both sides know.) After I created user in server-side I want to get access token using objectId that came response from create request or I want to know how to get access token.
When I have token, I will send this token to mobile and then mobile send requests to web api using access token that come from server.
I wonder this scenario is possible and can be implemented.
Architecturally, If i understand correctly You want to protect your Mobile app and web api using Azure AD B2C which is clearly possible.
You need to do the following:
Create a AD B2C tenant.
Configure a sign-up or sign-in policy
Use the steps in the Azure AD B2C documentation to create a sign-up or sign-in policy. Name the policy SiUpIn. Use the example values provided in the documentation for Identity providers, Sign-up attributes, and Application claims. Using the Run now button to test the policy as described in the documentation is optional.
Register the API in Azure AD B2C
In the newly created Azure AD B2C tenant, register your API using the steps in the documentation under the Register a web API section.
After the API is registered, the list of apps and APIs in the tenant is displayed. Select the API that was previously registered. Select the Copy icon to the right of the Application ID field to copy it to the clipboard. Select Published scopes and verify the default user_impersonation scope is present.
After adding authentication to your web api , you can test it using Postman.For that you have to register postamn under your B2C tenant.
Since Postman simulates a web app that obtains tokens from the Azure AD B2C tenant, it must be registered in the tenant as a web app. Register Postman using the steps in the documentation under the Register a web app section. Stop at the Create a web app client secret section.
The newly registered web app needs permission to access the web API on the user's behalf.
Select Postman in the list of apps and then select API access from the menu on the left.
Select + Add.
In the Select API dropdown, select the name of the web API.
In the Select Scopes dropdown, ensure all scopes are selected.
Select Ok.
For calling a web api you need to get the bearer token before calling actual web api request.
To make an authenticated request to the web API, a bearer token is required. Postman makes it easy to sign in to the Azure AD B2C tenant and obtain a token. Taking postman as an sample tool.
- On the Authorization tab, in the TYPE dropdown, select OAuth 2.0. In the Add authorization data to dropdown, select Request Headers. Select Get New Access Token.
- Complete the GET NEW ACCESS TOKEN dialog as follows:
- Select the Request Token button.
- Postman opens a new window containing the Azure AD B2C tenant's sign-in dialog. Sign in with an existing account (if one was created testing the policies) or select Sign up now to create a new account. The Forgot your password? link is used to reset a forgotten password.
- After successfully signing in, the window closes and the MANAGE ACCESS TOKENS dialog appears. Scroll down to the bottom and select the Use Token button.
- Now you can test your Web Api with the token, also if you want to save suer information before that you can do that. Also it's the Signup Policies job is to create a user for your when you hit a request.
Hope it helps , Please let me know if you need any help.
I can login to Outlook 365 in my web with MS Graph without user action. I'm using simple-oauth2 module and oauth2.ownerPassword.getToken method to generate tokens with username/password from my database.
I'd like embed Outlook.com in my web for each user (with their credentials).
Is there any way to do this?
Why would you do that?
If your application already lets the user login with Azure Ad account, you could use the on-behalf-of flow. Then your web application can request a token for another resource by sending the access token of the user for the current application.
If they aren’t logged in to Azure ad already you could have a look at the client credentials flow. Then your application will just get a token with access to all mailboxes.
I want to implement a process along the lines of;
Staff member creates Salesforce Contact
Personalised registration link is sent to client
Client registers for the web application with Azure AD
Client fills in profile information which is stored against the SF Contact
Web application has access to logged in client's profile information
My initial thoughts were to send an identifier for the SF Contact in the registration link which is then attached to the AD user (does AD support custom attributes during signup?). When the user signs into the web app and completes their profile, update the Contact using the Salesforce REST api. Profile data would then also be pulled into the web app as required via the same means.
Is there a better approach to this problem?
I have authenticated with Azure & OAuth to receive an access token. Now I want to read their Outlook emails through a Microsoft Graph endpoint from a native WPF desktop app using c#. However my request to get the emails, of the currently signed in user, fails with a 501 error. The delegated permissions my app has are:
View users' email address
Access user's data anytime
Sign users in
Read user mail
Sign in and read user profile
Here is my network trace.
Now I'm getting a 404 too
Based on the quest, were you authenticate the app with external user for the Azure AD?
If I understood correctly, the Microsoft Graph API only support for the users in the tenant.