MS Graph Daemon App - Obtaining Bearer Token - azure

I’m creating a daemon app, e.g. a 'non-user interactive' app, authentication will be performed on behalf of end-users using a ‘service account’. So the no sign in prompt required.
The 'service account' has the relevant Delegated Permissions and Admin Approval is consented for the app, the app permissions are set as 'Application Permissions'.
Company policy forbids the Client Credential flow, so no access to the 'client_secret'. If I try using the ROPC flow with the service account username/password the POST request returns the 'Invalid Grant' error.
I’m confused as to what flow I’d use/can use to obtain a bearer token, that will enable the app to call MS Graph API?
The question is similar to this, though I cannot use Client Flow: Can a MS Graph background/daemon app impersonate a user account without user interaction

To impersonate a user (i.e. delegated access, using delegated permissions) and access Microsoft Graph on behalf of the user, the user must have signed in to the application at some point (or to an upstream application).
The alternative is for the service to authenticate as itself (i.e. using the Client Credentials flow) and access Microsoft Graph directly.
The Microsoft Identity platform does not support impersonation of arbitrary users who have not actually signed in to the app.
In general, using the Resource Owner Password Credential (ROPC) flow to impersonate a user account using that account's username and password is strongly discouraged.

Related

Access denied when requesting Oauth2 token from Azure AD with Authorization code flow

We are developing an application with a frontend and a backend. The backend should be accessed via Rest API with an OAuth2 token. Authorization provider is Azure AD.
In Azure we created 2 app registrations. One for the API, one for the client app. The API registration defines 3 scopes (Read, Write, Delete). The client app registration has delegated permission for these scopes.
We are requesting tokens with the clientID and clientSecret from the client app registration.
When requesting a token for a certain scope, after login and approval of permission grant prompt, I just get an access denied error. Does my user need any additional permission in Azure AD to grant permission for the requested scope?
As a workaround I could add the client app as an 'Authorized client application' in the API registration for all three scopes. But then all three scopes are always returned in the JWT under 'scp' regardless of the scope I am requesting and the user does not see the permission grant prompt anymore. Not sure if I want this. I would rather understand how to solve the access denied.
It seems that user consents are not allowed in my organization's AD tenant. (Enterprise Applications -> Consent and Permission -> User Consent Settings.)

How can I create a Azure Web Application to authenticate User and acquire its Access Token?

I want to create an Azure Web Application that can authenticate an external/internal (from any Organization) user upon opening the Web Application link through Azure AD Credentials and acquire its Access token in return.
I want to use that Access Token to programmatically create an application registration in User's tenant.
First, you need to register an application and set it as a multi-tenant application, then use the auth code flow to authenticate the user and obtain an access token.
Next, you need to use the access token to call the MS graph api to create an application, because you are using the auth code flow to obtain the token, so you need to grant delegation permissions to the application.
see: sample.

How to create Teams Message via REST from an Application properly

I have a c# service, the service is running somewhere in the azure cloud without an user interface. some specific events should trigger new messages to a team channel.
According to this documentation, the Create Message https://learn.microsoft.com/en-us/graph/api/channel-post-messages?view=graph-rest-1.0&tabs=http is only supported by delegated account, not by the application tokens.
How can i create a delegated token for my service application without specific user account and without a login interface in the cloud?
Which Authentication Provider is the right one? https://learn.microsoft.com/en-us/graph/sdks/choose-authentication-providers?context=graph%2Fapi%2F1.0&view=graph-rest-1.0&tabs=CS
As you mentioned in the question : chatMessage , supports only the Delegated Permission type.
What exactly is Delegated Permission Type?
A permission which specify scope-based access using delegated authorization from the signed-in.
The reason on the emphasis of the above point is being that - for Delegated permission we would need the context of a user account
Coming back to your questions :
How can i create a delegated token for my service application without specific user account
You can obtain a token without a specific user account but this will not help your cause.In order to overcome this, I would suggest a creation of service account - this account has permission over the teams.Part 2 of this questions suggests which provider can help without the login prompt.
The steps include :
Register your app.
Configure permissions for Microsoft Graph on your app.
Get administrator consent.
Get an access token.
Use the access token to call Microsoft Graph.
Detailing of the steps is included in the article here : https://learn.microsoft.com/en-us/graph/auth-v2-service
without a login interface in the cloud
Now you could use the below option :
Microsoft identity platform and OAuth 2.0 Resource Owner Password Credentials
In this provider, you will be passing the creds of the service account.
POST {tenant}/oauth2/v2.0/token
Host: login.microsoftonline.com
Content-Type: application/x-www-form-urlencoded
client_id=<YOUR CLIENT ID>
&scope=user.read%20openid%20profile%20offline_access
&username=<YOUR USERNAME>
&password=<YOUR PASSWORD>
&grant_type=password
You can generate the token for your service account by above request and application can consume the chatMessage API.

Why signing in Apps via OAuth ROPC flow is not recorded in AAD sign-in logs?

When I use ROPC (Resource Owner Password Credential) flow in my App to let users to sign in my App, why I cannot see any sign-in logs in AAD with it?
ROPC is defined in OAuth2 protocol: https://www.rfc-editor.org/rfc/rfc6749#section-1.3.3 and it’s not included in OpenID Connect.
It just likes other flows in OAuth2, they’re designed for protecting API resources, not authenticating users.
The behavior of ROPC in AAD:
For the ROPC flow, user inputs his/her AAD username and password in the client app side. Then the client sends the user’s credential to AAD. It shows as this below picture:
This behavior may cause a main risk: The client may store and upload the user’s AAD credential and used it for other things. It can play as a phishing app to obtain user’s AAD credential.
Generally, in claims-based authentication, clients should just obtain a user’s attributes(E.g. claims in OIDC id_token, SAML token) issued by a trusted IDP to identify the user. Client shouldn’t obtain the user’s credential for other Identity providers.
Why it’s still supported in AAD?
We can see lots of our customers want to use ROPC flow to delegate user permissions to run a job automatically. Some of our customers use ROPC for their own customized login experience.
From Microsoft side, AAD supports ROPC flow as we can really understand it’s necessary in some special scenarios.
So, what kind of app we can use ROPC in it?
All client apps should be public client(Native App) first.
In Microsoft 1 party Apps, like Powershell.
In User’s owned/trusted Apps.
How can we avoid being phished by a 3rd party app which prompts AAD login?
Make sure the page prompts you to input your AAD user credential is AAD login page. You can also check the domain in the URL. It should be start with “https://login.microsoftonline.com/”.
Generally, we shouldn’t input the username and password together in one form. If a 3rd party app asks you to input your AAD username and password in one form, you need to be careful and don’t try to login it via your AAD credential here. Because AAD doesn’t provide any login page to let you enter your user credential in one form currently.
Overall, user login via ROPC flow may be a sign-in event for the client but it’s not a sign-in event for AAD as the user is not signed in AAD.

Embed Outlook.com with especific credential user generated by MS Graph access_token

I can login to Outlook 365 in my web with MS Graph without user action. I'm using simple-oauth2 module and oauth2.ownerPassword.getToken method to generate tokens with username/password from my database.
I'd like embed Outlook.com in my web for each user (with their credentials).
Is there any way to do this?
Why would you do that?
If your application already lets the user login with Azure Ad account, you could use the on-behalf-of flow. Then your web application can request a token for another resource by sending the access token of the user for the current application.
If they aren’t logged in to Azure ad already you could have a look at the client credentials flow. Then your application will just get a token with access to all mailboxes.

Resources