MS Graph API administration - azure

How can I view all subscriptions regardless of the 'app registration' that created it?
On our AAD, we have 2 'App Registration', lets call them regAppA & regAppB. We ran into an issue where we used both apps to create subscription for outlook events. This resulted in multiple events firing for a single change which caused issues down the line when handling them.
The problem is if you call :
GET https://graphUrl/subscriptions (with regAppA secret) you will only get the subscriptions created using that App Registration, and likewise with regAppB's secret
To avoid this situation happening again, I would like to run an automated script/program/whatever, that would get all subscriptions created regardless of the App Registration used to create it and flag issues found in the data.
I could do that using https://developer.microsoft.com/en-us/graph/graph-explorer, but I don't know how-to or if you can use delegated authentication programatically. I need this solution to run with no user intervention.
Any help will be much appreciated.

Related

What is the Azure "api.cds.appsplatform.us" service?

I am developing a multi-tenant application to use Microsoft's Business Central API. At first I want to check if I can simply log in myself.
However, every time I try to grant admin consent inside the app's API permissions, I get this error:
This app requires access to a service (\"https://*.api.cds.appsplatform.us/\") that your organization is not subscribed to or has not enabled.
I cannot find anything online about "api.cds.appsplatform.us". I have a subscription (trial) set up, I also have a trial subscription with Business Central (although removing all the API permissions to just the default Microsoft Graph permission, still gives me the same error).
The error message is sort of unhelpful, so what do I need to enable to access my own app?
I believe that the CDS here is Common Data Service. Common Data Service for Apps is a service built on the Common Data model that you can use to store, build, and manage apps and app data. It's used most by PowerApps and Microsoft Flow.
https://learn.microsoft.com/en-us/powerapps/maker/common-data-service/data-platform-intro
https://powerapps.microsoft.com/en-us/common-data-service/
https://learn.microsoft.com/en-us/business-applications-release-notes/april19/dynamics365-business-central/
The only API permissions I needed for a Microsoft Dynamics 365 Business Central app was "Dynamics 365 Business Central" and its subpermissions.
I had included "Dynamics CRM" as an API permission, which requires CDS (Common Data Service), hence the error above.
However, when I wrote above that I had attempted to remove the above permissions and tried the 'grant admin consent' button again, and I got the error again, the problem was that I had forgotten to refresh the page after I had removed the "Dynamics CRM" permission.
Indeed, the takeaway from the error is that one has added a permission too many. But every time one removes a permission, it is paramount that one refreshes the page before attempting the 'grant admin consent' button again.

Mail.ReadBasic equivalent Application scope

I'm trying to access email metadata via Microsoft Graph without access to the content of the emails. From the documentation, I've noticed there is a Mail.ReadBasic permission that might help but this permission only appears as a Delegated scope. My service is a backend task so I need an Application scope.
I would really appreciate some help with these issues:
Is there a way to enable this Mail.ReadBasic permission as an Application permission?
Can I create custom permission for the application?
Can I use Mail.Read and enforce selection of fields to reduce it into Mail.ReadBasic Permission (otherwise requests will be blocked)
Is there any other way to get only the email metadata from the Microsoft Graph (webhooks, access via audit logs, etc)?
1) I am actually the Program Manager in the process of getting this rolled out into Microsoft Graph right now. We are currently deploying this internally to our pre prod env. It is in the deployment process and should be there in all tenants within the next two months.
2 & 3) You cannot create your own custom permissions or reduce fields with Mail.Read.
4) Mail.ReadBasic will get you the email metadata (not body or attachments) with on behalf of flows right now. And soon app-only.

Unable to add API access entry

I have created three B2C applications:
TestWebApp
TestApiOne
TestApiTwo
Both API applications were created the exact same way. Web API access is enabled, reply URLs have been specified, an App ID URL has been assigned, and keys have been generated. Both APIs have an additional read and write scope.
In TestWebApp API access, I am able to add TestApiOne with all three scopes without an issue.
When trying to add TestApiTwo to the TestWebApp API access list, the operation fails with the following error.
Failed to add the API access. Reason: The B2C service has an internal
error. If you created this B2C directory just now, please try again
after couple of minutes. If the problem persists, please contact
Support
(https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-support/).
If you do not have a B2C directory you can refer
https://azure.microsoft.com/en-us/documentation/articles/active-directory-b2c-get-started/
I thought maybe there is a limit of one API per application. To test, I created a temporary application "TempApp". I received the same error displayed above while trying to add API access for both TestApiOne and TestApiTwo.
Has anyone else experienced this issue?
There's not a limit of one API per application. I have done research and it works fine by my side.
Please have a look at the guide and check your steps.
I have tried to replicate the issues that you are facing by putting diff redirect reply url domains and also by making one application to be native and one normal web app but it doesn't help.
Could you try to delete all the webapps and try making 1 and then adding another to it.
Then create the 3rd one.
Please check this or if you can share some screen shots. That would be helpful.
You can definitely add multiple web apps to api access of one web app.

Windows Store 8.1 App Azure ADAL offline client authetication

I'm building a Windows 8.1 store app and need to incorporate authentication. This is an enterprise app used in house. We load the app onto a tablet and a team may check that tablet out for weeks at a time, go out to the field to collect data and then we put in on a shelf until another team needs to use it. Now different teams may work for difference clients so when we authenticate users not only do they get access to the app but we also check what groups they are in to determine what clients they can work on or what previous records they can search for.
I've followed various ADAL tutorials and am able to setup everything in Azure and in my app I am able to authenticate a user successfully and get their groups. This relies on ADAL handling the username/password. What happens when the app shuts down and the user in a place where there is no internet (or even a reliable cell connection)? Specifically how can I have the user type a username/password to re-authenticate and get the same groups they were in when they can't access Azure services?
It appears they isn't available as the guidance always points to that is a risky proposition to have the app handle username/passwords. I understand that stance and can appreciate the caution behind it. However, in all of the ADAL documentation that I find that says this, none of them tell me how to handle an offline authentication scenario.
I have found links such as ADAL v3: How to authenticate using UserPasswordCredential? that tell me how to bypass the ADAL login page. I may have to move to that route and handle all of the username/passwords securely within the app, but first I would like to reach out and see how others tackle this scenario. Is it really as simple as avoiding best practices and just handle the username/password within the app?
If anyone has some guidance, ADAL (or other oauth providers) documentation, or other articles/advice I can follow up on to help achieve offline authentication I would greatly appreciate it!
Additional Information:
My scenario that I'm trying to cover is what happens when I have 1 device, 1 app, and many different users? These users will be in different groups that will determine how data fields get populated (filter data in combo boxes) and what previously submitted forms they can query for. All users would need to login when online to cache their information (say on Day 0) before they can ever use the app. On Day 1 user 1 uses the app and doesn't log out. I would expect the app to have a timeout timer to log that user out after 2 hours of no activity. On Day 2, user 2 just grabs the device off the shelf and takes it out into the field. He has no internet and needs to log in to determine who they are and what group they are in. I would expect since he has logged in once and verified his credentials already that we can enable this sort of scenario.
What I'm looking for is guidance if ADAL as a library can handle this or is it truly up to me the app developer to handle this sort of scenario. As I see it currently I need to store all user credentials, but at the same time it seems like everyone advises against that. I feel like I'm in a situation where I need to create a custom login screen and store the user data, SECURELY of course, even though its not recommended. It seems like all articles on how to use ADAL are written from a consumer app standpoint (or a BYOD) and don't take into account how a mobile app would be written for the enterprise.
That depends on your app design, if the first time(app online) , user login and app store all groups ,user information .After that user doesn't need to use token to get related information again(send request to server to acquire groups/user info). If app is offline , user doesn't need to re-authenticate(app controls the user session) , just get group/user information from cache . When using resource owner flow , you still need to send authenticate request to Azure AD server which need internet.

Azure Easy API on Node.js 'No route registered for '/api/xxx'?

I'm having problems even running a simple Easy API method. I keep getting the response that says "No route registered for '/api/userInfo'".
I know that this location is correct because the I'm opening the App Service editor at https://XXXX/dev/wwwroot/api/userInfo.js
The file also has anonymous access, so there shouldn't be an authorization issue. I'm simply trying to hit the api method from a browser.
The code of this very simple method has been reduced to the following for debugging purposes
module.exports = {
"get":function(){
console.log('whooohooo');
}
};
Is there a setting I'm missing to enable the ability to call Easy API's? I've not been able to find any documentation that states that Easy APIs method must be explicitly enabled, nor can I find any settings related to enabling them.
Please note that I did not set up a Node.js project and deploy it to Azure. I am using an "out of the box" app service.
My end goal is to use an Easy API method go get an authenticated user's email and name, but my efforts have been reduced to confirming that I can call a method. Thanks in advance.
UPDATE:
I've created 3 different mobile App services with no luck and varying advantages.
App Service 1:
This Mobile Apps project is 10 months old and was created in the Azure portal. It has a routing line in the app.js file that suggest that the api route should be present, but doesn't work. I don't remember if i authorized the easy apis when i created it, but the fact that it has the following line suggests that I did
mobile.api.import('./api');
AppService 2:
This project was created in the MobileCenter using the Tables menu option for a Xamarin project. I then navigated to the Azure Portal and hooked up a SQL db to the table. I don't think I had the opt in to use Easy APIs, but the I was allowed to create an Easy API script, then edit it. Upon editing it, I realized that the project had no app.js file. Apparently web apps created via MobileCenter are created differently.
I picked this option because it allows you to use the "per-user" flag when setting up tables and doesn't require you to manually filter out data with a modification to the table's script. Apparently this is not an option if you don't set up an App Service via the MobileCenter??
App Service 3:
I created a brand new project within the portal and followed the the steps Aaron Chen laid out. I opted in, hooked up the table and modified the js file (I created a new one called 'testing'). I browsed to https://zzzzapitestzzzz1.scm.azurewebsites.net/api/testing
and got the dreaded no routes found error. Of course, the API method was created with anon access rights.
Basically, we can easily create an Easy API in the Azure portal.
Select your app service and click on Easy APIs in the MOBILE menu.
Enable Mobile extension for your app by clicking Need to configure Easy Tables/Easy APIs ...
Connect a database and then click Initialize App button.
After app initialized, you can add an API from Easy APIs blade.
Change the userInfo.js file to something like this:
Now, we can access the API with the endpoint http://<yourappname>.azurewebsites.net/api/userInfo.
For more info, please refer to this blog post.

Resources