I am a bit confused with Office 365 subscriptions and the application I have created in Azure AD for OAuth.
I have programmatically created an Azure AD app for OAuth and have assigned it appropriate permissions for Graph API and EWS API. The app is working perfectly fine with the Dev tenant I have for my testing. I am able to programmatically access OneDrive and Mailboxes using the token created by this application.
Now I am not sure if I need to associate this app with Office 365 subscriptions. Currently, my dev tenant does not have any Azure / Office 365 subscriptions but users in the field may have Azure / Office 365 subscriptions.
I am not sure if I need to perform any specific checks for subscriptions and associate my app with any. Information I found on the net is confusing and I am unable to conclude anything from it.
Please let me know if you have any idea about this. I am a bit new to this whole thing so forgive my ignorance.
Access Graph API and EWS API only requires that you have O365 subscription.
But you don't need to do something like associating with O365 subscription.
Just make sure this Azure AD application is available in the corresponding tenant.
For example, we have a tenant #testTenant.onmicrosoft.com, and a user admin#testTenant.onmicrosoft.com.
You need to create the AAD application in this tenant #testTenant.onmicrosoft.com. And if admin#testTenant.onmicrosoft.com has O365 subscription with Exchange Online license, you can access its AAD user profile information and O365 mailbox with Graph and EWS. If the user doesn't have O365 subscription, you can also access its AAD user profile information. But the mailbox is not existing so you can't access the mailbox.
Related
Question: Using Microsoft Graph API, is there a way to query if a logged-in user has both the Office365 and Azure subscription?
Details:
My WPF-Core app is using MS Graph to access Azure resources as well as Office365 services (Outlook schedule and OneDrive). My personal Azur Account does not have Office365 subscription. When I login with
an Azure (admin) account to my app the app can perform CRUD operations on Azure AD users.
Likewise, when I login as an MSA account (Outlook, Hotmail, etc.) the app can perform operations such as updating Outlook events, Upload/Download files to the logged-in user's OneDrive etc.
But in both case the converse is not true. For example, if I log-in using Azure AD account and try to have app update Outlook event (or upload a file to my OneDrive), I get the following error: Tenant does not have a SPO license.. So, if a user is logged-in with Azure AD account and try to click on the app's button that display or update user's outlook events I would like to display a message to the user that your Azure account does not have a SPO license. And, display a similar message in the reverse case (i.e. this Office account does not have Azure subscription etc.)
NOTE: The above scenario is not working for display purposes, as well. That is, an Azure AD login is not able to see Outlook events; and an MSA login is not able to see the Azure AD users list.
Firstly, the answer is NO. We cannot determine if the user has Azure subscription.
MS Graph mainly manages the Azure AD resources while Azure subscription mainly manages Azure resources such as Azure App Service, VM, etc.
But we can determine if a user has O365 subscription (or the license under O365 subscription).
Firstly, you could use GET https://graph.microsoft.com/v1.0/me?$select=userPrincipalName,assignedPlans to get the logged-in user's O365 licenses.
We can find the Sharepoint license in the response:
In fact you may find more than one Sharepoint license in the response because the user may have multiple O365 subscriptions.
Besides, if the Azure subscription you mentioned actually refers to AAD subscription, then the method I described above is also suitable for querying AAD subscription.
The above content applies to AAD users.
If the logged-in user is an MSA, when you query GET https://graph.microsoft.com/v1.0/me?$select=userPrincipalName,assignedPlans, it won't return a property named assignedPlans.
I have an Office365 Exchange server where I host my corporate email.
I also have an Azure subscription with some services (webapp, database, etc.)
What I want to achieve is that the users I create on Exchange (user#mycompany.com) can log in to the Azure portal using the same credentials, and I can grant permissions to some of them to administer Azure resources.
Basically SSO between Offce365 Exchange and Azure portal.
Please note I have nothing "on premises".
If it is only some users, you can invite them as guest users in the AAD tenant you have linked to the Azure subscriptions.
This way they can still use the same credentials and you can give them RBAC roles in the Azure subscriptions/resource groups/resources.
Another possible way might be to change the linked tenant to your Office 365 AAD tenant.
Do note this would erase all RBAC role assignments and they would need to be re-done.
Also anyone needing access to the Azure subscriptions would need to exist as a user/guest in the Office 365 tenant then.
This might be best if only users from this Office 365 tenant use the subscriptions.
This is NOT a code related question. But a question on auth while accessing Microsoft Graph.
I have a small nodeJS code that will access my own files on one drive and pull some data from an excel spreadsheet. This app is just my own, for automating a task. Is it possible for nodeJS code to access Microsoft Graph APIs without having to register this app and get admin approval?
I have a work account. My admin would not approve an app that is not going to help my organization.
It's determined by what kind of your account.
If your account is a work/school account, which is managed by your organization, you must register the application/create servicePrincipal in your organization tenant to call Microsoft Graph API. Because all company data, including your account data, is managed by your organization, not yourself.
If your account is a personal account, Microsoft Live Account, you can use Microsoft app registration portal for personal identity platform: https://apps.dev.microsoft.com/. It's managed by your own personal account.
I want to build a daemon to read and write emails using my organisation's office 365 account. My team has a private Azure Instance (not linked with any O365) and i have no admin access to o365 other than my accounts credential. How can i build a daemon service that authenticate with ms-graph and read/write emails without any user interaction?
You need to have an application definition in the directory that has the Office 365 accounts.
You can either create it directly, or you can create it as a multi-tenant application in another directory.
In the latter case, you need to grant it access to the Office 365 tenant's Azure AD.
If you haven't worked with Azure AD and the Microsoft Graph API before, I recommend you check out the samples. There are some for node.js, but the principles are the same for all other environments.
my question is similar to question Multi-Tenant app - OneDrive Business API
but i want my application to access the one drive from tenants of other different azure subscription, is it possible? i understood that if i register my application and mark it as multi-tenant, it will allow me access the tenant in my azure subscription, but if i want to access the tenant using the same application but in different azure subscription whats the way.
What’s kind of authentication flow are you using? Normally, we use the Authorization Code Grant Flow that the user delegates access to a web application. In this scenario, to enables the users on other tenants to login the website and access their Office 365 resource, we only need to enable the multiple-tenant app on the Azure portal.
but if i want to access the tenant using the same application but in different azure subscription whats the way.
It depends on which REST you were using. It is same as we are call the REST API for the single tenant app if we are using the Microsoft Graph to query the OneDrive for business. The endpoint of the list children of a driveItem is still like below no matter which tenant the user login:
GET https://graph.microsoft.com/v1.0/me/drive/root/children
GET https://graph.microsoft.com/v1.0/me/drive/items/{item-id}/children
GET https://graph.microsoft.com/v1.0/me/drive/root:/{item-path}:/children
If you were using the Office 365 REST API, we need to discover the service endpoint. You can refer to here for more detail about Office 365 Discovery Service REST API.
Depending on the permissions that you need normally the tenant admin of the other tenant has to add the application to their own Azure AD. With the newer app model v2 this is quite a lot easier as the admin can simply give consent once in the normal consent screen for the entire tenant. See here for a mor elaborate explanation of how this would work.