Microsoft GRAPH API possible without Azure App Registration? - azure

I would like to try out Microsoft GRAPH API. But as far as I can tell there is no way to test it without App Registration client and tenant id in the Azure Portal. Is this correct? I don't have access to App Registration on Azure so if this is correct then I need to contact admin, which means I need to start a whole long-winded process.

No, this is not possible, to access the graph api, (for a work or student account) there must be an app registration to give you permissions to those endpoints.

It is possible IFF you are just trying to do CRUD operations and other GET requests that doesn't require an admin consent.
You can check the same inside Graph Explorer, for the requests that require your/admin's consent.
You must also consider that the access token gets refreshed when you try to integrate it with any code.

The accepted answer is misleading. This is possible using the Microsoft Graph PowerShell SDK.

Related

Authenticate against Azure AD

I'll try to make this as straight-forward as possible.
I have a ASP.NET Web API application running in Azure. I generate JWT tokens for callers, who authenticate with my service by sending in the equivalent of a username and password. Rather than managing my own membership database, I would like to utilize Azure Active Directory. I would then create users in AD.
My question is this: From a web application running in Azure, can I make a simple API call to Azure Active Directory with a username and password and get back a result indicating that the user exists in AD? If so, can you please point me in the right direction that will not eventually lead to a dead-end where I finally discover that it only will work for desktop applications, or some other contrived scenario.
Thanks in advance!
If my understanding is correct, you are looking for an APi so that you can check whether user exist in AD or not. For checking if user exist in Azure AD or not , you can simply use Azure Graph rest api:
for which you can find the reference here:
https://learn.microsoft.com/en-us/azure/active-directory/develop/active-directory-graph-api?redirectedfrom=MSDN
you can simply utilise the below query with right set of filter:
GET https://graph.windows.net/myorganization/users?api-version[&$filter]
Check this link for additional reference:
https://learn.microsoft.com/en-us/previous-versions/azure/ad/graph/api/users-operations#GetUsers
https://forums.asp.net/t/2017251.aspx?Check+if+username+exist+in+Windows+Azure+Active+Directory+C+
Hope it helps.

web application to multi tenant application one drive business api

my question is similar to question Multi-Tenant app - OneDrive Business API
but i want my application to access the one drive from tenants of other different azure subscription, is it possible? i understood that if i register my application and mark it as multi-tenant, it will allow me access the tenant in my azure subscription, but if i want to access the tenant using the same application but in different azure subscription whats the way.
What’s kind of authentication flow are you using? Normally, we use the Authorization Code Grant Flow that the user delegates access to a web application. In this scenario, to enables the users on other tenants to login the website and access their Office 365 resource, we only need to enable the multiple-tenant app on the Azure portal.
but if i want to access the tenant using the same application but in different azure subscription whats the way.
It depends on which REST you were using. It is same as we are call the REST API for the single tenant app if we are using the Microsoft Graph to query the OneDrive for business. The endpoint of the list children of a driveItem is still like below no matter which tenant the user login:
GET https://graph.microsoft.com/v1.0/me/drive/root/children
GET https://graph.microsoft.com/v1.0/me/drive/items/{item-id}/children
GET https://graph.microsoft.com/v1.0/me/drive/root:/{item-path}:/children
If you were using the Office 365 REST API, we need to discover the service endpoint. You can refer to here for more detail about Office 365 Discovery Service REST API.
Depending on the permissions that you need normally the tenant admin of the other tenant has to add the application to their own Azure AD. With the newer app model v2 this is quite a lot easier as the admin can simply give consent once in the normal consent screen for the entire tenant. See here for a mor elaborate explanation of how this would work.

Limit o365 App to access specific OU or security group

Is there a way to limit the interaction of an app that is built on the o365 api to a specific set of users? I checked in Azure, but I don't see a setting that would do that. The permissions for the app indicate the they would give it access to the entire directory.
Thanks
Currently the only scopes that are supported (when providing access to O365 APIs, Azure AD Graph or Microsoft Graph) are for the signed-in user only and tenant-wide. Unfortunately we don't have anything in-between. This is something that we are considering. Please file a request for this on UserVoice. It would also be great to understand the scenario or reason for this request.

OAuth2 and Microsoft Graph API for my Node.js app?

I'd like to add an Office365/Graph Calendar integration to an existing Node.js app (hosted on AWS). I've already done a similar integration with Google's Calendar, and it was trivial to get set up. I'm not having nearly as much luck with the Microsoft version of things.
I've found at least 4 different ways to register an app (get a clientId and clientSecret), and I seem to get different errors for each of them, but can't get any to work properly.
I think a large part of my problem is that I've never had to work in the MS ecosystem before, so I don't have a lot of the baseline knowledge that the documentation assumes.
I'm not looking to host anything with Microsoft - do I even need an Azure account?
I'd like to allow any user with an Office365 account to connect it to my app - do I need to learn about Active Directory to do this? Does this part of it require Azure?
I've found instructions for using both https://login.microsoftonline.com/common/oauth2 and https://login.microsoftonline.com/common/oauth2/v2.0 for this, do I need to worry about which version I use depending on how I registered my app?
Microsoft Graph leverage Azure AD to authenticate and authorize users. The doc refers as:
To get your app authorized, you must get the user authenticated first. You do this by redirecting the user to the Azure Active Directory (Azure AD) authorization endpoint, along with your app information, to sign in to their Office 365 account. Once the user is signed in, and consents to the permissions requested by your app (if the user has not done so already), your app will receive an authorization code required to acquire an OAuth access token.
So you need to register an Azure account for configure the Azure AD service. Refer https://graph.microsoft.io/en-us/docs/authorization/app_authorization for more info.
Meanwhile, to implement Microsoft Graph in node.js application, you can refer the following code sample for your information.
Microsoft Graph service app sample using Node.js
An Office 365 API sample app using Node, Express and Ejs
Office 365 Node.js Connect sample using Microsoft Graph
Matt, you can do this without an Azure account if you use the oauth2/v2.0 auth endpoint. When you do that, you can register on apps.dev.microsoft.com using a Microsoft account.
See this tutorial for doing it with the Outlook REST API, which is similar to the Graph (in fact, for Calendar operations the calls and entities are identical).

Using ADAL to invoke Azure Service Management API

I have created an Azure AD native client application and have given delegated permissions to Azure Service Management API. Now, I'm able to invoke the service management API using my id from a Windows Phone 8.1 app using ADAL library. However, another user can't invoke operations on their subscription even though I add them as co-administrator in my directory. I get the token for the user but when I try to make an API call, I get 'Invalid token:A security token exception occurred for the JWT token'. Is there a way to allow another user to access details about his subscriptions using ADAL authentication from an AD app hosted in someone else's AD? I have searched for any related information for quite some time and I'd gladly take any help.
Here is what I interpret what you are doing.
You have a native app and it is connected to your tenant and it works fine for accessing service management APIs in your tenant/subscription.
You gave the app to a friend and they are trying to use it to access service management APIs in their tenant/subscription.
The suggestion above in the comment is on the right track, but you need to look at the steps for making your native application multi-tenant. This way, the AD service will know to look for the tenant for the authenticated user. Changing the url to use 'common' instead of the tenant id is one of the steps required. Here are a couple of posts to help with that transition.
http://www.cloudidentity.com/blog/2013/04/09/walkthrough-3-developing-multi-tenant-web-applications-with-windows-azure-ad/
This is a native client example of multi-tenant for a windows store app. I could not find one in the repo for a phone app. Hopefully, this gets you on the right track.
https://github.com/AzureADSamples/NativeClient-WebAPI-MultiTenant-WindowsStore

Resources