Azure Graph Booking API for public application - azure

I would like to use MS Graph Booking API for publicly available application.
Users are going to login with identity providers but obviously are not in our Azure AD.
Per my understanding, it's possible to access this API only with delegated AD user permissions.
Also as I see Azure B2C AD users seem to not have access to MS Graph API.
Question: Is there a way to expose and use MS Graph Booking API by users who are in our database or in Azure B2C AD?

I am afraid there is no such way. To use Microsoft Graph API, we need to provide the appropriate access tokens for the corresponding operations, and we must get the access token from the Microsoft identity platform (formerly Azure Active Directory for developers).
The steps are:
Register your app with Azure AD.
Get authorization.
Get an access token.
Call Microsoft Graph with the access token.

Related

What approaches are available for allowing Azure AD B2C users to GET and POST data to a M365 environment via Graph API?

Per the docs, there is no 'out of the box' way to enable Azure AD B2C users to interact with the M365 environment associated with the Azure AD tenant that was used to create the Azure AD B2C tenant.
Azure AD B2C can't be used to authenticate users for Microsoft 365.
Source:
Can I use Azure AD B2C to provide social login (Facebook and Google+) into Microsoft 365?
But I still need to be able to provide this functionality, i.e. GET and POST requests to M365 via the Graph API.
To be clear, this is what I have achieved so far:
Azure AD B2C users can login
Azure AD users can login and interact with their own M365 environment via Graph API
(to enable this, I added the Azure AD tenant as an identity provider, per this article)
What I have not yet been able to figure out is:
How can the Azure AD B2C users interact with the M365 environment associated with the Azure AD tenant?
(that created the Azure AD B2C tenant)
To illustrate a use case for this requirement:
Company_A wants to enable external contractors to be able to submit compliance documents to them
They set up Azure AD B2C and create accounts for their external contractors
They set up a Node.js/Express web app on Azure
External contractors can now login to a web app and view forms designed to submit data and attachments
How can those forms send data and attachments to a Document Library in Company_A's M365 environment?
I have been pondering this issue for a while and can't conceptualise a mental or technical model of how this can be achieved.
Google searching related phrases doesn't produce any relevant content.
I am hoping someone will have the knowledge and experience to be able to say:
You will need to follow THIS paradigm which is documented HERE and involves doing THIS
Edit:
I am reading articles like these:
Get access without a user
which talks about scenarios where:
apps that have a signed-in user present may also need to call Microsoft Graph under their own identity
and contemplating adding Application Permissions (as opposed to Delegated Permissions) to my Azure AD B2C application registration.
Just to test the idea, I have added Sites.ReadWrite.All as an Application Permission and granted Admin Consent for that permission. How would I define this scope (Sites.ReadWrite.All) to be associated with the 'home' Azure AD tenant (as opposed to the Azure AD B2C tenant)? I am using msal-node which has a method named getAuthCodeURL() where you pass through the scopes required. I am assuming if I just added Sites.ReadWrite.All it would default to being applied to the Azure AD B2C tenant, rather than the desired Azure AD tenant?
M365 doesn’t exist in an Azure AD B2C tenant, you cannot apply a license for Office there. This simply isn’t possible.
For Graph API, you cannot use B2C issued tokens to call it. You must use underlying AAD Tokens to access it. Your server would need to perform Azure AD client credentials flow against the Azure AD endpoint of your AAD B2C tenant and ask for a token to Graph API. https://learn.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
Microsoft service scopes only apply to the underlying Azure AD endpoints of your AAD B2C tenant. They won’t mean anything at the AAD B2C login endpoints. Hence, the differentiation is made by the endpoint used.
An Azure AD B2C tenant has both endpoints:
AAD: login.microsoftonline.com/tenantId
B2C: b2clogin.com/tenantId
Since the M365 env does not exist for B2C tenants, the MS Graph API is only useful to R/W user data. But, for this, you could just use the B2C user flows to R/W user profile data, and return user profile data into the B2C token, so you don’t have to call MS Graph API. This is actually the intended usage pattern.

Microsoft graph rest api v1.0: Access to B2C tenant users

I want to get user information, not only from Azure Active Directory, but also from Azure B2C Tenant Users. I was able to reproduce results for AAD users, but I couldn't find enough resource as for how to access to B2C Users (e.g. Gmail.com). I get this error when I swap to my desired clientid/clientsecret (fetched from Azure AD B2C - Application) in this project (https://github.com/microsoftgraph/aspnetcore-connect-sample):
'unsupported_response_type', error_description: 'AADSTS700054: response_type 'id_token' is not enabled for the application.
I couldn't find the recent resources helpful, as a lot of Azure component changed. I would greatly appreciate your kind guidance!
If I understand your question correctly, you want to be able to programmatically CRUD B2C Users.
AADB2C has documentation for the same using AADGraph (and not using Microsoft Graph)
Build user CRUD operations by using the Graph API
As of today, you must use the Azure AD Graph API to manage users in an Azure AD B2C directory. This is different from the Microsoft Graph API. The sample you referred to is not appropriate for managing B2C tenant users.

AAD Multitenant App support login for all microsoft account

I am trying to create a multi-tenant application in Azure AD, which can log in all users, including Microsoft live/hotmail accounts, and also get the access permissions to access their management resource APIs. I can get work accounts from other domains to log in, but not live accounts. I get this error:
User account 'mitesh_***#live.com' from identity provider 'live.com' does not exist in tenant 'Default Directory' and cannot access the application '382dfccb-33af-4567-90cd********' in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.
I have heard of the MSAL v2 endpoint to log in both types of accounts, but I heard that this endpoint doesn't support permissions to access Resource management libraries yet.
Is there any way to achieve this with ADAL or any other way?
Thanks,
Mitesh
The Azure AD v2.0 endpoint supports both personal Microsoft accounts and work accounts from Azure Active Directory. But the v2.0 endpoint issues access tokens only for:
- The app that requested the token. An app can acquire an access token for itself, if the logical app is composed of several different components or tiers.
- The Outlook Mail, Calendar, and Contacts REST APIs, all of which are located at https://outlook.office.com.
- Microsoft Graph APIs. You can learn more about Microsoft Graph and the data that is available to you.
The v2.0 endpoint doesn't support management APIs. And the Azure AD v1.0 endpoint supports work accounts only, unless Microsoft accounts are added as an external user in the tenant first. In my opinion, there is currently no other way or workaround to achieve your requirement.

Authenticate a user on Azure AD B2C using Graph API

I have created a WebApi app which can create a user on Azure AD B2C tenant using Graph API.
Now the user has to authenticate on Azure AD B2C in the same way as I have used the Graph API. I mean a programmatic approach to sign in instead of the Microsoft login page. Is it possible to authenticate against Azure AD B2C using Graph API? If yes, can you please suggest the way to do it?
It is not possible to authenticate a user in Azure AD using Graph API. Graph API provides methods for various AD related operations on the users, signed-on user, groups, directory roles, policies and so on. https://msdn.microsoft.com/en-us/library/azure/ad/graph/api/users-operations
You can programmatically authenticate users against Azure AD using a certain call but MS refuses to officially support the method in libraries, despite it existing for over 4 years.
For node, the denied pull request is here: https://github.com/AzureAD/azure-activedirectory-library-for-nodejs/pull/99?_pjax=%23js-repo-pjax-container
The code repo referenced in the pull is here: https://github.com/testdouble/azure-activedirectory-library-for-nodejs/tree/client_secret_optional

Does the GraphAPI support SSO (auto-login) for Domain Users?

I have a web app (node.js) which will access the GraphAPI through OAuth using ADAL to my company's Azure AD. Does it support SSO such that the domain user doesn't need to give credential again after domain login?
The Azure AD Graph API is not used for SSO; you can refer to its API reference.
The Azure Active Directory Graph API provides programmatic access to Azure Active Directory through REST API endpoints. Apps can use the Azure AD Graph API to perform create, read, update, and delete (CRUD) operations on directory data and directory objects, such as users, groups, and organizational contacts.
For more details of single sign-on, please see the doc What is application access and single sign-on with Azure Active Directory?